From: sanju.a at tcs.com (Sanju A)
Date: Thu, 1 Jan 2015 11:05:32 +0530
Subject: [Freeipa-users] Client configuration to point to Replica server once master service failed

Hi All,

I have configured Master - Master replication and replication (bi direction) is working fine.

Can I get the configuration that has to be added/modified in server/client machine so as to point to the replica server once the master failed. Right now it is not working.

Regards
Sanju Abraham
IS - Network/System Administrator
Tata Consultancy Services
TCS Centre SEZ Unit, Infopark PO, Kochi - 682042, Kerala, India
Ph:- +91 484 6187490
Mailto: sanju.a at tcs.com
Website: http://www.tcs.com

Experience certainty. IT Services / Business Solutions / Consulting

Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 1 Jan 2015 11:55:55 +0530
Subject: [Freeipa-users] Client configuration to point to Replica server once master service failed

You could use DNS based failover for this. Configure DNS with a low TTL value like 60 secs. When the primary fails, update the DNS with the secondary. Services like dynect offer this.
On 1 January 2015 at 11:05, Sanju A wrote:
> Hi All,
>
> I have configured Master - Master replication and replication (bi direction) is working fine.
> Can I get the configuration that has to be added/modified in server/client machine so as to point to the replica server once the master failed. Right now it is not working.
>
> Regards
> Sanju Abraham
> IS - Network/System Administrator
> Tata Consultancy Services
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
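The DNS-based failover suggested in this reply, as an added example that is not code from any poster or from the FreeIPA project: it implements the RFC 2782 SRV ordering that IPA clients rely on when sssd discovers servers through DNS SRV records, over a constructed record set with hypothetical host names, and walks that order to the first reachable server. It goes beyond the low-TTL A-record switch above: with SRV records no DNS update is needed at failure time, because the client itself moves on to the next server.

```python
"""SRV-based server selection (RFC 2782) with client-side failover, the
mechanism IPA clients use when sssd discovers servers from DNS SRV records."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower value is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str


# Constructed sample answer for _ldap._tcp.<domain> (hypothetical host names).
# Master and replica share priority 0, so either may be contacted first; the
# DR server at priority 10 is only used when every priority-0 server is down.
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "ipa-master.example.test."),
    SrvRecord(0, 50, 389, "ipa-replica.example.test."),
    SrvRecord(10, 0, 389, "ipa-dr.example.test."),
]


def order_srv(records, rng=None):
    """Return records in RFC 2782 try-order: ascending priority, and within
    one priority a weighted random draw so load spreads across peers."""
    rng = rng or random.Random(0)              # seeded for a reproducible demo
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:                     # all weights 0: plain uniform pick
                pick = rng.choice(pool)
            else:
                ticket, running = rng.randrange(total), 0
                for r in pool:
                    running += r.weight
                    if ticket < running:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def select_server(records, is_up, rng=None):
    """Walk the SRV order and return the first target the client can reach,
    or None when no server answers. This is the failover step the client
    performs on its own, with no DNS change at failure time."""
    for rec in order_srv(records, rng):
        if is_up(rec.target):
            return rec.target
    return None


def simulate_outage(records, down):
    """Convenience wrapper: `down` is the set of targets currently unreachable."""
    return select_server(records, lambda target: target not in down)


if __name__ == "__main__":
    master, replica = "ipa-master.example.test.", "ipa-replica.example.test."
    print("all up      ->", simulate_outage(SAMPLE_SRV, set()))
    print("master down ->", simulate_outage(SAMPLE_SRV, {master}))
    print("both down   ->", simulate_outage(SAMPLE_SRV, {master, replica}))
```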
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 1 Jan 2015 15:09:49 +0100
Subject: [Freeipa-users] Client configuration to point to Replica server once master service failed
Message-ID: <20150101140949.GA10051@redhat.com>

On Thu, Jan 01, 2015 at 11:05:32AM +0530, Sanju A wrote:
>
> I have configured Master - Master replication and replication (bi direction) is working fine.
> Can I get the configuration that has to be added/modified in server/client machine so as to point to the replica server once the master failed. Right now it is not working.

What is your exact configuration and the use case which does not work?

Ideally, you want both IPA servers to be in the DNS SRV records and use _srv_ in sssd.conf (no direct specification of --server to ipa-client-install) to find the replica automatically.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

From: andrew.holway at gmail.com (Andrew Holway)
Date: Thu, 1 Jan 2015 17:40:36 +0100
Subject: [Freeipa-users] firewalld management
In-Reply-To: <54A41CB6.3040307@netbulae.eu>

This would perhaps be a very interesting addition to the HBAC stuff. We're considering deploying freeipa on EC2 and LDAP backed firewalld would be a very powerful tool for a geographically distributed system.

On 31 December 2014 at 16:56, Jorick Astrego wrote:
> Hi,
>
> FreeIPA is great! One thing I'm missing though is management of firewalld services and ports.
>
> Is that something that would fit in FreeIPA?
>
> Currently we are using puppet scripts through katello/the foreman, but as this is very error prone we'd like to have it centrally managed a different way.
>
> The firewall rules are very essential IMHO and I thought the whole point of firewalld is to make it more manageable...
> I already asked the katello guys but they don't appear very interested in implementing something there, then I started thinking it would maybe fit a lot better in freeIPA as it has more overlap with the other network/authentication stuff.
>
> It would be wasteful to have another project just for firewalld management.
>
> Happy new year everybody!
>
> Jorick
>
> With kind regards,
>
> Jorick Astrego
> Netbulae Virtualization Experts
> Tel: 053 20 30 270   info at netbulae.eu   Staalsteden 4-3A   KvK 08198180
> Fax: 053 20 30 271   www.netbulae.eu   7547 TA Enschede   BTW NL821234584B01

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 Jan 2015 19:49:24 -0500
Subject: [Freeipa-users] firewalld management
Message-ID: <54A5EB14.9090803@redhat.com>

Andrew Holway wrote:
> This would perhaps be a very interesting addition to the HBAC stuff. We're considering deploying freeipa on EC2 and LDAP backed firewalld would be a very powerful tool for a geographically distributed system.

There is an existing open ticket for this request, https://fedorahosted.org/freeipa/ticket/2110

A user contributed an initial design a few months ago, http://www.freeipa.org/page/V4/Firewall_Configuration

Definitely a desirable feature, just a matter of scheduling it.

rob

> On 31 December 2014 at 16:56, Jorick Astrego wrote:
>
> > Hi,
> >
> > FreeIPA is great! One thing I'm missing though is management of firewalld services and ports.
> >
> > Is that something that would fit in FreeIPA?
> > Currently we are using puppet scripts through katello/the foreman, but as this is very error prone we'd like to have it centrally managed a different way.
> >
> > The firewall rules are very essential IMHO and I thought the whole point of firewalld is to make it more manageable...
> >
> > I already asked the katello guys but they don't appear very interested in implementing something there, then I started thinking it would maybe fit a lot better in freeIPA as it has more overlap with the other network/authentication stuff.
> >
> > It would be wasteful to have another project just for firewalld management.
> >
> > Happy new year everybody!
> >
> > Jorick

From: ctcard at hotmail.com (Chris Card)
Date: Fri, 2 Jan 2015 15:19:50 +0000
Subject: [Freeipa-users] ipa / sudoers on centos 6.3 client

I have existing machines running CentOS 6.3 which I want to include in a freeipa domain.

The domain controller machine is running Fedora 21 and freeipa-server-4.1.1-2 while the latest version of ipa I can find that runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.

I have successfully run ipa-client-install on the CentOS 6.3 client and set up users who can ssh to the client using ssh-keys.

The problem is that I can't get sudo rules to work.
I know that the ipa client software version 3.0.0 doesn't automatically set up all the configuration for sssd to control sudo access, but I have set up all the configuration necessary manually:

On the client, /etc/nsswitch.conf has

    sudoers files sss

/etc/sssd/sssd.conf has

    [domain/default]
    cache_credentials = True
    krb5_realm =
    krb5_server = :88
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_tls_cacertdir = /etc/openldap/cacerts

    [domain/]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain =
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    chpass_provider = ipa
    ipa_dyndns_update = True
    ipa_server =
    ldap_tls_cacert = /etc/ipa/ca.crt
    sudo_provider = ldap
    ldap_uri = ldap://
    ldap_sudo_search_base = ou=sudoers,
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/
    ldap_sasl_realm =
    krb5_server =
    debug_level = 9

    [sssd]
    services = nss, pam, ssh, sudo
    config_file_version = 2
    domains = , default
    debug_level = 9

    [nss]
    debug_level = 9

    [pam]
    debug_level = 9

    [sudo]
    debug_level = 9

    [autofs]

I have validated the ldap sasl configuration using ldapsearch, so I'm sure they are correct.

The nisdomainname command returns the domain name.

The sudo rules are:

    # ipa sudorule-find
    --------------------
    2 Sudo Rules matched
    --------------------
      Rule name: sudo-host1
      Enabled: TRUE
      Command category: all
      RunAs User category: all
      User Groups: host1-rw
      Host Groups: host1
      Sudo Option: -authenticate

      Rule name: sudo-host2
      Enabled: TRUE
      User Groups: host2-rw
      Host Groups: host2
      Sudo Option: -authenticate
    ----------------------------
    Number of entries returned 2
    ----------------------------

When a user in user group host1-rw sshs to a client in host group host1 and runs "sudo su -" the user gets prompted for a password even though the sudo option -authenticate is set.

I'm not convinced that sudo is even attempting to use sssd, but I'm not sure how to confirm this.

I have seen some references to /etc/sudo-ldap.conf in online discussions of similar issues.
This file exists on my client, but everything is commented out. Do I need to put the ldap client configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf for CentOS 6.3 clients?

Any ideas about how to work out what is failing?

Chris

From: bpk678 at gmail.com (Brendan Kearney)
Date: Fri, 02 Jan 2015 10:28:16 -0500
Subject: [Freeipa-users] ipa / sudoers on centos 6.3 client
Message-ID: <1420212496.14759.0.camel@desktop.bpk2.com>

On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> I have existing machines running CentOS 6.3 which I want to include in a freeipa domain.
>
> The domain controller machine is running Fedora 21 and freeipa-server-4.1.1-2 while the latest version of ipa I can find that runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
>
> I have successfully run ipa-client-install on the CentOS 6.3 client and set up users who can ssh to the client using ssh-keys.
>
> The problem is that I can't get sudo rules to work.
> I know that the ipa client software version 3.0.0 doesn't automatically set up all the configuration for sssd to control sudo access, but I have set up all the configuration necessary manually:
>
> On the client, /etc/nsswitch.conf has
>
> sudoers files sss
>
> /etc/sssd/sssd.conf has
>
> [domain/default]
> cache_credentials = True
> krb5_realm =
> krb5_server = :88
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_tls_cacertdir = /etc/openldap/cacerts
> [domain/]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain =
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server =
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://
> ldap_sudo_search_base = ou=sudoers,
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/
> ldap_sasl_realm =
> krb5_server =
> debug_level = 9
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = , default
> debug_level = 9
> [nss]
> debug_level = 9
> [pam]
> debug_level = 9
> [sudo]
> debug_level = 9
> [autofs]
>
> I have validated the ldap sasl configuration using ldapsearch, so I'm sure they are correct.
>
> The nisdomainname command returns the domain name.
>
> The sudo rules are:
> # ipa sudorule-find
> --------------------
> 2 Sudo Rules matched
> --------------------
> Rule name: sudo-host1
> Enabled: TRUE
> Command category: all
> RunAs User category: all
> User Groups: host1-rw
> Host Groups: host1
> Sudo Option: -authenticate
>
> Rule name: sudo-host2
> Enabled: TRUE
> User Groups: host2-rw
> Host Groups: host2
> Sudo Option: -authenticate
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> When a user in user group host1-rw sshs to a client in host group host1 and runs "sudo su -" the user gets prompted for a password even though the sudo option -authenticate is set.
> I'm not convinced that sudo is even attempting to use sssd, but I'm not sure how to confirm this.
>
> I have seen some references to /etc/sudo-ldap.conf in online discussions of similar issues. This file exists on my client, but everything is commented out. Do I need to put the ldap client configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf for CentOS 6.3 clients?
>
> Any ideas about how to work out what is failing?
>
> Chris

try "!authenticate" (without the quotes), not "-authenticate" (again, no quotes).

From: ctcard at hotmail.com (Chris Card)
Date: Fri, 2 Jan 2015 15:45:03 +0000
Subject: [Freeipa-users] ipa / sudoers on centos 6.3 client
In-Reply-To: <1420212496.14759.0.camel@desktop.bpk2.com>

> Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
> From: bpk678 at gmail.com
> To: ctcard at hotmail.com
> CC: freeipa-users at redhat.com
> Date: Fri, 2 Jan 2015 10:28:16 -0500
>
> On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> > I have existing machines running CentOS 6.3 which I want to include in a freeipa domain.
> >
> > The domain controller machine is running Fedora 21 and freeipa-server-4.1.1-2 while the latest version of ipa I can find that runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
> >
> > I have successfully run ipa-client-install on the CentOS 6.3 client and set up users who can ssh to the client using ssh-keys.
> >
> > The problem is that I can't get sudo rules to work. I know that the ipa client software version 3.0.0 doesn't automatically set up all the configuration for sssd to control sudo access, but I have set up all the configuration necessary manually:
> >
> > On the client, /etc/nsswitch.conf has
> >
> > sudoers files sss
> >
> > /etc/sssd/sssd.conf has
> >
> > [domain/default]
> > cache_credentials = True
> > krb5_realm =
> > krb5_server = :88
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > [domain/]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain =
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > chpass_provider = ipa
> > ipa_dyndns_update = True
> > ipa_server =
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > sudo_provider = ldap
> > ldap_uri = ldap://
> > ldap_sudo_search_base = ou=sudoers,
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/
> > ldap_sasl_realm =
> > krb5_server =
> > debug_level = 9
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = , default
> > debug_level = 9
> > [nss]
> > debug_level = 9
> > [pam]
> > debug_level = 9
> > [sudo]
> > debug_level = 9
> > [autofs]
> >
> > I have validated the ldap sasl configuration using ldapsearch, so I'm sure they are correct.
> >
> > The nisdomainname command returns the domain name.
> >
> > The sudo rules are:
> > # ipa sudorule-find
> > --------------------
> > 2 Sudo Rules matched
> > --------------------
> > Rule name: sudo-host1
> > Enabled: TRUE
> > Command category: all
> > RunAs User category: all
> > User Groups: host1-rw
> > Host Groups: host1
> > Sudo Option: -authenticate
> >
> > Rule name: sudo-host2
> > Enabled: TRUE
> > User Groups: host2-rw
> > Host Groups: host2
> > Sudo Option: -authenticate
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> > When a user in user group host1-rw sshs to a client in host group host1 and runs "sudo su -" the user gets prompted for a password even though the sudo option -authenticate is set.
> > I'm not convinced that sudo is even attempting to use sssd, but I'm not sure how to confirm this.
> >
> > I have seen some references to /etc/sudo-ldap.conf in online discussions of similar issues. This file exists on my client, but everything is commented out. Do I need to put the ldap client configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf for CentOS 6.3 clients?
> >
> > Any ideas about how to work out what is failing?
> >
> > Chris
>
> try "!authenticate" (without the quotes), not "-authenticate" (again, no quotes).

That made no difference (though I think you're correct that -authenticate is wrong).

Chris
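The sudo/sssd wiring under discussion in this thread, as an added example that is not code from any of the posters: it parses constructed copies of the nsswitch.conf line, the sssd.conf sections and the `ipa sudorule-find` output, shaped like the ones posted above (hypothetical domain name and search base), reports the client-side pieces that do not line up, and flags the option syntax Brendan pointed out. It checks only what the files say; it cannot tell whether the installed sudo binary was built with sssd support.

```python
"""Checks for the sssd-backed sudo wiring discussed in this thread: the
nsswitch.conf sudoers line, the sssd.conf sections, and the option syntax
in `ipa sudorule-find` output."""
import configparser
import re

# Constructed samples modelled on the configuration posted above; the domain
# name and search base are placeholders, not real hosts.
NSSWITCH = "passwd:  files sss\nsudoers: files sss\n"

SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.example.test, default

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa.example.test
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=test

[domain/default]
id_provider = ldap
"""

SUDORULE_FIND = """\
--------------------
2 Sudo Rules matched
--------------------
  Rule name: sudo-host1
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  User Groups: host1-rw
  Host Groups: host1
  Sudo Option: -authenticate

  Rule name: sudo-host2
  Enabled: TRUE
  User Groups: host2-rw
  Host Groups: host2
  Sudo Option: !authenticate
----------------------------
Number of entries returned 2
----------------------------
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_sudorules(text):
    """Turn `ipa sudorule-find` output into dicts of field -> list of values."""
    rules, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                            # separators and summary lines
        key = m.group(1)
        values = [v.strip() for v in m.group(2).split(",") if v.strip()]
        if key == "Rule name":                  # a new rule starts here
            current = {}
            rules.append(current)
        if current is not None:
            current.setdefault(key, []).extend(values)
    return rules


def option_findings(rule):
    """sudoOption values use sudoers syntax: a flag is negated with '!', so
    '-authenticate' is not a sudoers option at all."""
    name = rule["Rule name"][0]
    return [f"{name}: option '{opt}' should be '!{opt[1:]}'"
            for opt in rule.get("Sudo Option", []) if opt.startswith("-")]


def rule_applies(rule, user_groups, host_groups):
    """Does the rule cover a user in `user_groups` on a host in `host_groups`?"""
    if rule.get("Enabled", ["FALSE"])[0].upper() != "TRUE":
        return False
    user_ok = (rule.get("User category", [""])[0] == "all"
               or bool(set(rule.get("User Groups", [])) & set(user_groups)))
    host_ok = (rule.get("Host category", [""])[0] == "all"
               or bool(set(rule.get("Host Groups", [])) & set(host_groups)))
    return user_ok and host_ok


def check_client_wiring(nsswitch_text, sssd_text):
    """Return findings on the client-side pieces that must agree before sudo
    can consult sssd; an empty list means they line up."""
    findings, sources = [], []
    for line in nsswitch_text.splitlines():
        m = re.match(r"^\s*sudoers\s*:\s*(.*)$", line)
        if m:
            sources = m.group(1).split()
    if "sss" not in sources:
        findings.append("nsswitch.conf: 'sudoers' does not list sss, so sudo never asks sssd")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("sssd.conf: [sssd] services lacks sudo, so the sudo responder is not started")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not any(cp.has_option(f"domain/{d}", "sudo_provider") for d in domains):
        findings.append("sssd.conf: no listed domain sets sudo_provider explicitly")
    return findings
```

Run the checks against a real client by reading /etc/nsswitch.conf and /etc/sssd/sssd.conf instead of the constructed strings.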
From: CWhite at skytouchtechnology.com (Craig White)
Date: Fri, 2 Jan 2015 17:12:07 +0000
Subject: [Freeipa-users] ipa / sudoers on centos 6.3 client
In-Reply-To: <1420212496.14759.0.camel@desktop.bpk2.com>

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chris Card
Sent: Friday, January 02, 2015 8:45 AM
To: Brendan Kearney
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client

> Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
> From: bpk678 at gmail.com
> To: ctcard at hotmail.com
> CC: freeipa-users at redhat.com
> Date: Fri, 2 Jan 2015 10:28:16 -0500
>
> On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> > I have existing machines running CentOS 6.3 which I want to include in a freeipa domain.
> >
> > The domain controller machine is running Fedora 21 and freeipa-server-4.1.1-2 while the latest version of ipa I can find that runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
> >
> > I have successfully run ipa-client-install on the CentOS 6.3 client and set up users who can ssh to the client using ssh-keys.
> >
> > The problem is that I can't get sudo rules to work.
> > I know that the ipa client software version 3.0.0 doesn't automatically set up all the configuration for sssd to control sudo access, but I have set up all the configuration necessary manually:
> >
> > On the client, /etc/nsswitch.conf has
> >
> > sudoers files sss
> >
> > /etc/sssd/sssd.conf has
> >
> > [domain/default]
> > cache_credentials = True
> > krb5_realm =
> > krb5_server = :88
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > [domain/]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain =
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > chpass_provider = ipa
> > ipa_dyndns_update = True
> > ipa_server =
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > sudo_provider = ldap
> > ldap_uri = ldap://
> > ldap_sudo_search_base = ou=sudoers,
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/
> > ldap_sasl_realm =
> > krb5_server =
> > debug_level = 9
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = , default
> > debug_level = 9
> > [nss]
> > debug_level = 9
> > [pam]
> > debug_level = 9
> > [sudo]
> > debug_level = 9
> > [autofs]
> >
> > I have validated the ldap sasl configuration using ldapsearch, so I'm sure they are correct.
> >
> > The nisdomainname command returns the domain name.
> >
> > The sudo rules are:
> > # ipa sudorule-find
> > --------------------
> > 2 Sudo Rules matched
> > --------------------
> > Rule name: sudo-host1
> > Enabled: TRUE
> > Command category: all
> > RunAs User category: all
> > User Groups: host1-rw
> > Host Groups: host1
> > Sudo Option: -authenticate
> >
> > Rule name: sudo-host2
> > Enabled: TRUE
> > User Groups: host2-rw
> > Host Groups: host2
> > Sudo Option: -authenticate
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> > When a user in user group host1-rw sshs to a client in host group host1 and runs "sudo su -" the user gets prompted for a password even though the sudo option -authenticate is set.
> > I'm not convinced that sudo is even attempting to use sssd, but I'm not sure how to confirm this.
> >
> > I have seen some references to /etc/sudo-ldap.conf in online discussions of similar issues. This file exists on my client, but everything is commented out. Do I need to put the ldap client configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf for CentOS 6.3 clients?
> >
> > Any ideas about how to work out what is failing?
> >
> > Chris
>
> try "!authenticate" (without the quotes), not "-authenticate" (again, no quotes).

That made no difference (though I think you're correct that -authenticate is wrong).

Sudo didn't work correctly for me until I updated to RHEL 6.6 which had sssd-1.11

Just saying...

Craig
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 02 Jan 2015 13:02:33 -0500
Subject: [Freeipa-users] trust non-IPA certificate client
Message-ID: <54A6DD39.3080601@redhat.com>

Stephen Ingram wrote:
> On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram wrote:
>
> > I have one client using a certificate issued by a third party provider such that any secure (TLS) LDAP queries are refused since the certificates were not issued by IPA. Since there are only a few clients with foreign certificates, can the CA simply be added to the NSS database used by the 389 directory server so IPA will establish a secure connection with them?
>
> I should have added, "or do I have to somehow add the certificate to the IPA directory?"

Need a little more context here. IPA doesn't use SSL client authentication so it shouldn't be an issue. Can you provide more details on what the client side is doing and what errors you are seeing?

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 02 Jan 2015 13:14:36 -0500
Subject: [Freeipa-users] Integration with Solaris 10
Message-ID: <54A6E00C.7080502@redhat.com>

Watson, Dan wrote:
> Hi All,
>
> I've lurked in the list history and cannot find anyone saying they have gotten login restrictions working with Solaris 10 u8. Has anyone on here successfully configured login restrictions on Solaris 10 u8 through u11? I'm looking for specific instructions from someone who has gotten this to work before.
>
> The two main routes to login restrictions I could find online are Netgroups or conditional ldap queries in ldapclient
>
> I initially tried netgroups but wasn't sure how to troubleshoot when it didn't work. There don't seem to be any user-land tools to query netgroups and further investigation turned up an issue with OpenLDAP.
> It seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not the OpenLDAP standard RFC2307 (explanation here http://www.openldap.org/lists/openldap-software/200501/msg00309.html). Does anyone know if this issue applies to IPA? Or how I check?
>
> The alternative of passing a restrictive query to ldapclient seems like a good route but doesn't seem to work. The common solution when using the old SunOne directory server was to pass the ldapclient (command line ldap configuration tool) an option like "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) which is supposed to restrict account checking to only people in ou=people,p=myorg,c=de who are also members of cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work in IPA, first of all because there is no "isMemberof" attribute to a user, but also doesn't work on other attributes like uid or uidNumber. One possible explanation I've found is that these attributes are not indexed, but I have no idea if this is correct or how to add them to be indexed.
>
> Has anyone else solved this? I just need to be able to allow only a specific user group to log in to the host, unfortunately the ssh directive "AllowGroups" is not good enough, this has to be system wide as we also have samba and some other services that rely on system authentication.
>
> Can anyone be of some help?
>
> Thanks!
> Dan

You can use getent netgroup to get a specific netgroup. Or

    ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com

rob

From: CWhite at skytouchtechnology.com (Craig White)
Date: Fri, 2 Jan 2015 18:47:58 +0000
Subject: [Freeipa-users] sudo !requiretty !authenticate

Subject pretty much says it all.
Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands. But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty.

Is there a FreeIPA method that I am lacking?

Craig White
System Administrator
O 623-201-8179  M 602-377-9752
SkyTouch Technology
4225 E. Windrose Dr.
Phoenix, AZ 85032

From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 02 Jan 2015 14:07:47 -0500
Subject: [Freeipa-users] firewalld management
Message-ID: <54A6EC83.2090602@redhat.com>

On 01/01/2015 07:49 PM, Rob Crittenden wrote:
> Andrew Holway wrote:
>> This would perhaps be a very interesting addition to the HBAC stuff. We're considering deploying freeipa on EC2 and LDAP backed firewalld would be a very powerful tool for a geographically distributed system.
> There is an existing open ticket for this request, https://fedorahosted.org/freeipa/ticket/2110
>
> A user contributed an initial design a few months ago, http://www.freeipa.org/page/V4/Firewall_Configuration
>
> Definitely a desirable feature, just a matter of scheduling it.

It seems that the use cases are a bit different. The ticket talks about the IPA server firewall configuration. The thread seems to talk about the clients. I do not think we have a ticket for that.
The question seems to be: is IPA the right place to store and manage firewall rules centrally? How would they be enforced? Is it a one time configuration at the client installation or real time enforcement of the specific configuration via SSSD or something else? We start to bridge into the SCAP area. Is this the right direction to go? I have doubts...

Comments welcome!

> rob
>
>> On 31 December 2014 at 16:56, Jorick Astrego wrote:
>>
>>> Hi,
>>>
>>> FreeIPA is great! One thing I'm missing though is management of firewalld services and ports.
>>>
>>> Is that something that would fit in FreeIPA?
>>>
>>> Currently we are using puppet scripts through katello/the foreman, but as this is very error prone we'd like to have it centrally managed a different way.
>>>
>>> The firewall rules are very essential IMHO and I thought the whole point of firewalld is to make it more manageable...
>>>
>>> I already asked the katello guys but they don't appear very interested in implementing something there, then I started thinking it would maybe fit a lot better in freeIPA as it has more overlap with the other network/authentication stuff.
>>>
>>> It would be wasteful to have another project just for firewalld management.
>>>
>>> Happy new year everybody!
>>>
>>> Jorick

--
Thank you,
Dmitri Pal

Sr. Engineering Manager, IdM portfolio
Red Hat, Inc.

From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 02 Jan 2015 14:14:57 -0500
Subject: [Freeipa-users] ipa / sudoers on centos 6.3 client
Message-ID: <54A6EE31.4080002@redhat.com>

On 01/02/2015 12:12 PM, Craig White wrote:
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chris Card
> Sent: Friday, January 02, 2015 8:45 AM
> To: Brendan Kearney
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
>
> > Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
> > From: bpk678 at gmail.com
> > To: ctcard at hotmail.com
> > CC: freeipa-users at redhat.com
> > Date: Fri, 2 Jan 2015 10:28:16 -0500
> >
> > On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> > > I have existing machines running CentOS 6.3 which I want to include in a freeipa domain.
> > >
> > > The domain controller machine is running Fedora 21 and freeipa-server-4.1.1-2 while the latest version of ipa I can find that runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
> > >
> > > I have successfully run ipa-client-install on the CentOS 6.3 client and set up users who can ssh to the client using ssh-keys.
> > >
> > > The problem is that I can't get sudo rules to work.
I know that the > > > ipa client software version 3.0.0 doesn't automatically set up all the > > > configuration for sssd to control sudo access, but I have set up all > > > the configuration necessary manually: > > > > > > > > > On the client, /etc/nsswitch.conf has > > > > > > > > > sudoers files sss > > > > > > > > > /etc/sssd/sssd/conf has > > > > > > > > > [domain/default] > > > > > > > > > cache_credentials = True > > > krb5_realm = > > > krb5_server = :88 > > > id_provider = ldap > > > auth_provider = ldap > > > chpass_provider = ldap > > > ldap_tls_cacertdir = /etc/openldap/cacerts > > > [domain/] > > > > > > > > > cache_credentials = True > > > krb5_store_password_if_offline = True > > > ipa_domain = > > > id_provider = ipa > > > auth_provider = ipa > > > access_provider = ipa > > > chpass_provider = ipa > > > ipa_dyndns_update = True > > > ipa_server = > > > ldap_tls_cacert = /etc/ipa/ca.crt > > > sudo_provider = ldap > > > ldap_uri = ldap:// > > > ldap_sudo_search_base = ou=sudoers, > > > ldap_sasl_mech = GSSAPI > > > ldap_sasl_authid = host/ > > > ldap_sasl_realm = > > > krb5_server = > > > debug_level = 9 > > > [sssd] > > > services = nss, pam, ssh, sudo > > > config_file_version = 2 > > > > > > > > > domains = , default > > > debug_level = 9 > > > [nss] > > > debug_level = 9 > > > > > > > > > [pam] > > > debug_level = 9 > > > > > > > > > [sudo] > > > debug_level = 9 > > > [autofs] > > > > > > > > > I have validated the ldap sasl configuration using ldapsearch, so I'm > > > sure they are correct. > > > > > > > > > The nisdomainname command returns the domain name. 
> > > The sudo rules are:
> > > # ipa sudorule-find
> > > --------------------
> > > 2 Sudo Rules matched
> > > --------------------
> > > Rule name: sudo-host1
> > > Enabled: TRUE
> > > Command category: all
> > > RunAs User category: all
> > > User Groups: host1-rw
> > > Host Groups: host1
> > > Sudo Option: -authenticate
> > >
> > > Rule name: sudo-host2
> > > Enabled: TRUE
> > > User Groups: host2-rw
> > > Host Groups: host2
> > > Sudo Option: -authenticate
> > > ----------------------------
> > > Number of entries returned 2
> > > ----------------------------
> > >
> > > When a user in user group host1-rw sshs to a client in host group
> > > host1 and runs "sudo su -" the user gets prompted for a password even
> > > though the sudo option -authenticate is set.
> > > I'm not convinced that sudo is even attempting to use sssd, but I'm
> > > not sure how to confirm this.
> > >
> > > I have seen some references to /etc/sudo-ldap.conf in online
> > > discussions of similar issues. This file exists on my client, but
> > > everything is commented out. Do I need to put the ldap client
> > > configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf
> > > for CentOS 6.3 clients?
> > >
> > > Any ideas about how to work out what is failing?
> > >
> > > Chris
> >
> > try "!authenticate" (without the quotes), not "-authenticate" (again,
> > no quotes).
> That made no difference (though I think you're correct that
> -authenticate is wrong).
>
> Sudo didn't work correctly for me until I updated to RHEL 6.6 which
> had sssd-1.11
>
> Just saying...
>
> Craig
>

I think 6.3 is the last version where SUDO integration with SSSD does not work out of the box. You would need to configure SUDO independently from SSSD in the old way using a direct LDAP connection. AFAIR the configuration is in sudo-ldap.conf. Find the RHEL 6.3 manual online. I think the doc is correct except that it mentions ldap.conf instead of sudo-ldap.
Sorry if the names above are not spelled right (maybe it is sudo_ldap or something like that), I was writing off the top of my head.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dpal at redhat.com Fri Jan 2 19:17:59 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 02 Jan 2015 14:17:59 -0500
Subject: [Freeipa-users] KDC has no support for encryption type
In-Reply-To:
References: <54A1D467.5040800@redhat.com>
Message-ID: <54A6EEE7.6060706@redhat.com>

On 12/30/2014 06:06 AM, Matt . wrote:
> Reading up on this the weak password setting should work, but it doesn't.
>
> What are my chances here as I need to do a "ipa pwpolicy-mod --maxlife 200"

This touches the expiration, not the encryption types.

>
> Or can this be done from an ldap browser too ?

Yes. It sets the global kerberos password expiration attribute.

>
> 2014-12-29 23:31 GMT+01:00 Matt . :
>> OK, thanks for that.
>>
>> But should an IPA install not add them by default ? Maybe this is some
>> 4.x dev which is still needed ?
>>
>> I need to look what I exactly need.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From Dan.Watson at bcferries.com Fri Jan 2 19:41:23 2015
From: Dan.Watson at bcferries.com (Watson, Dan)
Date: Fri, 2 Jan 2015 12:41:23 -0700
Subject: [Freeipa-users] Integration with Solaris 10
In-Reply-To: <54A6E00C.7080502@redhat.com>
References: <54A6E00C.7080502@redhat.com>
Message-ID:

Hi Rob,

Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem to like the netgroup option:
-bash-3.2# getent netgroup test1
Unknown database: netgroup
usage: getent database [ key ... ]
-bash-3.2# uname -a
SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120
-bash-3.2# cat /etc/release
Solaris 10 10/09 s10s_u8wos_08a SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 16 September 2009 -bash-3.2# Thanks! Dan -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: January 02, 2015 10:15 AM To: Watson, Dan; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Integration with Solaris 10 Watson, Dan wrote: > Hi All, > > I've lurked in the list history and cannot find anyone saying they have gotten login restrictions working with Solaris 10 u8. Has anyone on here successfully configured login restrictions on Solaris 10 u8 through u11? I'm looking for specific instructions from someone who has gotten this to work before. > > The two main routes to login restrictions I could find online are Netgroups or conditional ldap queries in ldapclient > > I initially tried netgroups but wasn't sure how to trouble shoot when it didn't work. There don't seem to be any user-land tools to query netgroups and further investigation turned up an issue with OpenLDAP. It seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not the OpenLDAP standard RFC2307 (explanation here http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does anyone know if this issue applies to IPA? Or how I check? > > The alternative of passing a restrictive query to ldapclient seems like a good route but doesn't seem to work. The common solution when using the old SunOne directory server was to pass the ldapclient (command line ldap configuration tool) an option like "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) which is supposed to restrict account checking to only people in ou=people,p=myorg,c=de who are also members of cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work in IPA, first of all because there is no "isMemberof" attribute to a user, but also doesn't work on other attributes like uid or uidNumber. 
One possible explanation I've found is that these attributes are not indexed, but I have no idea if this is correct or how to add them to be indexed.
>
> Has anyone else solved this? I just need to be able to allow only a specific user group to log in to the host; unfortunately the ssh directive "AllowGroups" is not good enough, this has to be system wide as we also have samba and some other services that rely on system authentication.
>
> Can anyone be of some help?
>
> Thanks!
> Dan
>

You can use getent netgroup to get a specific netgroup.

Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com

rob

From Dan.Watson at bcferries.com Fri Jan 2 20:17:57 2015
From: Dan.Watson at bcferries.com (Watson, Dan)
Date: Fri, 2 Jan 2015 13:17:57 -0700
Subject: [Freeipa-users] Integration with Solaris 10
In-Reply-To:
References: <54A6E00C.7080502@redhat.com>
Message-ID:

I finally got it working: the default setup of "ldapclient init" missed the special mapping for netgroups, so I had to do a manual setup that included the mapping.

ldapclient manual \
  -a credentialLevel=anonymous \
  -a authenticationMethod=none \
  -a defaultSearchBase=dn=domain,dn=name \
  -a domainName=domain.name \
  -a defaultServerList=server.domain.name \
  -a objectClassMap=shadow:shadowAccount=posixaccount \
  -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
  -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \
  -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \
  -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp

It's the last line that forces the OS-level ldap client to look in the right location for the netgroup information. I hope this helps the next person.

Thanks for all the help!
Dan

-----Original Message-----
From: Watson, Dan
Sent: January 02, 2015 11:41 AM
To: 'Rob Crittenden'; freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Integration with Solaris 10

Hi Rob,

Thanks for the reply.
Unfortunately /usr/bin/getent on my system doesn't seem to like the netgroup option: -bash-3.2# getent netgroup test1 Unknown database: netgroup usage: getent database [ key ... ] -bash-3.2# uname -a SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120 -bash-3.2# cat /etc/release Solaris 10 10/09 s10s_u8wos_08a SPARC Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. Use is subject to license terms. Assembled 16 September 2009 -bash-3.2# Thanks! Dan -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: January 02, 2015 10:15 AM To: Watson, Dan; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Integration with Solaris 10 Watson, Dan wrote: > Hi All, > > I've lurked in the list history and cannot find anyone saying they have gotten login restrictions working with Solaris 10 u8. Has anyone on here successfully configured login restrictions on Solaris 10 u8 through u11? I'm looking for specific instructions from someone who has gotten this to work before. > > The two main routes to login restrictions I could find online are Netgroups or conditional ldap queries in ldapclient > > I initially tried netgroups but wasn't sure how to trouble shoot when it didn't work. There don't seem to be any user-land tools to query netgroups and further investigation turned up an issue with OpenLDAP. It seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not the OpenLDAP standard RFC2307 (explanation here http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does anyone know if this issue applies to IPA? Or how I check? > > The alternative of passing a restrictive query to ldapclient seems like a good route but doesn't seem to work. 
The common solution when using the old SunOne directory server was to pass the ldapclient (command line ldap configuration tool) an option like "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) which is supposed to restrict account checking to only people in ou=people,p=myorg,c=de who are also members of cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work in IPA, first of all because there is no "isMemberof" attribute to a user, but also doesn't work on other attributes like uid or uidNumber. One possible explanation I've found is that these attributes are not indexed, but I have no idea if this is correct or how to add them to be indexed. > > Has anyone else solved this? I just need to be able to allow only a specific user group to log in to the host, unfortunately the ssh directive "AllowGroups" is not good enough, this has to be system wide as we also have samba and some other services that rely on system authentication. > > Can anyone be of some help? > > Thanks! > Dan > You can use getent netgroup to get a specific netgroup. Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com rob From dpal at redhat.com Fri Jan 2 21:11:49 2015 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 02 Jan 2015 16:11:49 -0500 Subject: [Freeipa-users] Integration with Solaris 10 In-Reply-To: References: <54A6E00C.7080502@redhat.com> Message-ID: <54A70995.2000109@redhat.com> On 01/02/2015 03:17 PM, Watson, Dan wrote: > I finally got it working, the default setup of "ldapclient init" missed the special mapping for netgroups, so I had to do a manual setup that included the mapping. 
> > ldapclient manual \ > -a credentialLevel=anonymous \ > -a authenticationMethod=none \ > -a defaultSearchBase=dn=domain,dn=name \ > -a domainName=domain.name \ > -a defaultServerList=server.domain.name \ > -a objectClassMap=shadow:shadowAccount=posixaccount \ > -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \ > -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \ > -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \ > -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp > > It's the last line that forces the OS level ldap client to look in the rich location for the netgroup information. I hope this helps the next person. Would you mind creating a wiki page with the solution on the wiki? > > Thanks for all the help! > Dan > -----Original Message----- > From: Watson, Dan > Sent: January 02, 2015 11:41 AM > To: 'Rob Crittenden'; freeipa-users at redhat.com > Subject: RE: [Freeipa-users] Integration with Solaris 10 > > Hi Rob, > > Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem to like the netgroup option: > -bash-3.2# getent netgroup test1 > Unknown database: netgroup > usage: getent database [ key ... ] > -bash-3.2# uname -a > SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120 > -bash-3.2# cat /etc/release > Solaris 10 10/09 s10s_u8wos_08a SPARC > Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. > Use is subject to license terms. > Assembled 16 September 2009 > -bash-3.2# > > Thanks! > Dan > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: January 02, 2015 10:15 AM > To: Watson, Dan; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Integration with Solaris 10 > > Watson, Dan wrote: >> Hi All, >> >> I've lurked in the list history and cannot find anyone saying they have gotten login restrictions working with Solaris 10 u8. 
Has anyone on here successfully configured login restrictions on Solaris 10 u8 through u11? I'm looking for specific instructions from someone who has gotten this to work before. >> >> The two main routes to login restrictions I could find online are Netgroups or conditional ldap queries in ldapclient >> >> I initially tried netgroups but wasn't sure how to trouble shoot when it didn't work. There don't seem to be any user-land tools to query netgroups and further investigation turned up an issue with OpenLDAP. It seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not the OpenLDAP standard RFC2307 (explanation here http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does anyone know if this issue applies to IPA? Or how I check? >> >> The alternative of passing a restrictive query to ldapclient seems like a good route but doesn't seem to work. The common solution when using the old SunOne directory server was to pass the ldapclient (command line ldap configuration tool) an option like "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) which is supposed to restrict account checking to only people in ou=people,p=myorg,c=de who are also members of cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work in IPA, first of all because there is no "isMemberof" attribute to a user, but also doesn't work on other attributes like uid or uidNumber. One possible explanation I've found is that these attributes are not indexed, but I have no idea if this is correct or how to add them to be indexed. >> >> Has anyone else solved this? I just need to be able to allow only a specific user group to log in to the host, unfortunately the ssh directive "AllowGroups" is not good enough, this has to be system wide as we also have samba and some other services that rely on system authentication. 
>> >> Can anyone be of some help? >> >> Thanks! >> Dan >> > You can use getent netgroup to get a specific netgroup. > > Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com > > rob > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From rcritten at redhat.com Fri Jan 2 21:45:10 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 02 Jan 2015 16:45:10 -0500 Subject: [Freeipa-users] Integration with Solaris 10 In-Reply-To: References: <54A6E00C.7080502@redhat.com> Message-ID: <54A71166.1040403@redhat.com> Watson, Dan wrote: > Hi Rob, > > Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem to like the netgroup option: > -bash-3.2# getent netgroup test1 > Unknown database: netgroup > usage: getent database [ key ... ] > -bash-3.2# uname -a > SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120 > -bash-3.2# cat /etc/release > Solaris 10 10/09 s10s_u8wos_08a SPARC > Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. > Use is subject to license terms. > Assembled 16 September 2009 > -bash-3.2# Sorry, my Solaris is very rusty. You need to add a service descriptor to the DUA profile if you haven't already, something like: serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com Then re-init the client. getent is still not going to work but ldaplist will: # ldaplist netgroup rob > > Thanks! > Dan > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: January 02, 2015 10:15 AM > To: Watson, Dan; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Integration with Solaris 10 > > Watson, Dan wrote: >> Hi All, >> >> I've lurked in the list history and cannot find anyone saying they have gotten login restrictions working with Solaris 10 u8. Has anyone on here successfully configured login restrictions on Solaris 10 u8 through u11? 
I'm looking for specific instructions from someone who has gotten this to work before. >> >> The two main routes to login restrictions I could find online are Netgroups or conditional ldap queries in ldapclient >> >> I initially tried netgroups but wasn't sure how to trouble shoot when it didn't work. There don't seem to be any user-land tools to query netgroups and further investigation turned up an issue with OpenLDAP. It seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not the OpenLDAP standard RFC2307 (explanation here http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does anyone know if this issue applies to IPA? Or how I check? >> >> The alternative of passing a restrictive query to ldapclient seems like a good route but doesn't seem to work. The common solution when using the old SunOne directory server was to pass the ldapclient (command line ldap configuration tool) an option like "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) which is supposed to restrict account checking to only people in ou=people,p=myorg,c=de who are also members of cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work in IPA, first of all because there is no "isMemberof" attribute to a user, but also doesn't work on other attributes like uid or uidNumber. One possible explanation I've found is that these attributes are not indexed, but I have no idea if this is correct or how to add them to be indexed. >> >> Has anyone else solved this? I just need to be able to allow only a specific user group to log in to the host, unfortunately the ssh directive "AllowGroups" is not good enough, this has to be system wide as we also have samba and some other services that rely on system authentication. >> >> Can anyone be of some help? >> >> Thanks! >> Dan >> > > You can use getent netgroup to get a specific netgroup. 
> > Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com > > rob > From rcritten at redhat.com Fri Jan 2 21:45:57 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 02 Jan 2015 16:45:57 -0500 Subject: [Freeipa-users] Integration with Solaris 10 In-Reply-To: References: <54A6E00C.7080502@redhat.com> Message-ID: <54A71195.4050308@redhat.com> Watson, Dan wrote: > I finally got it working, the default setup of "ldapclient init" missed the special mapping for netgroups, so I had to do a manual setup that included the mapping. > > ldapclient manual \ > -a credentialLevel=anonymous \ > -a authenticationMethod=none \ > -a defaultSearchBase=dn=domain,dn=name \ > -a domainName=domain.name \ > -a defaultServerList=server.domain.name \ > -a objectClassMap=shadow:shadowAccount=posixaccount \ > -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \ > -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \ > -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \ > -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp > > It's the last line that forces the OS level ldap client to look in the rich location for the netgroup information. I hope this helps the next person. Glad you got it working, and that'll teach me to catch up on all e-mail before responding :-) rob > > Thanks for all the help! > Dan > -----Original Message----- > From: Watson, Dan > Sent: January 02, 2015 11:41 AM > To: 'Rob Crittenden'; freeipa-users at redhat.com > Subject: RE: [Freeipa-users] Integration with Solaris 10 > > Hi Rob, > > Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem to like the netgroup option: > -bash-3.2# getent netgroup test1 > Unknown database: netgroup > usage: getent database [ key ... 
] > -bash-3.2# uname -a > SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120 > -bash-3.2# cat /etc/release > Solaris 10 10/09 s10s_u8wos_08a SPARC > Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. > Use is subject to license terms. > Assembled 16 September 2009 > -bash-3.2# > > Thanks! > Dan > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: January 02, 2015 10:15 AM > To: Watson, Dan; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Integration with Solaris 10 > > Watson, Dan wrote: >> Hi All, >> >> I've lurked in the list history and cannot find anyone saying they have gotten login restrictions working with Solaris 10 u8. Has anyone on here successfully configured login restrictions on Solaris 10 u8 through u11? I'm looking for specific instructions from someone who has gotten this to work before. >> >> The two main routes to login restrictions I could find online are Netgroups or conditional ldap queries in ldapclient >> >> I initially tried netgroups but wasn't sure how to trouble shoot when it didn't work. There don't seem to be any user-land tools to query netgroups and further investigation turned up an issue with OpenLDAP. It seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not the OpenLDAP standard RFC2307 (explanation here http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does anyone know if this issue applies to IPA? Or how I check? >> >> The alternative of passing a restrictive query to ldapclient seems like a good route but doesn't seem to work. 
The common solution when using the old SunOne directory server was to pass the ldapclient (command line ldap configuration tool) an option like "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) which is supposed to restrict account checking to only people in ou=people,p=myorg,c=de who are also members of cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work in IPA, first of all because there is no "isMemberof" attribute to a user, but also doesn't work on other attributes like uid or uidNumber. One possible explanation I've found is that these attributes are not indexed, but I have no idea if this is correct or how to add them to be indexed. >> >> Has anyone else solved this? I just need to be able to allow only a specific user group to log in to the host, unfortunately the ssh directive "AllowGroups" is not good enough, this has to be system wide as we also have samba and some other services that rely on system authentication. >> >> Can anyone be of some help? >> >> Thanks! >> Dan >> > > You can use getent netgroup to get a specific netgroup. > > Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com > > rob > From genadipost at gmail.com Sat Jan 3 03:13:07 2015 From: genadipost at gmail.com (Genadi Postrilko) Date: Sat, 3 Jan 2015 05:13:07 +0200 Subject: [Freeipa-users] IPA trust integration in AD Forests that been upgraded to higher functional level Message-ID: Hello all. I'm working on integrating AD trust feature in the forest of a large organization (Its network is not connected to the internet). First I tested the trust in "clean" environment (that i have deployed) to simulate production forest deployment , in the following configuration: The forest root domain : red.com Second Domain tree : blue.com IPA : linux.blue.com All the AD DCs are 2008 R2 server and 2008 R2 functional level. 
The IPA server is installed on RHEL 7:
ipa-server-3.3.3-28.el7_0.1.x86_64
ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64
ipa-python-3.3.3-28.el7_0.1.x86_64

With help from the mailing list, all works fine. Users from both red.com and blue.com are able to log into the IPA domain.

After the success, I proceeded to test the trust in the organization's test environment. The installation of the trust itself completed successfully. But although users from red.com were able to log into the IPA domain, users from blue.com couldn't. After checking the sssd logs it seemed as if the blue.com domain is unknown to IPA. Therefore I ran "ipa trustdomain-find red.com" in both environments, to see if there are any differences. And indeed there were: while in the "clean" environment the command returned both the red.com and blue.com domains, in the organization's test environment it returned only red.com. I tried to re-fetch the domain with "ipa trust-fetch-domains red.com" but it returned the message "No new trust domains were found". It made me think that maybe the AD is not returning all domains in the forest.

I opened wireshark in both environments and ran "ipa trust-fetch-domains red.com" to see what is being sent from AD to IPA. In both environments I saw the DsrEnumerateDomainTrusts request and response. Reading the content of the response showed that in both environments the response contained the red.com and blue.com domains. After inspecting the structures that contain the domain information (DS_DOMAIN_TRUSTS), I noticed that in both environments the TrustAttribute of red.com is set to 0x0000000. But the TrustAttribute of blue.com is set to 0x00000020 (TRUST_ATTRIBUTE_WITHIN_FOREST) in the "clean" environment and to 0x00800000 in the test environment.

Reading MSDN for TrustAttribute explains the following: http://msdn.microsoft.com/en-us/library/cc223779.aspx
(TRUST_ATTRIBUTE_WITHIN_FOREST) 0x00000020: If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

While I couldn't find specific information about 0x00800000, I did find this: 0x00400000 - 0x00800000: Previously used trust bits, and are obsolete.

I did not find more information on 0x00800000 or a reason why the attributes would be different in the two deployments. I asked for advice from the Microsoft IT guy in the organization. He said that the difference in the TrustAttribute is caused by the fact that the "clean" environment was created as Windows Server 2008, while the test (and production) forest was created as Windows 2000 servers (about 12 years ago) and the forest was gradually upgraded to 2003 and 2008 over the years. I couldn't find more information on the attribute for Windows Server 2000/2003, but the theory sounds quite logical.

I decided to check if TrustAttribute influences IPA's domain fetch. The fetch_domains function in /usr/lib/python2.7/site-packages/ipaserver/dcerpc.py contains the following lines of code:

    trust_attributes = dict(
        NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001,
        NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002,
        NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004,
        NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008,
        NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010,
        NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020,
        NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040)
    .
    .
    .
    result = []
    for t in domains.array:
        if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
            (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
            res = dict()
            res['cn'] = unicode(t.dns_name)
            res['ipantflatname'] = unicode(t.netbios_name)
            res['ipanttrusteddomainsid'] = unicode(t.sid)
            res['ipanttrustpartner'] = res['cn']
            result.append(res)

The bit-wise operation is performed to check if the trust attribute is set to TRUST_ATTRIBUTE_WITHIN_FOREST (0x00000020) and if so, the trust is added to the result array. It seems the value of TrustAttribute set to 0x00800000 is the reason the domain wasn't fetched.

To confirm it I changed the if statement to:

        if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] or
             (t.trust_attributes & 0x00800000)) and
            (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):

Then I deleted and recreated the trust and finally ran "ipa trust-fetch-domains red.com" - this time the blue.com domain did appear! I was able to log in with users from both red.com and blue.com to the IPA domain.

Checking both upstream 3.3 and 4.1 shows that the if statement was changed to:

        if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and
            (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):

https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-3-3#n1039
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-4-1#n1102

At first sight it looks like blue.com will be fetched. I haven't yet tested if upstream works in the test environment.

Any thoughts on the subject will be great. (I hope I'm not mentioning something that was solved long ago.)

Genadi
-------------- next part --------------
An HTML attachment was scrubbed...
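The three versions of the fetch_domains filter discussed in this message (the 3.3.3-28 condition, the local patch, and the upstream ipa-3-3/ipa-4-1 condition), replayed over constructed DS_DOMAIN_TRUSTS records; this is an added example, not FreeIPA's own code. It assumes MS-NRPC values for the NETR_TRUST_FLAG_* bits (the thread does not quote them), builds the two forests from the TrustAttributes values reported (0x20 vs 0x00800000), and adds a hypothetical 0x00400000 case to show why the attribute-based check is fragile.

```python
"""Replay of the trust-domain enumeration filter from ipaserver/dcerpc.py
over constructed DS_DOMAIN_TRUSTS records (added example, not FreeIPA code).

Assumptions: NETR_TRUST_FLAG_* values are taken from MS-NRPC
(DS_DOMAIN_IN_FOREST / DS_DOMAIN_PRIMARY) and are not quoted in the thread;
SIDs and the 0x00400000 record are constructed placeholders.
"""
from collections import namedtuple

# TrustAttributes bit quoted from the dcerpc.py dict in the thread.
NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020
# Bit observed on the forest that was upgraded from Windows 2000; MS-ADTS only
# says 0x00400000-0x00800000 are "previously used" and obsolete.
OBSOLETE_ATTRIBUTE_BIT = 0x00800000

# DS_DOMAIN_TRUSTS.Flags (MS-NRPC); assumed values, not from the thread.
NETR_TRUST_FLAG_IN_FOREST = 0x00000001
NETR_TRUST_FLAG_PRIMARY = 0x00000008

# Minimal stand-in for one element of domains.array as dcerpc.py sees it.
DomainTrust = namedtuple(
    "DomainTrust", "dns_name netbios_name sid trust_flags trust_attributes")


def to_ipa_entry(t):
    """Dict dcerpc.py builds for each accepted domain (keys from the thread)."""
    return {
        "cn": t.dns_name,
        "ipantflatname": t.netbios_name,
        "ipanttrusteddomainsid": t.sid,
        "ipanttrustpartner": t.dns_name,
    }


def accept_ipa_3_3_3(t):
    """Condition in the 3.3.3-28 package: WITHIN_FOREST attribute and in-forest flag."""
    return bool((t.trust_attributes & NETR_TRUST_ATTRIBUTE_WITHIN_FOREST)
                and (t.trust_flags & NETR_TRUST_FLAG_IN_FOREST))


def accept_thread_patch(t):
    """The local patch from the thread: additionally admit the observed obsolete bit."""
    return bool(((t.trust_attributes & NETR_TRUST_ATTRIBUTE_WITHIN_FOREST)
                 or (t.trust_attributes & OBSOLETE_ATTRIBUTE_BIT))
                and (t.trust_flags & NETR_TRUST_FLAG_IN_FOREST))


def accept_upstream(t):
    """Condition in upstream ipa-3-3 / ipa-4-1: every non-primary in-forest
    domain, ignoring TrustAttributes altogether."""
    return bool(not (t.trust_flags & NETR_TRUST_FLAG_PRIMARY)
                and (t.trust_flags & NETR_TRUST_FLAG_IN_FOREST))


def fetch_domains(domains, accept):
    """The loop body of fetch_domains() with a pluggable acceptance test."""
    return [to_ipa_entry(t) for t in domains if accept(t)]


def fetched_names(domains, accept):
    return [entry["cn"] for entry in fetch_domains(domains, accept)]


# Constructed sample data. red.com is the domain whose DC answers
# DsrEnumerateDomainTrusts, so it carries the PRIMARY flag and attributes 0.
RED = DomainTrust("red.com", "RED", "S-1-5-21-1-1-1",
                  NETR_TRUST_FLAG_PRIMARY | NETR_TRUST_FLAG_IN_FOREST, 0x00000000)
# Second tree in a forest created on Windows Server 2008: WITHIN_FOREST is set.
BLUE_CLEAN = DomainTrust("blue.com", "BLUE", "S-1-5-21-2-2-2",
                         NETR_TRUST_FLAG_IN_FOREST, NETR_TRUST_ATTRIBUTE_WITHIN_FOREST)
# Same tree in the forest upgraded from Windows 2000: only the obsolete bit.
BLUE_UPGRADED = DomainTrust("blue.com", "BLUE", "S-1-5-21-2-2-2",
                            NETR_TRUST_FLAG_IN_FOREST, OBSOLETE_ATTRIBUTE_BIT)
# Hypothetical: the other obsolete bit from the MS-ADTS range.
BLUE_OTHER_OBSOLETE = DomainTrust("blue.com", "BLUE", "S-1-5-21-2-2-2",
                                  NETR_TRUST_FLAG_IN_FOREST, 0x00400000)

CLEAN_FOREST = [RED, BLUE_CLEAN]
UPGRADED_FOREST = [RED, BLUE_UPGRADED]
OTHER_OBSOLETE_FOREST = [RED, BLUE_OTHER_OBSOLETE]

if __name__ == "__main__":
    for label, forest in [("clean", CLEAN_FOREST),
                          ("upgraded", UPGRADED_FOREST),
                          ("other-obsolete", OTHER_OBSOLETE_FOREST)]:
        print(label,
              "3.3.3:", fetched_names(forest, accept_ipa_3_3_3),
              "patch:", fetched_names(forest, accept_thread_patch),
              "upstream:", fetched_names(forest, accept_upstream))
```

Only the upstream condition, which keys on the flags rather than on TrustAttributes, returns blue.com for all three forests; the local patch recovers the 0x00800000 case but still misses any other attribute value an upgraded forest might carry.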
URL:

From william.muriithi at gmail.com Sat Jan 3 03:13:07 2015
From: william.muriithi at gmail.com (William Muriithi)
Date: Fri, 02 Jan 2015 22:13:07 -0500
Subject: [Freeipa-users] ipa / sudoers on centos 6.3 client
In-Reply-To:
References:
Message-ID: <20150103031307.6033553.20862.12342@gmail.com>

Hi,

I also think you will have to update to rhel 6.6 if you want to use sssd for sudo. If updating to 6.6 is not a problem, this would be least painful.

> > > The problem is that I can't get sudo rules to work. I know that the
> > > ipa client software version 3.0.0 doesn't automatically set up all the
> > > configuration for sssd to control sudo access, but I have set up all
> > > the configuration necessary manually:
> > >
> > > On the client, /etc/nsswitch.conf has
> > >
> > > sudoers files sss

This will work only for rhel 6.6. Add ldap between files and sss if you won't be using 6.6.

> > >
> > > /etc/sssd/sssd/conf has
> > >
> > > [domain/default]
> > >
> > > cache_credentials = True
> > > krb5_realm =
> > > krb5_server = :88
> > > id_provider = ldap
> > > auth_provider = ldap
> > > chpass_provider = ldap
> > > ldap_tls_cacertdir = /etc/openldap/cacerts
> > > [domain/]

Remove the ldap related lines if on 6.6.
If you are not going to use 6.6, keep them, but add a bind password on ipa-server as it can't bind anonymously > > > > > > > > > cache_credentials = True > > > krb5_store_password_if_offline = True > > > ipa_domain = > > > id_provider = ipa > > > auth_provider = ipa > > > access_provider = ipa > > > chpass_provider = ipa > > > ipa_dyndns_update = True > > > ipa_server = > > > ldap_tls_cacert = /etc/ipa/ca.crt > > > sudo_provider = ldap This is assuming you are not using 6.6, else replace ldap with sss > > > ldap_uri = ldap:// > > > ldap_sudo_search_base = ou=sudoers, > > > ldap_sasl_mech = GSSAPI > > > ldap_sasl_authid = host/ > > > ldap_sasl_realm = > > > krb5_server = > > > debug_level = 9 > > > [sssd] > > > services = nss, pam, ssh, sudo > > > config_file_version = 2 > > > > > > > > > domains = , default > > > debug_level = 9 > > > [nss] > > > debug_level = 9 > > > > > > > > > [pam] > > > debug_level = 9 > > > > > > > > > [sudo] > > > debug_level = 9 > > > [autofs] > > > > > > > > > I have validated the ldap sasl configuration using ldapsearch, so I'm > > > sure they are correct. > > > > > > > > > The nisdomainname command returns the domain name. > > > > > > > > > The sudo rules are: > > > # ipa sudorule-find > > > -------------------- > > > 2 Sudo Rules matched > > > -------------------- > > > Rule name: sudo-host1 > > > Enabled: TRUE > > > Command category: all > > > RunAs User category: all > > > User Groups: host1-rw > > > Host Groups: host1 > > > Sudo Option: -authenticate > > > > > > > > > Rule name: sudo-host2 > > > Enabled: TRUE > > > User Groups: host2-rw > > > Host Groups: host2 > > > Sudo Option: -authenticate > > > ---------------------------- > > > Number of entries returned 2 > > > ---------------------------- > > > > > > > > > When a user in user group host1-rw sshs to a client in host group > > > host1 and runs "sudo su -" the user gets prompted for a password even > > > though the sudo option -authenticate is set. 
> > > I'm not convinced that sudo is even attempting to use sssd, but I'm > > > not sure how to confirm this. I think command group all or category all may be problematic. Enable debugging to see if category all is being considered. For me, I had to adjust that, but can't recall how I went around it from memory. > > > > > > > > > I have seen some references to /etc/sudo-ldap.conf in online > > > discussions of similar issues. This file exists on my client, but > > > everything is commented out. Do I need to put the ldap client > > > configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf > > > for CentOS 6.3 clients? Yes. Uncomment the lines that are commented with a single # and customize it with your realm details plus password you created on ipa-server. At the bottom, enable debugging in case it don't work on first attempt.? If you are on 6.6, disregard this file > > > > > > > > > Any ideas about how to work out what is failing? William? From bentech4you at gmail.com Sat Jan 3 08:26:36 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Sat, 3 Jan 2015 11:26:36 +0300 Subject: [Freeipa-users] Integration with Solaris 10 In-Reply-To: <54A70995.2000109@redhat.com> References: <54A6E00C.7080502@redhat.com> <54A70995.2000109@redhat.com> Message-ID: Hi Dmitri i was trying this from last 3 weeks. can you please give us more details about this. I tried ldapclient and i got lot of dependency service related error. can you please give me list of services and configuration file need to change/enable before trying ldapclient ? once again thanks for your effort. Thanks & Regards, Ben On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal wrote: > On 01/02/2015 03:17 PM, Watson, Dan wrote: > >> I finally got it working, the default setup of "ldapclient init" missed >> the special mapping for netgroups, so I had to do a manual setup that >> included the mapping. 
>> >> ldapclient manual \ >> -a credentialLevel=anonymous \ >> -a authenticationMethod=none \ >> -a defaultSearchBase=dn=domain,dn=name \ >> -a domainName=domain.name \ >> -a defaultServerList=server.domain.name \ >> -a objectClassMap=shadow:shadowAccount=posixaccount \ >> -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' >> \ >> -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp >> \ >> -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp >> \ >> -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp >> >> It's the last line that forces the OS level ldap client to look in the >> rich location for the netgroup information. I hope this helps the next >> person. >> > > Would you mind creating a wiki page with the solution on the wiki? > > > >> Thanks for all the help! >> Dan >> -----Original Message----- >> From: Watson, Dan >> Sent: January 02, 2015 11:41 AM >> To: 'Rob Crittenden'; freeipa-users at redhat.com >> Subject: RE: [Freeipa-users] Integration with Solaris 10 >> >> Hi Rob, >> >> Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't >> seem to like the netgroup option: >> -bash-3.2# getent netgroup test1 >> Unknown database: netgroup >> usage: getent database [ key ... ] >> -bash-3.2# uname -a >> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc >> SUNW,SPARC-Enterprise-T5120 >> -bash-3.2# cat /etc/release >> Solaris 10 10/09 s10s_u8wos_08a SPARC >> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. >> Use is subject to license terms. >> Assembled 16 September 2009 >> -bash-3.2# >> >> Thanks! 
>> Dan >> >> -----Original Message----- >> From: Rob Crittenden [mailto:rcritten at redhat.com] >> Sent: January 02, 2015 10:15 AM >> To: Watson, Dan; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Integration with Solaris 10 >> >> Watson, Dan wrote: >> >>> Hi All, >>> >>> I've lurked in the list history and cannot find anyone saying they have >>> gotten login restrictions working with Solaris 10 u8. Has anyone on here >>> successfully configured login restrictions on Solaris 10 u8 through u11? >>> I'm looking for specific instructions from someone who has gotten this to >>> work before. >>> >>> The two main routes to login restrictions I could find online are >>> Netgroups or conditional ldap queries in ldapclient >>> >>> I initially tried netgroups but wasn't sure how to trouble shoot when it >>> didn't work. There don't seem to be any user-land tools to query netgroups >>> and further investigation turned up an issue with OpenLDAP. It seems the >>> built-in Solaris 10 ldap client expects schema RFC2307bis and not the >>> OpenLDAP standard RFC2307 (explanation here >>> http://www.openldap.org/lists/openldap-software/200501/msg00309.html). >>> does anyone know if this issue applies to IPA? Or how I check? >>> >>> The alternative of passing a restrictive query to ldapclient seems like >>> a good route but doesn't seem to work. The common solution when using the >>> old SunOne directory server was to pass the ldapclient (command line ldap >>> configuration tool) an option like "passwd:ou=people,o=myorg,c= >>> de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from here >>> https://community.oracle.com/thread/2014224?start=0&tstart=0) which is >>> supposed to restrict account checking to only people in >>> ou=people,p=myorg,c=de who are also members of cn=unixadmins,ou=groups,o=myorg,c=de. 
>>> Unfortunately this doesn't seem to work in IPA, first of all because there >>> is no "isMemberof" attribute to a user, but also doesn't work on other >>> attributes like uid or uidNumber. One possible explanation I've found is >>> that these attributes are not indexed, but I have no idea if this is >>> correct or how to add them to be indexed. >>> >>> Has anyone else solved this? I just need to be able to allow only a >>> specific user group to log in to the host, unfortunately the ssh directive >>> "AllowGroups" is not good enough, this has to be system wide as we also >>> have samba and some other services that rely on system authentication. >>> >>> Can anyone be of some help? >>> >>> Thanks! >>> Dan >>> >>> You can use getent netgroup to get a specific netgroup. >> >> Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com >> >> rob >> >> > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: 

From baghery.jone at gmail.com Sat Jan 3 10:14:18 2015
From: baghery.jone at gmail.com (alireza baghery)
Date: Sat, 3 Jan 2015 13:44:18 +0330
Subject: [Freeipa-users] Fwd: problem users AD can not sudo in centos 6.6
In-Reply-To: 
References: 
Message-ID: 

hi
i integrated AD Windows 2008 R2 with IPA server (CentOS 6.5)
i write policy for user test execute any command on any host
user test can execute sudo on CentOS 6.5 but on CentOS 6.6 can not (sudo get error)
config sssd.conf
=========================
[domain/l.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = l.example.com
id_provider = ipa
ipa_server = _srv_,ipaserver.l.example.com
dap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com
ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipadevel.l.example.com
ldap_sasl_realm = L.EXAMPLE.COM
krb5_server = ipadevel.l.example.com

[sssd]
config_file_version = 2
services = nss, pam,ssh,sudo
============================
how to solve this problem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From tarekhamditn2013 at gmail.com Fri Jan 2 21:09:58 2015
From: tarekhamditn2013 at gmail.com (hamdi tarek)
Date: Fri, 2 Jan 2015 22:09:58 +0100
Subject: [Freeipa-users] Script to automatically turn your CentOS 7
Message-ID: 

Please, we are a faculty; can you help us with the establishment of a CentOS 7 server with Squid authentication, with network cards 2 LAN 1 WAN bound to a router. Thank you.

Please, we are a faculty; can you help us set up a CentOS 7 server with Squid authentication with 3 network cards, 2 LAN and 1 WAN, connected to a router. Thank you.

Script to automatically turn your CentOS 7 installation into a Router with Squid Caching
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From baghery.jone at gmail.com Sat Jan 3 10:03:14 2015
From: baghery.jone at gmail.com (alireza baghery)
Date: Sat, 3 Jan 2015 13:33:14 +0330
Subject: [Freeipa-users] problem users AD can not sudo in centos 6.6
Message-ID: 

hi
i integrated AD Windows 2008 R2 with IPA server (CentOS 6.5)
i write policy for user test execute any command on any host
user test can execute sudo on CentOS 6.5 but on CentOS 6.6 can not (sudo get error)
config sssd.conf
=========================
[domain/l.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = l.example.com
id_provider = ipa
ipa_server = _srv_,ipaserver.l.example.com
dap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com
ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipadevel.l.example.com
ldap_sasl_realm = L.EXAMPLE.COM
krb5_server = ipadevel.l.example.com

[sssd]
config_file_version = 2
services = nss, pam,ssh,sudo
============================
how to solve this problem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From lslebodn at redhat.com Sat Jan 3 17:20:46 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Sat, 3 Jan 2015 18:20:46 +0100
Subject: [Freeipa-users] ipa / sudoers on centos 6.3 client
In-Reply-To: <20150103031307.6033553.20862.12342@gmail.com>
References: <20150103031307.6033553.20862.12342@gmail.com>
Message-ID: <20150103172046.GA31910@mail.corp.redhat.com>

On (02/01/15 22:13), William Muriithi wrote:
>Hi,
>
>I also think you will have to update to rhel 6.6 if you want to use sssd for sudo. If updating to 6.6 is not a problem, this would be least painful.
>
>> > > The problem is that I can't get sudo rules to work.
I know that the
>> > > ipa client software version 3.0.0 doesn't automatically set up all the
>> > > configuration for sssd to control sudo access, but I have set up all
>> > > the configuration necessary manually:
>> > >
>> > > On the client, /etc/nsswitch.conf has
>> > >
>> > > sudoers files sss
>
>This will work only for rhel 6.6. Add ldap between files and sss if you wouldn't be using 6.6
>
It would work with CentOS 6.4+, just the configuration in sssd.conf would be different.
CentOS 6.4 and 6.5 *do not have* a native sudo ipa provider, but it is possible to configure sssd with the ldap provider (more complicated).
CentOS 6.6 *has* a native sudo ipa provider.
The best way to configure sssd <-> sudo is to follow the instructions in the manual page sssd-sudo.

LS

From dpal at redhat.com Sat Jan 3 19:10:09 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 03 Jan 2015 14:10:09 -0500
Subject: [Freeipa-users] Fwd: problem users AD can not sudo in centos 6.6
In-Reply-To: 
References: 
Message-ID: <54A83E91.8080909@redhat.com>

On 01/03/2015 05:14 AM, alireza baghery wrote:
>
> hi
> i integrated AD Windows 2008 R2 with IPA server (CentOS 6.5)
> i write policy for user test execute any command on any host
> user test can execute sudo on CentOS 6.5 but on CentOS 6.6 can not
> (sudo get error)
> config sssd.conf
> =========================
> [domain/l.example.com ]
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain =l.example.com
> id_provider = ipa
> ipa_server = _srv_,ipaserver.l.example.com
> dap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri =ldap://ipasrv.l.example.com
> ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipadevel.l.example.com
> ldap_sasl_realm =L.EXAMPLE.COM
> krb5_server =ipadevel.l.example.com
>
> [sssd]
> config_file_version = 2
> services = nss, pam,ssh,sudo
> ============================
> how to solve this problem
>
>

Enable sudo debugging and see what happens. Is the command denied or is there some other error? Generally there are two flavors of errors: something is wrong with a connection and no policy gets through, or the policies get through but something is wrong with this specific policy or configuration. To start debugging, first rule out connectivity issues. SUDO and sssd debug logs are your friends.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From dpal at redhat.com Sat Jan 3 19:13:50 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 03 Jan 2015 14:13:50 -0500
Subject: [Freeipa-users] IPA trust integration in AD Forests that been upgraded to higher functional level
In-Reply-To: 
References: 
Message-ID: <54A83F6E.3020407@redhat.com>

On 01/02/2015 10:13 PM, Genadi Postrilko wrote:
>
> Hello all.
>
> I'm working on integrating AD trust feature in the forest of a large
> organization (Its network is not connected to the internet).
>
> First I tested the trust in "clean" environment (that I have deployed)
> to simulate production forest deployment, in the following configuration:
>
> The forest root domain : red.com
> Second Domain tree : blue.com
> IPA : linux.blue.com
>
> All the AD DCs are 2008 R2 server and 2008 R2 functional level.
>
> IPA server is installed on RHEL 7.
>
> ipa-server-3.3.3-28.el7_0.1.x86_64
> ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64
> ipa-python-3.3.3-28.el7_0.1.x86_64
>
> With help of the mailing list, all works fine. Users from both red.com
> and blue.com are able to log into IPA domain.
>
> After the success, I proceeded to test the trust in organization's
> test environment.
>
> The installation of the trust itself has completed successfully. But
> although users from red.com were able to log into
> IPA domain, users from blue.com couldn't.
> > After checking the sssd logs it seemed as blue.com > domain is unknown to IPA. > > Therefore I ran "*ipa trustdomain-find red.com " *in > both environments, to see if there are any differences. > > And indeed there were: > > While in the "clean" environment, the command returned both *red.com > * and *blue.com * domains, in > organization's test environment it returned only *red.com > *. > > I tried to re fetch the domain with "*ipa trust-fetch-domains red.com > " *but it returned the message - " No new trust > domains were found". > > It made me think that maybe the AD is not returning all domains in the > forest. > > I opened wireshark on both environments and ran "*ipa > trust-fetch-domains red.com " *to see what is been > sent from AD to IPA. > > In both environments I seen the DsrEnumerateDomainTrusts request and > response. > > Reading the content of response showed that in both environments, the > responsecontained *red.com * and *blue.com > * domain. > > After inspecting the structures that contain domains information > (DS_DOMAIN_TRUSTS) , I noticed that in both environments the > *TrustAttribute *of red.com is set to 0x0000000. > > But *TrustAttribute *of blue.com is set to > 0x00000020 (TRUST_ATTRIBUTE_WITHIN_FOREST) in the "clean" environment > and to 0x00800000 in the test environment. > > Reading MSDN for *TrustAttribute*, explains the following: > > http://msdn.microsoft.com/en-us/library/cc223779.aspx > > (TRUST_ATTRIBUTE_WITHIN_FOREST) > > 0x00000020 > > If this bit is set, then the trusted domain is within the same forest. > > Only evaluated on Windows Server 2003, Windows Server 2008, Windows > Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. > > While I couldn't find specific information about 0x00800000, but this: > > 0x00400000 - 0x00800000 > > Previously used trust bits, and are obsolete. > > I did not find more information on 0x00800000 or a reason why the > attributes would be different in the two deployments. 
> > I asked for advice from Microsoft IT guy in the organization. He said > that difference in the *TrustAttribute *is caused by the fact, that > the "clean" environment was created as Windows Server 2008, while the > test (and production) forest was created as windows 2000 servers > (about 12 years ago) and the forest was gradually upgraded to 2003 > and 2008 along the years. > > Couldn't find more information on the attribute for windows server > 2000/2003 but the theory sounds quite logical. > > I decided to check if *TrustAttribute *influences IPA's domain fetch. > > fetch_domains function in > /usr/lib/python2.7/site-packages/ipaserver/dcerpc.py > > contains the following lines of code: > > trust_attributes = dict( > > NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001, > > NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002, > > NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004, > > NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008, > > NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010, > > NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020, > > NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040) > > . > > . > > . > > result = [] > > for t in domains.array: > > *if ((t.trust_attributes & > trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and* > > *(t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):* > > res = dict() > > res['cn'] = unicode(t.dns_name) > > res['ipantflatname'] = unicode(t.netbios_name) > > res['ipanttrusteddomainsid'] = unicode(t.sid) > > res['ipanttrustpartner'] = res['cn'] > > result.append(res) > > The bit-wise operation is preformed to check if the trust attribute is > set to TRUST_ATTRIBUTE_WITHIN_FOREST (0x00000020) and if so, the trust > is added to result array. > > It seems the value of *TrustAttribute *set to 0x00800000 is the reason > the domain wasn't fetched. 
> > To confirm it I changed the if statement to: > > ** if ((t.trust_attributes & > trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] *|| * > > *(t.trust_attributes & 0x00800000)) *and (t.trust_flags & > trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): > > ** > > Then deleted and recreated the trust and finally ran "*ipa > trust-fetch-domains red.com "-* > > this time the *blue.com * domain did appear! > > I was able to login with users from both red.com and > blue.com to IPA domain. > > Checking both upstream 3.3 and 4.1 shows that the if statement was > changed to : > > *if*(*not*(t.trust_flags &trust_flags['NETR_TRUST_FLAG_PRIMARY'])*and* > > (t.trust_flags &trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): > > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-3-3#n1039 > > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-4-1#n1102 > > From first sight it looks like blue.com will fetched. > > Haven't yet tested if upstream works in the test environment. > > Any thoughts on the subject will be great. > > (I hope i'm not mentioning something that was solved long ago). > > Genadi > > > Wow! Sounds like a ticket is due... -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Sat Jan 3 19:17:06 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sat, 03 Jan 2015 14:17:06 -0500 Subject: [Freeipa-users] Integration with Solaris 10 In-Reply-To: References: <54A6E00C.7080502@redhat.com> <54A70995.2000109@redhat.com> Message-ID: <54A84032.4050101@redhat.com> On 01/03/2015 03:26 AM, Ben .T.George wrote: > Hi Dmitri > > > i was trying this from last 3 weeks. can you please give us more > details about this. I tried ldapclient and i got lot of dependency > service related error. can you please give me list of services and > configuration file need to change/enable before trying ldapclient ? 
> > once again thanks for your effort. > Hi Ben, I am a bit confused. My last suggestion was for you to add a wiki page to FreeIPA.org becuase you indicated that you got it working. Rob, may be this is the comment for you. Thanks Dmitri > > > Thanks & Regards, > Ben > > > > On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal > wrote: > > On 01/02/2015 03:17 PM, Watson, Dan wrote: > > I finally got it working, the default setup of "ldapclient > init" missed the special mapping for netgroups, so I had to do > a manual setup that included the mapping. > > ldapclient manual \ > -a credentialLevel=anonymous \ > -a authenticationMethod=none \ > -a defaultSearchBase=dn=domain,dn=name \ > -a domainName=domain.name \ > -a defaultServerList=server.domain.name > \ > -a objectClassMap=shadow:shadowAccount=posixaccount \ > -a > serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' > \ > -a > serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp > \ > -a > serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp > \ > -a > serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp > > It's the last line that forces the OS level ldap client to > look in the rich location for the netgroup information. I hope > this helps the next person. > > > Would you mind creating a wiki page with the solution on the wiki? > > > > Thanks for all the help! > Dan > -----Original Message----- > From: Watson, Dan > Sent: January 02, 2015 11:41 AM > To: 'Rob Crittenden'; freeipa-users at redhat.com > > Subject: RE: [Freeipa-users] Integration with Solaris 10 > > Hi Rob, > > Thanks for the reply. Unfortunately /usr/bin/getent on my > system doesn't seem to like the netgroup option: > -bash-3.2# getent netgroup test1 > Unknown database: netgroup > usage: getent database [ key ... 
] > -bash-3.2# uname -a > SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc > SUNW,SPARC-Enterprise-T5120 > -bash-3.2# cat /etc/release > Solaris 10 10/09 s10s_u8wos_08a SPARC > Copyright 2009 Sun Microsystems, Inc. All Rights > Reserved. > Use is subject to license terms. > Assembled 16 September 2009 > -bash-3.2# > > Thanks! > Dan > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com > ] > Sent: January 02, 2015 10:15 AM > To: Watson, Dan; freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] Integration with Solaris 10 > > Watson, Dan wrote: > > Hi All, > > I've lurked in the list history and cannot find anyone > saying they have gotten login restrictions working with > Solaris 10 u8. Has anyone on here successfully configured > login restrictions on Solaris 10 u8 through u11? I'm > looking for specific instructions from someone who has > gotten this to work before. > > The two main routes to login restrictions I could find > online are Netgroups or conditional ldap queries in ldapclient > > I initially tried netgroups but wasn't sure how to trouble > shoot when it didn't work. There don't seem to be any > user-land tools to query netgroups and further > investigation turned up an issue with OpenLDAP. It seems > the built-in Solaris 10 ldap client expects schema > RFC2307bis and not the OpenLDAP standard RFC2307 > (explanation here > http://www.openldap.org/lists/openldap-software/200501/msg00309.html). > does anyone know if this issue applies to IPA? Or how I check? > > The alternative of passing a restrictive query to > ldapclient seems like a good route but doesn't seem to > work. 
The common solution when using the old SunOne > directory server was to pass the ldapclient (command line > ldap configuration tool) an option like > "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" > (from here > https://community.oracle.com/thread/2014224?start=0&tstart=0) > which is supposed to restrict account checking to only > people in ou=people,p=myorg,c=de who are also members of > cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this > doesn't seem to work in IPA, first of all because there is > no "isMemberof" attribute to a user, but also doesn't work > on other attributes like uid or uidNumber. One possible > explanation I've found is that these attributes are not > indexed, but I have no idea if this is correct or how to > add them to be indexed. > > Has anyone else solved this? I just need to be able to > allow only a specific user group to log in to the host, > unfortunately the ssh directive "AllowGroups" is not good > enough, this has to be system wide as we also have samba > and some other services that rely on system authentication. > > Can anyone be of some help? > > Thanks! > Dan > > You can use getent netgroup to get a specific netgroup. > > Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com > > rob > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From bentech4you at gmail.com Sat Jan 3 20:07:59 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Sat, 3 Jan 2015 23:07:59 +0300 Subject: [Freeipa-users] Integration with Solaris 10 In-Reply-To: <54A84032.4050101@redhat.com> References: <54A6E00C.7080502@redhat.com> <54A70995.2000109@redhat.com> <54A84032.4050101@redhat.com> Message-ID: Hi Oops sorry. i wrongly addressed you. Actually that question i asked is to Mr. Watson. Regards, Ben On Sat, Jan 3, 2015 at 10:17 PM, Dmitri Pal wrote: > On 01/03/2015 03:26 AM, Ben .T.George wrote: > > Hi Dmitri > > > i was trying this from last 3 weeks. can you please give us more details > about this. I tried ldapclient and i got lot of dependency service > related error. can you please give me list of services and configuration > file need to change/enable before trying ldapclient ? > > once again thanks for your effort. > > > Hi Ben, > > I am a bit confused. My last suggestion was for you to add a wiki page to > FreeIPA.org becuase you indicated that you got it working. > Rob, may be this is the comment for you. > > Thanks > Dmitri > > > > > Thanks & Regards, > Ben > > > > On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal wrote: > >> On 01/02/2015 03:17 PM, Watson, Dan wrote: >> >>> I finally got it working, the default setup of "ldapclient init" missed >>> the special mapping for netgroups, so I had to do a manual setup that >>> included the mapping. 
>>> >>> ldapclient manual \ >>> -a credentialLevel=anonymous \ >>> -a authenticationMethod=none \ >>> -a defaultSearchBase=dn=domain,dn=name \ >>> -a domainName=domain.name \ >>> -a defaultServerList=server.domain.name \ >>> -a objectClassMap=shadow:shadowAccount=posixaccount \ >>> -a >>> serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \ >>> -a >>> serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \ >>> -a >>> serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \ >>> -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp >>> >>> It's the last line that forces the OS level ldap client to look in the >>> rich location for the netgroup information. I hope this helps the next >>> person. >>> >> >> Would you mind creating a wiki page with the solution on the wiki? >> >> >> >>> Thanks for all the help! >>> Dan >>> -----Original Message----- >>> From: Watson, Dan >>> Sent: January 02, 2015 11:41 AM >>> To: 'Rob Crittenden'; freeipa-users at redhat.com >>> Subject: RE: [Freeipa-users] Integration with Solaris 10 >>> >>> Hi Rob, >>> >>> Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't >>> seem to like the netgroup option: >>> -bash-3.2# getent netgroup test1 >>> Unknown database: netgroup >>> usage: getent database [ key ... ] >>> -bash-3.2# uname -a >>> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc >>> SUNW,SPARC-Enterprise-T5120 >>> -bash-3.2# cat /etc/release >>> Solaris 10 10/09 s10s_u8wos_08a SPARC >>> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. >>> Use is subject to license terms. >>> Assembled 16 September 2009 >>> -bash-3.2# >>> >>> Thanks! 
>>> Dan >>> >>> -----Original Message----- >>> From: Rob Crittenden [mailto:rcritten at redhat.com] >>> Sent: January 02, 2015 10:15 AM >>> To: Watson, Dan; freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Integration with Solaris 10 >>> >>> Watson, Dan wrote: >>> >>>> Hi All, >>>> >>>> I've lurked in the list history and cannot find anyone saying they have >>>> gotten login restrictions working with Solaris 10 u8. Has anyone on here >>>> successfully configured login restrictions on Solaris 10 u8 through u11? >>>> I'm looking for specific instructions from someone who has gotten this to >>>> work before. >>>> >>>> The two main routes to login restrictions I could find online are >>>> Netgroups or conditional ldap queries in ldapclient >>>> >>>> I initially tried netgroups but wasn't sure how to trouble shoot when >>>> it didn't work. There don't seem to be any user-land tools to query >>>> netgroups and further investigation turned up an issue with OpenLDAP. It >>>> seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not >>>> the OpenLDAP standard RFC2307 (explanation here >>>> http://www.openldap.org/lists/openldap-software/200501/msg00309.html). >>>> does anyone know if this issue applies to IPA? Or how I check? >>>> >>>> The alternative of passing a restrictive query to ldapclient seems like >>>> a good route but doesn't seem to work. The common solution when using the >>>> old SunOne directory server was to pass the ldapclient (command line ldap >>>> configuration tool) an option like >>>> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" >>>> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) >>>> which is supposed to restrict account checking to only people in >>>> ou=people,p=myorg,c=de who are also members of >>>> cn=unixadmins,ou=groups,o=myorg,c=de. 
Unfortunately this doesn't seem to >>>> work in IPA, first of all because there is no "isMemberof" attribute to a >>>> user, but also doesn't work on other attributes like uid or uidNumber. One >>>> possible explanation I've found is that these attributes are not indexed, >>>> but I have no idea if this is correct or how to add them to be indexed. >>>> >>>> Has anyone else solved this? I just need to be able to allow only a >>>> specific user group to log in to the host, unfortunately the ssh directive >>>> "AllowGroups" is not good enough, this has to be system wide as we also >>>> have samba and some other services that rely on system authentication. >>>> >>>> Can anyone be of some help? >>>> >>>> Thanks! >>>> Dan >>>> >>>> You can use getent netgroup to get a specific netgroup. >>> >>> Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com >>> >>> rob >>> >>> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go To http://freeipa.org for more info on the project >> > > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From amessina at messinet.com Sat Jan 3 23:29:37 2015 From: amessina at messinet.com (Anthony Messina) Date: Sat, 03 Jan 2015 17:29:37 -0600 Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master Message-ID: <14525002.8PxJUuzMte@linux-ws1.messinet.com> I was hoping to "migrate" from F20 to F21 using: http://www.freeipa.org/page/Howto/Migration http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master Where the new F21 replica would become the new "master" from which I would later create other F21 replica(s). 
F20 master: freeipa-server-3.3.5-1.fc20.x86_64
F21 replica: freeipa-server-4.1.2-1.fc21.x86_64

The first F21 replica installation fails when attempting to set up the CA and I'm not sure where to go from here. Any guidance is appreciated. Thanks.

2015-01-03T23:09:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-03T23:09:39Z DEBUG Starting external process
2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'
2015-01-03T23:09:39Z DEBUG Process finished, return code=1
2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from /tmp/tmpZNHZWb.
2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 579, in
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 480, in main
    info = parser.sd_get_info()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 464, in sd_get_info
    info = sd.get_security_domain_info()
  File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in get_security_domain_info
    info = SecurityDomainInfo.from_json(response.json())
  File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json
    ret.name = json_value['id']
KeyError: 'id'
2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit status 1
2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 671, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
--------------
next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: This is a digitally signed message part. URL: From bentech4you at gmail.com Sun Jan 4 07:10:18 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Sun, 4 Jan 2015 10:10:18 +0300 Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients In-Reply-To: <54A1C0A6.1080006@redhat.com> References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> Message-ID: HI This is i am struggling to get this working on Solaris x86 client. as i did many things based on many tutorials. \i am wondering why people who achieved this already not sharing this information about configuring Solaris as IPA client . Regards, Ben On Mon, Dec 29, 2014 at 11:59 PM, Dmitri Pal wrote: > On 12/21/2014 07:50 PM, Fraser Tweedale wrote: > >> On Sun, Dec 21, 2014 at 09:03:17AM +0300, Ben .T.George wrote: >> >>> Hi List >>> >>> how can i configure solaris 10 sparc and x86 as ipa clients. >>> >>> Regards, >>> Ben >>> >> Hi Ben, >> >> Please follow the Solaris 8/9/10 instructions on the wiki: >> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10 >> >> Let us know if run into difficulties or if there are error or >> omissions in the instructions. >> > > Also see https://fedorahosted.org/freeipa/ticket/4633 > > >> Cheers, >> >> Fraser >> >> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go To http://freeipa.org for more info on the project >>> >> > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: 

From abokovoy at redhat.com Sun Jan 4 08:17:41 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 4 Jan 2015 03:17:41 -0500 (EST)
Subject: [Freeipa-users] IPA trust integration in AD Forests that been upgraded to higher functional level
In-Reply-To: 
References: 
Message-ID: <304872588.3242134.1420359461689.JavaMail.zimbra@redhat.com>

----- Original Message -----
> Hello all.
> I'm working on integrating AD trust feature in the forest of a large
> organization (Its network is not connected to the internet).
> First I tested the trust in "clean" environment (that I have deployed) to
> simulate production forest deployment, in the following configuration:
> The forest root domain : red.com
> Second Domain tree : blue.com
> IPA : linux.blue.com
> All the AD DCs are 2008 R2 server and 2008 R2 functional level.
> IPA server is installed on RHEL 7.
> ipa-server-3.3.3-28.el7_0.1.x86_64
> ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64
> ipa-python-3.3.3-28.el7_0.1.x86_64
> With help of the mailing list, all works fine. Users from both red.com and
> blue.com are able to log into IPA domain.
> After the success, I proceeded to test the trust in organization's test
> environment.
> The installation of the trust itself has completed successfully. But although
> users from red.com were able to log into IPA domain, users from blue.com
> couldn't.
> After checking the sssd logs it seemed as blue.com domain is unknown to IPA.
> Therefore I ran " ipa trustdomain-find red.com " in both environments, to see
> if there are any differences.
> And indeed there were:
> While in the "clean" environment, the command returned both red.com and
> blue.com domains, in organization's test environment it returned only
> red.com .
> I tried to re-fetch the domain with " ipa trust-fetch-domains red.com " but
> it returned the message - " No new trust domains were found".
> It made me think that maybe the AD is not returning all domains in the
> forest.
> I opened wireshark on both environments and ran " ipa trust-fetch-domains
> red.com " to see what is being sent from AD to IPA.
> In both environments I saw the DsrEnumerateDomainTrusts request and
> response.
> Reading the content of the response showed that in both environments, the
> response contained red.com and blue.com domain.
> After inspecting the structures that contain domains information
> (DS_DOMAIN_TRUSTS), I noticed that in both environments the TrustAttribute
> of red.com is set to 0x0000000.
> But TrustAttribute of blue.com is set to 0x00000020 (
> TRUST_ATTRIBUTE_WITHIN_FOREST ) in the "clean" environment and to 0x00800000
> in the test environment.
> Reading MSDN for TrustAttribute, explains the following:
> http://msdn.microsoft.com/en-us/library/cc223779.aspx
> (TRUST_ATTRIBUTE_WITHIN_FOREST)
> 0x00000020
> If this bit is set, then the trusted domain is within the same forest.
> Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server
> 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
> While I couldn't find specific information about 0x00800000, but this:
> 0x00400000 - 0x00800000
> Previously used trust bits, and are obsolete.
> I did not find more information on 0x00800000 or a reason why the attributes
> would be different in the two deployments.
> I asked for advice from Microsoft IT guy in the organization. He said that
> difference in the TrustAttribute is caused by the fact, that the "clean"
> environment was created as Windows Server 2008, while the test (and
> production) forest was created as windows 2000 servers (about 12 years ago)
> and the forest was gradually upgraded to 2003 and 2008 along the years.
> Couldn't find more information on the attribute for windows server 2000/2003
> but the theory sounds quite logical.
> I decided to check if TrustAttribute influences IPA's domain fetch.
> fetch_domains function in
> /usr/lib/python2.7/site-packages/ipaserver/dcerpc.py
> contains the following lines of code:
>
> trust_attributes = dict(
>     NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001,
>     NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002,
>     NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004,
>     NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008,
>     NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010,
>     NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020,
>     NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040)
> .
> .
> .
> result = []
> for t in domains.array:
>     if ((t.trust_attributes &
>          trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
>         (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
>         res = dict()
>         res['cn'] = unicode(t.dns_name)
>         res['ipantflatname'] = unicode(t.netbios_name)
>         res['ipanttrusteddomainsid'] = unicode(t.sid)
>         res['ipanttrustpartner'] = res['cn']
>         result.append(res)
>
> The bit-wise operation is performed to check if the trust attribute is set to
> TRUST_ATTRIBUTE_WITHIN_FOREST (0x00000020) and if so, the trust is added to
> result array.
> It seems the value of TrustAttribute set to 0x00800000 is the reason the
> domain wasn't fetched.
> To confirm it I changed the if statement to:
>
>     if ((t.trust_attributes &
>          trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] ||
>          (t.trust_attributes & 0x00800000)) and (t.trust_flags &
>          trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
>
> Then deleted and recreated the trust and finally ran " ipa
> trust-fetch-domains red.com " -
> this time the blue.com domain did appear!
> I was able to login with users from both red.com and blue.com to IPA domain.
> Checking both upstream 3.3 and 4.1 shows that the if statement was changed to:
>
>     if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and
>         (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
>
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-3-3#n1039
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-4-1#n1102
> From first sight it looks like blue.com will be fetched.
> Haven't yet tested if upstream works in the test environment.
> Any thoughts on the subject will be great.
> (I hope I'm not mentioning something that was solved long ago).

The fix you see in the git repo was released in 3.3.3-28.el7_0.3, as
https://rhn.redhat.com/errata/RHBA-2014-1828.html

Can you please confirm that this version fixes the issue for you?

-- 
/ Alexander Bokovoy
-------------- next part -------------- An HTML attachment was scrubbed...
URL: 

From genadipost at gmail.com Sun Jan 4 08:25:12 2015
From: genadipost at gmail.com (Genadi Postrilko)
Date: Sun, 4 Jan 2015 10:25:12 +0200
Subject: [Freeipa-users] IPA trust integration in AD Forests that been upgraded to higher functional level
In-Reply-To: <54A83F6E.3020407@redhat.com>
References: <54A83F6E.3020407@redhat.com>
Message-ID: 

I would like to make a correction. The change I made is:

    if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] *or*
         (t.trust_attributes & 0x00800000)) and
        (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):

and not:

    if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] *||*
         (t.trust_attributes & 0x00800000)) and
        (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):

-------------- next part -------------- An HTML attachment was scrubbed...
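The filter Genadi traced above, replayed on constructed DsrEnumerateDomainTrusts records so the two checks can be compared side by side: the attribute-bit test from 3.3.3-28.el7_0.1 versus the flag-based test in upstream ipa-3-3/ipa-4-1. This is an added example, not FreeIPA's dcerpc.py; the NETR_TRUST_FLAG_* values are taken from the MS-NRPC DS_DOMAIN_TRUSTSW flags rather than from the thread, red.com carrying the PRIMARY flag (it is the queried DC's own domain) is an assumption, and the SIDs are placeholders.

```python
"""Replay of the fetch_domains() trust filter on constructed records.

Shows why a domain whose TrustAttributes carry only the obsolete bit
0x00800000 is dropped by the attribute-based check but kept by the
flag-based check that upstream switched to.
"""
from collections import namedtuple

# Attribute bit values as in the dcerpc.py excerpt quoted in the thread.
NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020
# Obsolete attribute bit seen on the forest that was upgraded 2000 -> 2003 -> 2008.
OBSOLETE_TRUST_ATTRIBUTE_BIT = 0x00800000

# Flag values from MS-NRPC DS_DOMAIN_TRUSTSW.Flags (assumption: not quoted in
# the thread, taken from the protocol specification).
NETR_TRUST_FLAG_IN_FOREST = 0x00000001
NETR_TRUST_FLAG_PRIMARY = 0x00000008

# Minimal stand-in for one DS_DOMAIN_TRUSTS element as the Samba bindings expose it.
DomainTrust = namedtuple(
    "DomainTrust", "dns_name netbios_name sid trust_flags trust_attributes")


def _to_entry(t):
    """Build the dict fetch_domains() appends to its result list."""
    return {
        "cn": t.dns_name,
        "ipantflatname": t.netbios_name,
        "ipanttrusteddomainsid": t.sid,
        "ipanttrustpartner": t.dns_name,
    }


def fetch_domains_old(domains):
    """Check from ipa-server-3.3.3-28.el7_0.1: require the WITHIN_FOREST attribute bit."""
    result = []
    for t in domains:
        if ((t.trust_attributes & NETR_TRUST_ATTRIBUTE_WITHIN_FOREST) and
                (t.trust_flags & NETR_TRUST_FLAG_IN_FOREST)):
            result.append(_to_entry(t))
    return result


def fetch_domains_upstream(domains):
    """Check from upstream ipa-3-3/ipa-4-1: any in-forest domain that is not the primary one.

    The trust attributes are not consulted at all, so an obsolete or unknown
    attribute value no longer hides a forest member.
    """
    result = []
    for t in domains:
        if (not (t.trust_flags & NETR_TRUST_FLAG_PRIMARY) and
                (t.trust_flags & NETR_TRUST_FLAG_IN_FOREST)):
            result.append(_to_entry(t))
    return result


def forest(blue_attributes):
    """Constructed two-domain forest as returned by red.com's DC (SIDs are placeholders)."""
    return [
        # Forest root: the DC answering the call, so PRIMARY is set (assumption).
        DomainTrust("red.com", "RED", "S-1-5-21-1-1-1",
                    NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_PRIMARY, 0x00000000),
        # Second domain tree; its TrustAttributes differ between the two forests.
        DomainTrust("blue.com", "BLUE", "S-1-5-21-2-2-2",
                    NETR_TRUST_FLAG_IN_FOREST, blue_attributes),
    ]


# blue.com as observed in the freshly built 2008 forest ...
CLEAN_FOREST = forest(NETR_TRUST_ATTRIBUTE_WITHIN_FOREST)
# ... and in the forest upgraded from Windows 2000.
UPGRADED_FOREST = forest(OBSOLETE_TRUST_ATTRIBUTE_BIT)


def fetched_names(fetch, domains):
    """Return just the DNS names a given filter would store in IPA."""
    return [entry["cn"] for entry in fetch(domains)]


if __name__ == "__main__":
    for label, domains in (("clean", CLEAN_FOREST), ("upgraded", UPGRADED_FOREST)):
        print(label, "old:", fetched_names(fetch_domains_old, domains),
              "upstream:", fetched_names(fetch_domains_upstream, domains))
```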
URL: From genadipost at gmail.com Sun Jan 4 15:01:34 2015 From: genadipost at gmail.com (Genadi Postrilko) Date: Sun, 4 Jan 2015 17:01:34 +0200 Subject: [Freeipa-users] IPA trust integration in AD Forests that been upgraded to higher functional level In-Reply-To: <304872588.3242134.1420359461689.JavaMail.zimbra@redhat.com> References: <304872588.3242134.1420359461689.JavaMail.zimbra@redhat.com> Message-ID: It will take some time to bring the new packages into organizations network. But as soon as it happens, ill inform you on the results. Thank you. 2015-01-04 10:17 GMT+02:00 Alexander Bokovoy : > > > ------------------------------ > > Hello all. > > I'm working on integrating AD trust feature in the forest of a large > organization (Its network is not connected to the internet). > > First I tested the trust in "clean" environment (that i have deployed) to > simulate production forest deployment , in the following configuration: > > > The forest root domain : red.com > > Second Domain tree : blue.com > > IPA : linux.blue.com > > All the AD DCs are 2008 R2 server and 2008 R2 functional level. > > IPA server in installed on RHEL 7. > > ipa-server-3.3.3-28.el7_0.1.x86_64 > > ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64 > > ipa-python-3.3.3-28.el7_0.1.x86_64 > > > > With help of the mailing list, all works fine. Users from both red.com > and blue.com are able to log into IPA domain. > > After the success, I proceeded to test the trust in organization's test > environment. > > The installation of the trust itself has completed successfully. But > although users from *red.com * were able to log into IPA > domain, users from *blue.com * couldn't. > > After checking the sssd logs it seemed as blue.com domain is unknown to > IPA. > > Therefore I ran "*ipa trustdomain-find red.com " *in both > environments, to see if there are any differences. 
> > To confirm it I changed the if statement to: > > if ((t.trust_attributes & > trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] *|| * > > *(t.trust_attributes & 0x00800000)) *and (t.trust_flags & > trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): > > > > Then deleted and recreated the trust and finally ran "*ipa > trust-fetch-domains red.com "-* > > this time the *blue.com * domain did appear! > > I was able to login with users from both red.com and blue.com to IPA > domain. > > > > Checking both upstream 3.3 and 4.1 shows that the if statement was changed > to : > > > > *if* (*not* (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) *and* > > (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): > > > > > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-3-3#n1039 > > > > > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-4-1#n1102 > > > > From first sight it looks like blue.com will fetched. > > Haven't yet tested if upstream works in the test environment. > > > > Any thoughts on the subject will be great. > > (I hope i'm not mentioning something that was solved long ago). > > The fix you see in the git repo was released in 3.3.3-28.el7_0.3, as > https://rhn.redhat.com/errata/RHBA-2014-1828.html > > Can you please confirm that this version fixes the issue for you? > > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Sun Jan 4 16:11:27 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sun, 04 Jan 2015 11:11:27 -0500 Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients In-Reply-To: References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> Message-ID: <54A9662F.9020304@redhat.com> On 01/04/2015 02:10 AM, Ben .T.George wrote: > HI > > This is i am struggling to get this working on Solaris x86 client. as > i did many things based on many tutorials. 
\i am wondering why people > who achieved this already not sharing this information about > configuring Solaris as IPA client . Solaris can be configured to be a client of IPA so it seems that there is some misalignment of the expectations. What is your goal? What kind of integration for Solaris client you want to achieve? Just LDAP authentication would work following the instructions. I suspect that something that you are trying to accomplish is either done differently or have not been a priority for others and thus have not been explored. > > Regards, > Ben > > On Mon, Dec 29, 2014 at 11:59 PM, Dmitri Pal > wrote: > > On 12/21/2014 07:50 PM, Fraser Tweedale wrote: > > On Sun, Dec 21, 2014 at 09:03:17AM +0300, Ben .T.George wrote: > > Hi List > > how can i configure solaris 10 sparc and x86 as ipa clients. > > Regards, > Ben > > Hi Ben, > > Please follow the Solaris 8/9/10 instructions on the wiki: > http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10 > > Let us know if run into difficulties or if there are error or > omissions in the instructions. > > > Also see https://fedorahosted.org/freeipa/ticket/4633 > > > Cheers, > > Fraser > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From bentech4you at gmail.com Sun Jan 4 18:19:01 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Sun, 4 Jan 2015 21:19:01 +0300 Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients In-Reply-To: <54A9662F.9020304@redhat.com> References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> Message-ID: HI Thanks for the replay. i was trying to achieve just LDAP authentication only. If possible Role based access and Host based access. but most priority is to authenticate solaris against Active Directory/IPA The tutorials/Guides are not clear actually as i tried many times. My IPA server is working fine. bcoz i tested by adding linux(centos) as IPA client by using client ass ipa commands. Regards, Ben On Sun, Jan 4, 2015 at 7:11 PM, Dmitri Pal wrote: > On 01/04/2015 02:10 AM, Ben .T.George wrote: > > HI > > This is i am struggling to get this working on Solaris x86 client. as i > did many things based on many tutorials. \i am wondering why people who > achieved this already not sharing this information about configuring > Solaris as IPA client . > > > Solaris can be configured to be a client of IPA so it seems that there is > some misalignment of the expectations. > What is your goal? What kind of integration for Solaris client you want to > achieve? Just LDAP authentication would work following the instructions. > I suspect that something that you are trying to accomplish is either done > differently or have not been a priority for others and thus have not been > explored. > > > > Regards, > Ben > > On Mon, Dec 29, 2014 at 11:59 PM, Dmitri Pal wrote: > >> On 12/21/2014 07:50 PM, Fraser Tweedale wrote: >> >>> On Sun, Dec 21, 2014 at 09:03:17AM +0300, Ben .T.George wrote: >>> >>>> Hi List >>>> >>>> how can i configure solaris 10 sparc and x86 as ipa clients. 
>>>> >>>> Regards, >>>> Ben >>>> >>> Hi Ben, >>> >>> Please follow the Solaris 8/9/10 instructions on the wiki: >>> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10 >>> >>> Let us know if run into difficulties or if there are error or >>> omissions in the instructions. >>> >> >> Also see https://fedorahosted.org/freeipa/ticket/4633 >> >> >>> Cheers, >>> >>> Fraser >>> >>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go To http://freeipa.org for more info on the project >>>> >>> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go To http://freeipa.org for more info on the project >> > > > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Sun Jan 4 21:34:26 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sun, 04 Jan 2015 16:34:26 -0500 Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients In-Reply-To: References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> Message-ID: <54A9B1E2.30802@redhat.com> On 01/04/2015 01:19 PM, Ben .T.George wrote: > > HI > > Thanks for the replay. > > i was trying to achieve just LDAP authentication only. If possible > Role based access and Host based access. but most priority is to > authenticate solaris against Active Directory/IPA > > The tutorials/Guides are not clear actually as i tried many times. My > IPA server is working fine. bcoz i tested by adding linux(centos) as > IPA client by using client ass ipa commands. 
OK, so let me make sure I get you right: you have IPA and it is in trust relations with AD, right? You tested it from Linux clients and it works but not with Solaris client, right? Which version of IPA are you using? Have you looked at ipa-advise tool? Which manuals and tutorials you tried? > > Regards, > Ben > > On Sun, Jan 4, 2015 at 7:11 PM, Dmitri Pal > wrote: > > On 01/04/2015 02:10 AM, Ben .T.George wrote: >> HI >> >> This is i am struggling to get this working on Solaris x86 >> client. as i did many things based on many tutorials. \i am >> wondering why people who achieved this already not sharing this >> information about configuring Solaris as IPA client . > > Solaris can be configured to be a client of IPA so it seems that > there is some misalignment of the expectations. > What is your goal? What kind of integration for Solaris client you > want to achieve? Just LDAP authentication would work following the > instructions. > I suspect that something that you are trying to accomplish is > either done differently or have not been a priority for others and > thus have not been explored. > > >> >> Regards, >> Ben >> >> On Mon, Dec 29, 2014 at 11:59 PM, Dmitri Pal > > wrote: >> >> On 12/21/2014 07:50 PM, Fraser Tweedale wrote: >> >> On Sun, Dec 21, 2014 at 09:03:17AM +0300, Ben .T.George >> wrote: >> >> Hi List >> >> how can i configure solaris 10 sparc and x86 as ipa >> clients. >> >> Regards, >> Ben >> >> Hi Ben, >> >> Please follow the Solaris 8/9/10 instructions on the wiki: >> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10 >> >> Let us know if run into difficulties or if there are error or >> omissions in the instructions. 
>> >> >> Also see https://fedorahosted.org/freeipa/ticket/4633 >> >> >> Cheers, >> >> Fraser >> >> -- >> Manage your subscription for the Freeipa-users >> mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go To http://freeipa.org for more info on the project >> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go To http://freeipa.org for more info on the project >> >> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From bentech4you at gmail.com Mon Jan 5 03:30:31 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Mon, 5 Jan 2015 06:30:31 +0300 Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients In-Reply-To: <54A9B1E2.30802@redhat.com> References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> <54A9B1E2.30802@redhat.com> Message-ID: HI yes you are right. Linux clients working and IPA is in trust relationship with AD. currently i am using 3.3.3 i guess i didn't tryed ipa-advice tool yet. I am not aware about this tool. can you please give right directions regarding this tool, so that i can try on it. 
regarding manuals and tutorials: http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10 http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html Regards,Ben On Mon, Jan 5, 2015 at 12:34 AM, Dmitri Pal wrote: > On 01/04/2015 01:19 PM, Ben .T.George wrote: > > > HI > > Thanks for the replay. > > i was trying to achieve just LDAP authentication only. If possible Role > based access and Host based access. but most priority is to authenticate > solaris against Active Directory/IPA > > The tutorials/Guides are not clear actually as i tried many times. My > IPA server is working fine. bcoz i tested by adding linux(centos) as IPA > client by using client ass ipa commands. > > > OK, so let me make sure I get you right: you have IPA and it is in trust > relations with AD, right? You tested it from Linux clients and it works but > not with Solaris client, right? Which version of IPA are you using? Have > you looked at ipa-advise tool? > Which manuals and tutorials you tried? > > > > Regards, > Ben > > On Sun, Jan 4, 2015 at 7:11 PM, Dmitri Pal wrote: > >> On 01/04/2015 02:10 AM, Ben .T.George wrote: >> >> HI >> >> This is i am struggling to get this working on Solaris x86 client. as i >> did many things based on many tutorials. \i am wondering why people who >> achieved this already not sharing this information about configuring >> Solaris as IPA client . >> >> >> Solaris can be configured to be a client of IPA so it seems that there >> is some misalignment of the expectations. >> What is your goal? What kind of integration for Solaris client you want >> to achieve? Just LDAP authentication would work following the instructions. 
From vaclav.adamec at suchy-zleb.cz Mon Jan 5 05:14:24 2015
From: vaclav.adamec at suchy-zleb.cz (Vaclav Adamec)
Date: Mon, 5 Jan 2015 06:14:24 +0100
Subject: [Freeipa-users] Fwd: problem users AD can not sudo in centos 6.6
In-Reply-To: <54A83E91.8080909@redhat.com>
References: <54A83E91.8080909@redhat.com>
Message-ID:

Hi,

I had the same issue after upgrading a registered CentOS 6.5 to 6.6 (and with the new IPA client). The new version already contains sudo support, so sssd.conf doesn't contain it. You can uninstall the ipa client and register the server again - keep the configuration file generated by the IPA client itself (I used puppet to maintain this file and ended up with multiple-version chaos because of CentOS and IPA versions).

Vasek

Example of a clean config file (you don't need to set up anything manually):

[domain/xxx.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xxx.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = server.xxx.com
chpass_provider = ipa
ipa_server = _srv_, ipa.xxx.com
dns_discovery_domain = xxx.com

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xxx.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

On Sat, Jan 3, 2015 at 8:10 PM, Dmitri Pal wrote:
> On 01/03/2015 05:14 AM, alireza baghery wrote:
>
> hi
> I integrated AD Windows 2008 R2 with IPA server (CentOS 6.5).
> I wrote a policy for user test to execute any command on any host.
> User test can execute sudo on CentOS 6.5 but on CentOS 6.6 cannot (sudo
> gets an error).
> Config sssd.conf:
> =========================
>
> [domain/l.example.com]
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = l.example.com
> id_provider = ipa
> ipa_server = _srv_,ipaserver.l.example.com
> dap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://ipasrv.l.example.com
> ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipadevel.l.example.com
> ldap_sasl_realm = L.EXAMPLE.COM
> krb5_server = ipadevel.l.example.com
>
> [sssd]
> config_file_version = 2
> services = nss, pam,ssh,sudo
>
> ============================
> How to solve this problem?
>
> Enable sudo debugging and see what happens. Is the command denied or
> is there some other error?
> Generally there are two flavors of errors: something is wrong with a
> connection and no policy gets through, or the policies get through but
> something is wrong with this specific policy or configuration.
> To start debugging, first rule out connectivity issues.
>
> SUDO and sssd debug logs are your friends.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
-- May the fox be with you ... /\ (~( ) ) /\_/\ (_=---_(@ @) ( \ / /|/----\|\ V " " " "

From pspacek at redhat.com Mon Jan 5 08:22:28 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 05 Jan 2015 09:22:28 +0100
Subject: [Freeipa-users] Logging: IPA to Rsyslog to Logstash
In-Reply-To: <56343345B145C043AE990701E3D193950478E330@EXVS2.nrplc.localnet>
References: <20141216095930.GC27648@localhost.localdomain> <56343345B145C043AE990701E3D193950478E330@EXVS2.nrplc.localnet>
Message-ID: <54AA49C4.6030601@redhat.com>

Hello Duncan,

thank you for doing this!

Could you transform this post to http://www.freeipa.org/page/HowTos#Working_with_FreeIPA article, please? I think that other people could use that too.

Thank you very much.
Petr^2 Spacek

On 19.12.2014 17:35, Innes, Duncan wrote:
> Earlier this year I said I'd feed back how my IPA to Rsyslog to Logstash
> experiments went.
>
> They went badly. And I didn't get much time.
> Today, however, I managed to get over my imaginary finishing line:
>
> All systems are RHEL 6.6.
>
> Rsyslog (rsyslog7-7.4.10) is configured to import logs from some dirsrv
> files:
>
> # cat /etc/rsyslog.d/dirsrv.conf
> module(load="imfile" PollingInterval="2")
>
> input(type="imfile"
>       File="/var/log/dirsrv/slapd-EXAMPLE-COM/access"
>       Tag="dirsrv"
>       StateFile="statedirsrv"
>       Facility="local0")
>
> input(type="imfile"
>       File="/var/log/dirsrv/slapd-EXAMPLE-COM/errors"
>       Tag="dirsrv"
>       StateFile="statedirsrverr"
>       Severity="error"
>       Facility="local0")
>
> #
>
> This pulls in those log entries on a regular basis. Rsyslog8 allows you
> to use inotify for file changes, but that's not available to me.
>
> Rsyslog is then also configured to push all logs to my Logstash servers:
>
> # cat /etc/rsyslog.d/logstash.conf
> template(name="ls_json" type="list" option.json="on")
> { constant(value="{")
>   constant(value="\"@timestamp\":\"") property(name="timegenerated" dateFormat="rfc3339")
>   constant(value="\",\"@version\":\"1")
>   constant(value="\",\"message\":\"") property(name="msg")
>   constant(value="\",\"host\":\"") property(name="hostname")
>   constant(value="\",\"my_environment\":\"dev")
>   constant(value="\",\"my_project\":\"Infrastructure")
>   constant(value="\",\"my_use\":\"IPA")
>   constant(value="\",\"logsource\":\"") property(name="fromhost")
>   constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")
>   constant(value="\",\"severity\":\"") property(name="syslogseverity")
>   constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")
>   constant(value="\",\"facility\":\"") property(name="syslogfacility")
>   constant(value="\",\"program\":\"") property(name="programname")
>   constant(value="\",\"pid\":\"") property(name="procid")
>   constant(value="\",\"rawmsg\":\"") property(name="rawmsg")
>   constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
>   constant(value="\"}\n")
> }
>
> *.* @@logstash01.example.com:5500;ls_json
> $ActionExecOnlyWhenPreviousIsSuspended on
> & @@logstash02.example.com:5500;ls_json
> & /var/log/localbuffer
> $ActionExecOnlyWhenPreviousIsSuspended off
>
> [root at lvdlvldap02 ~]#
>
> Which pushes all logs to my logstash servers in JSON format. Failover
> is built in by using 2 logstash servers.
> The client needs to have SELinux managed to allow rsyslog to write to
> port 5500:
>
> # semanage port -a -t syslogd_port_t -p tcp 5500
> # semanage port -l | grep 5500
>
> The Logstash servers are then configured to listen on this port and do
> some simple grokking, before sending everything to the ElasticSearch
> cluster:
>
> # cat /etc/logstash/conf.d/syslog.conf
> input {
>   tcp {
>     type => syslogjson
>     port => 5500
>     codec => "json"
>   }
> }
>
> filter {
>   # This replaces the host field (UDP source) with the host that
>   # generated the message (sysloghost)
>   if [sysloghost] {
>     mutate {
>       replace => [ "host", "%{sysloghost}" ]
>       remove_field => "sysloghost" # prune the field after successfully replacing "host"
>     }
>   }
>   if [type] == "syslogjson" {
>     grok {
>       patterns_dir => "/opt/logstash/patterns"
>       match => { "message" => "%{VIRGINFW}" }
>       match => { "message" => "%{AUDITAVC}" }
>       match => { "message" => "%{COMMONAPACHELOG}" }
>       tag_on_failure => []
>     }
>   }
>
>   # This filter populates the @timestamp field with the timestamp that's
>   # in the actual message
>   # dirsrv logs are currently pulled in every 2 minutes, so @timestamp
>   # is wrong
>   if [syslogtag] == "dirsrv" {
>     mutate {
>       remove_field => [ 'rawmsg' ]
>     }
>     grok {
>       match => [ "message", "%{HTTPDATE:log_timestamp}" ]
>     }
>     date {
>       match => [ "log_timestamp", "dd/MMM/YYY:HH:mm:ss Z"]
>       locale => "en"
>       remove_field => [ "log_timestamp" ]
>     }
>   }
> }
>
> output {
>   elasticsearch {
>     protocol => node
>     node_name => "Indexer01"
>   }
> }
> #
>
> It works well for the most part.
> I'm not performing any grokking of the
> actual message line as yet to pull out various bits of data into their
> own separate fields, but at least I'm managing to log the access and
> errors from multiple IPA servers.
>
> The @timestamp field ends up with the timestamp from the actual message
> line, so it's only down to second accuracy. This means that multiple
> log lines on the same second lose their ordering when viewed in the
> Logstash/Kibana interface. But the important thing at this point is
> that they're now held centrally.
>
> Is it feasible to alter the timestamp resolution that dirsrv uses? This
> would help separate log lines properly.
>
> Cheers & Merry Festive Holiday thing
>
> Duncan
>
> This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.
>
> This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.
>
> Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
>
> The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).
>
> For further details of Virgin Money group companies please visit our website at virginmoney.com

--
Petr^2 Spacek

From pspacek at redhat.com Mon Jan 5 08:34:48 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 05 Jan 2015 09:34:48 +0100
Subject: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
In-Reply-To: <20141231214019.GB12182@redhat.com>
References: <1419889643.23227.22.camel@desktop.bpk2.com> <54A1CD4E.9020704@redhat.com> <1419898346.23227.33.camel@desktop.bpk2.com> <20141231180616.GA3669@redhat.com> <1420052372.5698.15.camel@desktop.bpk2.com> <20141231213437.GA12182@redhat.com> <20141231214019.GB12182@redhat.com>
Message-ID: <54AA4CA8.6030600@redhat.com>

On 31.12.2014 22:40, Jan Pazdziora wrote:
> On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
>>
>>> endpoints, or their users, should not be trusted to
>>> make updates to DNS zones. TSIG signed updates from servers are still
>>> preferred over authenticated updates from endpoints or users.
>>
>> A server has an identity just like a service, just like a user. You can have
>> an unimportant server and you can have an important (admin) user. Ruling
>> out authentication
>
> ... oops, I seem to have failed to finish this paragraph.
>
> Ruling out authentication of identities means that you give up on
> centrally controlled access policies -- something that FreeIPA is
> good at, besides just storing identities.
>
> In other words, instead of having an increasing number of shared
> secrets around your network, it might be useful to adopt the
> approach where identities can get created without many restrictions,
> and what you allow those identities to do is what matters.

Generally I agree with Jan.
If you insist on using TSIG, you can do that manually by editing named.conf on IPA servers:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG

--
Petr^2 Spacek

From pspacek at redhat.com Mon Jan 5 08:36:52 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 05 Jan 2015 09:36:52 +0100
Subject: [Freeipa-users] Client configuration to point to Replica server once master service failed
In-Reply-To:
References:
Message-ID: <54AA4D24.6050805@redhat.com>

On 1.1.2015 07:25, Prashant Bapat wrote:
> You could use DNS based failover for this.
>
> Configure DNS with a low TTL value like 60 secs. When the primary fails,
> update the dns with the secondary.

This should not be necessary for FreeIPA because we use DNS SRV records and clients are supposed to automatically fail over to the next server if some other server is unreachable.

We could give you better advice if you give us more details, as Jan asked in his reply.

Have a nice day!
Petr^2 Spacek

>
> Services like dynect offer this.
>
> On 1 January 2015 at 11:05, Sanju A wrote:
>
>> Hi All,
>>
>> I have configured Master - Master replication and replication (bi
>> direction) is working fine.
>> Can I get the configuration that has to be added/modified in server/client
>> machine so as to point to the replica server once the master failed. Right
>> now it is not working.

From pspacek at redhat.com Mon Jan 5 08:47:28 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 05 Jan 2015 09:47:28 +0100
Subject: [Freeipa-users] KDC has no support for encryption type
In-Reply-To:
References: <54A1D467.5040800@redhat.com>
Message-ID: <54AA4FA0.1030907@redhat.com>

On 29.12.2014 23:31, Matt . wrote:
> But should an IPA install not add them by default ? Maybe this is some

I'm not sure that I understand what you mean, but DES is disabled on purpose because it is completely insecure nowadays. Maybe you should try to rule it out from your deployment.
According to [1], it was possible to attack a DES key back in 2008. I don't want to even guess how easy it has to be today. DES in Kerberos was formally deprecated by RFC 6649 [2].

Also, -CRC variants are completely insecure by design (because it is malleable).

[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
[2] https://tools.ietf.org/html/rfc6649

Have a nice day!

--
Petr^2 Spacek

From pspacek at redhat.com Mon Jan 5 08:51:11 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 05 Jan 2015 09:51:11 +0100
Subject: [Freeipa-users] Integration with Solaris 10
In-Reply-To: <54A70995.2000109@redhat.com>
References: <54A6E00C.7080502@redhat.com> <54A70995.2000109@redhat.com>
Message-ID: <54AA507F.4080003@redhat.com>

On 2.1.2015 22:11, Dmitri Pal wrote:
> Would you mind creating a wiki page with the solution on the wiki?

Maybe you could check & modify http://www.freeipa.org/page/ConfiguringUnixClients ...

A normal Fedora Account will allow you to edit the page.

--
Petr^2 Spacek

From Duncan.Innes at virginmoney.com Mon Jan 5 11:01:30 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Mon, 5 Jan 2015 11:01:30 -0000
Subject: [Freeipa-users] Logging: IPA to Rsyslog to Logstash
In-Reply-To: <5494EEF9.1060801@redhat.com>
References: <20141216095930.GC27648@localhost.localdomain> <56343345B145C043AE990701E3D193950478E330@EXVS2.nrplc.localnet> <5494EEF9.1060801@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193950478E333@EXVS2.nrplc.localnet>

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> Sent: 20 December 2014 03:37
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Logging: IPA to Rsyslog to Logstash
>
> On 12/19/2014 11:35 AM, Innes, Duncan wrote:
>>
>> Is it feasible to alter the timestamp resolution that dirsrv uses?
>> This would help separate log lines properly.
>
> Please file a 389 RFE.
Done: https://fedorahosted.org/389/ticket/47982

> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

From bentech4you at gmail.com Mon Jan 5 11:20:02 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Mon, 5 Jan 2015 14:20:02 +0300
Subject: [Freeipa-users] Integration with Solaris 10
In-Reply-To: <54AA507F.4080003@redhat.com>
References: <54A6E00C.7080502@redhat.com> <54A70995.2000109@redhat.com> <54AA507F.4080003@redhat.com>
Message-ID:

HI

Sorry, that was a misunderstanding on his side; actually I was struggling to set it up for Solaris.

Regards,
Ben

On Mon, Jan 5, 2015 at 11:51 AM, Petr Spacek wrote:
> On 2.1.2015 22:11, Dmitri Pal wrote:
>> Would you mind creating a wiki page with the solution on the wiki?
>
> Maybe you could check & modify
> http://www.freeipa.org/page/ConfiguringUnixClients ...
>
> A normal Fedora Account will allow you to edit the page.
>
> --
> Petr^2 Spacek

From mkosek at redhat.com Mon Jan 5 11:27:07 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Jan 2015 12:27:07 +0100
Subject: [Freeipa-users] how to configure Linux Cent Os as ipa client manual installation
In-Reply-To: <54A1BF77.9040008@redhat.com>
References: <54A1BF77.9040008@redhat.com>
Message-ID: <54AA750B.8050809@redhat.com>

On 12/29/2014 09:54 PM, Dmitri Pal wrote:
> On 12/20/2014 05:02 AM, Ben .T.George wrote:
>>
>> Hi
>>
>> I was trying to configure CentOS as an IPA client and failed with that.
>>
>> Anyone, please help me to configure CentOS as an IPA client through manual
>> configuration.
>>
>> Regards,
>> Ben
>>
> Sorry for a delayed response.
> What version of CentOS? What version of the server?
> Why manually? On CentOS you can use ipa-client-install and it will do the work
> for you.
> What did you do and what did not work?

You can find some info here:
http://www.freeipa.org/page/Troubleshooting#Client_Installation

If I read correctly, you are trying to do manual configuration. This may be a tricky procedure and is not tested regularly. ipa-client-install is the way to go in most deployments as it helps you avoid the pitfalls you probably hit.

Martin

From mkosek at redhat.com Mon Jan 5 11:33:15 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Jan 2015 12:33:15 +0100
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To:
References:
Message-ID: <54AA767B.7030404@redhat.com>

On 01/02/2015 07:47 PM, Craig White wrote:
> Subject pretty much says it all.
>
> Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
>
> But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
>
> Craig White
> System Administrator
> O 623-201-8179 M 602-377-9752
>
> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032

CCing Pavel to advise.

From the top of my head - did you try clearing the SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly? Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.

Martin

From mkosek at redhat.com Mon Jan 5 11:47:05 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Jan 2015 12:47:05 +0100
Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
In-Reply-To: <14525002.8PxJUuzMte@linux-ws1.messinet.com>
References: <14525002.8PxJUuzMte@linux-ws1.messinet.com>
Message-ID: <54AA79B9.6010002@redhat.com>

On 01/04/2015 12:29 AM, Anthony Messina wrote:
> I was hoping to "migrate" from F20 to F21 using:
> http://www.freeipa.org/page/Howto/Migration
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

The migration procedure is only needed if you run FreeIPA server with PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported since Fedora 18, so I was surprised such a setup worked in Fedora 20.

> Where the new F21 replica would become the new "master" from which I would
> later create other F21 replica(s).
>
> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>
> The first F21 replica installation fails when attempting to set up the CA and
> I'm not sure where to go from here. Any guidance is appreciated. Thanks.

CCing Fraser and Endi from PKI team to advise.

> 2015-01-03T23:09:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-03T23:09:39Z DEBUG Starting external process
> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'
> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from /tmp/tmpZNHZWb.
>
> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 579, in
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 480, in main
>     info = parser.sd_get_info()
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 464, in sd_get_info
>     info = sd.get_security_domain_info()
>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in get_security_domain_info
>     info = SecurityDomainInfo.from_json(response.json())
>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json
>     ret.name = json_value['id']
> KeyError: 'id'
>
> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit status 1
> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 671, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
> RuntimeError: Configuration of CA failed
From Duncan.Innes at virginmoney.com Mon Jan 5 11:49:14 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Mon, 5 Jan 2015 11:49:14 -0000
Subject: [Freeipa-users] Logging: IPA to Rsyslog to Logstash
In-Reply-To: <54AA49C4.6030601@redhat.com>
References: <20141216095930.GC27648@localhost.localdomain> <56343345B145C043AE990701E3D193950478E330@EXVS2.nrplc.localnet> <54AA49C4.6030601@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193950478E334@EXVS2.nrplc.localnet>

Sure - efforts so far at:

http://www.freeipa.org/page/Centralised_Logging_with_Logstash/ElasticSearch/Kibana

Hope it helps.

Cheers
Duncan

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: 05 January 2015 08:22
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Logging: IPA to Rsyslog to Logstash
>
> Hello Duncan,
>
> thank you for doing this!
>
> Could you transform this post to
> http://www.freeipa.org/page/HowTos#Working_with_FreeIPA article, please? I think that other people could use that too.
>
> Thank you very much.
> Petr^2 Spacek

From mkosek at redhat.com Mon Jan 5 11:58:14 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Jan 2015 12:58:14 +0100
Subject: [Freeipa-users] Logging: IPA to Rsyslog to Logstash
In-Reply-To: <56343345B145C043AE990701E3D193950478E334@EXVS2.nrplc.localnet>
References: <20141216095930.GC27648@localhost.localdomain> <56343345B145C043AE990701E3D193950478E330@EXVS2.nrplc.localnet> <54AA49C4.6030601@redhat.com> <56343345B145C043AE990701E3D193950478E334@EXVS2.nrplc.localnet>
Message-ID: <54AA7C56.8070703@redhat.com>

Thanks, I just changed it to follow Mediawiki syntax and renamed it to
http://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana
to keep the current Howto structure. Please feel encouraged to fill in any more details as you go with your adventures that the community may profit from!

Thanks,
Martin

On 01/05/2015 12:49 PM, Innes, Duncan wrote:
> Sure - efforts so far at:
>
> http://www.freeipa.org/page/Centralised_Logging_with_Logstash/ElasticSearch/Kibana
>
> Hope it helps.
>
> Cheers
> Duncan
>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>> Sent: 05 January 2015 08:22
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Logging: IPA to Rsyslog to Logstash
>>
>> Hello Duncan,
>>
>> thank you for doing this!
>>
>> Could you transform this post to
>> http://www.freeipa.org/page/HowTos#Working_with_FreeIPA article, please? I think that other people could use that too.
>>
>> Thank you very much.
>> Petr^2 Spacek

From amessina at messinet.com Mon Jan 5 13:05:41 2015
From: amessina at messinet.com (Anthony Messina)
Date: Mon, 05 Jan 2015 07:05:41 -0600
Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
In-Reply-To: <54AA79B9.6010002@redhat.com>
References: <14525002.8PxJUuzMte@linux-ws1.messinet.com> <54AA79B9.6010002@redhat.com>
Message-ID: <20150105070541.Horde.WA1gl3S_Oarnft29Zh3WLQ5@messinet.com>

Quoting Martin Kosek :

> On 01/04/2015 12:29 AM, Anthony Messina wrote:
>> I was hoping to "migrate" from F20 to F21 using:
>> http://www.freeipa.org/page/Howto/Migration
>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> The migration procedure is only needed if you run FreeIPA server with PKI based
> on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI instance
> functional?
> FreeIPA+Dogtag 9 is not supported since Fedora 18, so I was
> surprised such a setup worked in Fedora 20.

I don't use Dogtag 9. I installed FreeIPA freshly on an F19 VM, then yum upgraded to F20. With the significant changes for Fedora.next, systemd-216, and FreeIPA 4, I wanted to create a new "master" (and retire the old) by replicating the current F20 3.3.5 master to what would become an F21 4.1.2 master.

While I use the yum upgrade procedure often with great success on a number of my other servers, it can be tricky and sometimes unreliable, leaving around cruft that can interfere with proper operation. I'm one of those folks that's waiting patiently for the FreeIPA-to-FreeIPA migration ;)

Is the proper, recommended procedure to yum upgrade the F20 FreeIPA 3.3.5 VM instance to F21 FreeIPA 4.1.2? Even so, it seems like I should be able to create a 4.1.2 replica of a 3.3.5 master.

>> Where the new F21 replica would become the new "master" from which I would
>> later create other F21 replica(s).
>>
>> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>
>> The first F21 replica installation fails when attempting to set up the CA and
>> I'm not sure where to go from here. Any guidance is appreciated. Thanks.
>
> CCing Fraser and Endi from PKI team to advise.
>
>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2015-01-03T23:09:39Z DEBUG Starting external process
>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'
>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from /tmp/tmpZNHZWb.
>>
>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>>   File "/usr/sbin/pkispawn", line 579, in
>>     main(sys.argv)
>>   File "/usr/sbin/pkispawn", line 480, in main
>>     info = parser.sd_get_info()
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 464, in sd_get_info
>>     info = sd.get_security_domain_info()
>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in get_security_domain_info
>>     info = SecurityDomainInfo.from_json(response.json())
>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json
>>     ret.name = json_value['id']
>> KeyError: 'id'
>>
>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit status 1
>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 671, in __spawn_instance
>>     raise RuntimeError('Configuration of CA failed')
>> RuntimeError: Configuration of CA failed

--
Anthony - https://messinet.com - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
From mkosek at redhat.com Mon Jan 5 13:53:04 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Jan 2015 14:53:04 +0100
Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
In-Reply-To: <20150105070541.Horde.WA1gl3S_Oarnft29Zh3WLQ5@messinet.com>
References: <14525002.8PxJUuzMte@linux-ws1.messinet.com> <54AA79B9.6010002@redhat.com> <20150105070541.Horde.WA1gl3S_Oarnft29Zh3WLQ5@messinet.com>
Message-ID: <54AA9740.6070002@redhat.com>

On 01/05/2015 02:05 PM, Anthony Messina wrote:
>
> Quoting Martin Kosek :
>
>> On 01/04/2015 12:29 AM, Anthony Messina wrote:
>>> I was hoping to "migrate" from F20 to F21 using:
>>> http://www.freeipa.org/page/Howto/Migration
>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>
>> The migration procedure is only needed if you run FreeIPA server with PKI based
>> on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI instance
>> functional? FreeIPA+Dogtag 9 is not supported since Fedora 18, so I was
>> surprised such a setup worked in Fedora 20.
>
> I don't use Dogtag 9. I installed FreeIPA freshly on an F19 VM, then yum
> upgraded to F20. With the significant changes for Fedora.next, systemd-216,
> and FreeIPA 4, I wanted to create a new "master" (and retire the old) by
> replicating the current F20 3.3.5 master to what would become an F21 4.1.2 master.

Ah, makes more sense then. The PKI error below gets more serious then - Fraser and Endi, please help Anthony.

> While I use the yum upgrade procedure often with great success on a number of
> my other servers, it can be tricky and sometimes unreliable, leaving around
> cruft that can interfere with proper operation.
> I'm one of those folks that's waiting patiently for the FreeIPA-to-FreeIPA migration ;)

I am just afraid everyone is just waiting and no one is willing to invest in this feature and code ;-) IIRC, the difficulty in implementing the migration tool is mostly in handling Kerberos and certificate data, which are based on data secret and unique to the original server.

> Is the proper, recommended procedure to yum upgrade the F20 FreeIPA 3.3.5 VM instance to F21 FreeIPA 4.1.2?

It should work, yes.

> Even so, it seems like I should be able to create a 4.1.2 replica of a 3.3.5 master.

Indeed. This looks like a bug :-(

>>> Where the new F21 replica would become the new "master" from which I would later create other F21 replica(s).
>>>
>>> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
>>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>>
>>> The first F21 replica installation fails when attempting to setup the CA and I'm not sure where to go from here. Any guidance is appreciated. Thanks.
>>
>> CCing Fraser and Endi from PKI team to advise.
>>
>>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2015-01-03T23:09:39Z DEBUG Starting external process
>>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'
>>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
>>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from /tmp/tmpZNHZWb.
>>> >>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last): >>> File "/usr/sbin/pkispawn", line 579, in >>> main(sys.argv) >>> File "/usr/sbin/pkispawn", line 480, in main >>> info = parser.sd_get_info() >>> File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", >>> line 464, in sd_get_info >>> info = sd.get_security_domain_info() >>> File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in >>> get_security_domain_info >>> info = SecurityDomainInfo.from_json(response.json()) >>> File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json >>> ret.name = json_value['id'] >>> KeyError: 'id' >>> >>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command >>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit >>> status 1 >>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last): >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >>> 382, in start_creation >>> run_step(full_msg, method) >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >>> 372, in run_step >>> method() >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>> line 671, in __spawn_instance >>> raise RuntimeError('Configuration of CA failed') >>> RuntimeError: Configuration of CA failed >>> >>> >>> > > From janellenicole80 at gmail.com Mon Jan 5 14:24:15 2015 From: janellenicole80 at gmail.com (Janelle) Date: Mon, 05 Jan 2015 06:24:15 -0800 Subject: [Freeipa-users] how to configure Linux Cent Os as ipa client manual installation In-Reply-To: <54AA750B.8050809@redhat.com> References: <54A1BF77.9040008@redhat.com> <54AA750B.8050809@redhat.com> Message-ID: <54AA9E8F.6040900@gmail.com> Hi everyone, Happy New Year. Was following this thread and wondering about those of us with a couple of 2000-3000 servers to run ipa-client-install on? Any suggestions? 
Was looking around for even the basics of puppet or chef configs, but nothing exists.

Any suggestions? One of the concerns I have is, even with puppet/chef, you need credentials during the install to "add" the client on the server. Security?

~J

On 1/5/15 3:27 AM, Martin Kosek wrote:
> On 12/29/2014 09:54 PM, Dmitri Pal wrote:
>> On 12/20/2014 05:02 AM, Ben .T.George wrote:
>>> Hi
>>>
>>> I was trying to configure centos as ipa client and got failed with that.
>>>
>>> anyone please help me to configure centos as ipa client through manual configuration.
>>>
>>> Regards,
>>> Ben
>>>
>> Sorry for a delayed response.
>> What version of CentOS? What version of the server?
>> Why manually? On CentOS you can use ipa-client-install and it will do the work for you.
>> What did you do and what did not work?
> You can find some info here:
> http://www.freeipa.org/page/Troubleshooting#Client_Installation
>
> If I read correctly, you are trying to do manual configuration. This may be a tricky procedure and is not tested regularly. ipa-client-install is the way to go in most deployments as it helps you avoid the pitfalls you probably hit.
>
> Martin

From rcritten at redhat.com Mon Jan 5 14:59:43 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 05 Jan 2015 09:59:43 -0500
Subject: [Freeipa-users] Integration with Solaris 10
In-Reply-To:
References: <54A6E00C.7080502@redhat.com> <54A70995.2000109@redhat.com> <54AA507F.4080003@redhat.com>
Message-ID: <54AAA6DF.8010204@redhat.com>

Ben .T.George wrote:
> HI
>
> sorry that was a misunderstanding that happened from his side, actually i was struggling to set it up for solaris

We simply lack the expertise to help much further beyond the documentation you've already seen. Another IPA user contributed a significant amount of information that was not, and likely will be, integrated into our existing documentation.
You can find that information here:
https://bugzilla.redhat.com/show_bug.cgi?id=815533
https://bugzilla.redhat.com/show_bug.cgi?id=815515

I've followed these extended steps and have gotten Solaris 9 and 10 x86 clients set up in the recent past. I seem to recall having gotten it working on Sparc too but saw segfaults trying to get krb5 working, and lacking a support contract couldn't get the latest jumbo patches.

I did not tweak any services at all, but I used it in a rather artificial way. I just installed a basic OS in a VM, logged in, fixed nsswitch.conf.ldap, ran ldapclient init and was most of the way there.

From the perspective of a Solaris client IPA is just a compliant LDAP and MIT Kerberos server. It provides an RFC 2307-compatible schema for groups via cn=compat, which you likely already have configured if you used our DUAProfile. So other, generic Solaris guides may also be useful.

rob

> regards,
> ben
>
> On Mon, Jan 5, 2015 at 11:51 AM, Petr Spacek wrote:
>
> On 2.1.2015 22:11, Dmitri Pal wrote:
> > Would you mind creating a wiki page with the solution on the wiki?
> Maybe you could check & modify http://www.freeipa.org/page/ConfiguringUnixClients ...
>
> Normal Fedora Account will allow you to edit the page.
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

From mkosek at redhat.com Mon Jan 5 15:15:59 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Jan 2015 16:15:59 +0100
Subject: [Freeipa-users] how to configure Linux Cent Os as ipa client manual installation
In-Reply-To: <54AA9E8F.6040900@gmail.com>
References: <54A1BF77.9040008@redhat.com> <54AA750B.8050809@redhat.com> <54AA9E8F.6040900@gmail.com>
Message-ID: <54AAAAAF.5060509@redhat.com>

On 01/05/2015 03:24 PM, Janelle wrote:
> Hi everyone, Happy New Year.
> Was following this thread and wondering about those of us with a couple of 2000-3000 servers to run ipa-client-install on? Any suggestions? Was looking around for even the basics of puppet or chef configs, but nothing exists.
>
> Any suggestions? One of the concerns I have is, even with puppet/chef, you need credentials during the install to "add" the client on the server. Security?

Right, it is not a very good idea to bake an admin password in the Puppet scripts. A couple of options you can follow:

- Install clients using a pre-created one-time password or host keytab (you need to create the client host entry first)
- If you still want to use the privileged account to enroll the client, you can also pass its password to ipa-client-install stdin, when it is running in unattended mode. This way you will avoid having it baked in your configs directly:

# cat /root/enrollman_password | ipa-client-install --unattended --principal enrollman

HTH.

> ~J
>
> On 1/5/15 3:27 AM, Martin Kosek wrote:
>> On 12/29/2014 09:54 PM, Dmitri Pal wrote:
>>> On 12/20/2014 05:02 AM, Ben .T.George wrote:
>>>> Hi
>>>>
>>>> I was trying to configure centos as ipa client and got failed with that.
>>>>
>>>> anyone please help me to configure centos as ipa client through manual configuration.
>>>>
>>>> Regards,
>>>> Ben
>>>>
>>> Sorry for a delayed response.
>>> What version of CentOS? What version of the server?
>>> Why manually? On CentOS you can use ipa-client-install and it will do the work for you.
>>> What did you do and what did not work?
>> You can find some info here:
>> http://www.freeipa.org/page/Troubleshooting#Client_Installation
>>
>> If I read correctly, you are trying to do manual configuration. This may be a tricky procedure and is not tested regularly. ipa-client-install is the way to go in most deployments as it helps you avoid the pitfalls you probably hit.
>> >> Martin >> > From rmeggins at redhat.com Mon Jan 5 15:20:01 2015 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 05 Jan 2015 08:20:01 -0700 Subject: [Freeipa-users] dirsrv password incorrect on replicas? In-Reply-To: <54945975.6070108@gmail.com> References: <549305A1.6050806@gmail.com> <54931CE4.60602@redhat.com> <54932424.8020001@gmail.com> <5493281C.5030903@redhat.com> <5493DE5F.8060603@redhat.com> <54945975.6070108@gmail.com> Message-ID: <54AAABA1.8030305@redhat.com> On 12/19/2014 09:59 AM, Janelle wrote: > I am the only one who has access to these systems, so unless I did it > in my sleep.. :-) Ok. Please file a ticket and provide steps to reproduce the issue. > > ~J > > On 12/19/14 12:14 AM, Ludwig Krispenz wrote: >> >> On 12/18/2014 08:16 PM, Rich Megginson wrote: >>> On 12/18/2014 11:59 AM, Janelle wrote: >>>> I am looking at the 2 entries in dse.ldif - and indeed they are >>>> different. If I replace the one in question with the one from the >>>> working system, it works again. >>> >>> I'm assuming by "entry" you are referring to nsslapd-rootpw in >>> cn=config. >>> >>>> >>>> I did find - replica was created on Dec 11 at noon -- and the >>>> dse.ldif file CHANGED a day later?!? >>> >>> The dse.ldif file changes all the time - unique id generator state, >>> csn generator state, replication state, etc. etc. >>> >>> BUT - nsslapd-rootpw SHOULD NOT CHANGE >> no, except someone follows the steps to change it. >> Janelle, could it be that someone else was working on that server, >> not knowing the root pw and changing it in dse.ldif ? 
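The first of Martin's two options in the ipa-client thread above (pre-create the host entry, enroll with a one-time password) scripted end to end, as an added example that is not code from the thread or from FreeIPA. It assumes the `ipa` CLI and a Kerberos ticket for an account allowed to add hosts, and that `ipa host-add --random` prints the OTP on a line labelled `Random password:` (assumed output format); the host names and domain are placeholders, and the sample output embedded in the script is constructed, not captured.

```python
#!/usr/bin/env python3
"""Bulk host provisioning with one-time passwords (added example).

Not code from this thread or from FreeIPA. For each client it creates the IPA
host entry with a random OTP and writes a kickstart %post fragment that enrolls
the client with that OTP and nothing else, so no admin credential is baked into
Puppet/Chef or the kickstart tree. Assumptions: the `ipa` CLI is installed, a
Kerberos ticket for an account allowed to add hosts is present, and
`ipa host-add --random` prints the OTP on a line labelled "Random password:"
(assumed output format).
"""
import re
import shlex
import subprocess
from typing import Dict, List

# Constructed sample of `ipa host-add --random` output (not from a real server).
SAMPLE_HOST_ADD_OUTPUT = """\
Added host "client01.example.com"
---------------------------------
  Host name: client01.example.com
  Random password: 3AtDtiT,rd-cruU1h5N7
  Principal name: host/client01.example.com@EXAMPLE.COM
  Password: True
  Keytab: False
"""

# The OTP line as assumed above; \S+ also rejects anything containing whitespace.
OTP_RE = re.compile(r"^\s*Random password:\s*(\S+)\s*$", re.MULTILINE)


def extract_otp(host_add_output: str) -> str:
    """Return the OTP from `ipa host-add --random` output; fail loudly if absent."""
    match = OTP_RE.search(host_add_output)
    if match is None:
        raise RuntimeError("no 'Random password:' line in ipa host-add output")
    return match.group(1)


def kickstart_snippet(fqdn: str, domain: str, otp: str) -> str:
    """Kickstart %post fragment enrolling the host with its single-use OTP.

    The OTP is consumed on the first successful ipa-client-install, so the
    fragment carries no long-lived secret. shlex.quote keeps every value safe
    for the shell that runs %post.
    """
    return (
        "%post --log=/root/ipa-enroll.log\n"
        f"ipa-client-install --unattended --hostname={shlex.quote(fqdn)} "
        f"--domain={shlex.quote(domain)} --password={shlex.quote(otp)} --mkhomedir\n"
        "%end\n"
    )


def provision(fqdn: str, domain: str) -> str:
    """Create the host entry with a random OTP and return its kickstart fragment.

    --force skips the DNS A-record check so hosts can be pre-created before
    they exist in DNS.
    """
    out = subprocess.run(
        ["ipa", "host-add", fqdn, "--random", "--force"],
        check=True, capture_output=True, text=True,
    ).stdout
    return kickstart_snippet(fqdn, domain, extract_otp(out))


def provision_many(fqdns: List[str], domain: str) -> Dict[str, str]:
    """fqdn -> kickstart fragment; every host gets its own OTP, never a shared one."""
    return {fqdn: provision(fqdn, domain) for fqdn in fqdns}


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        # Offline demo on the constructed sample.
        print(kickstart_snippet("client01.example.com", "example.com",
                                extract_otp(SAMPLE_HOST_ADD_OUTPUT)))
    else:
        # usage: provision_hosts.py example.com client01.example.com client02.example.com
        for fqdn, snippet in provision_many(sys.argv[2:], sys.argv[1]).items():
            with open(f"{fqdn}.ks.inc", "w") as fh:
                fh.write(snippet)
```

Run it as a dedicated enrollment account rather than admin (FreeIPA ships a Host Enrollment privilege for exactly this), so the credential that creates 3000 host entries cannot do anything else. Each fragment carries one OTP that is consumed when ipa-client-install succeeds; until then anyone who can read it can enroll a machine under that host name, so serve per-host fragments to the installing host over TLS and delete them after enrollment.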
> From rcritten at redhat.com Mon Jan 5 15:26:35 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 Jan 2015 10:26:35 -0500 Subject: [Freeipa-users] how to configure Linux Cent Os as ipa client manual installation In-Reply-To: <54AA9E8F.6040900@gmail.com> References: <54A1BF77.9040008@redhat.com> <54AA750B.8050809@redhat.com> <54AA9E8F.6040900@gmail.com> Message-ID: <54AAAD2B.4050908@redhat.com> Janelle wrote: > Hi everyone, Happy New Year. > > Was following this thread and wondering about those of us with a couple > of 2000-3000 servers to run ipa-client-install on? Any suggestions? Was > looking around for even the basics of puppet or chef configs, but > nothing exists. > > Any suggestions? One of the concerns I have is, even with puppet/chef, > you need credentials during the install to "add" the client on the > server. Security? If you want puppet I'd start with https://github.com/purpleidea/puppet-ipa As for enrolling a slew of systems, it depends on whether they are new or to-be-deployed. You can generate an OTP for the clients to avoid having to pass around admin-level credentials, for example. You can do this for existing or new, but it can be easier on new systems as the OTP can be passed in during kickstart. rob > > ~J > > > On 1/5/15 3:27 AM, Martin Kosek wrote: >> On 12/29/2014 09:54 PM, Dmitri Pal wrote: >>> On 12/20/2014 05:02 AM, Ben .T.George wrote: >>>> Hi >>>> >>>> I was trying to configure centos as ipa client and got failed with >>>> that,. >>>> >>>> anyone please help me to configure centos as ipa client through manual >>>> configuration. >>>> >>>> Regards, >>>> Ben >>>> >>>> >>> Sorry for a delayed response. >>> What version of CentOS? What version of the server? >>> Why manually? On CentOS you can use ipa-client-install and it will do >>> the work >>> for you. >>> What did you do and what did not work? 
>> You can find some info here: >> http://www.freeipa.org/page/Troubleshooting#Client_Installation >> >> If I read correctly, you are trying to do manual configuration. This >> may be a >> tricky procedure and is not tested regularly. ipa-client-install is >> the way to >> go in most deployments as it helps you avoid the pitfalls you probably >> hit. >> >> Martin >> > From edewata at redhat.com Mon Jan 5 15:40:08 2015 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 Jan 2015 22:40:08 +0700 Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master In-Reply-To: <54AA9740.6070002@redhat.com> References: <14525002.8PxJUuzMte@linux-ws1.messinet.com> <54AA79B9.6010002@redhat.com> <20150105070541.Horde.WA1gl3S_Oarnft29Zh3WLQ5@messinet.com> <54AA9740.6070002@redhat.com> Message-ID: <54AAB058.5070402@redhat.com> On 1/5/2015 8:53 PM, Martin Kosek wrote: > On 01/05/2015 02:05 PM, Anthony Messina wrote: >>>> I was hoping to "migrate" from F20 to F21 using: >>>> http://www.freeipa.org/page/Howto/Migration >>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master >>> >>> The migration procedure is only needed if you run FreeIPA server with PKI based >>> on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI instance >>> functional? FreeIPA+Dogtag 9 is not supported since Fedora 18, so I was >>> surprised such setup worked in Fedora 20. >> >> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum >> upgraded to F20. With the significant changes for Fedora.next, systemd-216, >> and FreeIPA 4, I wanted to create a new "master" (amd retire the old) by >> replicating the current F20 3.3.5 master to what would become an F21 4.1.2 master. > > Ah, makes more sense then. The PKI error below gets more serious then - Fraser > and Endi, please help Anthony. I'm discussing this with Ade (CC'd). 
Based on the stack trace it looks like the replica thinks the master returns an incomplete information about the security domain, probably due to the different Dogtag versions used in master and replica. We need some additional info: 1. What is the pki-ca version on the master (F20)? 2. What is the pki-ca version on the replica (F21)? 3. What is the output of this URL on the master? https://:8443/ca/rest/securityDomain/domainInfo Thanks. -- Endi S. Dewata From amessina at messinet.com Mon Jan 5 15:49:53 2015 From: amessina at messinet.com (Anthony Messina) Date: Mon, 05 Jan 2015 09:49:53 -0600 Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master In-Reply-To: <54AA9740.6070002@redhat.com> References: <14525002.8PxJUuzMte@linux-ws1.messinet.com> <54AA79B9.6010002@redhat.com> <20150105070541.Horde.WA1gl3S_Oarnft29Zh3WLQ5@messinet.com> <54AA9740.6070002@redhat.com> Message-ID: <20150105094953.Horde.fod_sVpSMbU7sUecy2Nr4w2@messinet.com> Quoting Martin Kosek : > On 01/05/2015 02:05 PM, Anthony Messina wrote: >> >> Quoting Martin Kosek : >> >>> On 01/04/2015 12:29 AM, Anthony Messina wrote: >>>> I was hoping to "migrate" from F20 to F21 using: >>>> http://www.freeipa.org/page/Howto/Migration >>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master >>> >>> The migration procedure is only needed if you run FreeIPA server >>> with PKI based >>> on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 >>> FreeIPA&PKI instance >>> functional? FreeIPA+Dogtag 9 is not supported since Fedora 18, so I was >>> surprised such setup worked in Fedora 20. >> >> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum >> upgraded to F20. With the significant changes for Fedora.next, systemd-216, >> and FreeIPA 4, I wanted to create a new "master" (amd retire the old) by >> replicating the current F20 3.3.5 master to what would become an >> F21 4.1.2 master. > > Ah, makes more sense then. 
> The PKI error below gets more serious then - Fraser and Endi, please help Anthony.
>
>> While I use the yum upgrade procedure often with great success on a number of my other servers, it can be tricky and sometimes unreliable, leaving around cruft that can interfere with proper operation. I'm one of those folks that's waiting patiently for the FreeIPA-to-FreeIPA migration ;)
>
> I am just afraid everyone is just waiting and no one is willing to invest in this feature and code ;-) IIRC, the difficulty in implementing the migration tool is mostly in handling Kerberos and certificate data, which are based on data secret and unique to the original server.

You may be right here about everyone waiting. Unfortunately for this case, I am not a programmer, but a mere sysadmin. However, I can do code/design digging to look at the situation from outside the box to see what I might be able to find.

>> Is the proper, recommended procedure to yum upgrade the F20 FreeIPA 3.3.5 VM instance to F21 FreeIPA 4.1.2?
>
> It should work, yes.
>
>> Even so, it seems like I should be able to create a 4.1.2 replica of a 3.3.5 master.
>
> Indeed. This looks like a bug :-(
>
>>>> Where the new F21 replica would become the new "master" from which I would later create other F21 replica(s).
>>>>
>>>> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
>>>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>>>
>>>> The first F21 replica installation fails when attempting to setup the CA and I'm not sure where to go from here. Any guidance is appreciated. Thanks.
>>>
>>> CCing Fraser and Endi from PKI team to advise.
>>> >>>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to >>>> '/var/lib/ipa/sysrestore/sysrestore.state' >>>> 2015-01-03T23:09:39Z DEBUG Starting external process >>>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' >>>> '/tmp/tmpZNHZWb' >>>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1 >>>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from >>>> /tmp/tmpZNHZWb. >>>> >>>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last): >>>> File "/usr/sbin/pkispawn", line 579, in >>>> main(sys.argv) >>>> File "/usr/sbin/pkispawn", line 480, in main >>>> info = parser.sd_get_info() >>>> File >>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", >>>> line 464, in sd_get_info >>>> info = sd.get_security_domain_info() >>>> File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in >>>> get_security_domain_info >>>> info = SecurityDomainInfo.from_json(response.json()) >>>> File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, >>>> in from_json >>>> ret.name = json_value['id'] >>>> KeyError: 'id' >>>> >>>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command >>>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned >>>> non-zero exit >>>> status 1 >>>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last): >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line >>>> 382, in start_creation >>>> run_step(full_msg, method) >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line >>>> 372, in run_step >>>> method() >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 671, in __spawn_instance >>>> raise RuntimeError('Configuration of CA failed') >>>> RuntimeError: Configuration of CA failed >>>> >>>> >>>> >> >> -- Anthony - https://messinet.com - https://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E 
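The check Endi asks for above (what the master actually returns at the securityDomain/domainInfo URL) as a pre-flight script to run on the replica before ipa-replica-install, added here and not part of FreeIPA or Dogtag. It assumes the replica trusts the IPA CA via /etc/ipa/ca.crt (the standard client path) and can reach the master on port 8443. The "wrapped" response shape it reports on is an assumption about how a different Dogtag version might serialize the object; it is there only so master/replica version skew shows up as a message rather than the bare KeyError in the traceback. The sample bodies in the script are constructed.

```python
#!/usr/bin/env python3
"""Pre-flight check of the CA security-domain endpoint (added example).

Not FreeIPA or Dogtag code. The traceback in this thread shows pkispawn on the
replica doing json_value['id'] on the body of
https://<master>:8443/ca/rest/securityDomain/domainInfo, so a body without a
top-level "id" is exactly what produced the KeyError. This fetches that URL the
way a replica would, trusting only the IPA CA, and turns a wrong response shape
into a readable diagnosis. The "wrapped" form it recognises is an assumption
about how another Dogtag version might serialize the object, included only so
master/replica version skew shows up as a message.
"""
import json
import ssl
import urllib.request
from typing import Any, Dict

# Constructed sample bodies (not captured from a real server).
SAMPLE_OK = '{"id": "EXAMPLE-IPA-DOMAIN", "Subsystem": []}'
SAMPLE_WRAPPED = '{"DomainInfo": {"id": "EXAMPLE-IPA-DOMAIN"}}'


def parse_domain_info(body: str) -> Dict[str, Any]:
    """Return {"name": <security domain name>, "raw": <parsed JSON>}.

    Raises ValueError describing what is wrong with any other body.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"security domain response is not JSON: {exc}") from exc
    if isinstance(doc, dict) and "id" in doc:
        return {"name": doc["id"], "raw": doc}
    # Assumed alternate serialization: the whole object nested under one key.
    if isinstance(doc, dict) and len(doc) == 1:
        outer = next(iter(doc))
        inner = doc[outer]
        if isinstance(inner, dict) and "id" in inner:
            raise ValueError(
                f"domain info is wrapped under {outer!r}; the replica's pki client "
                "expects 'id' at top level (master/replica Dogtag version skew?)"
            )
    keys = sorted(doc) if isinstance(doc, dict) else type(doc).__name__
    raise ValueError(f"no 'id' in security domain response; got: {keys}")


def fetch_domain_info(master: str, ca_bundle: str = "/etc/ipa/ca.crt",
                      timeout: float = 10.0) -> Dict[str, Any]:
    """GET the endpoint with a JSON Accept header, verifying against the IPA CA."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    url = f"https://{master}:8443/ca/rest/securityDomain/domainInfo"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_domain_info(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # usage: check_security_domain.py ipa-master.example.com
        info = fetch_domain_info(sys.argv[1])
        print("security domain:", info["name"])
    else:
        # Offline demo on the constructed samples.
        print("ok:", parse_domain_info(SAMPLE_OK)["name"])
        try:
            parse_domain_info(SAMPLE_WRAPPED)
        except ValueError as exc:
            print("diagnosis:", exc)
```

Pair its output with `rpm -q pki-ca` on both machines (the other two things Endi asks for); if the master answers with a shape the replica's pki client does not expect, the versions, not the replica's configuration, are the first thing to reconcile.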
From dpal at redhat.com Mon Jan 5 15:51:57 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 05 Jan 2015 10:51:57 -0500
Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients
In-Reply-To:
References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> <54A9B1E2.30802@redhat.com>
Message-ID: <54AAB31D.1010709@redhat.com>

On 01/04/2015 10:30 PM, Ben .T.George wrote:
> HI
>
> yes you are right. Linux clients working and IPA is in trust relationship with AD.
>
> currently i am using 3.3.3 i guess i didn't try the ipa-advise tool yet. I am not aware about this tool. can you please give right directions regarding this tool, so that i can try on it.
>
> regarding manuals and tutorials:
>
> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10
> http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

I think this should help:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
It mentions the tool too.

> Regards,Ben
>
> On Mon, Jan 5, 2015 at 12:34 AM, Dmitri Pal wrote:
>
> On 01/04/2015 01:19 PM, Ben .T.George wrote:
>>
>> HI
>>
>> Thanks for the reply.
>>
>> i was trying to achieve just LDAP authentication only. If possible Role based access and Host based access. but most priority is to authenticate solaris against Active Directory/IPA
>>
>> The tutorials/Guides are not clear actually as i tried many times. My IPA server is working fine.
bcoz i tested by adding >> linux(centos) as IPA client by using client ass ipa commands. > > OK, so let me make sure I get you right: you have IPA and it is in > trust relations with AD, right? You tested it from Linux clients > and it works but not with Solaris client, right? Which version of > IPA are you using? Have you looked at ipa-advise tool? > Which manuals and tutorials you tried? > > >> >> Regards, >> Ben >> >> On Sun, Jan 4, 2015 at 7:11 PM, Dmitri Pal > > wrote: >> >> On 01/04/2015 02:10 AM, Ben .T.George wrote: >>> HI >>> >>> This is i am struggling to get this working on Solaris x86 >>> client. as i did many things based on many tutorials. \i am >>> wondering why people who achieved this already not sharing >>> this information about configuring Solaris as IPA client . >> >> Solaris can be configured to be a client of IPA so it seems >> that there is some misalignment of the expectations. >> What is your goal? What kind of integration for Solaris >> client you want to achieve? Just LDAP authentication would >> work following the instructions. >> I suspect that something that you are trying to accomplish is >> either done differently or have not been a priority for >> others and thus have not been explored. >> >> >>> >>> Regards, >>> Ben >>> >>> On Mon, Dec 29, 2014 at 11:59 PM, Dmitri Pal >>> > wrote: >>> >>> On 12/21/2014 07:50 PM, Fraser Tweedale wrote: >>> >>> On Sun, Dec 21, 2014 at 09:03:17AM +0300, Ben >>> .T.George wrote: >>> >>> Hi List >>> >>> how can i configure solaris 10 sparc and x86 as >>> ipa clients. >>> >>> Regards, >>> Ben >>> >>> Hi Ben, >>> >>> Please follow the Solaris 8/9/10 instructions on the >>> wiki: >>> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10 >>> >>> Let us know if run into difficulties or if there are >>> error or >>> omissions in the instructions. 
>>> >>> >>> Also see https://fedorahosted.org/freeipa/ticket/4633 >>> >>> >>> Cheers, >>> >>> Fraser >>> >>> -- >>> Manage your subscription for the Freeipa-users >>> mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go To http://freeipa.org for more info on the >>> project >>> >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IdM portfolio >>> Red Hat, Inc. >>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go To http://freeipa.org for more info on the project >>> >>> >>> >>> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> >> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon Jan 5 15:54:05 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 05 Jan 2015 10:54:05 -0500 Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients In-Reply-To: <54AAB31D.1010709@redhat.com> References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> <54A9B1E2.30802@redhat.com> <54AAB31D.1010709@redhat.com> Message-ID: <54AAB39D.9060208@redhat.com> On 01/05/2015 10:51 AM, Dmitri Pal wrote: > On 01/04/2015 10:30 PM, Ben .T.George wrote: >> HI >> >> yes you are right. Linux clients working and IPA is in trust >> relationship with AD. >> >> currently i am using 3.3.3 i guess i didn't tryed ipa-advice tool >> yet. I am not aware about this tool. can you please give right >> directions regarding this tool, so that i can try on it. 
>> >> regarding manuals and tutorials: >> >> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10 >> http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html >> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html > > I think this should help: > http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf > It mentions the tool too. You need to point your Solaris clients to compat tree. > >> >> Regards,Ben >> >> >> On Mon, Jan 5, 2015 at 12:34 AM, Dmitri Pal > > wrote: >> >> On 01/04/2015 01:19 PM, Ben .T.George wrote: >>> >>> HI >>> >>> Thanks for the replay. >>> >>> i was trying to achieve just LDAP authentication only. If >>> possible Role based access and Host based access. but most >>> priority is to authenticate solaris against Active Directory/IPA >>> >>> The tutorials/Guides are not clear actually as i tried many >>> times. My IPA server is working fine. bcoz i tested by adding >>> linux(centos) as IPA client by using client ass ipa commands. >> >> OK, so let me make sure I get you right: you have IPA and it is >> in trust relations with AD, right? You tested it from Linux >> clients and it works but not with Solaris client, right? Which >> version of IPA are you using? Have you looked at ipa-advise tool? >> Which manuals and tutorials you tried? >> >> >>> >>> Regards, >>> Ben >>> >>> On Sun, Jan 4, 2015 at 7:11 PM, Dmitri Pal >> > wrote: >>> >>> On 01/04/2015 02:10 AM, Ben .T.George wrote: >>>> HI >>>> >>>> This is i am struggling to get this working on Solaris x86 >>>> client. as i did many things based on many tutorials. \i am >>>> wondering why people who achieved this already not sharing >>>> this information about configuring Solaris as IPA client . 
>>> >>> Solaris can be configured to be a client of IPA so it seems >>> that there is some misalignment of the expectations. >>> What is your goal? What kind of integration for Solaris >>> client you want to achieve? Just LDAP authentication would >>> work following the instructions. >>> I suspect that something that you are trying to accomplish >>> is either done differently or have not been a priority for >>> others and thus have not been explored. >>> >>> >>>> >>>> Regards, >>>> Ben >>>> >>>> On Mon, Dec 29, 2014 at 11:59 PM, Dmitri Pal >>>> > wrote: >>>> >>>> On 12/21/2014 07:50 PM, Fraser Tweedale wrote: >>>> >>>> On Sun, Dec 21, 2014 at 09:03:17AM +0300, Ben >>>> .T.George wrote: >>>> >>>> Hi List >>>> >>>> how can i configure solaris 10 sparc and x86 as >>>> ipa clients. >>>> >>>> Regards, >>>> Ben >>>> >>>> Hi Ben, >>>> >>>> Please follow the Solaris 8/9/10 instructions on >>>> the wiki: >>>> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10 >>>> >>>> Let us know if run into difficulties or if there >>>> are error or >>>> omissions in the instructions. >>>> >>>> >>>> Also see https://fedorahosted.org/freeipa/ticket/4633 >>>> >>>> >>>> Cheers, >>>> >>>> Fraser >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users >>>> mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go To http://freeipa.org for more info on the >>>> project >>>> >>>> >>>> >>>> -- >>>> Thank you, >>>> Dmitri Pal >>>> >>>> Sr. Engineering Manager IdM portfolio >>>> Red Hat, Inc. >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing >>>> list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go To http://freeipa.org for more info on the project >>>> >>>> >>>> >>>> >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IdM portfolio >>> Red Hat, Inc. >>> >>> >>> >>> >>> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. 
>> >> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon Jan 5 15:57:54 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 05 Jan 2015 10:57:54 -0500 Subject: [Freeipa-users] how to configure Linux Cent Os as ipa client manual installation In-Reply-To: <54AAAD2B.4050908@redhat.com> References: <54A1BF77.9040008@redhat.com> <54AA750B.8050809@redhat.com> <54AA9E8F.6040900@gmail.com> <54AAAD2B.4050908@redhat.com> Message-ID: <54AAB482.1070906@redhat.com> On 01/05/2015 10:26 AM, Rob Crittenden wrote: > Janelle wrote: >> Hi everyone, Happy New Year. >> >> Was following this thread and wondering about those of us with a couple >> of 2000-3000 servers to run ipa-client-install on? Any suggestions? Was >> looking around for even the basics of puppet or chef configs, but >> nothing exists. >> >> Any suggestions? One of the concerns I have is, even with puppet/chef, >> you need credentials during the install to "add" the client on the >> server. Security? > If you want puppet I'd start with https://github.com/purpleidea/puppet-ipa > > As for enrolling a slew of systems, it depends on whether they are new > or to-be-deployed. You can generate an OTP for the clients to avoid > having to pass around admin-level credentials, for example. You can do > this for existing or new, but it can be easier on new systems as the OTP > can be passed in during kickstart. You might want to consider Foreman which now has IPA integration for automatic provisioning and enrollment. > > rob > >> ~J >> >> >> On 1/5/15 3:27 AM, Martin Kosek wrote: >>> On 12/29/2014 09:54 PM, Dmitri Pal wrote: >>>> On 12/20/2014 05:02 AM, Ben .T.George wrote: >>>>> Hi >>>>> >>>>> I was trying to configure centos as ipa client and got failed with >>>>> that,. 
>>>>> anyone please help me to configure centos as ipa client through manual configuration.
>>>>>
>>>>> Regards,
>>>>> Ben
>>>>>
>>>> Sorry for a delayed response.
>>>> What version of CentOS? What version of the server?
>>>> Why manually? On CentOS you can use ipa-client-install and it will do the work for you.
>>>> What did you do and what did not work?
>>> You can find some info here:
>>> http://www.freeipa.org/page/Troubleshooting#Client_Installation
>>>
>>> If I read correctly, you are trying to do manual configuration. This may be a tricky procedure and is not tested regularly. ipa-client-install is the way to go in most deployments as it helps you avoid the pitfalls you probably hit.
>>>
>>> Martin
>>>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From bentech4you at gmail.com Mon Jan 5 18:21:59 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Mon, 5 Jan 2015 21:21:59 +0300
Subject: [Freeipa-users] Integration with Solaris 10
In-Reply-To: <54AAA6DF.8010204@redhat.com>
References: <54A6E00C.7080502@redhat.com> <54A70995.2000109@redhat.com> <54AA507F.4080003@redhat.com> <54AAA6DF.8010204@redhat.com>
Message-ID:

HI

thanks for the reply. for me ldapclient init was successfully finished and also getting KRB5 keys. kinit admin is asking for password and it's accepting admin password. also id admin is showing, getent password admin also showing. but when i try to ssh to solaris client followed with at domain, it's not working.

Regards,
Ben

On Mon, Jan 5, 2015 at 5:59 PM, Rob Crittenden wrote:
> Ben .T.George wrote:
> > HI
> >
> > sorry that was a misunderstanding that happened from his side, actually i was struggling to set it up for solaris
>
> We simply lack the expertise to help much further beyond the documentation you've already seen.
> > Another IPA user contributed a significant amount of information that > was not, and likely will be, integrated into our existing documentation. > You can find that information here: > > https://bugzilla.redhat.com/show_bug.cgi?id=815533 > https://bugzilla.redhat.com/show_bug.cgi?id=815515 > > I've followed these extended steps and have gotten Solaris 9 and 10 x86 > clients setup in the recent past. I seem to recall having gotten it > working on Sparc too but saw segfaults trying to get krb5 working, and > lacking a support contract couldn't get the latest jumbo patches. > > I did not tweak any services at all, but I used it in a rather > artificial way. I just installed a basic OS in a VM, logged in, fixed > nsswitch.conf.ldap, ran ldapclient init and was most of the way there. > > From the perspective of a Solaris client IPA is just a compliant LDAP > and MIT Kerberos server. It provides an RFC 2307-compatible schema for > groups via cn=compat, which you likely already have configured if you > used our DUAProfile. So other, generic Solaris guides may also be useful. > > rob > > > > > > > regards, > > ben > > > > On Mon, Jan 5, 2015 at 11:51 AM, Petr Spacek > > wrote: > > > > On 2.1.2015 22:11, Dmitri Pal wrote: > > > Would you mind creating a wiki page with the solution on the wiki? > > Maybe you could check & modify > > http://www.freeipa.org/page/ConfiguringUnixClients ... > > > > Normal Fedora Account will allow you to edit the page. > > > > -- > > Petr^2 Spacek > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go To http://freeipa.org for more info on the project > > > > > > > > > > -- > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
From CWhite at skytouchtechnology.com Mon Jan 5 18:32:35 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Mon, 5 Jan 2015 18:32:35 +0000
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To: <54AA767B.7030404@redhat.com>
References: <54AA767B.7030404@redhat.com>
Message-ID:

Hi - reply at bottom

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Monday, January 05, 2015 4:33 AM
To: Craig White; freeipa-users at redhat.com; Pavel Brezina
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

On 01/02/2015 07:47 PM, Craig White wrote:
> Subject pretty much says it all.
>
> Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
>
> But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
>
> Craig White
> System Administrator
> O 623-201-8179 M 602-377-9752
>
> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032

CCing Pavel to advise.

From top of my head - did you try clearing SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly?
Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.

Martin
----
Thanks Martin

Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help.

$ ipa sudorule-show --all
Rule name: rundeck
  dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
  Rule name: rundeck
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  Users: rundeck
  Sudo Option: !requiretty, !authenticate
  ipauniqueid: XXXXXX
  objectclass: ipaassociation, ipasudorule

At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same...

sudo: sorry, you must have a tty to run sudo :-(

(client system)
# rpm -qa | egrep 'ipa|sssd'
sssd-ldap-1.11.6-30.el6.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-ipa-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
ipa-python-3.0.0-42.el6.x86_64
sssd-proxy-1.11.6-30.el6.x86_64
ipa-client-3.0.0-42.el6.x86_64

From bentech4you at gmail.com Mon Jan 5 18:31:25 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Mon, 5 Jan 2015 21:31:25 +0300
Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients
In-Reply-To: <54AAB39D.9060208@redhat.com>
References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> <54A9B1E2.30802@redhat.com> <54AAB31D.1010709@redhat.com> <54AAB39D.9060208@redhat.com>
Message-ID:

HI

Thanks for the information. When i run ipa-advise, i am getting below
output, which advice i need to choose. all of them are pointing to linux
based

[root@kwtpocpbis01 ~]# ipa-advise
----------------------------------------------------------------------
List of available advices
----------------------------------------------------------------------
config-fedora-authconfig             : Authconfig instructions for configuring Fedora 18/19 client with IPA server without use of SSSD.
config-freebsd-nss-pam-ldapd         : Instructions for configuring a FreeBSD system with nss-pam-ldapd.
config-generic-linux-nss-pam-ldapd   : Instructions for configuring a system with nss-pam-ldapd. This set of instructions is targeted for linux systems that do not include the authconfig utility.
config-generic-linux-sssd-before-1-9 : Instructions for configuring a system with an old version of SSSD (1.5-1.8) as a FreeIPA client. This set of instructions is targeted for linux systems that do not include the authconfig utility.
config-redhat-nss-ldap               : Instructions for configuring a system with nss-ldap as a FreeIPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.
config-redhat-nss-pam-ldapd          : Instructions for configuring a system with nss-pam-ldapd as a FreeIPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.
config-redhat-sssd-before-1-9        : Instructions for configuring a system with an old version of SSSD (1.5-1.8) as a FreeIPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.

thanks & Regards,
Ben

On Mon, Jan 5, 2015 at 6:54 PM, Dmitri Pal wrote:
> On 01/05/2015 10:51 AM, Dmitri Pal wrote:
>> On 01/04/2015 10:30 PM, Ben .T.George wrote:
>>> HI
>>>
>>> yes you are right. Linux clients working and IPA is in trust
>>> relationship with AD.
>>>
>>> currently i am using 3.3.3 i guess i didn't try ipa-advice tool yet. I
>>> am not aware about this tool. can you please give right directions
>>> regarding this tool, so that i can try on it.
>>>
>>> regarding manuals and tutorials:
>>>
>>> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10
>>> http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>
>> I think this should help:
>> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
>> It mentions the tool too.
>
> You need to point your Solaris clients to compat tree.
>
>>> Regards, Ben
>>>
>>> On Mon, Jan 5, 2015 at 12:34 AM, Dmitri Pal wrote:
>>>> On 01/04/2015 01:19 PM, Ben .T.George wrote:
>>>>> HI
>>>>>
>>>>> Thanks for the reply.
>>>>>
>>>>> i was trying to achieve just LDAP authentication only. If possible
>>>>> Role based access and Host based access. but most priority is to
>>>>> authenticate solaris against Active Directory/IPA
>>>>>
>>>>> The tutorials/Guides are not clear actually as i tried many times. My
>>>>> IPA server is working fine. because i tested by adding linux(centos)
>>>>> as IPA client by using client ass ipa commands.
>>>>
>>>> OK, so let me make sure I get you right: you have IPA and it is in
>>>> trust relations with AD, right? You tested it from Linux clients and it
>>>> works but not with Solaris client, right? Which version of IPA are you
>>>> using? Have you looked at ipa-advise tool?
>>>> Which manuals and tutorials you tried?
>>>>
>>>>> Regards,
>>>>> Ben
>>>>>
>>>>> On Sun, Jan 4, 2015 at 7:11 PM, Dmitri Pal wrote:
>>>>>> On 01/04/2015 02:10 AM, Ben .T.George wrote:
>>>>>>> HI
>>>>>>>
>>>>>>> This is i am struggling to get this working on Solaris x86 client.
>>>>>>> as i did many things based on many tutorials. i am wondering why
>>>>>>> people who achieved this already not sharing this information
>>>>>>> about configuring Solaris as IPA client.
>>>>>>
>>>>>> Solaris can be configured to be a client of IPA so it seems that
>>>>>> there is some misalignment of the expectations.
>>>>>> What is your goal? What kind of integration for Solaris client you
>>>>>> want to achieve? Just LDAP authentication would work following the
>>>>>> instructions.
>>>>>> I suspect that something that you are trying to accomplish is either
>>>>>> done differently or have not been a priority for others and thus
>>>>>> have not been explored.
>>>>>>
>>>>>>> Regards,
>>>>>>> Ben
>>>>>>>
>>>>>>> On Mon, Dec 29, 2014 at 11:59 PM, Dmitri Pal wrote:
>>>>>>>> On 12/21/2014 07:50 PM, Fraser Tweedale wrote:
>>>>>>>>> On Sun, Dec 21, 2014 at 09:03:17AM +0300, Ben .T.George wrote:
>>>>>>>>>> Hi List
>>>>>>>>>>
>>>>>>>>>> how can i configure solaris 10 sparc and x86 as ipa clients.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Ben
>>>>>>>>>
>>>>>>>>> Hi Ben,
>>>>>>>>>
>>>>>>>>> Please follow the Solaris 8/9/10 instructions on the wiki:
>>>>>>>>> http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10
>>>>>>>>>
>>>>>>>>> Let us know if you run into difficulties or if there are errors or
>>>>>>>>> omissions in the instructions.
>>>>>>>>
>>>>>>>> Also see https://fedorahosted.org/freeipa/ticket/4633
>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Fraser
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thank you,
>>>>>>>> Dmitri Pal
>>>>>>>>
>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>> Red Hat, Inc.

From dpal at redhat.com Mon Jan 5 20:49:49 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 05 Jan 2015 15:49:49 -0500
Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients
In-Reply-To:
References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> <54A9B1E2.30802@redhat.com> <54AAB31D.1010709@redhat.com> <54AAB39D.9060208@redhat.com>
Message-ID: <54AAF8ED.7030209@redhat.com>

On 01/05/2015 01:31 PM, Ben .T.George wrote:
> HI
>
> Thanks for the information. When i run ipa-advise, i am getting below
> output, which advice i need to choose. all of them are pointing to
> linux based
>
> [root@kwtpocpbis01 ~]# ipa-advise
> [...]

Hm, I remember that AB mentioned that he had one for Solaris.
He is on PTO till Wednesday. Please ping him on IRC after Wed.

> thanks & Regards,
> Ben
>
> On Mon, Jan 5, 2015 at 6:54 PM, Dmitri Pal wrote:
>> [...]

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From amessina at messinet.com Mon Jan 5 21:55:55 2015
From: amessina at messinet.com (Anthony Messina)
Date: Mon, 05 Jan 2015 15:55:55 -0600
Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
In-Reply-To: <54AAB058.5070402@redhat.com>
References: <14525002.8PxJUuzMte@linux-ws1.messinet.com> <54AA9740.6070002@redhat.com> <54AAB058.5070402@redhat.com>
Message-ID: <2848790.lWqZO0nozr@linux-ws1.messinet.com>

On Monday, January 05, 2015 10:40:08 PM Endi Sukma Dewata wrote:
> On 1/5/2015 8:53 PM, Martin Kosek wrote:
>> On 01/05/2015 02:05 PM, Anthony Messina wrote:
>>>>> I was hoping to "migrate" from F20 to F21 using:
>>>>> http://www.freeipa.org/page/Howto/Migration
>>>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>>>
>>>> The migration procedure is only needed if you run FreeIPA server with
>>>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
>>>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
>>>> since Fedora 18, so I was surprised such setup worked in Fedora 20.
>>>
>>> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum
>>> upgraded to F20. With the significant changes for Fedora.next,
>>> systemd-216, and FreeIPA 4, I wanted to create a new "master" (and
>>> retire the old) by replicating the current F20 3.3.5 master to what
>>> would become an F21 4.1.2 master.
>>
>> Ah, makes more sense then. The PKI error below gets more serious then -
>> Fraser and Endi, please help Anthony.
>
> I'm discussing this with Ade (CC'd). Based on the stack trace it looks
> like the replica thinks the master returns an incomplete information
> about the security domain, probably due to the different Dogtag versions
> used in master and replica.
>
> We need some additional info:
>
> 1. What is the pki-ca version on the master (F20)?

pki-ca-10.1.2-7.fc20.noarch

> 2. What is the pki-ca version on the replica (F21)?

pki-ca-10.2.0-5.fc21.noarch

> 3. What is the output of this URL on the master?
> https://:8443/ca/rest/securityDomain/domainInfo

FALSE TRUE ipa1.example.com 80 443 443 443 443 CA ipa1.example.com 8443 TRUE TRUE ipa2.example.com 80 443 443 443 443 CA ipa2.example.com 8443

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From bentech4you at gmail.com Tue Jan 6 03:35:29 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Tue, 6 Jan 2015 06:35:29 +0300
Subject: [Freeipa-users] How to check IPA <--> AD trust from command line
Message-ID:

Hi LIst,

how to check IPA <-> Active directory trust relationship. i just want to
confirm my ipa server is working fine.
Regards,
Ben

From bentech4you at gmail.com Tue Jan 6 03:37:36 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Tue, 6 Jan 2015 06:37:36 +0300
Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients
In-Reply-To: <54AAF8ED.7030209@redhat.com>
References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> <54A9B1E2.30802@redhat.com> <54AAB31D.1010709@redhat.com> <54AAB39D.9060208@redhat.com> <54AAF8ED.7030209@redhat.com>
Message-ID:

HI

IRC is like totally dead. i have waited one whole day to anyone responding.
not even to my reply. i didn't see any messages at all.

Regards,
Ben

On Mon, Jan 5, 2015 at 11:49 PM, Dmitri Pal wrote:
> On 01/05/2015 01:31 PM, Ben .T.George wrote:
>> HI
>>
>> Thanks for the information. When i run ipa-advise, i am getting below
>> output, which advice i need to choose. all of them are pointing to linux
>> based
>>
>> [root@kwtpocpbis01 ~]# ipa-advise
>> [...]
>
> Hm, I remember that AB mentioned that he had one for Solaris.
> He is on PTO till Wednesday. Please ping him on IRC after Wed.
>
>> thanks & Regards,
>> Ben
>>
>> [...]

From pbrezina at redhat.com Tue Jan 6 09:21:05 2015
From: pbrezina at redhat.com (Pavel Březina)
Date: Tue, 06 Jan 2015 10:21:05 +0100
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To:
References: <54AA767B.7030404@redhat.com>
Message-ID: <54ABA901.8050703@redhat.com>

On 01/05/2015 07:32 PM, Craig White wrote:
> Hi - reply at bottom
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Monday, January 05, 2015 4:33 AM
> To: Craig White; freeipa-users at redhat.com; Pavel Brezina
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> On 01/02/2015 07:47 PM, Craig White wrote:
>> Subject pretty much says it all.
>>
>> Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
>>
>> But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
>>
>> Craig White
>> System Administrator
>> O 623-201-8179 M 602-377-9752
>>
>> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
>
> CCing Pavel to advise.
>
> From top of my head - did you try clearing SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly?
> Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.
>
> Martin
> ----
> Thanks Martin
>
> Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help.
>
> $ ipa sudorule-show --all
>   Rule name: rundeck
>   dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
>   Rule name: rundeck
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   RunAs User category: all
>   Users: rundeck
>   Sudo Option: !requiretty, !authenticate
>   ipauniqueid: XXXXXX
>   objectclass: ipaassociation, ipasudorule
>
> At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same...
>
> sudo: sorry, you must have a tty to run sudo :-(
>
> (client system)
> # rpm -qa | egrep 'ipa|sssd'
> sssd-ldap-1.11.6-30.el6.x86_64
> libipa_hbac-1.11.6-30.el6.x86_64
> python-sssdconfig-1.11.6-30.el6.noarch
> sssd-ipa-1.11.6-30.el6.x86_64
> sssd-client-1.11.6-30.el6.x86_64
> sssd-common-1.11.6-30.el6.x86_64
> sssd-ad-1.11.6-30.el6.x86_64
> sssd-1.11.6-30.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.11.6-30.el6.x86_64
> sssd-krb5-common-1.11.6-30.el6.x86_64
> sssd-krb5-1.11.6-30.el6.x86_64
> sssd-common-pac-1.11.6-30.el6.x86_64
> ipa-python-3.0.0-42.el6.x86_64
> sssd-proxy-1.11.6-30.el6.x86_64
> ipa-client-3.0.0-42.el6.x86_64

Hi,
just to be sure that the problem is indeed in options - the rule without any
sudoOption and with only one of them does work, right?

Can you send us sudo debug log? You can enable debug log by putting the
following line in /etc/sudo.conf:

Debug sudo /var/log/sudo.log all@debug

From lslebodn at redhat.com Tue Jan 6 10:10:31 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 6 Jan 2015 11:10:31 +0100
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To: <54ABA901.8050703@redhat.com>
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com>
Message-ID: <20150106101031.GA4718@mail.corp.redhat.com>

On (06/01/15 10:21), Pavel Březina wrote:
> Hi,
> just to be sure that the problem is indeed in options - the rule without any
> sudoOption and with only one of them does work, right?
>
> Can you send us sudo debug log? You can enable debug log by putting the
> following line in /etc/sudo.conf:
>
> Debug sudo /var/log/sudo.log all@debug
>
It will help as well if you provide your sssd and nsswitch configuration
files. (/etc/nsswitch.conf, /etc/sssd/sssd.conf)
We need to be sure that sudo integration with sssd is configured properly.

LS

From rmeggins at redhat.com Tue Jan 6 14:19:15 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 06 Jan 2015 07:19:15 -0700
Subject: [Freeipa-users] How to check IPA <--> AD trust from command line
Message-ID: <54ABEEE3.4040303@redhat.com>

On 01/05/2015 08:35 PM, Ben .T.George wrote:
>
> Hi List,
>
> how to check IPA <-> Active directory trust relationship . i just want
> to confirm my ipa server is working fine.

On an IPA server or client machine:

$ kinit adusername@ADDOMAIN.COM
Password: aduserpassword

If there are no AD users yet, you can try with administrator@ADDOMAIN.COM
assuming you have the AD admin password.

>
> Regards,
> Ben
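For the sudo !requiretty thread above, a check for the two things Martin and Pavel ask about: whether the rule's options were filed as one combined sudoOption value, and switching on sudo's debug log. This is an added shell example, not code from the list; the ipa sudorule-show text is a constructed sample modelled on Craig's output, and the sudo.conf path is a parameter so it can be run against a scratch copy.

```shell
#!/bin/sh
# Constructed sample: the rule as Craig showed it, with two separate
# sudoOption values (ipa prints multi-valued attributes comma-separated).
SAMPLE_OK='  Rule name: rundeck
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  Users: rundeck
  Sudo Option: !requiretty, !authenticate
  objectclass: ipaassociation, ipasudorule'

# Constructed sample: both options pasted as ONE attribute value.
SAMPLE_BAD='  Rule name: rundeck
  Enabled: TRUE
  Users: rundeck
  Sudo Option: !requiretty !authenticate
  objectclass: ipaassociation, ipasudorule'

# Print the rule's sudo options one per line from `ipa sudorule-show` text.
sudo_options() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Sudo Option: *//p' \
        | tr ',' '\n' \
        | sed 's/^ *//;s/ *$//'
}

# Return 0 when every option is a single token, 1 when some value contains
# whitespace, i.e. several options were entered as one combined value.
check_sudo_options() {
    rc=0
    sudo_options "$1" | while IFS= read -r opt; do
        case "$opt" in
            *' '*) printf 'combined value: %s\n' "$opt"; exit 1 ;;
            *)     printf 'ok: %s\n' "$opt" ;;
        esac
    done || rc=1
    return $rc
}

# The debug line Pavel asks for; appended once to the given sudo.conf
# (normally /etc/sudo.conf, passed explicitly here). Idempotent.
SUDO_DEBUG_LINE='Debug sudo /var/log/sudo.log all@debug'
enable_sudo_debug() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    grep -qxF "$SUDO_DEBUG_LINE" "$conf" && return 0
    printf '%s\n' "$SUDO_DEBUG_LINE" >> "$conf"
}

# Usage against a live rule would be:
#   check_sudo_options "$(ipa sudorule-show rundeck --all)"
#   enable_sudo_debug /etc/sudo.conf
```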
From dbischof at hrz.uni-kassel.de Tue Jan 6 14:19:01 2015
From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de)
Date: Tue, 6 Jan 2015 15:19:01 +0100 (CET)
Subject: [Freeipa-users] Replica install fails when using --setup-ca

Hi,

I have two small FreeIPA installations (for two different realms), both with CentOS 6/FreeIPA 3.0.0-42. After running them both with only one master server each for a while, I attempted to extend both installations with one replica each. Doing a

    ipa-replica-install --setup-ca /var/lib/ipa/replica-info-...

worked fine for one of the installations, but failed for the other:

---
[...]
  [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname xxx -cs_port 9445 -client_certdb_dir /tmp/tmp-YsXvhP -client_certdb_pwd XXXXXXXX -preop_pin vJl0m3xc9Oz7b1fIgttD -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=YYY -ldap_host xxx -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=YYY -ca_server_cert_subject_name CN=xxx,O=YYY -ca_audit_signing_cert_subject_name CN=CA Audit,O=YYY -ca_sign_cert_subject_name CN=Certificate Authority,O=YYY -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname mmm -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://mmm:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
---

/var/log/ipareplica-install.log:

---
[...]
Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA
#######################################################################

2015-01-06T13:36:25Z DEBUG stderr=
2015-01-06T13:36:25Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
2015-01-06T13:36:25Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 476, in main
    (CA, cs) = cainstance.install_replica_ca(config)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1626, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2015-01-06T13:36:25Z INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
---

Omitting "--setup-ca" lets me successfully install a working replica server.

The problem appears to be my installation (since the other one works) - however: Both (intended) replica servers are nearly identical (operating system version, installed packages, etc.).

My understanding is that a replica without a CA is not a 100%-clone of an IPA master, right? What are the downsides of having a replica without a CA?

Thank you for looking into this,

--Daniel.
From dpal at redhat.com Tue Jan 6 15:05:51 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 06 Jan 2015 10:05:51 -0500
Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients
References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> <54A9B1E2.30802@redhat.com> <54AAB31D.1010709@redhat.com> <54AAB39D.9060208@redhat.com> <54AAF8ED.7030209@redhat.com>
Message-ID: <54ABF9CF.4000109@redhat.com>

On 01/05/2015 10:37 PM, Ben .T.George wrote:
> HI
>
> IRC is like totally dead. i have waited one whole day to anyone
> responding. not even to my reply. i didn't see any messages at all.

As I said AB is on PTO till tomorrow. Please ping him when he is back.

>
> Regards,
> Ben
>
>
> On Mon, Jan 5, 2015 at 11:49 PM, Dmitri Pal wrote:
>
>     On 01/05/2015 01:31 PM, Ben .T.George wrote:
>>     HI
>>
>>     Thanks for the information. When i run ipa-advise, i am getting
>>     below output, which advice i need to choose. all of them are
>>     pointing to linux based
>>
>>     [root@kwtpocpbis01 ~]# ipa-advise
>>     ----------------------------------------------------------------------
>>     List of available advices
>>     ----------------------------------------------------------------------
>>     config-fedora-authconfig : Authconfig instructions for configuring Fedora 18/19 client with IPA server without use of SSSD.
>>     config-freebsd-nss-pam-ldapd : Instructions for configuring a FreeBSD system with nss-pam-ldapd.
>>     config-generic-linux-nss-pam-ldapd : Instructions for configuring a system with nss-pam-ldapd. This set of instructions is targeted for linux systems that do not include the authconfig utility.
>>     config-generic-linux-sssd-before-1-9 : Instructions for configuring a system with an old version of SSSD (1.5-1.8) as a FreeIPA client. This set of instructions is targeted for linux systems that do not include the authconfig utility.
>>     config-redhat-nss-ldap : Instructions for configuring a system with nss-ldap as a FreeIPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.
>>     config-redhat-nss-pam-ldapd : Instructions for configuring a system with nss-pam-ldapd as a FreeIPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.
>>     config-redhat-sssd-before-1-9 : Instructions for configuring a system with an old version of SSSD (1.5-1.8) as a FreeIPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.
>>
>
>     Hm, I remember that AB mentioned that he had one for Solaris.
>     He is on PTO till Wednesday. Please ping him on IRC after Wed.
>
>>     thanks & Regards,
>>     Ben
>>
>>     On Mon, Jan 5, 2015 at 6:54 PM, Dmitri Pal wrote:
>>
>>         On 01/05/2015 10:51 AM, Dmitri Pal wrote:
>>>         On 01/04/2015 10:30 PM, Ben .T.George wrote:
>>>>         HI
>>>>
>>>>         yes you are right. Linux clients working and IPA is in
>>>>         trust relationship with AD.
>>>>
>>>>         currently i am using 3.3.3 i guess i didn't try
>>>>         ipa-advise tool yet. I am not aware about this tool. can
>>>>         you please give right directions regarding this tool, so
>>>>         that i can try on it.
>>>>
>>>>         regarding manuals and tutorials:
>>>>
>>>>         http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10
>>>>         http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
>>>>         http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>>>         http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>>
>>>         I think this should help:
>>>         http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
>>>         It mentions the tool too.
>>
>>         You need to point your Solaris clients to compat tree.
>>
>>>>         Regards,Ben
>>>>
>>>>         On Mon, Jan 5, 2015 at 12:34 AM, Dmitri Pal wrote:
>>>>
>>>>             On 01/04/2015 01:19 PM, Ben .T.George wrote:
>>>>>             HI
>>>>>
>>>>>             Thanks for the reply.
>>>>>
>>>>>             i was trying to achieve just LDAP authentication only.
>>>>>             If possible Role based access and Host based access.
>>>>>             but most priority is to authenticate solaris against
>>>>>             Active Directory/IPA
>>>>>
>>>>>             The tutorials/Guides are not clear actually as i tried
>>>>>             many times. My IPA server is working fine. because i
>>>>>             tested by adding linux(centos) as IPA client by using
>>>>>             ipa client commands.
>>>>
>>>>             OK, so let me make sure I get you right: you have IPA
>>>>             and it is in trust relations with AD, right? You tested
>>>>             it from Linux clients and it works but not with Solaris
>>>>             client, right? Which version of IPA are you using? Have
>>>>             you looked at ipa-advise tool?
>>>>             Which manuals and tutorials have you tried?
>>>>
>>>>>             Regards,
>>>>>             Ben
>>>>>
>>>>>             On Sun, Jan 4, 2015 at 7:11 PM, Dmitri Pal wrote:
>>>>>
>>>>>                 On 01/04/2015 02:10 AM, Ben .T.George wrote:
>>>>>>                 HI
>>>>>>
>>>>>>                 This is i am struggling to get this working on
>>>>>>                 Solaris x86 client. as i did many things based on
>>>>>>                 many tutorials. i am wondering why people who
>>>>>>                 achieved this already are not sharing this
>>>>>>                 information about configuring Solaris as IPA client.
>>>>>
>>>>>                 Solaris can be configured to be a client of IPA so
>>>>>                 it seems that there is some misalignment of the
>>>>>                 expectations.
>>>>>                 What is your goal? What kind of integration for
>>>>>                 Solaris client do you want to achieve? Just LDAP
>>>>>                 authentication would work following the instructions.
>>>>>                 I suspect that something that you are trying to
>>>>>                 accomplish is either done differently or has not
>>>>>                 been a priority for others and thus has not been
>>>>>                 explored.
>>>>>
>>>>>>                 Regards,
>>>>>>                 Ben
>>>>>>
>>>>>>                 On Mon, Dec 29, 2014 at 11:59 PM, Dmitri Pal wrote:
>>>>>>
>>>>>>                     On 12/21/2014 07:50 PM, Fraser Tweedale wrote:
>>>>>>
>>>>>>                         On Sun, Dec 21, 2014 at 09:03:17AM +0300, Ben .T.George wrote:
>>>>>>
>>>>>>                             Hi List
>>>>>>
>>>>>>                             how can i configure solaris 10 sparc
>>>>>>                             and x86 as ipa clients.
>>>>>>
>>>>>>                             Regards,
>>>>>>                             Ben
>>>>>>
>>>>>>                         Hi Ben,
>>>>>>
>>>>>>                         Please follow the Solaris 8/9/10 instructions on the wiki:
>>>>>>                         http://www.freeipa.org/page/ConfiguringUnixClients#Solaris_8.2F9.2F10
>>>>>>
>>>>>>                         Let us know if you run into difficulties or
>>>>>>                         if there are errors or omissions in the instructions.
>>>>>>
>>>>>>                     Also see
>>>>>>                     https://fedorahosted.org/freeipa/ticket/4633
>>>>>>
>>>>>>                         Cheers,
>>>>>>
>>>>>>                         Fraser
>>>>>>
>>>>>>                         --
>>>>>>                         Manage your subscription for the Freeipa-users mailing list:
>>>>>>                         https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>                         Go To http://freeipa.org for more info on the project

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From rcritten at redhat.com Tue Jan 6 15:23:14 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Jan 2015 10:23:14 -0500
Subject: [Freeipa-users] how can i configure solaris 10 sparc and x86 as ipa clients
In-Reply-To: <54ABF9CF.4000109@redhat.com>
References: <20141222005025.GP4163@dhcp-40-8.bne.redhat.com> <54A1C0A6.1080006@redhat.com> <54A9662F.9020304@redhat.com> <54A9B1E2.30802@redhat.com> <54AAB31D.1010709@redhat.com> <54AAB39D.9060208@redhat.com> <54AAF8ED.7030209@redhat.com> <54ABF9CF.4000109@redhat.com>
Message-ID: <54ABFDE2.7070200@redhat.com>

Dmitri Pal wrote:
> On 01/05/2015 10:37 PM, Ben .T.George wrote:
>> HI
>>
>> IRC is like totally dead. i have waited one whole day to anyone
>> responding. not even to my reply.
>> i didn't see any messages at all.
>
> As I said AB is on PTO till tomorrow. Please ping him when he is back.

You're on #freeipa on freenode, right? Activity has been low in the new year but it hasn't been zero.

rob

From sbose at redhat.com Tue Jan 6 15:41:28 2015
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 6 Jan 2015 16:41:28 +0100
Subject: [Freeipa-users] How to check IPA <--> AD trust from command line
In-Reply-To: <54ABEEE3.4040303@redhat.com>
References: <54ABEEE3.4040303@redhat.com>
Message-ID: <20150106154128.GJ23112@localhost.localdomain>

On Tue, Jan 06, 2015 at 07:19:15AM -0700, Rich Megginson wrote:
> On 01/05/2015 08:35 PM, Ben .T.George wrote:
> >
> >Hi List,
> >
> >how to check IPA <-> Active directory trust relationship . i just want to
> >confirm my ipa server is working fine.
>
> On an IPA server or client machine:
> $ kinit adusername@ADDOMAIN.COM
> Password: aduserpassword
>
> If there are no AD users yet, you can try with administrator@ADDOMAIN.COM
> assuming you have the AD admin password.

Additionally you have to check if the AD user can get a ticket for an IPA
service e.g.
after calling kinit with the AD user call

    kvno ldap/ipaserver.ipa.domain@IPA.DOMAIN

bye,
Sumit

> >
> >Regards,
> >Ben
> >
> >
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

From edewata at redhat.com Tue Jan 6 15:58:28 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 06 Jan 2015 22:58:28 +0700
Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
In-Reply-To: <2848790.lWqZO0nozr@linux-ws1.messinet.com>
References: <14525002.8PxJUuzMte@linux-ws1.messinet.com> <54AA9740.6070002@redhat.com> <54AAB058.5070402@redhat.com> <2848790.lWqZO0nozr@linux-ws1.messinet.com>
Message-ID: <54AC0624.9080805@redhat.com>

On 1/6/2015 4:55 AM, Anthony Messina wrote:
>> I'm discussing this with Ade (CC'd). Based on the stack trace it looks
>> like the replica thinks the master returns an incomplete information
>> about the security domain, probably due to the different Dogtag versions
>> used in master and replica.
>>
>> We need some additional info:
>>
>> 1. What is the pki-ca version on the master (F20)?
>
> pki-ca-10.1.2-7.fc20.noarch
>
>> 2. What is the pki-ca version on the replica (F21)?
>
> pki-ca-10.2.0-5.fc21.noarch
>
>> 3. What is the output of this URL on the master?
>> https://:8443/ca/rest/securityDomain/domainInfo
>
> FALSE
> TRUE
> ipa1.example.com
> 80
> 443
> 443
> 443
> 443
> CA ipa1.example.com 8443
>
> TRUE
> TRUE
> ipa2.example.com
> 80
> 443
> 443
> 443
> 443
> CA ipa2.example.com 8443
>

Thanks for the info. This is indeed a bug. I filed the following ticket for Dogtag:
https://fedorahosted.org/pki/ticket/1235

--
Endi S. Dewata

From amessina at messinet.com Tue Jan 6 16:30:51 2015
From: amessina at messinet.com (Anthony Messina)
Date: Tue, 06 Jan 2015 10:30:51 -0600
Subject: [Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
In-Reply-To: <54AC0624.9080805@redhat.com>
References: <14525002.8PxJUuzMte@linux-ws1.messinet.com> <54AA9740.6070002@redhat.com> <54AAB058.5070402@redhat.com> <2848790.lWqZO0nozr@linux-ws1.messinet.com> <54AC0624.9080805@redhat.com>
Message-ID: <20150106103052.Horde.xYoWnBkU9QqpxO1bw5ID_g7@messinet.com>

Quoting Endi Sukma Dewata :

> Thanks for the info. This is indeed a bug. I filed the following
> ticket for Dogtag:
> https://fedorahosted.org/pki/ticket/1235
>
> --
> Endi S. Dewata

Thank you Endi. -A

--
Anthony - https://messinet.com - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
From bentech4you at gmail.com Tue Jan 6 16:52:20 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Tue, 6 Jan 2015 19:52:20 +0300
Subject: [Freeipa-users] How to check IPA <--> AD trust from command line
In-Reply-To: <20150106154128.GJ23112@localhost.localdomain>
References: <54ABEEE3.4040303@redhat.com> <20150106154128.GJ23112@localhost.localdomain>

Hi

I Tried on IPA server and below is my output:

[root@kwtpocpbis01 ~]# kinit adm-ben.george@kwttestdc.com
Password for adm-ben.george@kwttestdc.com:
kinit: KDC reply did not match expectations while getting initial credentials

how can i troubleshoot this issue?

Thanks & Regards,
Ben

On Tue, Jan 6, 2015 at 6:41 PM, Sumit Bose wrote:

> On Tue, Jan 06, 2015 at 07:19:15AM -0700, Rich Megginson wrote:
> > On an IPA server or client machine:
> > $ kinit adusername@ADDOMAIN.COM
> > Password: aduserpassword
> >
> > If there are no AD users yet, you can try with administrator@ADDOMAIN.COM
> > assuming you have the AD admin password.
>
> Additionally you have to check if the AD user can get a ticket for an IPA
> service e.g. after calling kinit with the AD user call
>
> kvno ldap/ipaserver.ipa.domain@IPA.DOMAIN
>
> bye,
> Sumit

From sbose at redhat.com Tue Jan 6 17:03:21 2015
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 6 Jan 2015 18:03:21 +0100
Subject: [Freeipa-users] How to check IPA <--> AD trust from command line
References: <54ABEEE3.4040303@redhat.com> <20150106154128.GJ23112@localhost.localdomain>
Message-ID: <20150106170320.GM23112@localhost.localdomain>

On Tue, Jan 06, 2015 at 07:52:20PM +0300, Ben .T.George wrote:
> Hi
>
> I Tried on IPA server and below is my output:
>
> [root@kwtpocpbis01 ~]# kinit adm-ben.george@kwttestdc.com
> Password for adm-ben.george@kwttestdc.com:
> kinit: KDC reply did not match expectations while getting initial
> credentials
>
> how can i troubleshoot this issue?

The argument to kinit is a Kerberos principal which is handled
case-sensitively by kinit. To get around the error message either use

    kinit -C adm-ben.george@kwttestdc.com

or

    kinit adm-ben.george@KWTTESTDC.COM

(typically the realm part is upper-case; if your user name contains
upper-case letters as well you should use them here as well; if you don't
know, 'kinit -C' might be the better solution)

HTH

bye,
Sumit

> Thanks & Regards,
> Ben
after calling kinit with the AD user call > > > > kvno ldap/ipaserver.ipa.domain at IPA.DOMAIN > > > > bye, > > Sumit > > > > > > > > > > > > >Regards, > > > >Ben > > > > > > > > > > > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go To http://freeipa.org for more info on the project > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go To http://freeipa.org for more info on the project > > From bentech4you at gmail.com Tue Jan 6 17:13:17 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Tue, 6 Jan 2015 20:13:17 +0300 Subject: [Freeipa-users] How to check IPA <--> AD trust from command line In-Reply-To: <20150106170320.GM23112@localhost.localdomain> References: <54ABEEE3.4040303@redhat.com> <20150106154128.GJ23112@localhost.localdomain> <20150106170320.GM23112@localhost.localdomain> Message-ID: HI thanks for the replay. please find below output.it's asking for password and accepting that. but something wrong [root at kwtpocpbis01 ~]# kinit -C adm-ben.george at kwttestdc.com Password for adm-ben.george at kwttestdc.com: [root at kwtpocpbis01 ~]# getent passwd adm-ben.george [root at kwtpocpbis01 ~]# id adm-ben.george id: adm-ben.george: no such user Regards, Ben On Tue, Jan 6, 2015 at 8:03 PM, Sumit Bose wrote: > On Tue, Jan 06, 2015 at 07:52:20PM +0300, Ben .T.George wrote: > > Hi > > > > I Tried on IPA server and below is my output: > > > > [root at kwtpocpbis01 ~]# kinit adm-ben.george at kwttestdc.com > > Password for adm-ben.george at kwttestdc.com: > > kinit: KDC reply did not match expectations while getting initial > > credentials > > > > how can i troubleshot this issue.? > > The argument to kinit is a Kerberos principal which is handled > case-sensitive by kinit. 
To get around the error message either use > > kinit -C adm-ben.george at kwttestdc.com > > or > > kinit adm-ben.george at KWTTESTDC.COM > > (typically the realm part is upper-case, if your user name contains > upper-case letters as well you should use them here as well, if you > don't know 'kinit -C' might be the better solution) > > HTH > > bye, > Sumit > > > > Thanks & Regards, > > Ben > > > > > > On Tue, Jan 6, 2015 at 6:41 PM, Sumit Bose wrote: > > > > > On Tue, Jan 06, 2015 at 07:19:15AM -0700, Rich Megginson wrote: > > > > On 01/05/2015 08:35 PM, Ben .T.George wrote: > > > > > > > > > >Hi LIst, > > > > > > > > > >how to check IPA <-> Active directory trust relationship . i just > want > > > to > > > > >confirm my ipa server is working fine. > > > > > > > > On an IPA server or client machine: > > > > $ kinit adusername at ADDOMAIN.COM > > > > Password: aduserpassword > > > > > > > > If there are no AD users yet, you can try with > > > administrator at ADDOMAIN.COM > > > > assuming you have the AD admin password. > > > > > > Additionally you have to check if the AD user can get a ticket for an > IPA > > > service e.g. after calling kinit with the AD user call > > > > > > kvno ldap/ipaserver.ipa.domain at IPA.DOMAIN > > > > > > bye, > > > Sumit > > > > > > > > > > > > > > > > >Regards, > > > > >Ben > > > > > > > > > > > > > > > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Go To http://freeipa.org for more info on the project > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go To http://freeipa.org for more info on the project > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
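The checks from this thread, scripted, as an added example that is not part of the original thread or of FreeIPA: kinit as the AD user (either with an upper-case realm or with kinit -C so the KDC canonicalizes the name, as Sumit explains above), kvno for an IPA service with that TGT, and then getent/id. The lookups use the fully-qualified user@ad.domain form, which is how SSSD names users from a trusted domain (Sumit makes the same point further down the thread). The default principal and service name in the block are placeholders, not values from the thread.

```python
"""Scripted sanity check for a FreeIPA <-> AD trust, run from an IPA host.

Added example, not code from the thread or from FreeIPA. It chains the checks
discussed in the thread: kinit as an AD user (the realm part of a principal is
case-sensitive for kinit, so either upper-case it or pass -C and let the KDC
canonicalize the name), kvno for an IPA service with that TGT, and the NSS
lookups with the fully-qualified user@ad.domain name SSSD uses for users from
a trusted domain. The default principal and service below are placeholders.
"""
from __future__ import annotations

import shutil
import subprocess
import sys
from dataclasses import dataclass


def normalize_principal(principal: str) -> str:
    """Upper-case the realm in user@realm and leave the user part alone.

    kinit does not fold case itself: user@kwttestdc.com fails with
    'KDC reply did not match expectations', user@KWTTESTDC.COM works.
    """
    user, sep, realm = principal.rpartition("@")
    return f"{user}@{realm.upper()}" if sep else principal


def fully_qualified(principal: str) -> str:
    """SSSD names trusted-domain users user@ad.domain (domain in lower case)."""
    user, sep, realm = principal.rpartition("@")
    return f"{user}@{realm.lower()}" if sep else principal


@dataclass
class TrustCheck:
    ad_principal: str
    ipa_service: str            # e.g. ldap/ipa.example.com@EXAMPLE.COM (placeholder)
    canonicalize: bool = True   # True: kinit -C; False: upper-case the realm ourselves

    def commands(self) -> list[list[str]]:
        """The argv lists, in the order the thread suggests running them."""
        kinit = (["kinit", "-C", self.ad_principal] if self.canonicalize
                 else ["kinit", normalize_principal(self.ad_principal)])
        user = fully_qualified(self.ad_principal)
        return [kinit, ["kvno", self.ipa_service], ["getent", "passwd", user], ["id", user]]

    def run(self) -> list[tuple[str, bool, str]]:
        """Run the commands, stopping at the first failure; returns (argv, ok, output).

        kinit prompts for the password on the terminal, so call this interactively.
        """
        results: list[tuple[str, bool, str]] = []
        for argv in self.commands():
            if shutil.which(argv[0]) is None:
                results.append((" ".join(argv), False, f"{argv[0]}: command not found"))
                break
            # Leave kinit's stdout alone so its password prompt stays visible.
            proc = subprocess.run(argv, capture_output=(argv[0] != "kinit"), text=True)
            output = ((proc.stdout or "") + (proc.stderr or "")).strip()
            ok = proc.returncode == 0   # getent exits 2 with no output for an unknown user
            results.append((" ".join(argv), ok, output))
            if not ok:
                break
        return results


if __name__ == "__main__":
    check = TrustCheck(
        ad_principal=sys.argv[1] if len(sys.argv) > 1 else "aduser@ad.example.com",
        ipa_service=sys.argv[2] if len(sys.argv) > 2 else "ldap/ipa.example.com@EXAMPLE.COM",
    )
    for cmd, ok, output in check.run():
        print("OK  " if ok else "FAIL", cmd, (output.splitlines() or [""])[0])
```

Run it on the IPA server or an enrolled client, for example `python3 trust_check.py 'aduser@AD.EXAMPLE.COM' 'ldap/ipa.example.com@EXAMPLE.COM'`. The order matters for diagnosis: kinit succeeding but kvno failing isolates the problem to the cross-realm ticket exchange, while getent or id failing after both Kerberos steps worked isolates it to SSSD.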
URL: From CWhite at skytouchtechnology.com Tue Jan 6 17:17:11 2015 From: CWhite at skytouchtechnology.com (Craig White) Date: Tue, 6 Jan 2015 17:17:11 +0000 Subject: [Freeipa-users] sudo !requiretty !authenticate In-Reply-To: <20150106101031.GA4718@mail.corp.redhat.com> References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com> Message-ID: -----Original Message----- From: Lukas Slebodnik [mailto:lslebodn at redhat.com] Sent: Tuesday, January 06, 2015 3:11 AM To: Craig White Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] sudo !requiretty !authenticate On (06/01/15 10:21), Pavel B?ezina wrote: >On 01/05/2015 07:32 PM, Craig White wrote: >>Hi - reply at bottom >> >>-----Original Message----- >>From: Martin Kosek [mailto:mkosek at redhat.com] >>Sent: Monday, January 05, 2015 4:33 AM >>To: Craig White; freeipa-users at redhat.com; Pavel Brezina >>Subject: Re: [Freeipa-users] sudo !requiretty !authenticate >> >>On 01/02/2015 07:47 PM, Craig White wrote: >>>Subject pretty much says it all. >>> >>>Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands. >>> >>>But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking? >>> >>>Craig White >>>System Administrator >>>O 623-201-8179 M 602-377-9752 >>> >>>[cid:image001.png at 01CF86FE.42D51630] >>> >>>SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032 >> >>CCing Pavel to advise. >> >> From top of my head - did you try clearing SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly? 
>>Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value. >> >>Martin >>---- >>Thanks Martin >> >>Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help. >> >>$ ipa sudorule-show --all >>Rule name: rundeck >> dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local >> Rule name: rundeck >> Enabled: TRUE >> Host category: all >> Command category: all >> RunAs User category: all >> Users: rundeck >> Sudo Option: !requiretty, !authenticate >> ipauniqueid: XXXXXX >> objectclass: ipaassociation, ipasudorule >> >>At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same... >> >>sudo: sorry, you must have a tty to run sudo :-( >> >>(client system) >># rpm -qa | egrep 'ipa|sssd' >>sssd-ldap-1.11.6-30.el6.x86_64 >>libipa_hbac-1.11.6-30.el6.x86_64 >>python-sssdconfig-1.11.6-30.el6.noarch >>sssd-ipa-1.11.6-30.el6.x86_64 >>sssd-client-1.11.6-30.el6.x86_64 >>sssd-common-1.11.6-30.el6.x86_64 >>sssd-ad-1.11.6-30.el6.x86_64 >>sssd-1.11.6-30.el6.x86_64 >>python-iniparse-0.3.1-2.1.el6.noarch >>libipa_hbac-python-1.11.6-30.el6.x86_64 >>sssd-krb5-common-1.11.6-30.el6.x86_64 >>sssd-krb5-1.11.6-30.el6.x86_64 >>sssd-common-pac-1.11.6-30.el6.x86_64 >>ipa-python-3.0.0-42.el6.x86_64 >>sssd-proxy-1.11.6-30.el6.x86_64 >>ipa-client-3.0.0-42.el6.x86_64 > >Hi, >just to be sure that the problem is indeed in options - the rule >without any sudoOption and with only one of them does work, right? > >Can you send us sudo debug log? You can enable debug log by putting the >following line in /etc/sudo.conf: > >Debug sudo /var/log/sudo.log all at debug > It will help as well if you provide your sssd and nsswitch configuration files. (/etc/nsswitch.conf, /etc/sssd/sssd.conf) We need to be sure that sudo integration with sssd is configured properly. 
----
OK - changed the sudo rule to only !authenticate and then logged in manually...

ssh -tt rundeck@$MY_SERVER

thus removing the 'requiretty' problem, and then when I ran my sudo command it still asked me for a password. I have the sudo debug log attached to this email.

I can, however, ssh as myself and 'sudo su -' on this server (a different sudo rule without any 'options'), so it seems that the problem is sudo options only.

sssd.conf

[domain/stt.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = app001.stt.local
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa001.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt-internal.local

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

nsswitch.conf (removed commented/empty lines)

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
sudoers:    files sss

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo.log
Type: application/octet-stream
Size: 107103 bytes
Desc: sudo.log
URL:

From sbose at redhat.com Tue Jan 6 17:18:23 2015
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 6 Jan 2015 18:18:23 +0100
Subject: [Freeipa-users] How to check IPA <--> AD trust from command line
In-Reply-To:
References: <54ABEEE3.4040303@redhat.com> <20150106154128.GJ23112@localhost.localdomain> <20150106170320.GM23112@localhost.localdomain>
Message-ID: <20150106171823.GN23112@localhost.localdomain>

On Tue, Jan 06, 2015 at 08:13:17PM +0300, Ben .T.George wrote:
> HI
>
> thanks for the reply.
> > please find below output.it's asking for password and accepting that. but > something wrong > > [root at kwtpocpbis01 ~]# kinit -C adm-ben.george at kwttestdc.com > Password for adm-ben.george at kwttestdc.com: > > [root at kwtpocpbis01 ~]# getent passwd adm-ben.george Please try getent passwd adm-ben.george at kwttestdc.com We use fully-qualified names to avoid name collisions. Does the kvno command work? bye, Sumit > > [root at kwtpocpbis01 ~]# id adm-ben.george > id: adm-ben.george: no such user > > Regards, > Ben > > On Tue, Jan 6, 2015 at 8:03 PM, Sumit Bose wrote: > > > On Tue, Jan 06, 2015 at 07:52:20PM +0300, Ben .T.George wrote: > > > Hi > > > > > > I Tried on IPA server and below is my output: > > > > > > [root at kwtpocpbis01 ~]# kinit adm-ben.george at kwttestdc.com > > > Password for adm-ben.george at kwttestdc.com: > > > kinit: KDC reply did not match expectations while getting initial > > > credentials > > > > > > how can i troubleshot this issue.? > > > > The argument to kinit is a Kerberos principal which is handled > > case-sensitive by kinit. To get around the error message either use > > > > kinit -C adm-ben.george at kwttestdc.com > > > > or > > > > kinit adm-ben.george at KWTTESTDC.COM > > > > (typically the realm part is upper-case, if your user name contains > > upper-case letters as well you should use them here as well, if you > > don't know 'kinit -C' might be the better solution) > > > > HTH > > > > bye, > > Sumit > > > > > > Thanks & Regards, > > > Ben > > > > > > > > > On Tue, Jan 6, 2015 at 6:41 PM, Sumit Bose wrote: > > > > > > > On Tue, Jan 06, 2015 at 07:19:15AM -0700, Rich Megginson wrote: > > > > > On 01/05/2015 08:35 PM, Ben .T.George wrote: > > > > > > > > > > > >Hi LIst, > > > > > > > > > > > >how to check IPA <-> Active directory trust relationship . i just > > want > > > > to > > > > > >confirm my ipa server is working fine. 
> > > > > > > > > > On an IPA server or client machine: > > > > > $ kinit adusername at ADDOMAIN.COM > > > > > Password: aduserpassword > > > > > > > > > > If there are no AD users yet, you can try with > > > > administrator at ADDOMAIN.COM > > > > > assuming you have the AD admin password. > > > > > > > > Additionally you have to check if the AD user can get a ticket for an > > IPA > > > > service e.g. after calling kinit with the AD user call > > > > > > > > kvno ldap/ipaserver.ipa.domain at IPA.DOMAIN > > > > > > > > bye, > > > > Sumit > > > > > > > > > > > > > > > > > > > > >Regards, > > > > > >Ben > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Manage your subscription for the Freeipa-users mailing list: > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > Go To http://freeipa.org for more info on the project > > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Go To http://freeipa.org for more info on the project > > > > > > From bentech4you at gmail.com Tue Jan 6 17:32:24 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Tue, 6 Jan 2015 20:32:24 +0300 Subject: [Freeipa-users] How to check IPA <--> AD trust from command line In-Reply-To: <20150106171823.GN23112@localhost.localdomain> References: <54ABEEE3.4040303@redhat.com> <20150106154128.GJ23112@localhost.localdomain> <20150106170320.GM23112@localhost.localdomain> <20150106171823.GN23112@localhost.localdomain> Message-ID: HI thanks now i am getting output: [root at kwtpocpbis01 ~]# getent passwd adm-ben.george at kwttestdc.com adm-ben.george at kwttestdc.com:*:1198401206:1198401206:ADM Ben George:/home/ kwttestdc.com/adm-ben.george: [root at kwtpocpbis01 ~]# id adm-ben.george at kwttestdc.com uid=1198401206(adm-ben.george at kwttestdc.com) gid=1198401206( adm-ben.george at kwttestdc.com) groups=1198401206(adm-ben.george at kwttestdc.com),1198400512(domain 
admins at kwttestdc.com),1198401147(wseallowmediaaccess at kwttestdc.com ),1198401151(wsealertadministrators at kwttestdc.com),1198401148( wseallowaddinaccess at kwttestdc.com),1198401152( wseremoteaccessusers at kwttestdc.com),1198401146( wseallowcomputeraccess at kwttestdc.com),1198401150( wseallowhomepagelinks at kwttestdc.com),1198401144( wseremotewebaccessusers at kwttestdc.com),1198401145( wseallowshareaccess at kwttestdc.com),1198401149( wseallowdashboardaccess at kwttestdc.com),535600004(ad_admins),1198400513(domain users at kwttestdc.com) i was trying the kinit command on solaris . -C key is not there Thanks & Regards, Ben On Tue, Jan 6, 2015 at 8:18 PM, Sumit Bose wrote: > On Tue, Jan 06, 2015 at 08:13:17PM +0300, Ben .T.George wrote: > > HI > > > > thanks for the replay. > > > > please find below output.it's asking for password and accepting that. > but > > something wrong > > > > [root at kwtpocpbis01 ~]# kinit -C adm-ben.george at kwttestdc.com > > Password for adm-ben.george at kwttestdc.com: > > > > [root at kwtpocpbis01 ~]# getent passwd adm-ben.george > > Please try > > getent passwd adm-ben.george at kwttestdc.com > > We use fully-qualified names to avoid name collisions. > > Does the kvno command work? > > bye, > Sumit > > > > > [root at kwtpocpbis01 ~]# id adm-ben.george > > id: adm-ben.george: no such user > > > > Regards, > > Ben > > > > On Tue, Jan 6, 2015 at 8:03 PM, Sumit Bose wrote: > > > > > On Tue, Jan 06, 2015 at 07:52:20PM +0300, Ben .T.George wrote: > > > > Hi > > > > > > > > I Tried on IPA server and below is my output: > > > > > > > > [root at kwtpocpbis01 ~]# kinit adm-ben.george at kwttestdc.com > > > > Password for adm-ben.george at kwttestdc.com: > > > > kinit: KDC reply did not match expectations while getting initial > > > > credentials > > > > > > > > how can i troubleshot this issue.? > > > > > > The argument to kinit is a Kerberos principal which is handled > > > case-sensitive by kinit. 
To get around the error message either use > > > > > > kinit -C adm-ben.george at kwttestdc.com > > > > > > or > > > > > > kinit adm-ben.george at KWTTESTDC.COM > > > > > > (typically the realm part is upper-case, if your user name contains > > > upper-case letters as well you should use them here as well, if you > > > don't know 'kinit -C' might be the better solution) > > > > > > HTH > > > > > > bye, > > > Sumit > > > > > > > > Thanks & Regards, > > > > Ben > > > > > > > > > > > > On Tue, Jan 6, 2015 at 6:41 PM, Sumit Bose wrote: > > > > > > > > > On Tue, Jan 06, 2015 at 07:19:15AM -0700, Rich Megginson wrote: > > > > > > On 01/05/2015 08:35 PM, Ben .T.George wrote: > > > > > > > > > > > > > >Hi LIst, > > > > > > > > > > > > > >how to check IPA <-> Active directory trust relationship . i > just > > > want > > > > > to > > > > > > >confirm my ipa server is working fine. > > > > > > > > > > > > On an IPA server or client machine: > > > > > > $ kinit adusername at ADDOMAIN.COM > > > > > > Password: aduserpassword > > > > > > > > > > > > If there are no AD users yet, you can try with > > > > > administrator at ADDOMAIN.COM > > > > > > assuming you have the AD admin password. > > > > > > > > > > Additionally you have to check if the AD user can get a ticket for > an > > > IPA > > > > > service e.g. 
after calling kinit with the AD user call > > > > > > > > > > kvno ldap/ipaserver.ipa.domain at IPA.DOMAIN > > > > > > > > > > bye, > > > > > Sumit > > > > > > > > > > > > > > > > > > > > > > > > >Regards, > > > > > > >Ben > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Manage your subscription for the Freeipa-users mailing list: > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > Go To http://freeipa.org for more info on the project > > > > > > > > > > -- > > > > > Manage your subscription for the Freeipa-users mailing list: > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > Go To http://freeipa.org for more info on the project > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbingram at gmail.com Tue Jan 6 18:27:41 2015 From: sbingram at gmail.com (Stephen Ingram) Date: Tue, 6 Jan 2015 10:27:41 -0800 Subject: [Freeipa-users] trust non-IPA certificate client In-Reply-To: <54A6DD39.3080601@redhat.com> References: <54A6DD39.3080601@redhat.com> Message-ID: On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden wrote: > Stephen Ingram wrote: > > On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram > > wrote: > > > > I have one client using a certificate issued by a third party > > provider such that any secure (TLS) LDAP queries are refused since > > the certificates were not issued by IPA. Since there are only a few > > clients with foreign certificates, can the CA simply be added to the > > NSS database used by the 389 directory server so IPA will establish > > a secure connection with them? > > > > > > I should have added, "or do I have to somehow add the certificate to the > > IPA directory?" > > Need a little more context here. IPA doesn't use SSL client > authentication so it shouldn't be an issue. Can you provide more details > on what the client side is doing and what errors you are seeing? Thanks Rob. 
I imported the CA into both the httpd and ldap NSS databases and it works. Interestingly, I'm currently using version 3.0 of IPA which still has the split directories. The CA imported properly into the main IPA directory, but would not import into the PKI directory without errors on restart. As I only really needed it in the main directory, I'm OK for now, however, I'm wondering if this will be a problem when we move to version 3.3 and the two directories are combined. Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Jan 6 18:49:14 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 06 Jan 2015 13:49:14 -0500 Subject: [Freeipa-users] trust non-IPA certificate client In-Reply-To: References: <54A6DD39.3080601@redhat.com> Message-ID: <54AC2E2A.8020502@redhat.com> Stephen Ingram wrote: > On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden > wrote: > > Stephen Ingram wrote: > > On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram > > >> wrote: > > > > I have one client using a certificate issued by a third party > > provider such that any secure (TLS) LDAP queries are refused since > > the certificates were not issued by IPA. Since there are only > a few > > clients with foreign certificates, can the CA simply be added > to the > > NSS database used by the 389 directory server so IPA will > establish > > a secure connection with them? > > > > > > I should have added, "or do I have to somehow add the certificate > to the > > IPA directory?" > > Need a little more context here. IPA doesn't use SSL client > authentication so it shouldn't be an issue. Can you provide more details > on what the client side is doing and what errors you are seeing? > > > Thanks Rob. I imported the CA into both the httpd and ldap NSS databases > and it works. Interestingly, I'm currently using version 3.0 of IPA > which still has the split directories. 
> The CA imported properly into the
> main IPA directory, but would not import into the PKI directory without
> errors on restart. As I only really needed it in the main directory, I'm
> OK for now, however, I'm wondering if this will be a problem when we
> move to version 3.3 and the two directories are combined.

I'd need to see the errors you were getting. I don't see why the existence of a trusted CA cert would cause a service to not start.

rob

From bentech4you at gmail.com Tue Jan 6 20:32:49 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Tue, 6 Jan 2015 23:32:49 +0300
Subject: [Freeipa-users] ipa host-add and service add command to add solaris 10
Message-ID:

HI

I was trying to add a Solaris 10 client from the command line. The host-add command went successfully, and service-add for host/ is giving an error.

Please check the output below and help me to solve this:

[root at kwtpocpbis01 ~]# ipa host-add --force --ip-address=172.16.107.107 kwttestsolaris10.solipa.local
------------------------------------------
Added host "kwttestsolaris10.solipa.local"
------------------------------------------
  Host name: kwttestsolaris10.solipa.local
  Principal name: host/kwttestsolaris10.solipa.local at SOLIPA.LOCAL
  Password: False
  Keytab: False
  Managed by: kwttestsolaris10.solipa.local

[root at kwtpocpbis01 ~]# ipa service-add host/kwttestsolaris10.solipa.local
ipa: ERROR: You must enroll a host in order to create a host service

What does "ipa: ERROR: You must enroll a host in order to create a host service" mean? I can see the host from the IPA web front end. Does that mean the host is added now, or is this pointing to another service?

Regards,
Ben

-------------- next part --------------
An HTML attachment was scrubbed...
URL: From rcritten at redhat.com Tue Jan 6 20:35:59 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 06 Jan 2015 15:35:59 -0500 Subject: [Freeipa-users] ipa host-add and service add command to add solaris 10 In-Reply-To: References: Message-ID: <54AC472F.1060005@redhat.com> Ben .T.George wrote: > > HI > > i was trying to ass solaris 10 client from command line. Host add comand > went successfully and service add for /host is giving error. > > please check below output and help me to solve this > > [root at kwtpocpbis01 ~]# ipa host-add --force --ip-address=172.16.107.107 > kwttestsolaris10.solipa.local > ------------------------------------------ > Added host "kwttestsolaris10.solipa.local" > ------------------------------------------ > Host name: kwttestsolaris10.solipa.local > Principal name: host/kwttestsolaris10.solipa.local at SOLIPA.LOCAL > Password: False > Keytab: False > Managed by: kwttestsolaris10.solipa.local > > [root at kwtpocpbis01 ~]# ipa service-add host/kwttestsolaris10.solipa.local > ipa: ERROR: You must enroll a host in order to create a host service > > what this means "ipa: ERROR: You must enroll a host in order to create a > host service" . I can see the host from IPA web front end. that means > host is added noe.? or this is pointing to another service The host service is implicit and lives within the host. You don't need to (nor can you) add it. If you want to get a keytab for it just use ipa-getkeytab to fetch it. rob From bentech4you at gmail.com Tue Jan 6 20:44:44 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Tue, 6 Jan 2015 23:44:44 +0300 Subject: [Freeipa-users] ipa host-add and service add command to add solaris 10 In-Reply-To: <54AC472F.1060005@redhat.com> References: <54AC472F.1060005@redhat.com> Message-ID: HI thanks for the replay. i was trying for keytab and getting below error. 
[root at kwtpocpbis01 ~]# ipa-getkeytab -s kwtpocpbis01.solipa.local -p host/kwttestsolaris10.solipa.local -k /tmp/krb5.keytab -e des-cbc-crc
Operation failed! All enctypes provided are unsupported

My krb5.conf looks like below:

[libdefaults]
 default_realm = SOLIPA.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true

What will be the issue with my command?

Regards,
Ben

On Tue, Jan 6, 2015 at 11:35 PM, Rob Crittenden wrote:
> Ben .T.George wrote:
> >
> > HI
> >
> > I was trying to add a Solaris 10 client from the command line. The host-add command
> > went successfully, and service-add for host/ is giving an error.
> >
> > Please check the output below and help me to solve this:
> >
> > [root at kwtpocpbis01 ~]# ipa host-add --force --ip-address=172.16.107.107 kwttestsolaris10.solipa.local
> > ------------------------------------------
> > Added host "kwttestsolaris10.solipa.local"
> > ------------------------------------------
> >   Host name: kwttestsolaris10.solipa.local
> >   Principal name: host/kwttestsolaris10.solipa.local at SOLIPA.LOCAL
> >   Password: False
> >   Keytab: False
> >   Managed by: kwttestsolaris10.solipa.local
> >
> > [root at kwtpocpbis01 ~]# ipa service-add host/kwttestsolaris10.solipa.local
> > ipa: ERROR: You must enroll a host in order to create a host service
> >
> > What does "ipa: ERROR: You must enroll a host in order to create a host service" mean?
> > I can see the host from the IPA web front end. Does that mean the host is added now,
> > or is this pointing to another service?
>
> The host service is implicit and lives within the host. You don't need
> to (nor can you) add it.
>
> If you want to get a keytab for it just use ipa-getkeytab to fetch it.
>
> rob

-------------- next part --------------
An HTML attachment was scrubbed...
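The failure above is about the enctype list rather than the keytab path: ipa-getkeytab reports "All enctypes provided are unsupported" when none of the enctypes given with -e matches what the IPA KDC offers, and a client-side allow_weak_crypto = true does not change that (it is set in the krb5.conf above and the request still failed). des-cbc-crc is single DES, which RFC 6649 retired from Kerberos. Below is an added example, not code from the thread, from FreeIPA or from MIT krb5: a small parser and linter for krb5.conf that flags weak and inconsistent settings, plus a helper that splits a requested -e list into what a given KDC list would accept and reject. SAMPLE_CONF is a constructed file modelled on the krb5.conf posted above (the [realms] and [appdefaults] blocks are added to exercise the parser), and DEMO_KDC_ENCTYPES is an assumed offer list for the demo, not what any real server advertises; an IPA realm's actual list lives in the krbSupportedEncSaltTypes attribute of the realm entry in LDAP.

```python
"""Lint a krb5.conf for weak or inconsistent settings and pre-check a keytab request.

Added example, not code from the thread, FreeIPA or MIT krb5. parse_krb5_conf()
covers the syntax used on this page: [sections], key = value, and NAME = { ... }
blocks. SAMPLE_CONF is constructed (modelled on the posted client krb5.conf);
DEMO_KDC_ENCTYPES is an assumed list of what a KDC offers, for the demo only.
"""
from __future__ import annotations

# Single DES is broken (RFC 6649); 3DES and RC4 are deprecated (RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des"}
DEPRECATED_ENCTYPES = {"des3-cbc-sha1", "des3-hmac-sha1", "des3",
                       "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "yes", "1"}

SAMPLE_CONF = """\
[libdefaults]
 default_realm = SOLIPA.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true

[realms]
 SOLIPA.LOCAL = {
  kdc = kwtpocpbis01.solipa.local:88
  admin_server = kwtpocpbis01.solipa.local:749
 }

[appdefaults]
 kinit = {
  renewable = true
  forwardable= true
 }
"""

# Assumption for the demo: a KDC that only offers AES enctypes.
DEMO_KDC_ENCTYPES = ["aes256-cts:normal", "aes256-cts:special",
                     "aes128-cts:normal", "aes128-cts:special"]


def parse_krb5_conf(text: str) -> dict[str, dict]:
    """Parse into {section: {key: value | nested dict}}; values keep their case."""
    conf: dict[str, dict] = {}
    stack: list[dict] = []          # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1].strip(), {})]
        elif not stack:
            raise ValueError(f"setting outside any section: {raw!r}")
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def lint(conf: dict[str, dict]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    lib = conf.get("libdefaults", {})
    if lib.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("libdefaults: allow_weak_crypto = true re-enables single DES on this client")
    for key in ENCTYPE_KEYS:
        for etype in lib.get(key, "").replace(",", " ").split():
            if etype.lower() in WEAK_ENCTYPES:
                findings.append(f"libdefaults: {key} lists weak enctype {etype}")
            elif etype.lower() in DEPRECATED_ENCTYPES:
                findings.append(f"libdefaults: {key} lists deprecated enctype {etype}")
    realm = lib.get("default_realm")
    if realm is None:
        findings.append("libdefaults: default_realm is not set")
    elif realm != realm.upper():
        findings.append(f"libdefaults: default_realm {realm} is not upper-case")
    elif (lib.get("dns_lookup_kdc", "true").lower() not in TRUE_VALUES
          and realm not in conf.get("realms", {})):
        findings.append(f"realms: no [realms] entry for {realm} and dns_lookup_kdc is off")
    return findings


def check_keytab_request(requested: list[str], kdc_supported: list[str]) -> tuple[list[str], list[str]]:
    """Split an ipa-getkeytab -e list into (accepted, rejected) against a KDC's enctype:salt list.

    An empty 'accepted' list is the condition behind 'All enctypes provided are unsupported'.
    """
    offered = {entry.split(":", 1)[0].lower() for entry in kdc_supported}
    accepted = [e for e in requested if e.lower() in offered]
    rejected = [e for e in requested if e.lower() not in offered]
    return accepted, rejected


if __name__ == "__main__":
    for finding in lint(parse_krb5_conf(SAMPLE_CONF)):
        print("finding:", finding)
    accepted, rejected = check_keytab_request(["des-cbc-crc"], DEMO_KDC_ENCTYPES)
    if not accepted:
        print("ipa-getkeytab would fail: none of", rejected, "is offered by the KDC")
```

Requesting an AES enctype instead of des-cbc-crc is the usual fix on the IPA side; whether the Solaris 10 client can use it is a separate question that this thread does not answer.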
From desantis at mail.usf.edu Tue Jan 6 20:50:45 2015
From: desantis at mail.usf.edu (John Desantis)
Date: Tue, 6 Jan 2015 15:50:45 -0500
Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64
Message-ID:

Hello all,

Looking at the various online documentation regarding certificate renewals:

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
http://www.freeipa.org/page/Certmonger
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html

I have to admit that I am completely confused on how to proceed, given that the links above reference external CAs. The certificate was created in house (no external issuer) from what I can tell (openssl x509 -issuer and via the IPA GUI).

Thankfully(?), none of the certificates listed via 'getcert list' have a status of "CA_UNREACHABLE", although all of them state "NEED_CSR". I'll paste the contents below, sanitized of course.

# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20130110185936':
        status: NEED_CSR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2015-01-11 18:59:35 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM
        track: yes
        auto-renew: yes
Request ID '20130110190008':
        status: NEED_CSR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2015-01-11 19:00:07 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130110190034':
        status: NEED_CSR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2015-01-11 19:00:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130410022007':
        status: NEED_CSR
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2014-12-31 18:58:42 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130410022008':
        status: NEED_CSR
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2014-12-31 18:58:41 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130410022009':
        status: NEED_CSR
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2014-12-31 18:58:41 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130410022010':
        status: NEED_CSR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2014-12-31 18:59:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20130410022011':
        status: NEED_CSR
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2014-12-31 18:58:41 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

This issue was manifest when I attempted to re-provision a client node. I'll paste the errors reported by Apache:

[Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181
[Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181 Certificate has expired
[Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed: Not accepted by client!?

FWIW, all IPA services are running for now.

Any guidance would certainly be appreciated! If more information is required, let me know and I'll paste it in a reply.

Thank you,
John DeSantis

From bentech4you at gmail.com Wed Jan 7 11:11:44 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 7 Jan 2015 14:11:44 +0300
Subject: [Freeipa-users] clarification regarding krb5.conf file

Hi List,

Correct me if I am wrong. Currently my client krb5.conf is holding AD details, and my client is Solaris.

Here is my file.
bash-3.2# more /etc/krb5/krb5.conf
[libdefaults]
        default_realm = KWTTESTDC.COM

[realms]
        KWTTESTDC.COM = {
                kdc = kwttestdc001.kwttestdc.com:88
                admin_server = kwttestdc001.kwttestdc.com:749
        }

[domain_realm]
        .kwttestdc.com = KWTTESTDC.COM
        kwttestdc.com = KWTTESTDC.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }

Please, anyone, verify whether this is right or wrong.

Regards,
Ben

--
Yours Sincerely
#!/usr/bin/env python
#Mysignature.py :)
Signature = """ Ben.T.George \n Senior Technical Engineer \n M.H Alshaya Co. W.L.L \n kuwait \n Phone : +965 - 50629829 \n """
Print Signature
" Live like you will die tomorrow, learn like you will live forever "

From mkosek at redhat.com Wed Jan 7 11:17:55 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Jan 2015 12:17:55 +0100
Subject: [Freeipa-users] FreeIPA Planet - blog aggregator - is alive!
Message-ID: <54AD15E3.6090601@redhat.com>

Hello all,

With the increasing number of blogs and articles about FreeIPA, it is sometimes difficult to keep track of all of them. To help you - users interested in the FreeIPA project - we started a brand new FreeIPA Planet blog aggregator:

http://planet.freeipa.org/

On this page, you can periodically check for new articles from various blogs related to the FreeIPA project or simply add the aggregated feed to your favorite RSS reader!

Now comes the fun part. While the initial Planet incarnation already contains a decent list of sources, mostly blogs of FreeIPA developers, we would also like to add *your* FreeIPA related blogs to the list! Please just send us a link to the RSS feed of your blog (or rather the category/tag devoted to the FreeIPA project) and we will add it to the list.

Enjoy!

--
Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
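An added example, not code from the FreeIPA project or from any post in this thread: a small Python audit of the `getcert list` output John DeSantis pasted earlier, flagging tracked certificates that are already expired, expire within a warning window, are marked stuck, or sit in any status other than MONITORING (the NEED_CSR entries above are exactly the kind of thing it surfaces before the Apache -8181 errors appear). The sample text is a constructed excerpt modelled on his paste; the third entry is invented to show a healthy certificate.

```python
"""Audit `getcert list` output for tracked certificates that need attention.
Added example, not FreeIPA project code or code from any post in this thread.
"""
import re
from datetime import datetime, timedelta, timezone

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")
NICKNAME_RE = re.compile(r"nickname='(?P<nick>[^']+)'")
LOCATION_RE = re.compile(r"location='(?P<loc>[^']+)'")

# Constructed excerpt modelled on the `getcert list` paste in this thread;
# the third request (MONITORING, future expiry) is invented as a healthy entry.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130110190034':
        status: NEED_CSR
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2015-01-11 19:00:34 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20130410022010':
        status: NEED_CSR
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2014-12-31 18:59:24 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID 'constructed-0001':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2016-06-01 00:00:00 UTC
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # The key ends at the first colon; values keep any later colons.
            current[m.group("key").strip()] = m.group("value").strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as e.g. '2015-01-11 19:00:34 UTC'."""
    naive = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
    return naive.replace(tzinfo=timezone.utc)


def find_problem_certs(text, now, warn_within=timedelta(days=28)):
    """Return (request_id, label, reasons) for requests that are expired,
    expiring within `warn_within`, stuck, or not in MONITORING status."""
    problems = []
    for req in parse_getcert_list(text):
        cert = req.get("certificate", "")
        nick = NICKNAME_RE.search(cert)
        loc = LOCATION_RE.search(cert)
        label = "%s in %s" % (nick.group("nick") if nick else "?",
                              loc.group("loc") if loc else "?")
        reasons = []
        status = req.get("status", "")
        if status != "MONITORING":
            reasons.append("status " + status)
        if req.get("stuck", "no") != "no":
            reasons.append("stuck")
        if req.get("expires"):
            expires = parse_expiry(req["expires"])
            if expires <= now:
                reasons.append("expired")
            elif expires - now <= warn_within:
                reasons.append("expires in %d days" % (expires - now).days)
        if reasons:
            problems.append((req["request_id"], label, reasons))
    return problems


def audit_sample(now_text="2015-01-06 14:14:47 UTC"):
    """Check the sample as of the time of the Apache errors in the thread."""
    return find_problem_certs(SAMPLE_GETCERT_OUTPUT, parse_expiry(now_text))


if __name__ == "__main__":
    for rid, label, reasons in audit_sample():
        print("%s %s: %s" % (rid, label, ", ".join(reasons)))
```

On a live server the same functions can be fed the real output of `getcert list` with `now` set to the current UTC time.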
From bentech4you at gmail.com Wed Jan 7 11:36:21 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 7 Jan 2015 14:36:21 +0300
Subject: [Freeipa-users] clarification regarding krb5.conf file

Hi,

If I check an IPA client machine enrolled with ipa-client, the krb5.conf file looks like below:

[root at kwttestmrbs001 krb5.include.d]# more /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = SOLIPA.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  SOLIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .solipa.local = SOLIPA.LOCAL
  solipa.local = SOLIPA.LOCAL

and the includedir /var/lib/sss/pubconf/krb5.include.d/ is including:

[root at kwttestmrbs001 krb5.include.d]# more domain_realm_solipa_local
[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM

Can anyone please help me to prepare a proper krb5.conf file for the Solaris box?

IPA Server is : kwtpocpbis01.solipa.local
Solaris (client) : kwttestsolaris10.solipa.local
Active Directory: kwttestdc001.kwttestdc.com

Regards,
Ben

On Wed, Jan 7, 2015 at 2:11 PM, Ben .T.George wrote:
> Hi List
>
> correct me if i am wrong.
>
> currently my client krb5.conf holding AD details. and my client is Solaris
>
> here is my file.
>
> bash-3.2# more /etc/krb5/krb5.conf
> [libdefaults]
> default_realm = KWTTESTDC.COM
>
> [realms]
> KWTTESTDC.COM = {
> kdc = kwttestdc001.kwttestdc.com:88
> admin_server = kwttestdc001.kwttestdc.com:749
> }
>
> [domain_realm]
> .kwttestdc.com = KWTTESTDC.COM
> kwttestdc.com = KWTTESTDC.COM
>
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> versions = 10
> }
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable= true
> }
>
> please anyone varify this is right or wrong
>
> Regards,
> Ben

From janellenicole80 at gmail.com Wed Jan 7 13:51:04 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 07 Jan 2015 05:51:04 -0800
Subject: [Freeipa-users] a fix - fedora domain vs rhel domain
Message-ID: <54AD39C8.6080802@gmail.com>

Hello fellow IPAers

I know this has been written about before - the python scripts and fedora-domain vs rhel-domain on RHEL/CentOS 7. The question is - was there a permanent fix yet? I continue to run into it during installs and have to edit python files to get the client install to not error out during the server install. This is of course with CentOS 7 and IPA 4.1.2.

Any options/comments?
Thank you
Janelle

--------------------------------
(install snippet)
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'another.com' '--server' 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com'' returned non-zero exit status 1

From chin at juniper.net Wed Jan 7 15:17:49 2015
From: chin at juniper.net (Andrew Chin)
Date: Wed, 7 Jan 2015 15:17:49 +0000
Subject: [Freeipa-users] Switch to 3rd party SSL
Message-ID: <6A8B3831-4E21-4877-AC25-98999536DC5D@juniper.net>

Hello,

I want to switch our FreeIPA 3.3.5 from using the FreeIPA CA self signed certificate to one signed by a commercial CA that browsers will recognize. The documentation at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP says "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." Does this preclude me from installing the commercial cert? If not, should I just follow the directions for IPA < 4.1?

Thanks,
Andrew Chin

From mkosek at redhat.com Wed Jan 7 15:19:49 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Jan 2015 16:19:49 +0100
Subject: [Freeipa-users] a fix - fedora domain vs rhel domain
In-Reply-To: <54AD39C8.6080802@gmail.com>
References: <54AD39C8.6080802@gmail.com>
Message-ID: <54AD4E95.4000105@redhat.com>

On 01/07/2015 02:51 PM, Janelle wrote:
> Hello fellow IPAers
>
> I know this has been written about before - the python scripts and
> fedora-domain vs rhel-domain on RHEL/CentOs 7. The question is - was there a
> permanent fix yet? I continue to run into it during installs and have to edit
> python files to get the client install to not error out duruing the server
> install. This is of course with CentOS 7 and IPA 4.1.2.
>
> Any options/comments?
> Thank you
> Janelle
>
> --------------------------------
> (install snippet)
> Done.
> Restarting the directory server
> Restarting the KDC
> Restarting the certificate server
> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
> Restarting the web server
> Configuration of client side components failed!
> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
> '--on-master' '--unattended' '--domain' 'another.com' '--server'
> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
> returned non-zero exit status 1
>

Hi Janelle,

Yes, this should have been resolved in
https://fedorahosted.org/freeipa/ticket/4562
CCing Jan.

Are you sure it is caused by this problem? Can you add a snippet of the ipaclient-install.log with the actual failures? Your install snippet does not help that much.

Can you please also check that you have the right FreeIPA platform file loaded? At least giving us output from this grep should help:

$ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py

Thanks,
Martin

From janellenicole80 at gmail.com Wed Jan 7 15:42:01 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 07 Jan 2015 07:42:01 -0800
Subject: [Freeipa-users] a fix - fedora domain vs rhel domain
In-Reply-To: <54AD4E95.4000105@redhat.com>
References: <54AD39C8.6080802@gmail.com> <54AD4E95.4000105@redhat.com>
Message-ID: <54AD53C9.7010507@gmail.com>

Indeed you are correct - it was NOT the problem. Double checking the logs showed an old ca.crt file from a previous install (something that should be done in the "uninstall" jobs - remove ALL the old folders, including /etc/ipa which has old certs, etc.)

Thanks for the tip to look elsewhere - I made a bad assumption.
Janelle

On 1/7/15 7:19 AM, Martin Kosek wrote:
> On 01/07/2015 02:51 PM, Janelle wrote:
>> Hello fellow IPAers
>>
>> I know this has been written about before - the python scripts and
>> fedora-domain vs rhel-domain on RHEL/CentOs 7. The question is - was there a
>> permanent fix yet? I continue to run into it during installs and have to edit
>> python files to get the client install to not error out duruing the server
>> install. This is of course with CentOS 7 and IPA 4.1.2.
>>
>> Any options/comments?
>> Thank you
>> Janelle
>>
>> --------------------------------
>> (install snippet)
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
>> Restarting the web server
>> Configuration of client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--on-master' '--unattended' '--domain' 'another.com' '--server'
>> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
>> returned non-zero exit status 1
>>
> Hi Janelle,
>
> Yes, this should have been resolved in
> https://fedorahosted.org/freeipa/ticket/4562
> CCing Jan.
>
> Are you sure it is caused by this problem? Can you add a snippet of the
> ipaclient-install.log with the actual failures? Your install snippet does not
> help that much.
>
> Can you please also check that you have the right FreeIPA platform file loaded?
> At least giving us output from this grep should help:
>
> $ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py
>
> Thanks,
> Martin

From janellenicole80 at gmail.com Wed Jan 7 15:52:39 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 07 Jan 2015 07:52:39 -0800
Subject: [Freeipa-users] a fix - fedora domain vs rhel domain
In-Reply-To: <54AD4E95.4000105@redhat.com>
References: <54AD39C8.6080802@gmail.com> <54AD4E95.4000105@redhat.com>
Message-ID: <54AD5647.4050004@gmail.com>

Here is the snippet with the error:

2015-01-07T14:04:57Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:57Z DEBUG Process finished, return code=0
2015-01-07T14:04:57Z DEBUG stdout=
2015-01-07T14:04:57Z DEBUG stderr=
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-07T14:04:58Z DEBUG Process finished, return code=1
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable

2015-01-07T14:04:58Z ERROR Could not update systemwide CA trust database: Command ''/usr/bin/update-ca-trust'' returned non-zero exit status 1
2015-01-07T14:04:58Z DEBUG Attempting to add CA certificates to the default NSS database.
2015-01-07T14:04:58Z DEBUG Starting external process
2015-01-07T14:04:58Z DEBUG args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:58Z DEBUG Process finished, return code=255
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

2015-01-07T14:04:58Z ERROR Failed to add ANOTHER.COM IPA CA to the default NSS database.
2015-01-07T14:04:58Z WARNING Installation failed. As this is IPA server, changes will not be rolled back.

On 1/7/15 7:19 AM, Martin Kosek wrote:
> On 01/07/2015 02:51 PM, Janelle wrote:
>> Hello fellow IPAers
>>
>> I know this has been written about before - the python scripts and
>> fedora-domain vs rhel-domain on RHEL/CentOs 7. The question is - was there a
>> permanent fix yet? I continue to run into it during installs and have to edit
>> python files to get the client install to not error out duruing the server
>> install. This is of course with CentOS 7 and IPA 4.1.2.
>>
>> Any options/comments?
>> Thank you
>> Janelle
>>
>> --------------------------------
>> (install snippet)
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
>> Restarting the web server
>> Configuration of client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--on-master' '--unattended' '--domain' 'another.com' '--server'
>> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
>> returned non-zero exit status 1
>>
> Hi Janelle,
>
> Yes, this should have been resolved in
> https://fedorahosted.org/freeipa/ticket/4562
> CCing Jan.
>
> Are you sure it is caused by this problem? Can you add a snippet of the
> ipaclient-install.log with the actual failures? Your install snippet does not
> help that much.
>
> Can you please also check that you have the right FreeIPA platform file loaded?
> At least giving us output from this grep should help:
>
> $ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py
>
> Thanks,
> Martin

From mkosek at redhat.com Wed Jan 7 16:25:59 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Jan 2015 17:25:59 +0100
Subject: [Freeipa-users] a fix - fedora domain vs rhel domain
In-Reply-To: <54AD53C9.7010507@gmail.com>
References: <54AD39C8.6080802@gmail.com> <54AD4E95.4000105@redhat.com> <54AD53C9.7010507@gmail.com>
Message-ID: <54AD5E17.6030906@redhat.com>

On 01/07/2015 04:42 PM, Janelle wrote:
> Indeed you are correct - it was NOT the problem.

Good!

> Double checking the logs -
> showed an old ca.crt file from a previous install (something that should be
> done in the "uninstall" jobs - remove ALL the old folders, including /etc/ipa
> which has old certs, etc.)

The certificate is supposed to be removed during client uninstall, since FreeIPA 3.2. Upstream ticket:

https://fedorahosted.org/freeipa/ticket/3537

If you reproduce the problem with current versions, it is a bug...

> Thanks for the tip to look elsewhere - I made a bad assumption.
> Janelle
>
>
> On 1/7/15 7:19 AM, Martin Kosek wrote:
>> On 01/07/2015 02:51 PM, Janelle wrote:
>>> Hello fellow IPAers
>>>
>>> I know this has been written about before - the python scripts and
>>> fedora-domain vs rhel-domain on RHEL/CentOs 7. The question is - was there a
>>> permanent fix yet? I continue to run into it during installs and have to edit
>>> python files to get the client install to not error out duruing the server
>>> install. This is of course with CentOS 7 and IPA 4.1.2.
>>>
>>> Any options/comments?
>>> Thank you
>>> Janelle
>>>
>>> --------------------------------
>>> (install snippet)
>>> Done.
>>> Restarting the directory server
>>> Restarting the KDC
>>> Restarting the certificate server
>>> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
>>> Restarting the web server
>>> Configuration of client side components failed!
>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>> '--on-master' '--unattended' '--domain' 'another.com' '--server'
>>> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
>>> returned non-zero exit status 1
>>>
>> Hi Janelle,
>>
>> Yes, this should have been resolved in
>> https://fedorahosted.org/freeipa/ticket/4562
>> CCing Jan.
>>
>> Are you sure it is caused by this problem? Can you add a snippet of the
>> ipaclient-install.log with the actual failures? Your install snippet does not
>> help that much.
>>
>> Can you please also check that you have the right FreeIPA platform file loaded?
>> At least giving us output from this grep should help:
>>
>> $ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py
>>
>> Thanks,
>> Martin
>

From CWhite at skytouchtechnology.com Wed Jan 7 17:32:27 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Wed, 7 Jan 2015 17:32:27 +0000
Subject: [Freeipa-users] sudo !requiretty !authenticate
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com>

Still struggling with this...

$ sudo /sbin/service pe-puppet restart
[sudo] password for rundeck:
Stopping puppet: [ OK ]
Starting puppet: [ OK ]

So it asks for the password even though, via FreeIPA, it isn't required...
$ sudo -l
Matching Defaults entries for rundeck on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User rundeck may run the following commands on this host:
    (root) ALL
    (ALL) NOPASSWD: ALL

And all of the info is provided previously/below that should be needed, including the sudo debug log in yesterday's email, if anyone has the time to help me figure out what is going wrong here.

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Craig White
Sent: Tuesday, January 06, 2015 10:17 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
Sent: Tuesday, January 06, 2015 3:11 AM
To: Craig White
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

On (06/01/15 10:21), Pavel Březina wrote:
>On 01/05/2015 07:32 PM, Craig White wrote:
>>Hi - reply at bottom
>>
>>-----Original Message-----
>>From: Martin Kosek [mailto:mkosek at redhat.com]
>>Sent: Monday, January 05, 2015 4:33 AM
>>To: Craig White; freeipa-users at redhat.com; Pavel Brezina
>>Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>>On 01/02/2015 07:47 PM, Craig White wrote:
>>>Subject pretty much says it all.
>>>
>>>Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
>>>
>>>But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
>>>
>>>Craig White
>>>System Administrator
>>>O 623-201-8179 M 602-377-9752
>>>
>>>SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
>>
>>CCing Pavel to advise.
>>
>> From top of my head - did you try clearing SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly?
>>Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.
>>
>>Martin
>>----
>>Thanks Martin
>>
>>Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help.
>>
>>$ ipa sudorule-show --all
>>Rule name: rundeck
>>  dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
>>  Rule name: rundeck
>>  Enabled: TRUE
>>  Host category: all
>>  Command category: all
>>  RunAs User category: all
>>  Users: rundeck
>>  Sudo Option: !requiretty, !authenticate
>>  ipauniqueid: XXXXXX
>>  objectclass: ipaassociation, ipasudorule
>>
>>At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same...
>>
>>sudo: sorry, you must have a tty to run sudo :-(
>>
>>(client system)
>># rpm -qa | egrep 'ipa|sssd'
>>sssd-ldap-1.11.6-30.el6.x86_64
>>libipa_hbac-1.11.6-30.el6.x86_64
>>python-sssdconfig-1.11.6-30.el6.noarch
>>sssd-ipa-1.11.6-30.el6.x86_64
>>sssd-client-1.11.6-30.el6.x86_64
>>sssd-common-1.11.6-30.el6.x86_64
>>sssd-ad-1.11.6-30.el6.x86_64
>>sssd-1.11.6-30.el6.x86_64
>>python-iniparse-0.3.1-2.1.el6.noarch
>>libipa_hbac-python-1.11.6-30.el6.x86_64
>>sssd-krb5-common-1.11.6-30.el6.x86_64
>>sssd-krb5-1.11.6-30.el6.x86_64
>>sssd-common-pac-1.11.6-30.el6.x86_64
>>ipa-python-3.0.0-42.el6.x86_64
>>sssd-proxy-1.11.6-30.el6.x86_64
>>ipa-client-3.0.0-42.el6.x86_64
>
>Hi,
>just to be sure that the problem is indeed in options - the rule
>without any sudoOption and with only one of them does work, right?
>
>Can you send us sudo debug log? You can enable debug log by putting the
>following line in /etc/sudo.conf:
>
>Debug sudo /var/log/sudo.log all@debug
>
It will help as well if you provide your sssd and nsswitch configuration files. (/etc/nsswitch.conf, /etc/sssd/sssd.conf)
We need to be sure that sudo integration with sssd is configured properly.
----
OK - changed the sudo rule to only !authenticate and then logged in manually...

ssh -tt rundeck@$MY_SERVER

thus removing the 'requiretty' problem, and then when I ran my sudo command, it still asked me for a password.

I have the sudo debug log attached to this email.

I can however ssh as myself and 'sudo su -' on this server (a different sudo rule without any 'options'), so it seems that the problem is sudo options only.

sssd.conf

[domain/stt.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = app001.stt.local
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa001.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt-internal.local

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

nsswitch.conf (removed commented/empty lines)

passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss

From desantis at mail.usf.edu Wed Jan 7 17:43:43 2015
From: desantis at mail.usf.edu (John Desantis)
Date: Wed, 7 Jan 2015 12:43:43 -0500
Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64

Hello all,

Just an update on this issue for anyone else who experiences a similar issue.

It looks like the automatic renewal of the certificates failed on our master due to the certmonger service being "stuck". I stopped the service, stopped IPA services, and then reset the date to a few days prior to the expiration. I then (following a mailing list post) restarted IPA and then certmonger. At this point, I checked the status of the certificates and saw that they were changing. Only the "Server-Cert" in /etc/httpd/alias was complaining this time of not being able to contact the CA. Another certmonger service restart corrected the issue.

I can now re-provision nodes accordingly!

The only remaining hiccup is now the replica's certmonger service keeps dying while failing to re-issue the "ipaCert" in /etc/httpd/alias.
Log snippets are below:

Jan 7 12:17:02 python: certmonger restarted httpd
Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.

The IPA services are running and the machine can be accessed (queries issued, web GUI, etc.)

Would anyone have an idea of why a replica would have issues renewing the "ipaCert"?

Thank you,
John DeSantis

2015-01-06 15:50 GMT-05:00 John Desantis :
> Hello all,
>
> Looking at the various online documentation regarding certificate renewals:
>
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
> http://www.freeipa.org/page/Certmonger
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>
> I have to admit that I am completely confused on how to proceed given
> that the links above reference external CA's.
>
> The certificate was created in house (no external issuer) from what I
> can tell (openssl x509 -issuer and via IPA GUI).
>
> Thankfully(?), none of the certificates listed via 'getcert list' have
> a status of "CA_UNREACHABLE", although all of them state "NEED_CSR".
> I'll paste the contents below, sanitized of course.
>
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20130110185936':
> status: NEED_CSR
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa.example.com,O=EXAMPLE.COM
> expires: 2015-01-11 18:59:35 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM
> track: yes
> auto-renew: yes
> Request ID '20130110190008':
> status: NEED_CSR
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa.example.com,O=EXAMPLE.COM
> expires: 2015-01-11 19:00:07 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130110190034':
> status: NEED_CSR
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa.example.com,O=EXAMPLE.COM
> expires: 2015-01-11 19:00:34 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Request ID '20130410022007':
> status: NEED_CSR
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=CA Audit,O=EXAMPLE.COM
> expires: 2014-12-31 18:58:42 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130410022008':
> status: NEED_CSR
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> expires: 2014-12-31 18:58:41 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130410022009':
> status: NEED_CSR
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=CA Subsystem,O=EXAMPLE.COM
> expires: 2014-12-31 18:58:41 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130410022010':
> status: NEED_CSR
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=IPA RA,O=EXAMPLE.COM
> expires: 2014-12-31 18:59:24 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20130410022011':
> status: NEED_CSR
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa.example.com,O=EXAMPLE.COM
> expires: 2014-12-31 18:58:41 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> This issue was manifest when I attempted to re-provision a client
> node. I'll paste the errors reported by Apache:
>
> [Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181
> [Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181
> Certificate has expired
> [Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed:
> Not accepted by client!?
>
> FWIW, all IPA services are running for now.
>
> Any guidance would certainly be appreciated! If more information is
> required, let me know and I'll paste it in a reply.
>
> Thank you,
> John DeSantis

From brad at monetra.com Wed Jan 7 18:22:36 2015
From: brad at monetra.com (Brad House)
Date: Wed, 07 Jan 2015 13:22:36 -0500
Subject: [Freeipa-users] Kerberos Tickets/kinit using Cygwin on Windows
Message-ID: <54AD796C.7040503@monetra.com>

I have a need to 'kinit' from within a cygwin environment in order to perform an svn checkout over ssh. However, I can't figure out how to get this to work properly with FreeIPA. We had a MIT kerberos/OpenLDAP authentication system prior to using FreeIPA and we had it working there.

The windows machine itself is kerberized as per http://www.freeipa.org/page/Windows_authentication_against_FreeIPA so I can log in using the kerberos user via the standard windows login, however I don't believe that is relevant to cygwin since it uses its own config.

Next, I generated an /etc/krb5.conf file within cygwin as appropriate for my domain (DNS SRV records don't appear to work so I had to fully configure it with my ipa servers listed, etc ... which is basically an identical config just with some new URLs to what was previously working). It was derived originally from here: http://computing.fnal.gov/authentication/krb5conf/Windows/krb5.conf
Also, the cygwin /etc/krb5.keytab is what was generated via ipa-getkeytab from the FreeIPA windows config docs (linked earlier).

Initially I received these errors:

Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse at XXXX for krbtgt/XXXX at XXXX, KDC has no support for encryption type

It appeared the kerberos within cygwin is only advertising des encryption types even though stronger ones are configured in my krb5.conf.
Ok, so I allowed weak crypto to the krb5kdc on the freeipa server following the same procedure as from this mailing list entry (which was for a different purpose): https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html Which appears similar to the NFS workarounds but also includes modifications for krb5kdc.conf: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/kerb-nfs.html Now I'm receiving these errors in the logs: Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) 
request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:30 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response

And on the cygwin console I get:

$ kinit bhouse
Password for bhouse at XXXX:
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

So I think this is _better_, however I don't know where to go from here.

Any help would be greatly appreciated, I'm not finding anything when trying to research cygwin with FreeIPA.

Thanks!
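The KDC lines quoted above carry two signals a defender wants to catch from the server side: a client whose AS_REQ offers only etypes 3 and 1 (des-cbc-md5 and des-cbc-crc), and a NEEDED_PREAUTH answer followed by a burst of retransmits. The following is an added example for this thread, not code from Brad's post or from FreeIPA: it parses krb5kdc log lines in that format, decodes the enctype numbers using the standard RFC assignments, and flags clients that never offer an AES type or that loop after NEEDED_PREAUTH. The sample log lines are constructed to match the quoted format, with the realm masked as XXXX as in the thread (and a real `@` instead of the archive's "at").

```python
"""Triage krb5kdc log lines for clients that offer only weak encryption
types and for AS_REQ pre-authentication retransmit loops.

Added example for this thread, not code from the original post. The line
format follows the 'AS_REQ (N etypes {...})' and 'DISPATCH: repeated'
messages quoted above; the sample lines below are constructed to match it.
"""
import re
from collections import defaultdict

# Encryption type numbers from RFC 3961/3962/4757 and RFC 8009.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
STRONG = {17, 18, 19, 20}  # the AES types; everything else is treated as weak

AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)"
)
RETRANS_RE = re.compile(
    r"DISPATCH: repeated \(retransmitted\?\) request from (?P<client>[\d.]+)"
)
PRINC_RE = re.compile(r"(\S+) for (\S+)")  # "client-princ for service-princ"

def new_client():
    return {"etypes": set(), "statuses": defaultdict(int),
            "principals": set(), "retransmits": 0}

def analyze(lines):
    """Summarise the log per client IP: enctypes offered, KDC status codes,
    principals requested and how many retransmits the KDC saw."""
    clients = defaultdict(new_client)
    for line in lines:
        m = AS_REQ_RE.search(line)
        if m:
            c = clients[m.group("client")]
            c["etypes"].update(int(e) for e in m.group("etypes").split())
            c["statuses"][m.group("status")] += 1
            p = PRINC_RE.search(m.group("rest"))
            if p:
                c["principals"].add(p.group(1))
            continue
        m = RETRANS_RE.search(line)
        if m:
            clients[m.group("client")]["retransmits"] += 1
    for c in clients.values():
        c["etype_names"] = sorted(ETYPE_NAMES.get(e, f"unknown({e})") for e in c["etypes"])
        # A client that never offers an AES type is the thing to fix;
        # enabling allow_weak_crypto on the KDC only hides it.
        c["weak_only"] = bool(c["etypes"]) and not (c["etypes"] & STRONG)
    return dict(clients)

def findings(lines, loop_threshold=5):
    """Plain-text findings, one per problem per client."""
    out = []
    for ip, c in sorted(analyze(lines).items()):
        if c["weak_only"]:
            out.append(f"{ip}: offers only {', '.join(c['etype_names'])} for "
                       f"{', '.join(sorted(c['principals']))}; fix the client's "
                       f"Kerberos library/config rather than enabling weak crypto on the KDC")
        if c["statuses"].get("NEEDED_PREAUTH") and c["retransmits"] >= loop_threshold:
            out.append(f"{ip}: {c['retransmits']} retransmits after NEEDED_PREAUTH; "
                       f"the client keeps resending the AS_REQ without pre-auth data")
    return out

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse@XXXX for krbtgt/XXXX@XXXX, KDC has no support for encryption type
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@XXXX for krbtgt/XXXX@XXXX, Additional pre-authentication required
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:30 ipa1.XXXX krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:40:02 ipa1.XXXX krb5kdc[32005](info): AS_REQ (6 etypes {18 17 16 23 3 1}) 10.100.10.50: ISSUE: authtime 1420655402, etypes {rep=18 tkt=18 ses=18}, alice@XXXX for krbtgt/XXXX@XXXX
""".splitlines()

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

On the sample this reports two findings for 10.100.10.112 and nothing for the AES-capable client. That is the split Sumit's question is aiming at later in the thread: the KDC log points at the client, and the cause turned out to be an old client-side kinit, so the durable fix was on the client rather than relaxing the KDC with allow_weak_crypto.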
-Brad From sbose at redhat.com Wed Jan 7 19:21:00 2015 From: sbose at redhat.com (Sumit Bose) Date: Wed, 7 Jan 2015 20:21:00 +0100 Subject: [Freeipa-users] Kerberos Tickets/kinit using Cygwin on Windows In-Reply-To: <54AD796C.7040503@monetra.com> References: <54AD796C.7040503@monetra.com> Message-ID: <20150107192100.GU23112@localhost.localdomain> On Wed, Jan 07, 2015 at 01:22:36PM -0500, Brad House wrote: > I have a need to 'kinit' from within a cygwin environment in order to > perform an svn checkout over ssh. However, I can't figure out how to > get this to work properly with FreeIPA. We had a MIT kerberos/ > OpenLDAP authentication system prior to using FreeIPA and we had it > working there. > > The windows machine itself is kerberized as per > http://www.freeipa.org/page/Windows_authentication_against_FreeIPA > so I can log in using the kerberos user via the standard windows login, > however I don't believe that is relevant to cygwin since it uses its own > config. > > Next, I generated an /etc/krb5.conf file within cygwin as appropriate > for my domain (DNS SRV records don't appear to work so I had to fully > configure it with my ipa servers listed, etc ... which is basically > an identical config just with some new URLs to what was previously > working). It was derived originally from here: > http://computing.fnal.gov/authentication/krb5conf/Windows/krb5.conf > Also, the cygwin /etc/krb5.keytab is what was generated via ipa-getkeytab > from the FreeIPA windows config docs (linked earlier). > > Initially I received these errors: > Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse at XXXX for krbtgt/XXXX at XXXX, KDC has no support for encryption type > > It appeared the kerberos within cygwin is only advertising des encryption > types even though stronger ones are configured in my krb5.conf. 
> > Ok, so I allowed weak crypto to the krb5kdc on the freeipa server following > the same procedure as from this mailing list entry (which was for a different > purpose): > https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html > Which appears similar to the NFS workarounds but also includes modifications > for krb5kdc.conf: > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/kerb-nfs.html > > Now I'm receiving these errors in the logs: > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response > Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) 
> request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:30 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response

looks like the client is resending an AS_REQ without proper pre-auth data. Which version of cygwin are you using? Can you check with 'klist -V' which Kerberos version is used?

bye,
Sumit

>
> And on the cygwin console I get:
> $ kinit bhouse
> Password for bhouse at XXXX:
> kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
>
> So I think this is _better_, however I don't know where to go from here.
>
> Any help would be greatly appreciated, I'm not finding anything when trying to research
> cygwin with FreeIPA.
>
> Thanks!
> -Brad > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From brad at monetra.com Wed Jan 7 20:01:05 2015 From: brad at monetra.com (Brad House) Date: Wed, 07 Jan 2015 15:01:05 -0500 Subject: [Freeipa-users] Kerberos Tickets/kinit using Cygwin on Windows In-Reply-To: <20150107192100.GU23112@localhost.localdomain> References: <54AD796C.7040503@monetra.com> <20150107192100.GU23112@localhost.localdomain> Message-ID: <54AD9081.6060104@monetra.com> On 01/07/2015 02:21 PM, Sumit Bose wrote: > On Wed, Jan 07, 2015 at 01:22:36PM -0500, Brad House wrote: >> I have a need to 'kinit' from within a cygwin environment in order to >> perform an svn checkout over ssh. However, I can't figure out how to >> get this to work properly with FreeIPA. We had a MIT kerberos/ >> OpenLDAP authentication system prior to using FreeIPA and we had it >> working there. >> >> The windows machine itself is kerberized as per >> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA >> so I can log in using the kerberos user via the standard windows login, >> however I don't believe that is relevant to cygwin since it uses its own >> config. >> >> Next, I generated an /etc/krb5.conf file within cygwin as appropriate >> for my domain (DNS SRV records don't appear to work so I had to fully >> configure it with my ipa servers listed, etc ... which is basically >> an identical config just with some new URLs to what was previously >> working). It was derived originally from here: >> http://computing.fnal.gov/authentication/krb5conf/Windows/krb5.conf >> Also, the cygwin /etc/krb5.keytab is what was generated via ipa-getkeytab >> from the FreeIPA windows config docs (linked earlier). 
>> >> Initially I received these errors: >> Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse at XXXX for krbtgt/XXXX at XXXX, KDC has no support for encryption type >> >> It appeared the kerberos within cygwin is only advertising des encryption >> types even though stronger ones are configured in my krb5.conf. >> >> Ok, so I allowed weak crypto to the krb5kdc on the freeipa server following >> the same procedure as from this mailing list entry (which was for a different >> purpose): >> https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html >> Which appears similar to the NFS workarounds but also includes modifications >> for krb5kdc.conf: >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/kerb-nfs.html >> >> Now I'm receiving these errors in the logs: >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) 
request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response >> Jan 07 12:39:30 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response > > looks like the client is resending as AS_REQ without proper pre-auth > data. Which version of cygwin are you using? 
> Can you check with
> 'klist -V' which Kerberos version is used?
>
> bye,
> Sumit

Thanks for the reply Sumit, you provided me a clue where to look!

klist -V returned 'unknown option -- V'

I didn't even think to check to see if there was another kinit on the system. It appears my predecessor had installed a private copy of kinit/klist/kdestroy/ssh in /usr/local/bin that were ancient (and didn't document what he did). Perhaps the original version of cygwin didn't support kerberos properly. After removing those, it works, and DNS SRV records work too.

Geez, now I feel silly.

Thanks!
-Brad

>>
>> And on the cygwin console I get:
>> $ kinit bhouse
>> Password for bhouse at XXXX:
>> kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
>>
>> So I think this is _better_, however I don't know where to go from here.
>>
>> Any help would be greatly appreciated, I'm not finding anything when trying to research
>> cygwin with FreeIPA.
>>
>> Thanks!
>> -Brad
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>

From rcritten at redhat.com Wed Jan 7 20:13:28 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 07 Jan 2015 15:13:28 -0500
Subject: [Freeipa-users] Switch to 3rd party SSL
In-Reply-To: <6A8B3831-4E21-4877-AC25-98999536DC5D@juniper.net>
References: <6A8B3831-4E21-4877-AC25-98999536DC5D@juniper.net>
Message-ID: <54AD9368.2040101@redhat.com>

Andrew Chin wrote:
> Hello,
> I want to switch our FreeIPA 3.3.5 from using the FreeIPA CA self signed certificate to one signed by a commercial CA that browsers will recognize.
>
> The documentation at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP says "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." Does this preclude me from installing the commercial cert?
> If not, should I just follow the directions for IPA < 4.1?
> Thanks,
> Andrew Chin

That is rather confusing, isn't it? IMHO it should really say that the cert is signed by your 3rd party CA.

You'll also want to make sure that the issuing CA is trusted in your NSS databases as well.

rob

From rcritten at redhat.com Wed Jan 7 20:37:08 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 07 Jan 2015 15:37:08 -0500
Subject: [Freeipa-users] ipa host-add and service add command to add solaris 10
In-Reply-To:
References: <54AC472F.1060005@redhat.com>
Message-ID: <54AD98F4.2070606@redhat.com>

Ben .T.George wrote:
> HI
>
> thanks for the reply.
>
> i was trying for keytab and getting below error.
>
> [root at kwtpocpbis01 ~]# ipa-getkeytab -s kwtpocpbis01.solipa.local -p
> host/kwttestsolaris10.solipa.local -k /tmp/krb5.keytab -e des-cbc-crc
> Operation failed! All enctypes provided are unsupported
>
> my krb5.conf looks like below:
>
> [libdefaults]
> default_realm = SOLIPA.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> default_ccache_name = KEYRING:persistent:%{uid}
> allow_weak_crypto = true
>
> what will be the issue with my command?

You haven't configured enough. Follow Alexander's instructions here: https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html

You'll also need to restart the krb5kdc service.

rob

>
> Regards,
> Ben
>
> On Tue, Jan 6, 2015 at 11:35 PM, Rob Crittenden wrote:
>
> Ben .T.George wrote:
> >
> > HI
> >
> > i was trying to add solaris 10 client from command line. Host add
> command
> > went successfully and service add for /host is giving error.
> > > > please check below output and help me to solve this > > > > [root at kwtpocpbis01 ~]# ipa host-add --force > --ip-address=172.16.107.107 > > kwttestsolaris10.solipa.local > > ------------------------------------------ > > Added host "kwttestsolaris10.solipa.local" > > ------------------------------------------ > > Host name: kwttestsolaris10.solipa.local > > Principal name: host/kwttestsolaris10.solipa.local at SOLIPA.LOCAL > > Password: False > > Keytab: False > > Managed by: kwttestsolaris10.solipa.local > > > > [root at kwtpocpbis01 ~]# ipa service-add > host/kwttestsolaris10.solipa.local > > ipa: ERROR: You must enroll a host in order to create a host service > > > > what this means "ipa: ERROR: You must enroll a host in order to > create a > > host service" . I can see the host from IPA web front end. that means > > host is added noe.? or this is pointing to another service > > The host service is implicit and lives within the host. You don't need > to (nor can you) add it. > > If you want to get a keytab for it just use ipa-getkeytab to fetch it. 
>
> rob
>
>

From dpal at redhat.com Wed Jan 7 20:46:09 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 07 Jan 2015 15:46:09 -0500
Subject: [Freeipa-users] clarification regarding krb5.conf file
In-Reply-To:
References:
Message-ID: <54AD9B11.1050608@redhat.com>

On 01/07/2015 06:36 AM, Ben .T.George wrote:
> HI
>
> If I check IPA client machine enrolled with ipa-client, the krb5.conf
> file looks like below:
>
> [root at kwttestmrbs001 krb5.include.d]# more /etc/krb5.conf
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = SOLIPA.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> SOLIPA.LOCAL = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .solipa.local = SOLIPA.LOCAL
> solipa.local = SOLIPA.LOCAL
>
> and the includedir /var/lib/sss/pubconf/krb5.include.d/ is including:
>
> [root at kwttestmrbs001 krb5.include.d]# more domain_realm_solipa_local
> [domain_realm]
> .kwttestdc.com = KWTTESTDC.COM
> kwttestdc.com = KWTTESTDC.COM
>
> anyone please help me to prepare a proper krb5.conf file for the solaris box
>
> IPA Server is : kwtpocpbis01.solipa.local
> Solaris (client) : kwttestsolaris10.solipa.local
> Active Directory: kwttestdc001.kwttestdc.com
>
> Regards,
> Ben
>
> On Wed, Jan 7, 2015 at 2:11 PM, Ben .T.George wrote:
>
> Hi List
>
> correct me if I am wrong.
>
> currently my client krb5.conf holding AD details. and my client is
> Solaris
>
> here is my file.
>
> bash-3.2# more /etc/krb5/krb5.conf
> [libdefaults]
> default_realm = KWTTESTDC.COM
>
> [realms]
> KWTTESTDC.COM = {
> kdc = kwttestdc001.kwttestdc.com:88
> admin_server = kwttestdc001.kwttestdc.com:749
> }
>
> [domain_realm]
> .kwttestdc.com = KWTTESTDC.COM
> kwttestdc.com = KWTTESTDC.COM
>
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> versions = 10
> }
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable= true
> }
>
> please anyone verify this is right or wrong
>
> Regards,
> Ben
>

OK, there seems to be a confusion at least on my side. I see several options in this situation.

Option 1: You use your Solaris box with AD directly. I do not think this is what you are trying to do. AFAIR you are trying to connect it to IPA and use trusts. But direct connection should be possible.

Option 2: Connect Solaris to IPA while it is in trust with AD. In this case you need to use LDAP for authentication and identity lookup and point your client to the compat tree. You can't use Kerberos. Kerberos on Solaris does not know anything about the trust. If you make it use Kerberos from IPA then you would be able to use only users from IPA. If you need to use kerberos then we return to option 1.

Option 3: Create a split brain configuration: authentication using kerberos will go to AD directly while identity will come from IPA's compat tree. This is potentially possible but this is an uncharted and not recommended territory.

Option 4: Try to build SSSD for Solaris. If it were easy we would have done it ourselves but patches are always welcome. :-)

Option 5: Stop using Solaris.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
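Ben's question was what krb5.conf the Solaris box needs; Dmitri's answer is that the Kerberos library on Solaris knows nothing about the AD trust, so it can only reach the realms its own [domain_realm] table maps. The following is an added example, not code from any message in this thread and not FreeIPA or Solaris code: it parses the two krb5.conf files quoted above (abridged), with the SSSD-generated include passed in as a second string because the example runs offline, and resolves hostnames to realms the way MIT Kerberos applies [domain_realm] (exact hostname first, then each parent domain with a leading dot, longest match first). The parser is a deliberately minimal stand-in for the library's profile reader.

```python
"""Resolve which Kerberos realm a hostname maps to under a given krb5.conf,
following the MIT [domain_realm] lookup order: exact hostname first, then
each parent domain with a leading dot, longest match first.

Added example for this thread, not code from any message in it. The config
texts are taken (abridged) from the files quoted above; the SSSD includedir
content is passed in as a second string because this runs offline.
"""

# /etc/krb5.conf on the ipa-client-enrolled host, as quoted by Ben (abridged).
IPA_CLIENT_CONF = """\
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = SOLIPA.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 SOLIPA.LOCAL = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .solipa.local = SOLIPA.LOCAL
 solipa.local = SOLIPA.LOCAL
"""

# domain_realm_solipa_local, written by SSSD for the trusted AD domain.
SSSD_INCLUDE = """\
[domain_realm]
 .kwttestdc.com = KWTTESTDC.COM
 kwttestdc.com = KWTTESTDC.COM
"""

# /etc/krb5/krb5.conf on the Solaris box, still pointing straight at AD (abridged).
SOLARIS_CONF = """\
[libdefaults]
 default_realm = KWTTESTDC.COM

[realms]
 KWTTESTDC.COM = {
  kdc = kwttestdc001.kwttestdc.com:88
  admin_server = kwttestdc001.kwttestdc.com:749
 }

[domain_realm]
 .kwttestdc.com = KWTTESTDC.COM
 kwttestdc.com = KWTTESTDC.COM
"""

def parse_krb5_conf(*texts):
    """Minimal krb5.conf reader: [sections], key = value pairs and nested
    { } blocks. Texts are merged in order (main file, then includes);
    a later value for the same key overwrites an earlier one."""
    conf, section, stack = {}, None, []
    for text in texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or line.startswith("includedir"):
                continue
            if line.startswith("[") and line.endswith("]"):
                section, stack = line[1:-1], []
                conf.setdefault(section, {})
                continue
            if line == "}":
                stack.pop()
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            target = conf[section]
            for name in stack:          # descend into the open { } blocks
                target = target[name]
            if value == "{":
                target.setdefault(key, {})
                stack.append(key)
            else:
                target[key] = value
    return conf

def realm_for_host(conf, hostname):
    """[domain_realm] lookup. None means this file has no mapping; the
    library would then have to fall back to DNS (dns_lookup_realm) or guess."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:                  # exact host entry wins
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):      # .parent, .grandparent, ...
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None

def kdcs_for_realm(conf, realm):
    """Explicit KDCs for a realm; [] means the client depends on DNS SRV
    records (dns_lookup_kdc) to find one."""
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc")
    return [kdc] if kdc else []
```

Resolving kwttestsolaris10.solipa.local under the Solaris file returns None: that host's realm is simply unknown to it, and the file neither maps it nor enables dns_lookup_realm. The AD hostname maps on the IPA client only because the SSSD include supplied the entry, which is exactly the piece the Solaris box does not have and, per Dmitri, cannot get from a trust it knows nothing about.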
From john.obaterspok at gmail.com Thu Jan 8 09:01:50 2015
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Thu, 8 Jan 2015 10:01:50 +0100
Subject: [Freeipa-users] Mount cifs share using kerberos
Message-ID:

Hello,

I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain. I've tried:

mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5

Shouldn't I be able to do the mount this way?

-- john

From pbrezina at redhat.com Thu Jan 8 09:45:42 2015
From: pbrezina at redhat.com (Pavel Březina)
Date: Thu, 08 Jan 2015 10:45:42 +0100
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To:
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com>
Message-ID: <54AE51C6.4020405@redhat.com>

On 01/07/2015 06:32 PM, Craig White wrote:
> Still struggling with this...
>
> $ sudo /sbin/service pe-puppet restart
> [sudo] password for rundeck:
> Stopping puppet: [ OK ]
> Starting puppet: [ OK ]
>
> So it asks for the password even though, via FreeIPA it isn't required...
>
> $ sudo -l
> Matching Defaults entries for rundeck on this host:
> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User rundeck may run the following commands on this host:
> (root) ALL
> (ALL) NOPASSWD: ALL

Hi,
thank you, I was just going to ask you for sudo -l. I believe that the problem is that the (root) ALL rule takes precedence.
Or to be more precise, the first rule that matches is always applied, unless the sudoOrder attribute is present (but that is not supported by IPA, is it?). Try removing the rule (root) ALL, restarting sssd and waiting until the cache is refreshed, and see if that works.

>
> And all of the info is provided previously/below that should be needed including the sudo debug log in yesterday's email if anyone has the time to help me figure out what is going wrong here.
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Craig White
> Sent: Tuesday, January 06, 2015 10:17 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
> Sent: Tuesday, January 06, 2015 3:11 AM
> To: Craig White
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> On (06/01/15 10:21), Pavel Březina wrote:
>> On 01/05/2015 07:32 PM, Craig White wrote:
>>> Hi - reply at bottom
>>>
>>> -----Original Message-----
>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>> Sent: Monday, January 05, 2015 4:33 AM
>>> To: Craig White; freeipa-users at redhat.com; Pavel Brezina
>>> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>>
>>> On 01/02/2015 07:47 PM, Craig White wrote:
>>>> Subject pretty much says it all.
>>>>
>>>> Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
>>>>
>>>> But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
>>>> >>>> Craig White >>>> System Administrator >>>> O 623-201-8179 M 602-377-9752 >>>> >>>> [cid:image001.png at 01CF86FE.42D51630] >>>> >>>> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032 >>> >>> CCing Pavel to advise. >>> >>> From top of my head - did you try clearing SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly? >>> Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value. >>> >>> Martin >>> ---- >>> Thanks Martin >>> >>> Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help. >>> >>> $ ipa sudorule-show --all >>> Rule name: rundeck >>> dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local >>> Rule name: rundeck >>> Enabled: TRUE >>> Host category: all >>> Command category: all >>> RunAs User category: all >>> Users: rundeck >>> Sudo Option: !requiretty, !authenticate >>> ipauniqueid: XXXXXX >>> objectclass: ipaassociation, ipasudorule >>> >>> At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same... 
>>> >>> sudo: sorry, you must have a tty to run sudo :-( >>> >>> (client system) >>> # rpm -qa | egrep 'ipa|sssd' >>> sssd-ldap-1.11.6-30.el6.x86_64 >>> libipa_hbac-1.11.6-30.el6.x86_64 >>> python-sssdconfig-1.11.6-30.el6.noarch >>> sssd-ipa-1.11.6-30.el6.x86_64 >>> sssd-client-1.11.6-30.el6.x86_64 >>> sssd-common-1.11.6-30.el6.x86_64 >>> sssd-ad-1.11.6-30.el6.x86_64 >>> sssd-1.11.6-30.el6.x86_64 >>> python-iniparse-0.3.1-2.1.el6.noarch >>> libipa_hbac-python-1.11.6-30.el6.x86_64 >>> sssd-krb5-common-1.11.6-30.el6.x86_64 >>> sssd-krb5-1.11.6-30.el6.x86_64 >>> sssd-common-pac-1.11.6-30.el6.x86_64 >>> ipa-python-3.0.0-42.el6.x86_64 >>> sssd-proxy-1.11.6-30.el6.x86_64 >>> ipa-client-3.0.0-42.el6.x86_64 >> >> Hi, >> just to be sure that the problem is indeed in options - the rule >> without any sudoOption and with only one of them does work, right? >> >> Can you send us sudo debug log? You can enable debug log by putting the >> following line in /etc/sudo.conf: >> >> Debug sudo /var/log/sudo.log all at debug >> > It will help as well if you provide your sssd and nsswitch configuration files. > (/etc/nsswitch.conf, /etc/sssd/sssd.conf) We need to be sure that sudo integration with sssd is configured properly. > ---- > OK - changed the sudo rule to only !authenticate and then logged in manually... > > ssh -tt rundeck@$MY_SERVER > > thus removing the 'requiretty' problem and then when I ran my sudo command, it still asked me for a password. I have the sudo debug log attached to this email. > > I can however, ssh as myself and 'sudo su -' on this server (a different sudo rule without any 'options' so it seems that the problem is sudo options only. 
>
> sssd.conf
> [domain/stt.local]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = stt.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = app001.stt.local
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa001.stt.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = stt-internal.local
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> nsswitch.conf (removed commented/empty lines)
> passwd: files sss
> shadow: files sss
> group: files sss
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: files sss
> aliases: files nisplus
> sudoers: files sss
>

From mkosek at redhat.com Thu Jan 8 12:30:13 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 08 Jan 2015 13:30:13 +0100
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To: <54AE51C6.4020405@redhat.com>
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com> <54AE51C6.4020405@redhat.com>
Message-ID: <54AE7855.4000402@redhat.com>

On 01/08/2015 10:45 AM, Pavel Březina wrote:
> On 01/07/2015 06:32 PM, Craig White wrote:
>> Still struggling with this...
>>
>> $ sudo /sbin/service pe-puppet restart
>> [sudo] password for rundeck:
>> Stopping puppet: [ OK ]
>> Starting puppet: [ OK ]
>>
>> So it asks for the password even though, via FreeIPA it isn't required...
>> >> $ sudo -l >> Matching Defaults entries for rundeck on this host: >> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS >> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 >> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE >> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY >> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL >> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", >> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin >> >> User rundeck may run the following commands on this host: >> (root) ALL >> (ALL) NOPASSWD: ALL > > Hi, > thank you, I was just going to ask you for sudo -l. I believe that the problem > is that (root) ALL rule takes precedence. Or to be more precise, the first rule > that matches is always applied, unless sudoOrder attribute is present (but that > is not supported by IPA, is it?). JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107). Martin From mkosek at redhat.com Thu Jan 8 13:10:43 2015 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 08 Jan 2015 14:10:43 +0100 Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64 In-Reply-To: References: Message-ID: <54AE81D3.5020901@redhat.com> On 01/07/2015 06:43 PM, John Desantis wrote: > Hello all, > > Just an update on this issue for anyone else who experiences a similar issue. > > It looks like the automatic renewal of the certificates failed on our > master due the certmonger service being "stuck". I stopped the > service, stopped IPA services, and then reset the date to a few days > prior to the expiration. I then (following a mailing list post) > restarted IPA and then certmonger. At this point, I checked the > status of the certificates and saw that they were changing. Only the > "Server-Cert" in /etc/httpd/alias was complaining this time of not > being able to contact the CA. 
Another certmonger service restart > corrected the issue. > > I can now re-provision nodes accordingly! Ok, good to hear! > > The only remaining hiccup is now the replica's certmonger service > keeps dying while failing to re-issue the "ipaCert" in > /etc/httpd/alias. Log snippets are below: > > Jan 7 12:17:02 python: certmonger restarted httpd > Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS > Certificate DB" in database "/etc/httpd/alias" issued by CA and saved. > Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS > Certificate DB" in database "/etc/httpd/alias" is no longer valid. > Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS > Certificate DB" in database "/etc/httpd/alias" issued by CA but not > saved. > > The IPA services are running and the machine can be accessed (queries > issued, web GUI, etc.) > > Would anyone have an idea of why a replica would have issues renewing > the "ipaCert"? CCing Jan to advise, he is the most experienced in this area. > > Thank you, > John DeSantis > > > 2015-01-06 15:50 GMT-05:00 John Desantis : >> Hello all, >> >> Looking at the various online documentation regarding certificate renewals: >> >> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 >> http://www.freeipa.org/page/Certmonger >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html >> >> I have to admit that I am completely confused on how to proceed given >> that the links above reference external CA's. >> >> The certificate was created in house (no external issuer) from what I >> can tell (openssl x509 -issuer and via IPA GUI). >> >> Thankfully(?), none of the certificates listed via 'getcert list' have >> a status of "CA_UNREACHABLE", although all of them state "NEED_CSR". >> I'll paste the contents below, sanitized of couse. >> >> # getcert list >> Number of certificates and requests being tracked: 8. 
>> Request ID '20130110185936': >> status: NEED_CSR >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> subject: CN=ipa.example.com,O=EXAMPLE.COM >> expires: 2015-01-11 18:59:35 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM >> track: yes >> auto-renew: yes >> Request ID '20130110190008': >> status: NEED_CSR >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> subject: CN=ipa.example.com,O=EXAMPLE.COM >> expires: 2015-01-11 19:00:07 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20130110190034': >> status: NEED_CSR >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> subject: CN=ipa.example.com,O=EXAMPLE.COM >> expires: 2015-01-11 19:00:34 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> Request ID '20130410022007': >> status: NEED_CSR >> stuck: no >> key pair 
storage: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> subject: CN=CA Audit,O=EXAMPLE.COM >> expires: 2014-12-31 18:58:42 UTC >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> "auditSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130410022008': >> status: NEED_CSR >> stuck: no >> key pair storage: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> subject: CN=OCSP Subsystem,O=EXAMPLE.COM >> expires: 2014-12-31 18:58:41 UTC >> eku: id-kp-OCSPSigning >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> "ocspSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130410022009': >> status: NEED_CSR >> stuck: no >> key pair storage: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> subject: CN=CA Subsystem,O=EXAMPLE.COM >> expires: 2014-12-31 18:58:41 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: 
/usr/lib64/ipa/certmonger/renew_ca_cert >> "subsystemCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130410022010': >> status: NEED_CSR >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> subject: CN=IPA RA,O=EXAMPLE.COM >> expires: 2014-12-31 18:59:24 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >> track: yes >> auto-renew: yes >> Request ID '20130410022011': >> status: NEED_CSR >> stuck: no >> key pair storage: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> subject: CN=ipa.example.com,O=EXAMPLE.COM >> expires: 2014-12-31 18:58:41 UTC >> eku: id-kp-serverAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> >> This issue was manifest when I attempted to re-provision a client >> node. I'll paste the errors reported by Apache: >> >> [Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181 >> [Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181 >> Certificate has expired >> [Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed: >> Not accepted by client!? >> >> FWIW, all IPA services are running for now. >> >> Any guidance would certainly be appreciated! If more information is >> required, let me know and I'll paste it in a reply. 
>> >> Thank you, >> John DeSantis > From jbaird at follett.com Thu Jan 8 14:34:47 2015 From: jbaird at follett.com (Baird, Josh) Date: Thu, 8 Jan 2015 14:34:47 +0000 Subject: [Freeipa-users] Configure also-notify for freeipa DNS zones Message-ID: Hi, The docs state this: "DNS slaves will transfer the whole zone periodically as is specified in zone's SOA record. DNS masters also send DNS NOTIFY messages to inform slaves about a change asynchronously." I have a need to execute zone transfers from my IPA server(s) to non-IPA slaves and I would like the IPA servers to send notifies each time the zone is updated/reloaded (eg, the "also-notify" option in BIND). Currently, the zone transfer is only executed once the refresh timer in the SOA expires. I don't see an option within IPA to configure the BIND "also-notify" option. How can I make my IPA DNS servers send notify's to my non-IPA slave servers so that zone transfers occur immediately after IPA zone updates? Thanks, Josh From reed.r.lance at gmail.com Thu Jan 8 15:00:20 2015 From: reed.r.lance at gmail.com (Lance Reed) Date: Thu, 8 Jan 2015 10:00:20 -0500 Subject: [Freeipa-users] Wildcard type usage in sudo rules with FreeIPA. Message-ID: I am trying to figure out how (or if its even possible) to use wildcard type sudo rules in FreeIPA. I setup Sudo rules usage and so far seems to be working - at least if I setup ALL type rules for Hosts. However it looks like I have to add specifc allowed hosts in the GUI as they either appear in the host list or add them in the External option box. However that makes it messy / non scalable if I want to create a group of users that have access to a large number of host types, say db servers or something. File based sudo rules allow for constructs such as: someusername *dbserver* = /opt/appname/admintools/run_admin_tools.sh Which allows someuser to have sudo options on any hostname matching *dbserver* and then run the command allowed. 
This all currently seems doable in IPA except the wildcard part for hostnames / domains etc. Apologizes if I missed this in the docs. Thanks in advance for any ideas (command line methods?) Running: ipa-server-3.0.0-37 sssd-1.9.2 From dpal at redhat.com Thu Jan 8 15:15:53 2015 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 08 Jan 2015 10:15:53 -0500 Subject: [Freeipa-users] Wildcard type usage in sudo rules with FreeIPA. In-Reply-To: References: Message-ID: <54AE9F29.2000405@redhat.com> On 01/08/2015 10:00 AM, Lance Reed wrote: > I am trying to figure out how (or if its even possible) to use > wildcard type sudo rules in FreeIPA. > > I setup Sudo rules usage and so far seems to be working - at least if > I setup ALL type rules for Hosts. > > However it looks like I have to add specifc allowed hosts in the GUI > as they either appear in the host list or add them in the External > option box. However that makes it messy / non scalable if I want to > create a group of users that have access to a large number of host > types, say db servers or something. > > File based sudo rules allow for constructs such as: > > someusername *dbserver* = /opt/appname/admintools/run_admin_tools.sh > > Which allows someuser to have sudo options on any hostname matching > *dbserver* and then run the command allowed. This all currently seems > doable in IPA except the wildcard part for hostnames / domains etc. > > Apologizes if I missed this in the docs. > > Thanks in advance for any ideas (command line methods?) I think to solve this problem with IPA you need to define sudo rules for a host group "dbserver" (or whatever name you choose) and then use automemebership [1] rules to automatically manage the membership of you servers in that group. Starting 4.1 automembership rules can be reapplied to already existing entries. [2]. Before that the rules applied only to new entries being created. 
[1] - http://www.port389.org/docs/389ds/design/automember-design.html (I do not think there is an IPA design page but IPA uses DS plugin) [2] - http://www.freeipa.org/page/V4/Automember_rebuild_membership HTH Thanks Dmitri > > Running: > ipa-server-3.0.0-37 > sssd-1.9.2 > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From reed.r.lance at gmail.com Thu Jan 8 15:42:10 2015 From: reed.r.lance at gmail.com (Lance Reed) Date: Thu, 8 Jan 2015 10:42:10 -0500 Subject: [Freeipa-users] Wildcard type usage in sudo rules with FreeIPA. In-Reply-To: <54AE9F29.2000405@redhat.com> References: <54AE9F29.2000405@redhat.com> Message-ID: Thanks Dmitri! That at least tells me to stop attempting things that are going to not work. I will look into the automember info. Currently I don't think that will work for us since we using IPA essentially as just LDAP and not using the IPA client (but using SSSD on the hosts) and I don't register hosts directly in IPA. We did not really want / need that extra overhead but did like the other integrated components of IPA. Thanks so much for the info. On Thu, Jan 8, 2015 at 10:15 AM, Dmitri Pal wrote: > On 01/08/2015 10:00 AM, Lance Reed wrote: >> >> I am trying to figure out how (or if its even possible) to use >> wildcard type sudo rules in FreeIPA. >> >> I setup Sudo rules usage and so far seems to be working - at least if >> I setup ALL type rules for Hosts. >> >> However it looks like I have to add specifc allowed hosts in the GUI >> as they either appear in the host list or add them in the External >> option box. However that makes it messy / non scalable if I want to >> create a group of users that have access to a large number of host >> types, say db servers or something. 
>> >> File based sudo rules allow for constructs such as: >> >> someusername *dbserver* = /opt/appname/admintools/run_admin_tools.sh >> >> Which allows someuser to have sudo options on any hostname matching >> *dbserver* and then run the command allowed. This all currently seems >> doable in IPA except the wildcard part for hostnames / domains etc. >> >> Apologizes if I missed this in the docs. >> >> Thanks in advance for any ideas (command line methods?) > > > I think to solve this problem with IPA you need to define sudo rules for a > host group "dbserver" (or whatever name you choose) > and then use automemebership [1] rules to automatically manage the > membership of you servers in that group. > Starting 4.1 automembership rules can be reapplied to already existing > entries. [2]. Before that the rules applied only to new entries being > created. > > [1] - http://www.port389.org/docs/389ds/design/automember-design.html (I do > not think there is an IPA design page but IPA uses DS plugin) > [2] - http://www.freeipa.org/page/V4/Automember_rebuild_membership > > > HTH > Thanks > Dmitri >> >> >> Running: >> ipa-server-3.0.0-37 >> sssd-1.9.2 >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From dpal at redhat.com Thu Jan 8 16:00:51 2015 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 08 Jan 2015 11:00:51 -0500 Subject: [Freeipa-users] Wildcard type usage in sudo rules with FreeIPA. In-Reply-To: References: <54AE9F29.2000405@redhat.com> Message-ID: <54AEA9B3.4070202@redhat.com> On 01/08/2015 10:42 AM, Lance Reed wrote: > Thanks Dmitri! > > That at least tells me to stop attempting things that are going to not work. > I will look into the automember info. 
> Currently I don't think that will work for us since we using IPA > essentially as just LDAP and not using the IPA client (but using SSSD > on the hosts) and I don't register hosts directly in IPA. We did not > really want / need that extra overhead but did like the other > integrated components of IPA. SSSD is the client. ipa-client is just a configuration script that configures SSSD. Having a host entry has a lot of benefits for access control and policies. It seems that you sort of a bit force limited yourself with the approach you have taken. > > Thanks so much for the info. > > On Thu, Jan 8, 2015 at 10:15 AM, Dmitri Pal wrote: >> On 01/08/2015 10:00 AM, Lance Reed wrote: >>> I am trying to figure out how (or if its even possible) to use >>> wildcard type sudo rules in FreeIPA. >>> >>> I setup Sudo rules usage and so far seems to be working - at least if >>> I setup ALL type rules for Hosts. >>> >>> However it looks like I have to add specifc allowed hosts in the GUI >>> as they either appear in the host list or add them in the External >>> option box. However that makes it messy / non scalable if I want to >>> create a group of users that have access to a large number of host >>> types, say db servers or something. >>> >>> File based sudo rules allow for constructs such as: >>> >>> someusername *dbserver* = /opt/appname/admintools/run_admin_tools.sh >>> >>> Which allows someuser to have sudo options on any hostname matching >>> *dbserver* and then run the command allowed. This all currently seems >>> doable in IPA except the wildcard part for hostnames / domains etc. >>> >>> Apologizes if I missed this in the docs. >>> >>> Thanks in advance for any ideas (command line methods?) >> >> I think to solve this problem with IPA you need to define sudo rules for a >> host group "dbserver" (or whatever name you choose) >> and then use automemebership [1] rules to automatically manage the >> membership of you servers in that group. 
>> Starting 4.1 automembership rules can be reapplied to already existing >> entries. [2]. Before that the rules applied only to new entries being >> created. >> >> [1] - http://www.port389.org/docs/389ds/design/automember-design.html (I do >> not think there is an IPA design page but IPA uses DS plugin) >> [2] - http://www.freeipa.org/page/V4/Automember_rebuild_membership >> >> >> HTH >> Thanks >> Dmitri >>> >>> Running: >>> ipa-server-3.0.0-37 >>> sssd-1.9.2 >>> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go To http://freeipa.org for more info on the project -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From mbasti at redhat.com Thu Jan 8 16:11:55 2015 From: mbasti at redhat.com (Martin Basti) Date: Thu, 08 Jan 2015 17:11:55 +0100 Subject: [Freeipa-users] Configure also-notify for freeipa DNS zones In-Reply-To: References: Message-ID: <54AEAC4B.4010906@redhat.com> On 08/01/15 15:34, Baird, Josh wrote: > Hi, > > The docs state this: > > "DNS slaves will transfer the whole zone periodically as is specified in zone's SOA record. DNS masters also send DNS NOTIFY messages to inform slaves about a change asynchronously." > > I have a need to execute zone transfers from my IPA server(s) to non-IPA slaves and I would like the IPA servers to send notifies each time the zone is updated/reloaded (eg, the "also-notify" option in BIND). Currently, the zone transfer is only executed once the refresh timer in the SOA expires. I don't see an option within IPA to configure the BIND "also-notify" option. > > How can I make my IPA DNS servers send notify's to my non-IPA slave servers so that zone transfers occur immediately after IPA zone updates? > > Thanks, > > Josh > Maybe this will help. 
https://www.redhat.com/archives/freeipa-users/2014-September/msg00049.html

--
Martin Basti

From CWhite at skytouchtechnology.com Thu Jan 8 16:19:33 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Thu, 8 Jan 2015 16:19:33 +0000
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To: <54AE7855.4000402@redhat.com>
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com> <54AE51C6.4020405@redhat.com> <54AE7855.4000402@redhat.com>
Message-ID:

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
Sent: Thursday, January 08, 2015 5:30 AM
To: Pavel Březina; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

On 01/08/2015 10:45 AM, Pavel Březina wrote:
> On 01/07/2015 06:32 PM, Craig White wrote:
>> Still struggling with this...
>>
>> $ sudo /sbin/service pe-puppet restart
>> [sudo] password for rundeck:
>> Stopping puppet: [ OK ]
>> Starting puppet: [ OK ]
>>
>> So it asks for the password even though, via FreeIPA it isn't required...
>>
>> $ sudo -l
>> Matching Defaults entries for rundeck on this host:
>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>
>> User rundeck may run the following commands on this host:
>> (root) ALL
>> (ALL) NOPASSWD: ALL
>
> Hi,
> thank you, I was just going to ask you for sudo -l. I believe that the problem is that (root) ALL rule takes precedence.
> Or to be more precise, the first rule that matches is always applied, unless sudoOrder attribute is present (but that is not supported by IPA, is it?).

JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107).

----
I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package.

$ rpm -q ipa-server
ipa-server-3.0.0-42.el6.x86_64

$ cat sudoOrder.ldif
dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sudoOrder=%{sudoOrder}

$ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
Enter LDAP Password:
modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
ldap_modify: No such object (32)
        additional info: Range Check error

bummer :-(

$ ldapsearch -x -h `hostname` -D cn="directory manager" -W -b cn=plugins,cn=config '(cn=sudoers)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (cn=sudoers)
# requesting: ALL
#

# sudoers, Schema Compatibility, plugins, config
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")
schema-compat-entry-attribute: sudoRunAsUser=%{ipaSudoRunAsExtUser}
schema-compat-entry-attribute: sudoRunAsUser=%deref("ipaSudoRunAs","uid")
schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
cn: sudoers
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
schema-compat-search-base: cn=sudorules, cn=sudo, dc=stt-internal,dc=local
schema-compat-container-group: ou=SUDOers, dc=stt-internal,dc=local

# search result
search: 2
result: 0 Success

Any hope for me to make this happen on this version or did I just commit to having Puppet manage /etc/sudoers on all of the systems?

From rcritten at redhat.com Thu Jan 8 16:32:34 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 Jan 2015 11:32:34 -0500
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To:
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com> <54AE51C6.4020405@redhat.com> <54AE7855.4000402@redhat.com>
Message-ID: <54AEB122.2000304@redhat.com>

Craig White wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
> Sent: Thursday, January 08, 2015 5:30 AM
> To: Pavel Březina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>> On 01/07/2015 06:32 PM, Craig White wrote:
>>> Still struggling with this...
>>>
>>> $ sudo /sbin/service pe-puppet restart
>>> [sudo] password for rundeck:
>>> Stopping puppet: [ OK ]
>>> Starting puppet: [ OK ]
>>>
>>> So it asks for the password even though, via FreeIPA it isn't required...
>>> >>> $ sudo -l >>> Matching Defaults entries for rundeck on this host: >>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS >>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 >>> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE >>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY >>> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL >>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", >>> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin >>> >>> User rundeck may run the following commands on this host: >>> (root) ALL >>> (ALL) NOPASSWD: ALL >> >> Hi, >> thank you, I was just going to ask you for sudo -l. I believe that the >> problem is that (root) ALL rule takes precedence. Or to be more >> precise, the first rule that matches is always applied, unless >> sudoOrder attribute is present (but that is not supported by IPA, is it?). > > JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107). > > ---- > I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package. > > $ rpm -q ipa-server > ipa-server-3.0.0-42.el6.x86_64 > > $ cat sudoOrder.ldif > dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config > changetype: modify > add: schema-compat-entry-attribute > schema-compat-entry-attribute: sudoOrder=%{sudoOrder} > > $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif > Enter LDAP Password: > modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config" > ldap_modify: No such object (32) > additional info: Range Check error > > bummer :-( You have a typo, suoders instead of sudoers. You might also experiment with order in the sudoers entry in /etc/nsswitch.conf, try sss files. Or if you don't intend on storing any rules in files, perhaps drop it. 
> $ ldapsearch -x -h `hostname` -D cn="directory manager" -W -b cn=plugins,cn=config '(cn=sudoers)' > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: (cn=sudoers) > # requesting: ALL > # > > # sudoers, Schema Compatibility, plugins, config > dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config > schema-compat-entry-attribute: objectclass=sudoRole > schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex > ternalUser}") > schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der > ef_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") > schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der > ef_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup) > ))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\ > "uid\")") > schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%d > eref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") > schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%de > ref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") > schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{ex > ternalHost}") > schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der > ef_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") > schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der > ef_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEn > try)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\" > fqdn\")") > schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de > ref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntr > y))\",\"cn\")") > schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de > 
ref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") > schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d > eref(\"memberAllowCmd\",\"sudoCmd\")") > schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d > eref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") > schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd") > schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member", > "sudoCmd") > schema-compat-entry-attribute: sudoRunAsUser=%{ipaSudoRunAsExtUser} > schema-compat-entry-attribute: sudoRunAsUser=%deref("ipaSudoRunAs","uid") > schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory", > "all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\") > ") > schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup} > schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt} > schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(o > bjectclass=posixGroup)","cn") > cn: sudoers > objectClass: top > objectClass: extensibleObject > schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE > ))(!(ipaEnabledFlag=FALSE))) > schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn > }") > schema-compat-search-base: cn=sudorules, cn=sudo, dc=stt-internal,dc=local > schema-compat-container-group: ou=SUDOers, dc=stt-internal,dc=local > > # search result > search: 2 > result: 0 Success > > Any hope for me to make this happen on this version or did I just commit to having Puppet manage /etc/sudoers on all of the systems? 
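Pavel's point above (the first matching rule is applied unless sudoOrder is present) and sudo's own rule that a missing sudoOrder counts as 0 can be checked offline. The script below is an added example, not code from this thread or from FreeIPA: it parses a constructed LDIF in the shape of the compat-tree sudoRole entries quoted in this thread and reports which rule sudo would pick for a user and whether that rule carries !authenticate. The 'ops' group and its rule are invented stand-ins for whatever rule produces the "(root) ALL" line, and setting the order on the FreeIPA side via ipa sudorule-mod --order is an assumption; the dc=example,dc=test suffix is likewise made up.

```python
"""Simulate sudo's choice among LDAP sudoRole entries (sudoers.ldap(5)): the
matching entry with the highest sudoOrder wins, a missing sudoOrder counts as
0, and ties fall back to the order the directory returned the entries in."""

# Constructed sample LDIF (not real directory output), modelled on the compat-tree
# entries in the thread; the 'ops' rule is an invented stand-in for "(root) ALL".
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults

dn: cn=ops,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
sudoUser: %ops
sudoHost: ALL
sudoCommand: ALL
cn: ops

dn: cn=rundeck,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
cn: rundeck
"""


def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}, joining ldapsearch's wrapped lines."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_key:
            current[last_key][-1] += raw[1:]      # continuation of previous value
        elif not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif not raw.startswith("#"):             # skip ldapsearch comment lines
            key, _, value = raw.partition(":")
            current.setdefault(key, []).append(value.strip())
            last_key = key
    if current:
        entries.append(current)
    return entries


def _user_matches(values, user, groups):
    """sudoUser: ALL, a bare user name, or %group for a group the user is in."""
    return any(v == "ALL" or v == user or (v.startswith("%") and v[1:] in groups)
               for v in values)


def _command_allowed(values, command):
    """sudoCommand: ALL or an exact path; a '!' (deny) entry always wins."""
    allowed = False
    for v in values:
        if v.lstrip("!") in ("ALL", command):
            if v.startswith("!"):
                return False
            allowed = True
    return allowed


def matching_rules(entries, user, groups, host, command):
    """Applicable rules, best first: sudoOrder descending, missing = 0; sorted()
    is stable, so equal values keep directory order (the 'first match' case)."""
    matches = [e for e in entries
               if "sudoRole" in e.get("objectClass", [])
               and _user_matches(e.get("sudoUser", []), user, groups)
               and any(h in ("ALL", host) for h in e.get("sudoHost", []))
               and _command_allowed(e.get("sudoCommand", []), command)]
    return sorted(matches, key=lambda e: -float(e.get("sudoOrder", ["0"])[0]))


def effective_options(entries, user, groups, host, command):
    """cn=defaults options plus the winning rule's; None if no rule matches."""
    winners = matching_rules(entries, user, groups, host, command)
    if not winners:
        return None
    defaults = [o for e in entries if e.get("cn") == ["defaults"]
                for o in e.get("sudoOption", [])]
    return defaults + winners[0].get("sudoOption", [])


def needs_password(entries, user, groups, host, command):
    """True when the winning rule lacks !authenticate; None when nothing matches."""
    opts = effective_options(entries, user, groups, host, command)
    return None if opts is None else "!authenticate" not in opts


def with_sudo_order(entries, cn, order):
    """Copy of the entries with sudoOrder set on one rule, i.e. what the compat
    tree exposes once the order is set in FreeIPA (assumed: sudorule-mod --order)."""
    out = []
    for e in entries:
        e = {k: list(v) for k, v in e.items()}
        if e.get("cn") == [cn]:
            e["sudoOrder"] = [str(order)]
        out.append(e)
    return out
```

With no sudoOrder anywhere, the 'ops' rule is returned first and wins, so rundeck is prompted for a password even though the rundeck rule carries !authenticate; give the rundeck rule a higher sudoOrder and it wins regardless of return order. The parser handles the wrapped continuation lines ldapsearch prints, so it can be pointed at real output from the ou=sudoers compat tree.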
>


From simo at redhat.com Thu Jan 8 17:51:29 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 8 Jan 2015 12:51:29 -0500
Subject: [Freeipa-users] Mount cifs share using kerberos
In-Reply-To: 
References: 
Message-ID: <20150108125129.31e12bc1@willson.usersys.redhat.com>

On Thu, 8 Jan 2015 10:01:50 +0100
John Obaterspok wrote:

> Hello,
>
> I have a samba share on the freeipa 4.1 server that I want to mount
> from another client that is part of the ipa domain
> I've tried:
> mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5
>
> Shouldn't I be able to do the mount this way?
>
> -- john

You should be able to, what's the error?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


From jbaird at follett.com Thu Jan 8 17:54:01 2015
From: jbaird at follett.com (Baird, Josh)
Date: Thu, 8 Jan 2015 17:54:01 +0000
Subject: [Freeipa-users] Configure also-notify for freeipa DNS zones
Message-ID: 

I should also note that adding "also-notify { 1.2.3.4; };" to /etc/named.conf on the IPA server does not actually trigger notifies for whatever reason.

> -----Original Message-----
> From: Baird, Josh
> Sent: Thursday, January 08, 2015 9:35 AM
> To: freeipa-users at redhat.com
> Subject: Configure also-notify for freeipa DNS zones
>
> Hi,
>
> The docs state this:
>
> "DNS slaves will transfer the whole zone periodically as is specified in zone's
> SOA record. DNS masters also send DNS NOTIFY messages to inform slaves
> about a change asynchronously."
>
> I have a need to execute zone transfers from my IPA server(s) to non-IPA
> slaves and I would like the IPA servers to send notifies each time the zone is
> updated/reloaded (e.g., the "also-notify" option in BIND). Currently, the zone
> transfer is only executed once the refresh timer in the SOA expires. I don't
> see an option within IPA to configure the BIND "also-notify" option.
>
> How can I make my IPA DNS servers send notifies to my non-IPA slave
> servers so that zone transfers occur immediately after IPA zone updates?
>
> Thanks,
>
> Josh


From desantis at mail.usf.edu Thu Jan 8 18:27:26 2015
From: desantis at mail.usf.edu (John Desantis)
Date: Thu, 8 Jan 2015 13:27:26 -0500
Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64
In-Reply-To: 
References: <54AE81D3.5020901@redhat.com>
Message-ID: 

Hello all,

I didn't reply to the list, so I'll forward in my response.

>>> The only remaining hiccup is now the replica's certmonger service
>>> keeps dying while failing to re-issue the "ipaCert" in
>>> /etc/httpd/alias. Log snippets are below:
>>>
>>> Jan 7 12:17:02 python: certmonger restarted httpd
>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS
>>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS
>>> Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS
>>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not
>>> saved.
>>>
>>> The IPA services are running and the machine can be accessed (queries
>>> issued, web GUI, etc.)
>>>
>>> Would anyone have an idea of why a replica would have issues renewing
>>> the "ipaCert"?
>>
>> CCing Jan to advise, he is the most experienced in this area.
>
> Would file corruption within the file of the "Request ID" in
> /var/lib/certmonger/request have anything to do with this?
>
> autorenew=1
> monitor=1
> ca_name=dogtag-ipa-retrieve-agent-submit
> ca_profile=ipaCert
> submitted=20141228050011
> cert=ESC[?1034h-----BEGIN CERTIFICATE-----
>
> I checked a few other random client nodes (and the master) and none of
> them are showing this corruption in their requests.
>
> I attempted to fix the corruption (editing the file) and subsequently
> restart certmonger with no luck.
> > Thanks, > John DeSantis > Thanks, John DeSantis 2015-01-08 13:26 GMT-05:00 John Desantis : > Hello all, > >>> The only remaining hiccup is now the replica's certmonger service >>> keeps dying while failing to re-issue the "ipaCert" in >>> /etc/httpd/alias. Log snippets are below: >>> >>> Jan 7 12:17:02 python: certmonger restarted httpd >>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS >>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved. >>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS >>> Certificate DB" in database "/etc/httpd/alias" is no longer valid. >>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS >>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not >>> saved. >>> >>> The IPA services are running and the machine can be accessed (queries >>> issued, web GUI, etc.) >>> >>> Would anyone have an idea of why a replica would have issues renewing >>> the "ipaCert"? >> >> CCing Jan to advise, he is the most experienced in this area. > > Would file corruption within the file of the "Request ID" in > /var/lib/certmonger/request have anything to do with this? > > autorenew=1 > monitor=1 > ca_name=dogtag-ipa-retrieve-agent-submit > ca_profile=ipaCert > submitted=20141228050011 > cert=ESC[?1034h-----BEGIN CERTIFICATE----- > > I checked a few other random client nodes (and the master) and none of > them are showing this corruption in their requests. > > I attempted to fix the corruption (editing the file) and subsequently > restart certmonger with no luck. > > Thanks, > John DeSantis > > > 2015-01-08 8:10 GMT-05:00 Martin Kosek : >> On 01/07/2015 06:43 PM, John Desantis wrote: >>> Hello all, >>> >>> Just an update on this issue for anyone else who experiences a similar issue. >>> >>> It looks like the automatic renewal of the certificates failed on our >>> master due the certmonger service being "stuck". 
I stopped the >>> service, stopped IPA services, and then reset the date to a few days >>> prior to the expiration. I then (following a mailing list post) >>> restarted IPA and then certmonger. At this point, I checked the >>> status of the certificates and saw that they were changing. Only the >>> "Server-Cert" in /etc/httpd/alias was complaining this time of not >>> being able to contact the CA. Another certmonger service restart >>> corrected the issue. >>> >>> I can now re-provision nodes accordingly! >> >> Ok, good to hear! >> >>> >>> The only remaining hiccup is now the replica's certmonger service >>> keeps dying while failing to re-issue the "ipaCert" in >>> /etc/httpd/alias. Log snippets are below: >>> >>> Jan 7 12:17:02 python: certmonger restarted httpd >>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS >>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved. >>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS >>> Certificate DB" in database "/etc/httpd/alias" is no longer valid. >>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS >>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not >>> saved. >>> >>> The IPA services are running and the machine can be accessed (queries >>> issued, web GUI, etc.) >>> >>> Would anyone have an idea of why a replica would have issues renewing >>> the "ipaCert"? >> >> CCing Jan to advise, he is the most experienced in this area. 
>> >>> >>> Thank you, >>> John DeSantis >>> >>> >>> 2015-01-06 15:50 GMT-05:00 John Desantis : >>>> Hello all, >>>> >>>> Looking at the various online documentation regarding certificate renewals: >>>> >>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 >>>> http://www.freeipa.org/page/Certmonger >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html >>>> >>>> I have to admit that I am completely confused on how to proceed given >>>> that the links above reference external CA's. >>>> >>>> The certificate was created in house (no external issuer) from what I >>>> can tell (openssl x509 -issuer and via IPA GUI). >>>> >>>> Thankfully(?), none of the certificates listed via 'getcert list' have >>>> a status of "CA_UNREACHABLE", although all of them state "NEED_CSR". >>>> I'll paste the contents below, sanitized of couse. >>>> >>>> # getcert list >>>> Number of certificates and requests being tracked: 8. 
>>>> Request ID '20130110185936': >>>> status: NEED_CSR >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS >>>> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt' >>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS >>>> Certificate DB' >>>> CA: IPA >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=ipa.example.com,O=EXAMPLE.COM >>>> expires: 2015-01-11 18:59:35 UTC >>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>> pre-save command: >>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM >>>> track: yes >>>> auto-renew: yes >>>> Request ID '20130110190008': >>>> status: NEED_CSR >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' >>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>>> Certificate DB' >>>> CA: IPA >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=ipa.example.com,O=EXAMPLE.COM >>>> expires: 2015-01-11 19:00:07 UTC >>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>> pre-save command: >>>> post-save command: >>>> track: yes >>>> auto-renew: yes >>>> Request ID '20130110190034': >>>> status: NEED_CSR >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>>> Certificate DB' >>>> CA: IPA >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=ipa.example.com,O=EXAMPLE.COM >>>> expires: 2015-01-11 19:00:34 UTC >>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>> pre-save command: >>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd >>>> track: 
yes >>>> auto-renew: yes >>>> Request ID '20130410022007': >>>> status: NEED_CSR >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>>> cert-pki-ca',token='NSS Certificate DB' >>>> CA: dogtag-ipa-renew-agent >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=CA Audit,O=EXAMPLE.COM >>>> expires: 2014-12-31 18:58:42 UTC >>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>> "auditSigningCert cert-pki-ca" >>>> track: yes >>>> auto-renew: yes >>>> Request ID '20130410022008': >>>> status: NEED_CSR >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>>> cert-pki-ca',token='NSS Certificate DB' >>>> CA: dogtag-ipa-renew-agent >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM >>>> expires: 2014-12-31 18:58:41 UTC >>>> eku: id-kp-OCSPSigning >>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>> "ocspSigningCert cert-pki-ca" >>>> track: yes >>>> auto-renew: yes >>>> Request ID '20130410022009': >>>> status: NEED_CSR >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>>> cert-pki-ca',token='NSS Certificate DB' >>>> CA: dogtag-ipa-renew-agent >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=CA 
Subsystem,O=EXAMPLE.COM >>>> expires: 2014-12-31 18:58:41 UTC >>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>> "subsystemCert cert-pki-ca" >>>> track: yes >>>> auto-renew: yes >>>> Request ID '20130410022010': >>>> status: NEED_CSR >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>> Certificate DB' >>>> CA: dogtag-ipa-renew-agent >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=IPA RA,O=EXAMPLE.COM >>>> expires: 2014-12-31 18:59:24 UTC >>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>> pre-save command: >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >>>> track: yes >>>> auto-renew: yes >>>> Request ID '20130410022011': >>>> status: NEED_CSR >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>>> cert-pki-ca',token='NSS Certificate DB' >>>> CA: dogtag-ipa-renew-agent >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=ipa.example.com,O=EXAMPLE.COM >>>> expires: 2014-12-31 18:58:41 UTC >>>> eku: id-kp-serverAuth >>>> pre-save command: >>>> post-save command: >>>> track: yes >>>> auto-renew: yes >>>> >>>> This issue was manifest when I attempted to re-provision a client >>>> node. 
I'll paste the errors reported by Apache: >>>> >>>> [Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181 >>>> [Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181 >>>> Certificate has expired >>>> [Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed: >>>> Not accepted by client!? >>>> >>>> FWIW, all IPA services are running for now. >>>> >>>> Any guidance would certainly be appreciated! If more information is >>>> required, let me know and I'll paste it in a reply. >>>> >>>> Thank you, >>>> John DeSantis >>> >> From rcritten at redhat.com Thu Jan 8 18:54:49 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 08 Jan 2015 13:54:49 -0500 Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64 In-Reply-To: References: <54AE81D3.5020901@redhat.com> Message-ID: <54AED279.9030604@redhat.com> John Desantis wrote: > Hello all, > > I didn't reply to the list, so I'll forward in my response. > >>>> The only remaining hiccup is now the replica's certmonger service >>>> keeps dying while failing to re-issue the "ipaCert" in >>>> /etc/httpd/alias. Log snippets are below: >>>> >>>> Jan 7 12:17:02 python: certmonger restarted httpd >>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved. >>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" is no longer valid. >>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not >>>> saved. >>>> >>>> The IPA services are running and the machine can be accessed (queries >>>> issued, web GUI, etc.) >>>> >>>> Would anyone have an idea of why a replica would have issues renewing >>>> the "ipaCert"? >>> >>> CCing Jan to advise, he is the most experienced in this area. 
>> >> Would file corruption within the file of the "Request ID" in >> /var/lib/certmonger/request have anything to do with this? >> >> autorenew=1 >> monitor=1 >> ca_name=dogtag-ipa-retrieve-agent-submit >> ca_profile=ipaCert >> submitted=20141228050011 >> cert=ESC[?1034h-----BEGIN CERTIFICATE----- >> >> I checked a few other random client nodes (and the master) and none of >> them are showing this corruption in their requests. >> >> I attempted to fix the corruption (editing the file) and subsequently >> restart certmonger with no luck. >> >> Thanks, >> John DeSantis >> > > Thanks, > John DeSantis > > 2015-01-08 13:26 GMT-05:00 John Desantis : >> Hello all, >> >>>> The only remaining hiccup is now the replica's certmonger service >>>> keeps dying while failing to re-issue the "ipaCert" in >>>> /etc/httpd/alias. Log snippets are below: >>>> >>>> Jan 7 12:17:02 python: certmonger restarted httpd >>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved. >>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" is no longer valid. >>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not >>>> saved. >>>> >>>> The IPA services are running and the machine can be accessed (queries >>>> issued, web GUI, etc.) >>>> >>>> Would anyone have an idea of why a replica would have issues renewing >>>> the "ipaCert"? >>> >>> CCing Jan to advise, he is the most experienced in this area. >> >> Would file corruption within the file of the "Request ID" in >> /var/lib/certmonger/request have anything to do with this? 
>> >> autorenew=1 >> monitor=1 >> ca_name=dogtag-ipa-retrieve-agent-submit >> ca_profile=ipaCert >> submitted=20141228050011 >> cert=ESC[?1034h-----BEGIN CERTIFICATE----- >> >> I checked a few other random client nodes (and the master) and none of >> them are showing this corruption in their requests. >> >> I attempted to fix the corruption (editing the file) and subsequently >> restart certmonger with no luck. >> >> Thanks, >> John DeSantis Ah, that sounds familiar. See https://fedorahosted.org/freeipa/ticket/4064 The change is quite small, you might try manually changing it. Then a certmonger restart might fix it. rob >> >> >> 2015-01-08 8:10 GMT-05:00 Martin Kosek : >>> On 01/07/2015 06:43 PM, John Desantis wrote: >>>> Hello all, >>>> >>>> Just an update on this issue for anyone else who experiences a similar issue. >>>> >>>> It looks like the automatic renewal of the certificates failed on our >>>> master due the certmonger service being "stuck". I stopped the >>>> service, stopped IPA services, and then reset the date to a few days >>>> prior to the expiration. I then (following a mailing list post) >>>> restarted IPA and then certmonger. At this point, I checked the >>>> status of the certificates and saw that they were changing. Only the >>>> "Server-Cert" in /etc/httpd/alias was complaining this time of not >>>> being able to contact the CA. Another certmonger service restart >>>> corrected the issue. >>>> >>>> I can now re-provision nodes accordingly! >>> >>> Ok, good to hear! >>> >>>> >>>> The only remaining hiccup is now the replica's certmonger service >>>> keeps dying while failing to re-issue the "ipaCert" in >>>> /etc/httpd/alias. Log snippets are below: >>>> >>>> Jan 7 12:17:02 python: certmonger restarted httpd >>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved. 
>>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" is no longer valid. >>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS >>>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not >>>> saved. >>>> >>>> The IPA services are running and the machine can be accessed (queries >>>> issued, web GUI, etc.) >>>> >>>> Would anyone have an idea of why a replica would have issues renewing >>>> the "ipaCert"? >>> >>> CCing Jan to advise, he is the most experienced in this area. >>> >>>> >>>> Thank you, >>>> John DeSantis >>>> >>>> >>>> 2015-01-06 15:50 GMT-05:00 John Desantis : >>>>> Hello all, >>>>> >>>>> Looking at the various online documentation regarding certificate renewals: >>>>> >>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 >>>>> http://www.freeipa.org/page/Certmonger >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html >>>>> >>>>> I have to admit that I am completely confused on how to proceed given >>>>> that the links above reference external CA's. >>>>> >>>>> The certificate was created in house (no external issuer) from what I >>>>> can tell (openssl x509 -issuer and via IPA GUI). >>>>> >>>>> Thankfully(?), none of the certificates listed via 'getcert list' have >>>>> a status of "CA_UNREACHABLE", although all of them state "NEED_CSR". >>>>> I'll paste the contents below, sanitized of couse. >>>>> >>>>> # getcert list >>>>> Number of certificates and requests being tracked: 8. 
>>>>> Request ID '20130110185936': >>>>> status: NEED_CSR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS >>>>> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt' >>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS >>>>> Certificate DB' >>>>> CA: IPA >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=ipa.example.com,O=EXAMPLE.COM >>>>> expires: 2015-01-11 18:59:35 UTC >>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>> pre-save command: >>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM >>>>> track: yes >>>>> auto-renew: yes >>>>> Request ID '20130110190008': >>>>> status: NEED_CSR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>>>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' >>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>>>> Certificate DB' >>>>> CA: IPA >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=ipa.example.com,O=EXAMPLE.COM >>>>> expires: 2015-01-11 19:00:07 UTC >>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>>> Request ID '20130110190034': >>>>> status: NEED_CSR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>>>> Certificate DB' >>>>> CA: IPA >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=ipa.example.com,O=EXAMPLE.COM >>>>> expires: 2015-01-11 19:00:34 UTC >>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>> pre-save command: >>>>> post-save command: 
/usr/lib64/ipa/certmonger/restart_httpd >>>>> track: yes >>>>> auto-renew: yes >>>>> Request ID '20130410022007': >>>>> status: NEED_CSR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>>>> cert-pki-ca',token='NSS Certificate DB' >>>>> CA: dogtag-ipa-renew-agent >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=CA Audit,O=EXAMPLE.COM >>>>> expires: 2014-12-31 18:58:42 UTC >>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>>> "auditSigningCert cert-pki-ca" >>>>> track: yes >>>>> auto-renew: yes >>>>> Request ID '20130410022008': >>>>> status: NEED_CSR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>>>> cert-pki-ca',token='NSS Certificate DB' >>>>> CA: dogtag-ipa-renew-agent >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM >>>>> expires: 2014-12-31 18:58:41 UTC >>>>> eku: id-kp-OCSPSigning >>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>>> "ocspSigningCert cert-pki-ca" >>>>> track: yes >>>>> auto-renew: yes >>>>> Request ID '20130410022009': >>>>> status: NEED_CSR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>>>> cert-pki-ca',token='NSS Certificate DB' >>>>> CA: 
dogtag-ipa-renew-agent >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM >>>>> expires: 2014-12-31 18:58:41 UTC >>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>>> "subsystemCert cert-pki-ca" >>>>> track: yes >>>>> auto-renew: yes >>>>> Request ID '20130410022010': >>>>> status: NEED_CSR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>> Certificate DB' >>>>> CA: dogtag-ipa-renew-agent >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=IPA RA,O=EXAMPLE.COM >>>>> expires: 2014-12-31 18:59:24 UTC >>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>> pre-save command: >>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >>>>> track: yes >>>>> auto-renew: yes >>>>> Request ID '20130410022011': >>>>> status: NEED_CSR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534' >>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>>>> cert-pki-ca',token='NSS Certificate DB' >>>>> CA: dogtag-ipa-renew-agent >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=ipa.example.com,O=EXAMPLE.COM >>>>> expires: 2014-12-31 18:58:41 UTC >>>>> eku: id-kp-serverAuth >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>>> >>>>> This issue was manifest when I attempted to re-provision a client >>>>> node. 
I'll paste the errors reported by Apache:
>>>>>
>>>>> [Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181
>>>>> [Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181
>>>>> Certificate has expired
>>>>> [Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed:
>>>>> Not accepted by client!?
>>>>>
>>>>> FWIW, all IPA services are running for now.
>>>>>
>>>>> Any guidance would certainly be appreciated! If more information is
>>>>> required, let me know and I'll paste it in a reply.
>>>>>
>>>>> Thank you,
>>>>> John DeSantis
>>>>
>>>
>


From CWhite at skytouchtechnology.com Thu Jan 8 18:54:47 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Thu, 8 Jan 2015 18:54:47 +0000
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To: <54AEB122.2000304@redhat.com>
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com> <54AE51C6.4020405@redhat.com> <54AE7855.4000402@redhat.com> <54AEB122.2000304@redhat.com>
Message-ID: 

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, January 08, 2015 9:33 AM
To: Craig White; Martin Kosek; Pavel Březina; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

Craig White wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
> Sent: Thursday, January 08, 2015 5:30 AM
> To: Pavel Březina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>> On 01/07/2015 06:32 PM, Craig White wrote:
>>> Still struggling with this...
>>>
>>> $ sudo /sbin/service pe-puppet restart
>>> [sudo] password for rundeck:
>>> Stopping puppet: [ OK ]
>>> Starting puppet: [ OK ]
>>>
>>> So it asks for the password even though, via FreeIPA it isn't required...
>>> >>> $ sudo -l >>> Matching Defaults entries for rundeck on this host: >>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS >>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 >>> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE >>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY >>> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL >>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", >>> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin >>> >>> User rundeck may run the following commands on this host: >>> (root) ALL >>> (ALL) NOPASSWD: ALL >> >> Hi, >> thank you, I was just going to ask you for sudo -l. I believe that >> the problem is that (root) ALL rule takes precedence. Or to be more >> precise, the first rule that matches is always applied, unless >> sudoOrder attribute is present (but that is not supported by IPA, is it?). > > JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107). > > ---- > I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package. > > $ rpm -q ipa-server > ipa-server-3.0.0-42.el6.x86_64 > > $ cat sudoOrder.ldif > dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config > changetype: modify > add: schema-compat-entry-attribute > schema-compat-entry-attribute: sudoOrder=%{sudoOrder} > > $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f > sudoOrder.ldif Enter LDAP Password: > modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config" > ldap_modify: No such object (32) > additional info: Range Check error > > bummer :-( You have a typo, suoders instead of sudoers. You might also experiment with order in the sudoers entry in /etc/nsswitch.conf, try sss files. Or if you don't intend on storing any rules in files, perhaps drop it. ---- Thanks for catching my typo - my bad. This is interesting. 
First tried 'sss files' and then just 'sss' for sudoers in nsswitch.conf but no go.

$ sudo -l

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for rundeck:
Matching Defaults entries for rundeck on this host:
!requiretty

User rundeck may run the following commands on this host:
(root) ALL
(ALL) NOPASSWD: ALL

So !authenticate doesn't show up even though I have had the rule in ipa for 2 days now.

$ ipa sudorule-show rundeck
Rule name: rundeck
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
RunAs Group category: all
Users: rundeck
Sudo Option: !authenticate

That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because nsswitch.conf presently only uses sss for sudoers. I still don't see where it actually comes from though...

$ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b ou=sudoers,dc=stt,dc=local
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudoers, stt.local
dn: ou=sudoers,dc=stt,dc=local
objectClass: extensibleObject
ou: sudoers

# defaults, sudoers, stt.local
dn: cn=defaults,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults

# rundeck, sudoers, stt.local
dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: rundeck

# puppet, sudoers, stt.local
dn: cn=puppet,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %puppet
sudoHost: +puppet
sudoCommand: ALL
cn: puppet

# sysengineers, sudoers, stt.local
dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysengineer
sudoHost: ALL
sudoCommand: ALL
cn: sysengineers

# sysadmins, sudoers, stt.local
dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
cn: sysadmins

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

From rcritten at redhat.com Thu Jan 8 19:05:54 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 Jan 2015 14:05:54 -0500
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To:
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com> <54AE51C6.4020405@redhat.com> <54AE7855.4000402@redhat.com> <54AEB122.2000304@redhat.com>
Message-ID: <54AED512.7070500@redhat.com>

Craig White wrote:
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, January 08, 2015 9:33 AM
> To: Craig White; Martin Kosek; Pavel Březina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> Craig White wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
>> Sent: Thursday, January 08, 2015 5:30 AM
>> To: Pavel Březina; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>>> On 01/07/2015 06:32 PM, Craig White wrote:
>>>> Still struggling with this...
>>>>
>>>> $ sudo /sbin/service pe-puppet restart
>>>> [sudo] password for rundeck:
>>>> Stopping puppet: [ OK ]
>>>> Starting puppet: [ OK ]
>>>>
>>>> So it asks for the password even though, via FreeIPA it isn't required...
>>>>
>>>> $ sudo -l
>>>> Matching Defaults entries for rundeck on this host:
>>>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User rundeck may run the following commands on this host:
>>>> (root) ALL
>>>> (ALL) NOPASSWD: ALL
>>>
>>> Hi,
>>> thank you, I was just going to ask you for sudo -l. I believe that the problem is that (root) ALL rule takes precedence. Or to be more precise, the first rule that matches is always applied, unless sudoOrder attribute is present (but that is not supported by IPA, is it?).
>>
>> JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107).
>>
>> ----
>> I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package.
>>
>> $ rpm -q ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> $ cat sudoOrder.ldif
>> dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>> $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
>> Enter LDAP Password:
>> modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
>> ldap_modify: No such object (32)
>> additional info: Range Check error
>>
>> bummer :-(
>
> You have a typo, suoders instead of sudoers.
>
> You might also experiment with order in the sudoers entry in /etc/nsswitch.conf, try sss files. Or if you don't intend on storing any rules in files, perhaps drop it.
> ----
> Thanks for catching my typo - my bad.
>
> This is interesting. First tried 'sss files' and then just 'sss' for sudoers in nsswitch.conf but no go.
>
> $ sudo -l
>
> We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> [sudo] password for rundeck:
> Matching Defaults entries for rundeck on this host:
> !requiretty
>
> User rundeck may run the following commands on this host:
> (root) ALL
> (ALL) NOPASSWD: ALL
>
> So !authenticate doesn't show up even though I have had the rule in ipa for 2 days now.
> $ ipa sudorule-show rundeck
> Rule name: rundeck
> Enabled: TRUE
> Host category: all
> Command category: all
> RunAs User category: all
> RunAs Group category: all
> Users: rundeck
> Sudo Option: !authenticate
>
> That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because nsswitch.conf presently only uses sss for sudoers. I still don't see where it actually comes from though...

What groups is rundeck a member of?
rob

> $ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b ou=sudoers,dc=stt,dc=local
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # sudoers, stt.local
> dn: ou=sudoers,dc=stt,dc=local
> objectClass: extensibleObject
> ou: sudoers
>
> # defaults, sudoers, stt.local
> dn: cn=defaults,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoOption: !requiretty
> cn: defaults
>
> # rundeck, sudoers, stt.local
> dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: rundeck
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: ALL
> sudoOption: !authenticate
> cn: rundeck
>
> # puppet, sudoers, stt.local
> dn: cn=puppet,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %puppet
> sudoHost: +puppet
> sudoCommand: ALL
> cn: puppet
>
> # sysengineers, sudoers, stt.local
> dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysengineer
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysengineers
>
> # sysadmins, sudoers, stt.local
> dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysadmin
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysadmins
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
>

From nalin at redhat.com Thu Jan 8 19:07:27 2015
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 8 Jan 2015 14:07:27 -0500
Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64
In-Reply-To:
References: <54AE81D3.5020901@redhat.com>
Message-ID: <20150108190727.GC1548@redhat.com>

On Thu, Jan 08, 2015 at 01:27:26PM -0500, John Desantis wrote:
> > Would file corruption within the file of the "Request ID" in /var/lib/certmonger/request have anything to do with this?
> >
> > autorenew=1
> > monitor=1
> > ca_name=dogtag-ipa-retrieve-agent-submit
> > ca_profile=ipaCert
> > submitted=20141228050011
> > cert=ESC[?1034h-----BEGIN CERTIFICATE-----
> >
> > I checked a few other random client nodes (and the master) and none of them are showing this corruption in their requests.
> >
> > I attempted to fix the corruption (editing the file) and subsequently restart certmonger with no luck.

Yes, that'd do it. The file is saved when the daemon exits, so you'd need to shut it down before editing it, as Rob suggested.

Alternately, you could update certmonger to at least 0.69 and use getcert resubmit -d /etc/httpd/alias -d ipaCert to force it to re-fetch the data in a way that should avoid triggering the bug in the ticket Rob linked (which was also #1032760 in Red Hat bugzilla).

HTH,
Nalin

From pbrezina at redhat.com Thu Jan 8 19:15:47 2015
From: pbrezina at redhat.com (Pavel Březina)
Date: Thu, 08 Jan 2015 20:15:47 +0100
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To:
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com> <54AE51C6.4020405@redhat.com> <54AE7855.4000402@redhat.com> <54AEB122.2000304@redhat.com>
Message-ID: <54AED763.1030305@redhat.com>

On 01/08/2015 07:54 PM, Craig White wrote:
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, January 08, 2015 9:33 AM
> To: Craig White; Martin Kosek; Pavel Březina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> Craig White wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
>> Sent: Thursday, January 08, 2015 5:30 AM
>> To: Pavel Březina; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>>> On 01/07/2015 06:32 PM, Craig White wrote:
>>>> Still struggling with this...
>>>>
>>>> $ sudo /sbin/service pe-puppet restart
>>>> [sudo] password for rundeck:
>>>> Stopping puppet: [ OK ]
>>>> Starting puppet: [ OK ]
>>>>
>>>> So it asks for the password even though, via FreeIPA it isn't required...
>>>>
>>>> $ sudo -l
>>>> Matching Defaults entries for rundeck on this host:
>>>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User rundeck may run the following commands on this host:
>>>> (root) ALL
>>>> (ALL) NOPASSWD: ALL
>>>
>>> Hi,
>>> thank you, I was just going to ask you for sudo -l. I believe that the problem is that (root) ALL rule takes precedence. Or to be more precise, the first rule that matches is always applied, unless sudoOrder attribute is present (but that is not supported by IPA, is it?).
>>
>> JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107).
>>
>> ----
>> I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package.
>>
>> $ rpm -q ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> $ cat sudoOrder.ldif
>> dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>> $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
>> Enter LDAP Password:
>> modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
>> ldap_modify: No such object (32)
>> additional info: Range Check error
>>
>> bummer :-(
>
> You have a typo, suoders instead of sudoers.
>
> You might also experiment with order in the sudoers entry in /etc/nsswitch.conf, try sss files. Or if you don't intend on storing any rules in files, perhaps drop it.
> ----
> Thanks for catching my typo - my bad.
>
> This is interesting. First tried 'sss files' and then just 'sss' for sudoers in nsswitch.conf but no go.
>
> $ sudo -l
>
> We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> [sudo] password for rundeck:
> Matching Defaults entries for rundeck on this host:
> !requiretty
>
> User rundeck may run the following commands on this host:
> (root) ALL
> (ALL) NOPASSWD: ALL
>
> So !authenticate doesn't show up even though I have had the rule in ipa for 2 days now.

Hi,
!authenticate does show up. It shows up as the word NOPASSWD in the rule list.

> $ ipa sudorule-show rundeck
> Rule name: rundeck
> Enabled: TRUE
> Host category: all
> Command category: all
> RunAs User category: all
> RunAs Group category: all
> Users: rundeck
> Sudo Option: !authenticate
>
> That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because nsswitch.conf presently only uses sss for sudoers. I still don't see where it actually comes from though...

It may come from all of the rules below except rundeck. What groups is the user you are running sudo as a member of? If he is a member of one of the groups puppet, sysadmin or sysengineer, then the rules below containing sudoCommand: ALL and not containing sudoRunAsUser: ALL show up as (root): ALL.

>
> $ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b ou=sudoers,dc=stt,dc=local
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # sudoers, stt.local
> dn: ou=sudoers,dc=stt,dc=local
> objectClass: extensibleObject
> ou: sudoers
>
> # defaults, sudoers, stt.local
> dn: cn=defaults,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoOption: !requiretty
> cn: defaults
>
> # rundeck, sudoers, stt.local
> dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: rundeck
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: ALL
> sudoOption: !authenticate
> cn: rundeck
>
> # puppet, sudoers, stt.local
> dn: cn=puppet,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %puppet
> sudoHost: +puppet
> sudoCommand: ALL
> cn: puppet
>
> # sysengineers, sudoers, stt.local
> dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysengineer
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysengineers
>
> # sysadmins, sudoers, stt.local
> dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysadmin
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysadmins
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
>

From mkosek at redhat.com Thu Jan 8 19:16:13 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 08 Jan 2015 20:16:13 +0100
Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64
In-Reply-To: <54AED279.9030604@redhat.com>
References: <54AE81D3.5020901@redhat.com> <54AED279.9030604@redhat.com>
Message-ID: <54AED77D.2000201@redhat.com>

On 01/08/2015 07:54 PM, Rob Crittenden wrote:
> John Desantis wrote:
>> Hello all,
>>
>> I didn't reply to the list, so I'll forward in my response.
>>
>>>>> The only remaining hiccup is now the replica's certmonger service keeps dying while failing to re-issue the "ipaCert" in /etc/httpd/alias. Log snippets are below:
>>>>>
>>>>> Jan 7 12:17:02 python: certmonger restarted httpd
>>>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.
>>>>>
>>>>> The IPA services are running and the machine can be accessed (queries issued, web GUI, etc.)
>>>>>
>>>>> Would anyone have an idea of why a replica would have issues renewing the "ipaCert"?
>>>>
>>>> CCing Jan to advise, he is the most experienced in this area.
>>>
>>> Would file corruption within the file of the "Request ID" in /var/lib/certmonger/request have anything to do with this?
>>>
>>> autorenew=1
>>> monitor=1
>>> ca_name=dogtag-ipa-retrieve-agent-submit
>>> ca_profile=ipaCert
>>> submitted=20141228050011
>>> cert=ESC[?1034h-----BEGIN CERTIFICATE-----
>>>
>>> I checked a few other random client nodes (and the master) and none of them are showing this corruption in their requests.
>>>
>>> I attempted to fix the corruption (editing the file) and subsequently restart certmonger with no luck.
>>>
>>> Thanks,
>>> John DeSantis
>>>
>>
>> Thanks,
>> John DeSantis
>>
>> 2015-01-08 13:26 GMT-05:00 John Desantis :
>>> Hello all,
>>>
>>>>> The only remaining hiccup is now the replica's certmonger service keeps dying while failing to re-issue the "ipaCert" in /etc/httpd/alias. Log snippets are below:
>>>>>
>>>>> Jan 7 12:17:02 python: certmonger restarted httpd
>>>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.
>>>>>
>>>>> The IPA services are running and the machine can be accessed (queries issued, web GUI, etc.)
>>>>>
>>>>> Would anyone have an idea of why a replica would have issues renewing the "ipaCert"?
>>>>
>>>> CCing Jan to advise, he is the most experienced in this area.
>>>
>>> Would file corruption within the file of the "Request ID" in /var/lib/certmonger/request have anything to do with this?
>>>
>>> autorenew=1
>>> monitor=1
>>> ca_name=dogtag-ipa-retrieve-agent-submit
>>> ca_profile=ipaCert
>>> submitted=20141228050011
>>> cert=ESC[?1034h-----BEGIN CERTIFICATE-----
>>>
>>> I checked a few other random client nodes (and the master) and none of them are showing this corruption in their requests.
>>>
>>> I attempted to fix the corruption (editing the file) and subsequently restart certmonger with no luck.
>>>
>>> Thanks,
>>> John DeSantis
>
> Ah, that sounds familiar. See https://fedorahosted.org/freeipa/ticket/4064
>
> The change is quite small, you might try manually changing it.
>
> Then a certmonger restart might fix it.
>
> rob

Ah, yes, this one is nasty. As Rob said, this is likely https://bugzilla.redhat.com/show_bug.cgi?id=1040009

I would suggest updating to RHEL-6, at least IPA (ipa-3.0.0-38.el6 or later), certmonger and selinux-policy as there were related fixes.

HTH,
Martin

From john.obaterspok at gmail.com Thu Jan 8 19:31:38 2015
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Thu, 8 Jan 2015 20:31:38 +0100
Subject: [Freeipa-users] Problem starting IPA after reboot
Message-ID:

Hello,

I was trying out cifs mount when I ran into some problem where smb failed to load. What I've done was:

1) ipa-getkeytab -s ipaserver -p cifs/ipaserver.my.lan -k /etc/krb5.keytab

2) pdbedit -L on ipaserver (which failed since I'm using registry)

Then I got strange errors and tried reboot. Now initially smb failed to start, then after a minute or two ipa + kadmin also fails.

I've noticed selinux complains about:
- SELinux is preventing /usr/sbin/krb5kdc from write access on the sock_file /var/lib/sss/pipes/pac.
- SELinux is preventing /usr/sbin/krb5kdc from connectto access on the unix_stream_socket /var/lib/sss/pipes/pac.

I see the following in journal -b

20:19:44 smbd[2065]: [2015/01/08 20:19:44.736247, 0] ../source3/smbd/server.c:1269(main)
20:19:44 smbd[2065]: standard input is not a socket, assuming -D option
20:19:44 systemd[1]: smb.service: Supervising process 2066 which is not our child. We'll most likely not notice when it exits.
20:19:44 smbd[2066]: [2015/01/08 20:19:44.803085, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:44 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:44 smbd[2066]: [2015/01/08 20:19:44.803985, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
20:19:44 smbd[2066]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-MY-LAN.socket with dn="[Anonymous bind]" Error: Local error
20:19:44 smbd[2066]: (unknown)
20:19:45 smbd[2066]: [2015/01/08 20:19:45.815968, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:45 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:46 smbd[2066]: [2015/01/08 20:19:46.826820, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:46 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:47 smbd[2066]: [2015/01/08 20:19:47.837775, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:47 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:48 smbd[2066]: [2015/01/08 20:19:48.848497, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:48 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:49 smbd[2066]: [2015/01/08 20:19:49.859177, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:49 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:50 smbd[2066]: [2015/01/08 20:19:50.869958, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:50 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:51 smbd[2066]: [2015/01/08 20:19:51.880575, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:51 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:52 smbd[2066]: [2015/01/08 20:19:52.890531, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:52 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:53 smbd[2066]: [2015/01/08 20:19:53.901092, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:53 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:54 smbd[2066]: [2015/01/08 20:19:54.912209, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:54 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:55 smbd[2066]: [2015/01/08 20:19:55.922373, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:55 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:56 smbd[2066]: [2015/01/08 20:19:56.932368, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:56 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:57 smbd[2066]: [2015/01/08 20:19:57.942731, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:57 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:58 smbd[2066]: [2015/01/08 20:19:58.953319, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:58 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:19:59 named-pkcs11[1536]: OSSLRSA.cpp(999): RSA verify failed (0x04091068)
20:19:59 named-pkcs11[1536]: pkcs11rsa_link.c:496: pkcs_C_VerifyFinal: Error = 0x000000C0
20:19:59 named-pkcs11[1536]: OSSLRSA.cpp(999): RSA verify failed (0x04091068)
20:19:59 named-pkcs11[1536]: pkcs11rsa_link.c:496: pkcs_C_VerifyFinal: Error = 0x000000C0
20:19:59 smbd[2066]: [2015/01/08 20:19:59.963057, 0] ipa_sam.c:4128(bind_callback_cleanup)
20:19:59 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
20:20:00 smbd[2066]: [2015/01/08 20:20:00.964313, 0] ipa_sam.c:4440(pdb_init_ipasam)
20:20:00 smbd[2066]: Failed to get base DN.
20:20:00 smbd[2066]: [2015/01/08 20:20:00.964644, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
20:20:00 smbd[2066]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-LAN.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
20:20:00 systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
20:20:00 systemd[1]: Failed to start Samba SMB Daemon.
20:20:00 systemd[1]: Unit smb.service entered failed state.
20:20:00 systemd[1]: smb.service failed.

From CWhite at skytouchtechnology.com Thu Jan 8 19:52:14 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Thu, 8 Jan 2015 19:52:14 +0000
Subject: [Freeipa-users] sudo !requiretty !authenticate
In-Reply-To: <54AED512.7070500@redhat.com>
References: <54AA767B.7030404@redhat.com> <54ABA901.8050703@redhat.com> <20150106101031.GA4718@mail.corp.redhat.com> <54AE51C6.4020405@redhat.com> <54AE7855.4000402@redhat.com> <54AEB122.2000304@redhat.com> <54AED512.7070500@redhat.com>
Message-ID:

> That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because nsswitch.conf presently only uses sss for sudoers. I still don't see where it actually comes from though...

What groups is rundeck a member of?
-----
Bingo! Thanks Pavel/Rob

Turns out that I had long forgotten that I added rundeck user to sysadmin group for HBAC reasons, inherited the sudo rules for that group which were killing me.

Rundeck now workee!
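The lesson of this thread is that `sudo -l` output is the union of every LDAP sudoRole entry that matches the user directly or through a group, and that a rule without sudoRunAsUser renders as (root) while the !authenticate option renders as the NOPASSWD: tag. The script below is an added example (not code from the thread, FreeIPA or sudo) that traces each `sudo -l` line back to the LDAP entry it came from, given the user's group memberships; the sample LDIF is constructed from the ldapsearch dump posted above, and the names parse_ldif, explain, sudo_l and rules_without_runas are this example's own. Precedence between overlapping rules (sudoOrder) is deliberately not modelled.

```python
"""Which sudo rules from FreeIPA's LDAP compat tree apply to a user, rendered
the way ``sudo -l`` printed them in this thread.  Added example, not code from
the thread, FreeIPA or sudo; the LDIF below is constructed from the posted output."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a subset of the ou=sudoers dump posted in the thread.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults

dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: rundeck

dn: cn=puppet,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %puppet
sudoHost: +puppet
sudoCommand: ALL
cn: puppet

dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
cn: sysadmins
"""


@dataclass
class SudoRole:
    cn: str
    users: List[str]          # sudoUser: "name", "%group" or "ALL"
    hosts: List[str]          # sudoHost: "host", "+netgroup" or "ALL"
    commands: List[str]       # sudoCommand
    runas_users: List[str] = field(default_factory=list)  # sudoRunAsUser; absent -> root
    options: List[str] = field(default_factory=list)      # sudoOption, e.g. "!authenticate"


def parse_ldif(text: str) -> List[SudoRole]:
    """Parse a minimal ldapsearch dump (blank-line separated entries) into sudoRole objects."""
    roles = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "sudoRole" not in attrs.get("objectClass", []):
            continue
        roles.append(SudoRole(cn=attrs["cn"][0], users=attrs.get("sudoUser", []),
                              hosts=attrs.get("sudoHost", []), commands=attrs.get("sudoCommand", []),
                              runas_users=attrs.get("sudoRunAsUser", []), options=attrs.get("sudoOption", [])))
    return roles


def user_matches(role: SudoRole, user: str, groups: List[str]) -> bool:
    """sudoUser matches the user name, ALL, or %group for a group the user belongs to."""
    return any(s == "ALL" or s == user or (s.startswith("%") and s[1:] in groups) for s in role.users)


def host_matches(role: SudoRole, host: str, netgroups: List[str]) -> bool:
    """sudoHost matches the host name, ALL, or +netgroup for a netgroup the host is in."""
    return any(s == "ALL" or s == host or (s.startswith("+") and s[1:] in netgroups) for s in role.hosts)


def render(role: SudoRole) -> str:
    """One rule as ``sudo -l`` prints it: no sudoRunAsUser -> (root); !authenticate -> NOPASSWD: tag."""
    runas = ", ".join(role.runas_users) if role.runas_users else "root"
    tag = "NOPASSWD: " if "!authenticate" in role.options else ""
    return "(%s) %s%s" % (runas, tag, ", ".join(role.commands))


def explain(roles, user, groups, host, netgroups=()) -> List[Tuple[str, str]]:
    """(rule cn, rendered line) for every rule applying to user@host, so each ``sudo -l`` line
    can be traced to its LDAP entry.  cn=defaults only carries global options, never commands."""
    return [(r.cn, render(r)) for r in roles if r.cn != "defaults"
            and user_matches(r, user, list(groups)) and host_matches(r, host, list(netgroups))]


def sudo_l(roles, user, groups, host, netgroups=()) -> List[str]:
    return [line for _, line in explain(roles, user, groups, host, netgroups)]


def rules_without_runas(roles) -> List[str]:
    """Audit helper: rules that omit sudoRunAsUser and therefore render as (root)."""
    return [r.cn for r in roles if r.cn != "defaults" and not r.runas_users]


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    # rundeck alone gives only the NOPASSWD rule; adding the sysadmin group
    # membership brings in the "(root) ALL" line that puzzled the thread.
    for groups in (["rundeck"], ["rundeck", "sysadmin"]):
        print("groups=%s" % groups)
        for cn, line in explain(roles, "rundeck", groups, "host1"):
            print("  %-10s %s" % (cn, line))
```

Running it against a real tree means replacing SAMPLE_LDIF with the output of the same ldapsearch shown in the thread and supplying the user's groups from `id`; rules_without_runas is the quick audit for group rules that silently grant root.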
From desantis at mail.usf.edu Thu Jan 8 20:12:27 2015
From: desantis at mail.usf.edu (John Desantis)
Date: Thu, 8 Jan 2015 15:12:27 -0500
Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64
In-Reply-To: <54AED77D.2000201@redhat.com>
References: <54AE81D3.5020901@redhat.com> <54AED279.9030604@redhat.com> <54AED77D.2000201@redhat.com>
Message-ID:

Martin, Rob, and Nalin,

The patch worked for me (https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=1357eade4c5086e6c837a49f3008616317f88e5f), thank you so much for the assistance!

The process was simple. I'll quickly outline it for other users faced with the same issue.

1.) Apply patch.
2.) Ensure certmonger wasn't running (in my case it just crashed after a few minutes);
3.) Edit the request in question in /var/lib/certmonger/requests to remove the corruption;
4.) Restart certmonger.

Again, I really appreciate the assistance on such a great product. Obviously, there would be pizza and beer if you were all local!

Thanks,
John DeSantis

2015-01-08 14:16 GMT-05:00 Martin Kosek :
> On 01/08/2015 07:54 PM, Rob Crittenden wrote:
>>
>> John Desantis wrote:
>>>
>>> Hello all,
>>>
>>> I didn't reply to the list, so I'll forward in my response.
>>>
>>>>>> The only remaining hiccup is now the replica's certmonger service keeps dying while failing to re-issue the "ipaCert" in /etc/httpd/alias. Log snippets are below:
>>>>>>
>>>>>> Jan 7 12:17:02 python: certmonger restarted httpd
>>>>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.
>>>>>>
>>>>>> The IPA services are running and the machine can be accessed (queries issued, web GUI, etc.)
>>>>>>
>>>>>> Would anyone have an idea of why a replica would have issues renewing the "ipaCert"?
>>>>>
>>>>>
>>>>> CCing Jan to advise, he is the most experienced in this area.
>>>>
>>>>
>>>> Would file corruption within the file of the "Request ID" in /var/lib/certmonger/request have anything to do with this?
>>>>
>>>> autorenew=1
>>>> monitor=1
>>>> ca_name=dogtag-ipa-retrieve-agent-submit
>>>> ca_profile=ipaCert
>>>> submitted=20141228050011
>>>> cert=ESC[?1034h-----BEGIN CERTIFICATE-----
>>>>
>>>> I checked a few other random client nodes (and the master) and none of them are showing this corruption in their requests.
>>>>
>>>> I attempted to fix the corruption (editing the file) and subsequently restart certmonger with no luck.
>>>>
>>>> Thanks,
>>>> John DeSantis
>>>>
>>>
>>> Thanks,
>>> John DeSantis
>>>
>>> 2015-01-08 13:26 GMT-05:00 John Desantis :
>>>>
>>>> Hello all,
>>>>
>>>>>> The only remaining hiccup is now the replica's certmonger service keeps dying while failing to re-issue the "ipaCert" in /etc/httpd/alias. Log snippets are below:
>>>>>>
>>>>>> Jan 7 12:17:02 python: certmonger restarted httpd
>>>>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.
>>>>>>
>>>>>> The IPA services are running and the machine can be accessed (queries issued, web GUI, etc.)
>>>>>>
>>>>>> Would anyone have an idea of why a replica would have issues renewing the "ipaCert"?
>>>>> >>>>> >>>>> CCing Jan to advise, he is the most experienced in this area. >>>> >>>> >>>> Would file corruption within the file of the "Request ID" in >>>> /var/lib/certmonger/request have anything to do with this? >>>> >>>> autorenew=1 >>>> monitor=1 >>>> ca_name=dogtag-ipa-retrieve-agent-submit >>>> ca_profile=ipaCert >>>> submitted=20141228050011 >>>> cert=ESC[?1034h-----BEGIN CERTIFICATE----- >>>> >>>> I checked a few other random client nodes (and the master) and none of >>>> them are showing this corruption in their requests. >>>> >>>> I attempted to fix the corruption (editing the file) and subsequently >>>> restart certmonger with no luck. >>>> >>>> Thanks, >>>> John DeSantis >> >> >> Ah, that sounds familiar. See https://fedorahosted.org/freeipa/ticket/4064 >> >> The change is quite small, you might try manually changing it. >> >> Then a certmonger restart might fix it. >> >> rob > > > Ah, yes, this one is nasty. As Rob said, this is likely > https://bugzilla.redhat.com/show_bug.cgi?id=1040009 > > I would suggest updating to RHEL-6, at least IPA (ipa-3.0.0-38.el6 or > later), certmonger and selinux-policy as there were related fixes. > > HTH, > Martin From mkosek at redhat.com Thu Jan 8 20:17:06 2015 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 08 Jan 2015 21:17:06 +0100 Subject: [Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64 In-Reply-To: References: <54AE81D3.5020901@redhat.com> <54AED279.9030604@redhat.com> <54AED77D.2000201@redhat.com> Message-ID: <54AEE5C2.8030808@redhat.com> On 01/08/2015 09:12 PM, John Desantis wrote: > Martin, Rob, and Nalin, > > The patch worked for me > (https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=1357eade4c5086e6c837a49f3008616317f88e5f), > thank you so much for the assistance! > > The process was simple. I'll quickly outline it for other users faced > with the same issue. > > 1.) Apply patch. > 2.) 
Ensure certmonger wasn't running (in my case it just crashed > after a few minutes); > 3.) Edit the request in question in /var/lib/certmonger/requests to > remove the corruption; > 4.) Restart certmonger. Great to hear! But as I said, this fix is part of RHEL-6.6, so alternative for 1) is "update IPA to RHEL-6.6" Not sure if steps 2-4 are required though, I would hope that just update&resubmit is enough. > Again, I really appreciate the assistance on such a great product. > Obviously, there would be pizza and beer if you were all local! Heh... Come to next DevConf (http://www.devconf.cz/) and you will have a chance to meet (most of) us, if you are interested! ;-) From john.obaterspok at gmail.com Thu Jan 8 21:22:48 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Thu, 8 Jan 2015 22:22:48 +0100 Subject: [Freeipa-users] Problem starting IPA after reboot In-Reply-To: References: Message-ID: Okay, I see. The below line caused a *new* keytab to be created and kept smb from starting. 1) ipa-getkeytab -s ipaserver -p cifs/ipaserver.my.lan -k /etc/krb5.keytab I've fixed this and now ipa starts fine again. 2015-01-08 20:31 GMT+01:00 John Obaterspok : > Hello, > > I was trying out cifs mount when I ran into some problem where smb failed > to load. What I've done was: > > 1) ipa-getkeytab -s ipaserver -p cifs/ipaserver.my.lan -k /etc/krb5.keytab > > 2) pdbedit -L on ipaserver (which failed since I'm using registry) > > Then I got strange errors and tried reboot. Now initially smb failed to > start, then after a minute or two ipa + kadmin also fails. > > I've noticed selinux complains about: > - SELinux is preventing /usr/sbin/krb5kdc from write access on the > sock_file /var/lib/sss/pipes/pac. > - SELinux is preventing /usr/sbin/krb5kdc from connectto access on the > unix_stream_socket /var/lib/sss/pipes/pac.
> > I see the following in journal -b > > 20:19:44 smbd[2065]: [2015/01/08 20:19:44.736247, 0] > ../source3/smbd/server.c:1269(main) > 20:19:44 smbd[2065]: standard input is not a socket, assuming -D option > 20:19:44 systemd[1]: smb.service: Supervising process 2066 which is not > our child. We'll most likely not notice when it exits. > 20:19:44 smbd[2066]: [2015/01/08 20:19:44.803085, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:44 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:44 smbd[2066]: [2015/01/08 20:19:44.803985, 0] > ../source3/lib/smbldap.c:998(smbldap_connect_system) > 20:19:44 smbd[2066]: failed to bind to server > ldapi://%2fvar%2frun%2fslapd-MY-LAN.socket with dn="[Anonymous bind]" > Error: Local error > 20:19:44 smbd[2066]: (unknown) > 20:19:45 smbd[2066]: [2015/01/08 20:19:45.815968, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:45 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:46 smbd[2066]: [2015/01/08 20:19:46.826820, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:46 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:47 smbd[2066]: [2015/01/08 20:19:47.837775, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:47 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:48 smbd[2066]: [2015/01/08 20:19:48.848497, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:48 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:49 smbd[2066]: [2015/01/08 20:19:49.859177, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:49 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:50 smbd[2066]: [2015/01/08 20:19:50.869958, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:50 smbd[2066]: kerberos error: code=-1765328366, message=Clients > 
credentials have been revoked > 20:19:51 smbd[2066]: [2015/01/08 20:19:51.880575, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:51 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:52 smbd[2066]: [2015/01/08 20:19:52.890531, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:52 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:53 smbd[2066]: [2015/01/08 20:19:53.901092, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:53 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:54 smbd[2066]: [2015/01/08 20:19:54.912209, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:54 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:55 smbd[2066]: [2015/01/08 20:19:55.922373, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:55 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:56 smbd[2066]: [2015/01/08 20:19:56.932368, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:56 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:57 smbd[2066]: [2015/01/08 20:19:57.942731, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:57 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:58 smbd[2066]: [2015/01/08 20:19:58.953319, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:58 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:19:59 named-pkcs11[1536]: OSSLRSA.cpp(999): RSA verify failed > (0x04091068) > 20:19:59 named-pkcs11[1536]: pkcs11rsa_link.c:496: pkcs_C_VerifyFinal: > Error = 0x000000C0 > 20:19:59 named-pkcs11[1536]: OSSLRSA.cpp(999): RSA verify failed > (0x04091068) > 20:19:59 named-pkcs11[1536]: pkcs11rsa_link.c:496: pkcs_C_VerifyFinal: > Error = 0x000000C0 > 20:19:59 
smbd[2066]: [2015/01/08 20:19:59.963057, 0] > ipa_sam.c:4128(bind_callback_cleanup) > 20:19:59 smbd[2066]: kerberos error: code=-1765328366, message=Clients > credentials have been revoked > 20:20:00 smbd[2066]: [2015/01/08 20:20:00.964313, 0] > ipa_sam.c:4440(pdb_init_ipasam) > 20:20:00 smbd[2066]: Failed to get base DN. > 20:20:00 smbd[2066]: [2015/01/08 20:20:00.964644, 0] > ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) > 20:20:00 smbd[2066]: pdb backend > ipasam:ldapi://%2fvar%2frun%2fslapd-MY-LAN.socket did not correctly init > (error was NT_STATUS_UNSUCCESSFUL) > 20:20:00 systemd[1]: smb.service: main process exited, code=exited, > status=1/FAILURE > 20:20:00 systemd[1]: Failed to start Samba SMB Daemon. > 20:20:00 systemd[1]: Unit smb.service entered failed state. > 20:20:00 systemd[1]: smb.service failed. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From john.obaterspok at gmail.com Thu Jan 8 21:29:00 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Thu, 8 Jan 2015 22:29:00 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: <20150108125129.31e12bc1@willson.usersys.redhat.com> References: <20150108125129.31e12bc1@willson.usersys.redhat.com> Message-ID: Hello, I've tried to do the following on the client (and also on the ipaserver itself) where I want to have the ipaserver share mounted. [root at ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) (root has an admin ticket acquired) Any hints for a newbie?
-- john 2015-01-08 18:51 GMT+01:00 Simo Sorce : > On Thu, 8 Jan 2015 10:01:50 +0100 > John Obaterspok wrote: > > > Hello, > > > > I have a samba share on the freeipa 4.1 server that I want to mount > > from another client that is part of the ipa domain > > I've tried: > > mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5 > > > > Shouldn't I be able to do the mount this way? > > > > -- john > > You should be able to, what's the error ? > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Fri Jan 9 09:11:23 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 9 Jan 2015 11:11:23 +0200 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150108125129.31e12bc1@willson.usersys.redhat.com> Message-ID: <20150109091123.GM16288@redhat.com> On Thu, 08 Jan 2015, John Obaterspok wrote: >Hello, > >I've tried to do the following on the client (and also on the ipaserver >itself) where I want to the the ipaserver share mounted. > >[root at ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 >mountpoint >mount error(126): Required key not available >Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) > >(root has an admin ticket aquired) > >Any hints for a newbie? Do you have proper configuration in request-key.conf(5)? On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch Kerberos keys and map IDs of CIFS identities. These configurations are part of cifs-utils package which also supplies mount.cifs. 
-- / Alexander Bokovoy From john.obaterspok at gmail.com Fri Jan 9 10:26:12 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Fri, 9 Jan 2015 11:26:12 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: <20150109091123.GM16288@redhat.com> References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> Message-ID: 2015-01-09 10:11 GMT+01:00 Alexander Bokovoy : > On Thu, 08 Jan 2015, John Obaterspok wrote: > >> Hello, >> >> I've tried to do the following on the client (and also on the ipaserver >> itself) where I want to the the ipaserver share mounted. >> >> [root at ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o >> sec=krb5 >> mountpoint >> mount error(126): Required key not available >> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) >> >> (root has an admin ticket aquired) >> >> Any hints for a newbie? >> > Do you have proper configuration in request-key.conf(5)? I didn't know about those files, so if there are no defaults then I guess I don't have a proper configuration. > On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and > /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch > Kerberos keys and map IDs of CIFS identities. These configurations are > part of cifs-utils package which also supplies mount.cifs. > > Thanks Alexander, -- john -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Fri Jan 9 11:23:05 2015 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 09 Jan 2015 12:23:05 +0100 Subject: [Freeipa-users] Configure also-notify for freeipa DNS zones In-Reply-To: References: Message-ID: <54AFBA19.2070108@redhat.com> On 8.1.2015 18:54, Baird, Josh wrote: > I should also note that adding "also-notify { 1.2.3.4; };" to /etc/named.conf on the IPA server does not actually trigger notifys for whatever reason. 
AFAIK also-notify specification in options {} section is not supported by bind-dyndb-ldap. Feel free to open feature request here: https://fedorahosted.org/bind-dyndb-ldap/newticket If you are RHEL customer then please contact your support representative, too. Have a nice day! Petr^2 Spacek >> -----Original Message----- >> From: Baird, Josh >> Sent: Thursday, January 08, 2015 9:35 AM >> To: freeipa-users at redhat.com >> Subject: Configure also-notify for freeipa DNS zones >> >> Hi, >> >> The docs state this: >> >> "DNS slaves will transfer the whole zone periodically as is specified in zone's >> SOA record. DNS masters also send DNS NOTIFY messages to inform slaves >> about a change asynchronously." >> >> I have a need to execute zone transfers from my IPA server(s) to non-IPA >> slaves and I would like the IPA servers to send notifies each time the zone is >> updated/reloaded (eg, the "also-notify" option in BIND). Currently, the zone >> transfer is only executed once the refresh timer in the SOA expires. I don't >> see an option within IPA to configure the BIND "also-notify" option. >> >> How can I make my IPA DNS servers send notifies to my non-IPA slave >> servers so that zone transfers occur immediately after IPA zone updates? >> >> Thanks, >> >> Josh > -- Petr^2 Spacek From chin at juniper.net Fri Jan 9 16:21:24 2015 From: chin at juniper.net (Andrew Chin) Date: Fri, 9 Jan 2015 16:21:24 +0000 Subject: [Freeipa-users] Switch to 3rd party SSL In-Reply-To: <54AD9368.2040101@redhat.com> References: <6A8B3831-4E21-4877-AC25-98999536DC5D@juniper.net> <54AD9368.2040101@redhat.com> Message-ID: Thanks Rob, I'll give it a try! Andrew Chin > On Jan 7, 2015, at 2:13 PM, Rob Crittenden wrote: > > Andrew Chin wrote: >> Hello, >> I want to switch our FreeIPA 3.3.5 from using the FreeIPA CA self signed certificate to one signed by a commercial CA that browsers will recognize.
>> >> The documentation at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP says "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." Does this preclude me from installing the commercial cert? If not, should I just follow the directions for IPA < 4.1? >> Thanks, >> Andrew Chin > > That is rather confusing, isn't it? IMHO It should really say that the > cert is signed by your 3rd party CA. > > You'll also want to make sure that the issuing CA is trusted in your NSS > databases as well. > > rob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From john.obaterspok at gmail.com Fri Jan 9 16:38:31 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Fri, 9 Jan 2015 17:38:31 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> Message-ID: > > > 2015-01-09 10:11 GMT+01:00 Alexander Bokovoy : >> >> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and >> /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch >> Kerberos keys and map IDs of CIFS identities. These configurations are >> part of cifs-utils package which also supplies mount.cifs. >> >> > I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it supposed to be there? This is what I have: [root at ipaserver etc]# cat request-key.conf ############################################################################### # .... snip .... ################################################################################ #OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== =============================== create dns_resolver * * /sbin/key.dns_resolver %k create user debug:* negate /bin/keyctl negate %k 30 %S create user debug:* rejected /bin/keyctl reject %k 30 %c %S create user debug:* expired /bin/keyctl reject %k 30 %c %S create user debug:* revoked /bin/keyctl reject %k 30 %c %S create user debug:loop:* * |/bin/cat create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S negate * * * /bin/keyctl negate %k 30 %S [root at ipaserver etc]# ls request-key.d/ cifs.idmap.conf cifs.spnego.conf id_resolver.conf [root at ipaserver etc]# cat request-key.d/cifs.idmap.conf create cifs.idmap * * /usr/sbin/cifs.idmap %k [root at ipaserver etc]# cat request-key.d/cifs.spnego.conf create cifs.spnego * * /usr/sbin/cifs.upcall %k -- john -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Fri Jan 9 17:12:01 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 9 Jan 2015 19:12:01 +0200 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> Message-ID: <20150109171201.GN16288@redhat.com> On Fri, 09 Jan 2015, John Obaterspok wrote: >> >> >> 2015-01-09 10:11 GMT+01:00 Alexander Bokovoy : >>> >>> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and >>> /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch >>> Kerberos keys and map IDs of CIFS identities. These configurations are >>> part of cifs-utils package which also supplies mount.cifs. >>> >>> >> >I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it supposed to >be there?
No, it was my fault, forgetting the actual name -- it is cifs.spnego.conf that you have listed below: >This is what I have: > >[root at ipaserver etc]# cat request-key.conf >############################################################################### ># .... snip .... >################################################################################ > >#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ... >#====== ======= =============== =============== >=============================== >create dns_resolver * * /sbin/key.dns_resolver %k >create user debug:* negate /bin/keyctl negate %k 30 %S >create user debug:* rejected /bin/keyctl reject %k 30 %c >%S >create user debug:* expired /bin/keyctl reject %k 30 %c >%S >create user debug:* revoked /bin/keyctl reject %k 30 %c >%S >create user debug:loop:* * |/bin/cat >create user debug:* * >/usr/share/keyutils/request-key-debug.sh %k %d %c %S >negate * * * /bin/keyctl negate %k 30 %S > >[root at ipaserver etc]# ls request-key.d/ >cifs.idmap.conf cifs.spnego.conf id_resolver.conf > >[root at ipaserver etc]# cat request-key.d/cifs.idmap.conf >create cifs.idmap * * /usr/sbin/cifs.idmap %k > >[root at ipaserver etc]# cat request-key.d/cifs.spnego.conf >create cifs.spnego * * /usr/sbin/cifs.upcall %k So if you have all these configs right, can you add --verbose to mount.cifs arguments _before_ -o options? mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5 and you can enable debugging before mounting in /proc/fs/cifs/, see https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting -- / Alexander Bokovoy From notify.sina at gmail.com Fri Jan 9 19:23:09 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Fri, 9 Jan 2015 20:23:09 +0100 Subject: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation Message-ID: Hi List, I've seen this happen on two occasions, now, in two different environments, one with RHEL6.6 and RHEL 6.3. 
I have issues with a replica server, I delete the replication agreement, remove the server from ipa dns, run ipa-server-install --uninstall -U.
Reboot the server, create new replication settings from the existing master, and restore the replica.
Running ipactl status, I see:

ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

No DNS service listed. Named is not running.

ipactl restart
Restarting Directory Service
Shutting down dirsrv:
MYDOM-COM... [ OK ]
Starting dirsrv:
MYDOM-COM... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
Restarting MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Starting ipa_memcached: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

Checking on named:
service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named is stopped
# service named start
Starting named: [ OK ]
# service named status
version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
CPUs found: 2
worker threads: 2
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid 25017) is running...

But it does not resolve. Please what is happening and how can I fix this?
I don't know what logs to provide, but please let me know what is necessary and I'll make them available.

Thanks!
From rcritten at redhat.com Fri Jan 9 19:33:36 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 09 Jan 2015 14:33:36 -0500 Subject: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation In-Reply-To: References: Message-ID: <54B02D10.7020807@redhat.com> Sina Owolabi wrote: > Hi List, > > I've seen this happen on two occasions, now, in two different > environments, one with RHEL6.6 and RHEL 6.3. > > I have issues with a replica sever, I delete the replication > agreement, remove the server from ipa dns, run ipa-server-install > --uninstall -U. > Reboot the server, create new replication settings from the existing > master, and restore the replica. > Running ipactl status, I see: > > ipactl status > Directory Service: RUNNING > KDC Service: RUNNING > KPASSWD Service: RUNNING > MEMCACHE Service: RUNNING > HTTP Service: RUNNING > > No DNS service listed. Named is not running. > > ipactl restart > Restarting Directory Service > Shutting down dirsrv: > MYDOM-COM... [ OK ] > Starting dirsrv: > MYDOM-COM... [ OK ] > Restarting KDC Service > Stopping Kerberos 5 KDC: [ OK ] > Starting Kerberos 5 KDC: [ OK ] > Restarting KPASSWD Service > Stopping Kerberos 5 Admin Server: [ OK ] > Starting Kerberos 5 Admin Server: [ OK ] > Restarting MEMCACHE Service > Stopping ipa_memcached: [ OK ] > Starting ipa_memcached: [ OK ] > Restarting HTTP Service > Stopping httpd: [ OK ] > Starting httpd: [ OK ] > > Checking on named: > service named status > rndc: connect failed: 127.0.0.1#953: connection refused > named is stopped > # service named start > Starting named: [ OK ] > # service named status > version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 > CPUs found: 2 > worker threads: 2 > number of zones: 19 > debug level: 0 > xfers running: 0 > xfers deferred: 0 > soa queries in progress: 0 > query logging is OFF > recursive clients: 0/0/1000 > tcp clients: 0/100 > server is up and running > named (pid 25017) is running... > > But it does not resolve. 
Please what is happening and how can I fix this? > I don't know what logs to provide, but please let me know what is > necessary and I'll make them available. Bind is an optional service. You can either configure it at the time you install replica using the --setup-dns option or afterward using ipa-dns-install. rob From simo at redhat.com Fri Jan 9 20:49:30 2015 From: simo at redhat.com (Simo Sorce) Date: Fri, 9 Jan 2015 15:49:30 -0500 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150108125129.31e12bc1@willson.usersys.redhat.com> Message-ID: <20150109154930.74d22397@willson.usersys.redhat.com> On Thu, 8 Jan 2015 22:29:00 +0100 John Obaterspok wrote: > Hello, > > I've tried to do the following on the client (and also on the > ipaserver itself) where I want to the the ipaserver share mounted. > > [root at ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o > sec=krb5 mountpoint > mount error(126): Required key not available > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) > > (root has an admin ticket aquired) > > Any hints for a newbie? What does klist say ? and what version of cifs-utils ? Simo. > -- john > > 2015-01-08 18:51 GMT+01:00 Simo Sorce : > > > On Thu, 8 Jan 2015 10:01:50 +0100 > > John Obaterspok wrote: > > > > > Hello, > > > > > > I have a samba share on the freeipa 4.1 server that I want to > > > mount from another client that is part of the ipa domain > > > I've tried: > > > mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5 > > > > > > Shouldn't I be able to do the mount this way? > > > > > > -- john > > > > You should be able to, what's the error ? > > > > Simo. 
> > > > -- > > Simo Sorce * Red Hat, Inc * New York > > -- Simo Sorce * Red Hat, Inc * New York From john.obaterspok at gmail.com Fri Jan 9 21:52:35 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Fri, 9 Jan 2015 22:52:35 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: <20150109171201.GN16288@redhat.com> References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> <20150109171201.GN16288@redhat.com> Message-ID: 2015-01-09 18:12 GMT+01:00 Alexander Bokovoy > > So if you have all these configs right, can you add --verbose to > mount.cifs arguments _before_ -o options? > > mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5 > > and you can enable debugging before mounting in /proc/fs/cifs/, see > https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting > -- > [john at ipaserver ~]$ rpm -q cifs-utils cifs-utils-6.4-2.fc21.x86_64 [john at ipaserver mnt]# su root [root at ipaserver mnt]# kdestroy [root at ipaserver mnt]# kinit admin [root at ipaserver mnt]# klist Ticket cache: KEYRING:persistent:1434400004:krb_ccache_As3C1bl Default principal: admin at MY.LAN Valid starting Expires Service principal 2015-01-09 22:40:37 2015-01-10 22:40:32 krbtgt/MY.LAN at MY.LAN [root at ipaserver mnt]# [root at ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5 mointpoint mount.cifs kernel mount options: ip=192.168.0.103,unc=\\ipaserver.MY.LAN\TheShare,sec=krb5,user=john,pass=******** mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. 
man mount.cifs) [fre jan 9 22:40:15 2015] CIFS VFS: Send error in SessSetup = -126 [fre jan 9 22:40:15 2015] CIFS VFS: cifs_mount failed w/return code = -126 [fre jan 9 22:40:49 2015] CIFS VFS: Send error in SessSetup = -126 [fre jan 9 22:40:49 2015] CIFS VFS: cifs_mount failed w/return code = -126 [fre jan 9 22:42:30 2015] fs/cifs/cifsfs.c: Devname: //ipaserver.MY.LAN/TheShare flags: 0 [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Username: john [fre jan 9 22:42:30 2015] fs/cifs/connect.c: file mode: 0x1ed dir mode: 0x1ed [fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 6 with uid: 0 [fre jan 9 22:42:30 2015] fs/cifs/connect.c: UNC: \\ipaserver.MY.LAN\TheShare [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Socket created [fre jan 9 22:42:30 2015] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58 [fre jan 9 22:42:30 2015] fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0xffff88007a28dc00/0xffff8800736ee000) [fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 7 with uid: 0 [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Existing smb sess not found [fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: Requesting extended security. 
[fre jan 9 22:42:30 2015] fs/cifs/transport.c: For smb_command 114 [fre jan 9 22:42:30 2015] fs/cifs/transport.c: Sending smb: smb_len=78 [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Demultiplex PID: 20875 [fre jan 9 22:42:30 2015] fs/cifs/connect.c: RFC1002 header 0xb5 [fre jan 9 22:42:30 2015] fs/cifs/misc.c: checkSMB Length: 0xb9, smb_buf_length: 0xb5 [fre jan 9 22:42:30 2015] fs/cifs/transport.c: cifs_sync_mid_result: cmd=114 mid=1 state=4 [fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: Dialect: 2 [fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92 [fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92 [fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1 [fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: negprot rc 0 [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080f3fd TimeAdjust: -3600 [fre jan 9 22:42:30 2015] fs/cifs/sess.c: sess setup type 5 [fre jan 9 22:42:30 2015] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;uid=0x0;creduid=0x0;user=john;pid=0x5188 [fre jan 9 22:42:30 2015] CIFS VFS: Send error in SessSetup = -126 [fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 7) rc = -126 [fre jan 9 22:42:30 2015] fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0xffff88007a28dc00/0xffff8800736ee000) [fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 6) rc = -126 [fre jan 9 22:42:30 2015] CIFS VFS: cifs_mount failed w/return code = -126 Is it okay that the verbose output says sec=krb5,user=john,pass=******** I did su from john... -- john -------------- next part -------------- An HTML attachment was scrubbed... 
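Added example (written for this archive page; it is not code from the thread, from cifs-utils or from FreeIPA). It turns the two diagnostics raised in the thread into checks a practitioner can run before a `sec=krb5` mount: Alexander's question about request-key.conf(5) handlers for the `cifs.spnego` and `cifs.idmap` key types, and the verbose output John posted. The sample request-key rules, the `klist` line and the `fs/cifs/cifs_spnego.c: key description = ...` line are copied from the thread and marked as constructed input; `load_request_key_config()` reads the Fedora 21 paths Alexander named and is only for a live host. The uid comparison is the point worth noticing in John's output: the kernel asks the upcall for a ticket belonging to `creduid=0x0` (root), while `klist` shows the ticket in `KEYRING:persistent:1434400004`, i.e. a different uid's persistent keyring, which is consistent with a `KRB5CCNAME` inherited across `su` without `-` and explains "Required key not available".

```python
"""Preflight checks for a Kerberos (sec=krb5) CIFS mount on Linux.

Added example, not code from the mailing-list thread, cifs-utils or FreeIPA.
"""
import glob
import os
import re
from typing import Dict, List, Optional

Rule = Dict[str, str]


def parse_request_key_lines(lines: List[str]) -> List[Rule]:
    """Parse request-key.conf(5) rules: OP TYPE DESCRIPTION CALLOUT PROGRAM [ARGS...]."""
    rules: List[Rule] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 4)  # the program keeps its arguments (%k, %S ...)
        if len(parts) < 5:
            continue  # incomplete rule: skip rather than guess at it
        op, ktype, desc, callout, program = parts
        rules.append({"op": op, "type": ktype, "desc": desc,
                      "callout": callout, "program": program})
    return rules


def create_handler(rules: List[Rule], key_type: str) -> Optional[str]:
    """Program (with args) the 'create' rule for key_type would run, or None."""
    for rule in rules:
        if rule["op"] == "create" and rule["type"] == key_type:
            return rule["program"]
    return None


def missing_cifs_handlers(rules: List[Rule]) -> List[str]:
    """Key types a krb5 CIFS mount relies on that have no 'create' handler."""
    return [t for t in ("cifs.spnego", "cifs.idmap") if create_handler(rules, t) is None]


def load_request_key_config(conf: str = "/etc/request-key.conf",
                            confdir: str = "/etc/request-key.d") -> List[Rule]:
    """Read the live configuration (defaults are the Fedora 21 paths from the thread)."""
    lines: List[str] = []
    for path in [conf] + sorted(glob.glob(os.path.join(confdir, "*.conf"))):
        try:
            with open(path) as fh:
                lines.extend(fh.readlines())
        except OSError:
            continue  # absent or unreadable file contributes no rules
    return parse_request_key_lines(lines)


KEY_DESC_RE = re.compile(r"key description = (?P<desc>\S+)")
CCACHE_RE = re.compile(r"Ticket cache:\s*KEYRING:persistent:(?P<uid>\d+)")


def parse_key_description(dmesg_line: str) -> Dict[str, str]:
    """Split the cifs_spnego key description (ver=..;host=..;creduid=..;user=..) into fields."""
    match = KEY_DESC_RE.search(dmesg_line)
    if not match:
        return {}
    fields: Dict[str, str] = {}
    for item in match.group("desc").split(";"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def ccache_owner_uid(klist_output: str) -> Optional[int]:
    """uid that owns a KEYRING:persistent ccache, or None for other ccache types."""
    match = CCACHE_RE.search(klist_output)
    return int(match.group("uid")) if match else None


def check_credential_uid(dmesg_line: str, klist_output: str) -> Optional[str]:
    """Diagnosis when the ticket sits in a different uid's keyring than creduid, else None."""
    fields = parse_key_description(dmesg_line)
    if "creduid" not in fields:
        return None
    creduid = int(fields["creduid"], 16)
    owner = ccache_owner_uid(klist_output)
    if owner is None or owner == creduid:
        return None
    return (f"cifs.upcall will look for a ticket belonging to uid {creduid}, but klist shows "
            f"the ticket in the persistent keyring of uid {owner}; obtain the ticket as uid "
            f"{creduid} (for example from a login shell, su - root) and retry")


# Constructed samples, copied from the output posted in the thread.
SAMPLE_REQUEST_KEY = [
    "#OP      TYPE    DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...",
    "create  dns_resolver  *  *  /sbin/key.dns_resolver %k",
    "create  user    debug:*  negate  /bin/keyctl negate %k 30 %S",
    "create  user    debug:loop:*  *  |/bin/cat",
    "negate  *       *  *  /bin/keyctl negate %k 30 %S",
    "create  cifs.idmap   *  *  /usr/sbin/cifs.idmap %k",   # request-key.d/cifs.idmap.conf
    "create  cifs.spnego  *  *  /usr/sbin/cifs.upcall %k",  # request-key.d/cifs.spnego.conf
]
SAMPLE_DMESG = ("[fre jan 9 22:42:30 2015] fs/cifs/cifs_spnego.c: key description = "
                "ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;uid=0x0;"
                "creduid=0x0;user=john;pid=0x5188")
SAMPLE_KLIST = ("Ticket cache: KEYRING:persistent:1434400004:krb_ccache_As3C1bl\n"
                "Default principal: admin@MY.LAN\n")

if __name__ == "__main__":
    rules = parse_request_key_lines(SAMPLE_REQUEST_KEY)  # load_request_key_config() on a real host
    print("missing handlers:", missing_cifs_handlers(rules) or "none")
    print(check_credential_uid(SAMPLE_DMESG, SAMPLE_KLIST) or "credential uid matches")
```

On the sample data the handler check passes (both `cifs.spnego` and `cifs.idmap` have a `create` rule, matching the files John listed) and the uid check reports the mismatch between `creduid=0x0` and the `persistent:1434400004` keyring. Run against a real host, feed it `dmesg` after enabling CIFS debugging as Alexander describes and the `klist` output of the user doing the mount.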
URL: From notify.sina at gmail.com Sat Jan 10 09:22:21 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Sat, 10 Jan 2015 10:22:21 +0100 Subject: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation In-Reply-To: <54B02D10.7020807@redhat.com> References: <54B02D10.7020807@redhat.com> Message-ID: I did run it with --setup-dns. [root at services01 ~]# ipa-replica-install --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4 replica-info-services01.mydom.com.gpg How can I fix this, please? On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden wrote: > Sina Owolabi wrote: >> Hi List, >> >> I've seen this happen on two occasions, now, in two different >> environments, one with RHEL6.6 and RHEL 6.3. >> >> I have issues with a replica sever, I delete the replication >> agreement, remove the server from ipa dns, run ipa-server-install >> --uninstall -U. >> Reboot the server, create new replication settings from the existing >> master, and restore the replica. >> Running ipactl status, I see: >> >> ipactl status >> Directory Service: RUNNING >> KDC Service: RUNNING >> KPASSWD Service: RUNNING >> MEMCACHE Service: RUNNING >> HTTP Service: RUNNING >> >> No DNS service listed. Named is not running. >> >> ipactl restart >> Restarting Directory Service >> Shutting down dirsrv: >> MYDOM-COM... [ OK ] >> Starting dirsrv: >> MYDOM-COM... 
[ OK ] >> Restarting KDC Service >> Stopping Kerberos 5 KDC: [ OK ] >> Starting Kerberos 5 KDC: [ OK ] >> Restarting KPASSWD Service >> Stopping Kerberos 5 Admin Server: [ OK ] >> Starting Kerberos 5 Admin Server: [ OK ] >> Restarting MEMCACHE Service >> Stopping ipa_memcached: [ OK ] >> Starting ipa_memcached: [ OK ] >> Restarting HTTP Service >> Stopping httpd: [ OK ] >> Starting httpd: [ OK ] >> >> Checking on named: >> service named status >> rndc: connect failed: 127.0.0.1#953: connection refused >> named is stopped >> # service named start >> Starting named: [ OK ] >> # service named status >> version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 >> CPUs found: 2 >> worker threads: 2 >> number of zones: 19 >> debug level: 0 >> xfers running: 0 >> xfers deferred: 0 >> soa queries in progress: 0 >> query logging is OFF >> recursive clients: 0/0/1000 >> tcp clients: 0/100 >> server is up and running >> named (pid 25017) is running... >> >> But it does not resolve. Please what is happening and how can I fix this? >> I don't know what logs to provide, but please let me know what is >> necessary and I'll make them available. > > Bind is an optional service. You can either configure it at the time you > install replica using the --setup-dns option or afterward using > ipa-dns-install. > > rob > From notify.sina at gmail.com Sat Jan 10 09:41:20 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Sat, 10 Jan 2015 10:41:20 +0100 Subject: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation In-Reply-To: References: <54B02D10.7020807@redhat.com> Message-ID: I've run ipa-dns-install after the fact now, and named is setup. Strange, it used to work without me having to do this manually (whenever I needed to take down a replica). 
However when I ran dnsconfig-mod on the new replica, I get: ipa dnsconfig-mod ipa: ERROR: cert validation failed for "CN=services01.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) ipa: ERROR: cert validation failed for "CN=services.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml, https://services.mydom.com/ipa/xml On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi wrote: > I did run it with --setup-dns. > > [root at services01 ~]# ipa-replica-install --setup-dns > --forwarder=8.8.8.8 --forwarder=8.8.4.4 > replica-info-services01.mydom.com.gpg > > How can I fix this, please? > > On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden wrote: >> Sina Owolabi wrote: >>> Hi List, >>> >>> I've seen this happen on two occasions, now, in two different >>> environments, one with RHEL6.6 and RHEL 6.3. >>> >>> I have issues with a replica sever, I delete the replication >>> agreement, remove the server from ipa dns, run ipa-server-install >>> --uninstall -U. >>> Reboot the server, create new replication settings from the existing >>> master, and restore the replica. >>> Running ipactl status, I see: >>> >>> ipactl status >>> Directory Service: RUNNING >>> KDC Service: RUNNING >>> KPASSWD Service: RUNNING >>> MEMCACHE Service: RUNNING >>> HTTP Service: RUNNING >>> >>> No DNS service listed. Named is not running. >>> >>> ipactl restart >>> Restarting Directory Service >>> Shutting down dirsrv: >>> MYDOM-COM... [ OK ] >>> Starting dirsrv: >>> MYDOM-COM... 
[ OK ] >>> Restarting KDC Service >>> Stopping Kerberos 5 KDC: [ OK ] >>> Starting Kerberos 5 KDC: [ OK ] >>> Restarting KPASSWD Service >>> Stopping Kerberos 5 Admin Server: [ OK ] >>> Starting Kerberos 5 Admin Server: [ OK ] >>> Restarting MEMCACHE Service >>> Stopping ipa_memcached: [ OK ] >>> Starting ipa_memcached: [ OK ] >>> Restarting HTTP Service >>> Stopping httpd: [ OK ] >>> Starting httpd: [ OK ] >>> >>> Checking on named: >>> service named status >>> rndc: connect failed: 127.0.0.1#953: connection refused >>> named is stopped >>> # service named start >>> Starting named: [ OK ] >>> # service named status >>> version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 >>> CPUs found: 2 >>> worker threads: 2 >>> number of zones: 19 >>> debug level: 0 >>> xfers running: 0 >>> xfers deferred: 0 >>> soa queries in progress: 0 >>> query logging is OFF >>> recursive clients: 0/0/1000 >>> tcp clients: 0/100 >>> server is up and running >>> named (pid 25017) is running... >>> >>> But it does not resolve. Please what is happening and how can I fix this? >>> I don't know what logs to provide, but please let me know what is >>> necessary and I'll make them available. >> >> Bind is an optional service. You can either configure it at the time you >> install replica using the --setup-dns option or afterward using >> ipa-dns-install. >> >> rob >> From gianluca.cecchi at gmail.com Sat Jan 10 12:32:35 2015 From: gianluca.cecchi at gmail.com (Gianluca Cecchi) Date: Sat, 10 Jan 2015 13:32:35 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> <20150109171201.GN16288@redhat.com> Message-ID: To get the whole root environment you have to run su - root did you try with it? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dpal at redhat.com Sat Jan 10 21:39:21 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sat, 10 Jan 2015 16:39:21 -0500 Subject: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation In-Reply-To: References: <54B02D10.7020807@redhat.com> Message-ID: <54B19C09.1000209@redhat.com> On 01/10/2015 04:41 AM, Sina Owolabi wrote: > I've run ipa-dns-install after the fact now, and named is setup. > Strange, it used to work without me having to do this manually > (whenever I needed to take down a replica). > However when I ran dnsconfig-mod on the new replica, I get: > > ipa dnsconfig-mod > ipa: ERROR: cert validation failed for > "CN=services01.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) > Peer's certificate issuer has been marked as not trusted by the user.) > ipa: ERROR: cert validation failed for > "CN=services.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) > Peer's certificate issuer has been marked as not trusted by the user.) > ipa: ERROR: cannot connect to Gettext('any of the configured servers', > domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml, > https://services.mydom.com/ipa/xml Can it be that your certs have expired and were not properly renewed? How long have you been running this setup? More than two years? Have you been upgrading since early versions? > > On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi wrote: >> I did run it with --setup-dns. >> >> [root at services01 ~]# ipa-replica-install --setup-dns >> --forwarder=8.8.8.8 --forwarder=8.8.4.4 >> replica-info-services01.mydom.com.gpg >> >> How can I fix this, please? >> >> On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden wrote: >>> Sina Owolabi wrote: >>>> Hi List, >>>> >>>> I've seen this happen on two occasions, now, in two different >>>> environments, one with RHEL6.6 and RHEL 6.3. 
>>>> >>>> I have issues with a replica sever, I delete the replication >>>> agreement, remove the server from ipa dns, run ipa-server-install >>>> --uninstall -U. >>>> Reboot the server, create new replication settings from the existing >>>> master, and restore the replica. >>>> Running ipactl status, I see: >>>> >>>> ipactl status >>>> Directory Service: RUNNING >>>> KDC Service: RUNNING >>>> KPASSWD Service: RUNNING >>>> MEMCACHE Service: RUNNING >>>> HTTP Service: RUNNING >>>> >>>> No DNS service listed. Named is not running. >>>> >>>> ipactl restart >>>> Restarting Directory Service >>>> Shutting down dirsrv: >>>> MYDOM-COM... [ OK ] >>>> Starting dirsrv: >>>> MYDOM-COM... [ OK ] >>>> Restarting KDC Service >>>> Stopping Kerberos 5 KDC: [ OK ] >>>> Starting Kerberos 5 KDC: [ OK ] >>>> Restarting KPASSWD Service >>>> Stopping Kerberos 5 Admin Server: [ OK ] >>>> Starting Kerberos 5 Admin Server: [ OK ] >>>> Restarting MEMCACHE Service >>>> Stopping ipa_memcached: [ OK ] >>>> Starting ipa_memcached: [ OK ] >>>> Restarting HTTP Service >>>> Stopping httpd: [ OK ] >>>> Starting httpd: [ OK ] >>>> >>>> Checking on named: >>>> service named status >>>> rndc: connect failed: 127.0.0.1#953: connection refused >>>> named is stopped >>>> # service named start >>>> Starting named: [ OK ] >>>> # service named status >>>> version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 >>>> CPUs found: 2 >>>> worker threads: 2 >>>> number of zones: 19 >>>> debug level: 0 >>>> xfers running: 0 >>>> xfers deferred: 0 >>>> soa queries in progress: 0 >>>> query logging is OFF >>>> recursive clients: 0/0/1000 >>>> tcp clients: 0/100 >>>> server is up and running >>>> named (pid 25017) is running... >>>> >>>> But it does not resolve. Please what is happening and how can I fix this? >>>> I don't know what logs to provide, but please let me know what is >>>> necessary and I'll make them available. >>> Bind is an optional service. 
You can either configure it at the time you >>> install replica using the --setup-dns option or afterward using >>> ipa-dns-install. >>> >>> rob >>> -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From notify.sina at gmail.com Sat Jan 10 22:47:49 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Sat, 10 Jan 2015 23:47:49 +0100 Subject: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation In-Reply-To: <54B19C09.1000209@redhat.com> References: <54B02D10.7020807@redhat.com> <54B19C09.1000209@redhat.com> Message-ID: Yes, I've had this installed more than three years, and I upgrade from time to time, not frequently because I don't want to break anything. I just did an upgrade to the latest RHEL version about a week ago, when the replica started acting up. Directory services would hang indefinitely, and nothing else would function. So I took it down and reinstalled ipa and resynced. Is there a fix I can apply? On Jan 10, 2015 10:42 PM, "Dmitri Pal" wrote: > On 01/10/2015 04:41 AM, Sina Owolabi wrote: > >> I've run ipa-dns-install after the fact now, and named is setup. >> Strange, it used to work without me having to do this manually >> (whenever I needed to take down a replica). >> However when I ran dnsconfig-mod on the new replica, I get: >> >> ipa dnsconfig-mod >> ipa: ERROR: cert validation failed for >> "CN=services01.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) >> Peer's certificate issuer has been marked as not trusted by the user.) >> ipa: ERROR: cert validation failed for >> "CN=services.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) >> Peer's certificate issuer has been marked as not trusted by the user.) >> ipa: ERROR: cannot connect to Gettext('any of the configured servers', >> domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml, >> https://services.mydom.com/ipa/xml >> > > Can it be that your certs have expired and were not properly renewed? 
> How long have you been running this setup? > More than two years? > Have you been upgrading since early versions? > > > >> On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi >> wrote: >> >>> I did run it with --setup-dns. >>> >>> [root at services01 ~]# ipa-replica-install --setup-dns >>> --forwarder=8.8.8.8 --forwarder=8.8.4.4 >>> replica-info-services01.mydom.com.gpg >>> >>> How can I fix this, please? >>> >>> On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden >>> wrote: >>> >>>> Sina Owolabi wrote: >>>> >>>>> Hi List, >>>>> >>>>> I've seen this happen on two occasions, now, in two different >>>>> environments, one with RHEL6.6 and RHEL 6.3. >>>>> >>>>> I have issues with a replica sever, I delete the replication >>>>> agreement, remove the server from ipa dns, run ipa-server-install >>>>> --uninstall -U. >>>>> Reboot the server, create new replication settings from the existing >>>>> master, and restore the replica. >>>>> Running ipactl status, I see: >>>>> >>>>> ipactl status >>>>> Directory Service: RUNNING >>>>> KDC Service: RUNNING >>>>> KPASSWD Service: RUNNING >>>>> MEMCACHE Service: RUNNING >>>>> HTTP Service: RUNNING >>>>> >>>>> No DNS service listed. Named is not running. >>>>> >>>>> ipactl restart >>>>> Restarting Directory Service >>>>> Shutting down dirsrv: >>>>> MYDOM-COM... [ OK ] >>>>> Starting dirsrv: >>>>> MYDOM-COM... 
[ OK ] >>>>> Restarting KDC Service >>>>> Stopping Kerberos 5 KDC: [ OK ] >>>>> Starting Kerberos 5 KDC: [ OK ] >>>>> Restarting KPASSWD Service >>>>> Stopping Kerberos 5 Admin Server: [ OK ] >>>>> Starting Kerberos 5 Admin Server: [ OK ] >>>>> Restarting MEMCACHE Service >>>>> Stopping ipa_memcached: [ OK ] >>>>> Starting ipa_memcached: [ OK ] >>>>> Restarting HTTP Service >>>>> Stopping httpd: [ OK ] >>>>> Starting httpd: [ OK ] >>>>> >>>>> Checking on named: >>>>> service named status >>>>> rndc: connect failed: 127.0.0.1#953: connection refused >>>>> named is stopped >>>>> # service named start >>>>> Starting named: [ OK ] >>>>> # service named status >>>>> version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 >>>>> CPUs found: 2 >>>>> worker threads: 2 >>>>> number of zones: 19 >>>>> debug level: 0 >>>>> xfers running: 0 >>>>> xfers deferred: 0 >>>>> soa queries in progress: 0 >>>>> query logging is OFF >>>>> recursive clients: 0/0/1000 >>>>> tcp clients: 0/100 >>>>> server is up and running >>>>> named (pid 25017) is running... >>>>> >>>>> But it does not resolve. Please what is happening and how can I fix >>>>> this? >>>>> I don't know what logs to provide, but please let me know what is >>>>> necessary and I'll make them available. >>>>> >>>> Bind is an optional service. You can either configure it at the time you >>>> install replica using the --setup-dns option or afterward using >>>> ipa-dns-install. >>>> >>>> rob >>>> >>>> > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
From dpal at redhat.com Sat Jan 10 23:10:31 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sat, 10 Jan 2015 18:10:31 -0500 Subject: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation In-Reply-To: References: <54B02D10.7020807@redhat.com> <54B19C09.1000209@redhat.com> Message-ID: <54B1B167.4050702@redhat.com>

On 01/10/2015 05:47 PM, Sina Owolabi wrote:
>
> Yes, I've had this installed more than three years, and I upgrade from
> time to time, not frequently because I don't want to break anything. I
> just did an upgrade to the latest RHEL version about a week ago, when
> the replica started acting up. Directory services would hang
> indefinitely, and nothing else would function. So I took it down and
> reinstalled ipa and resynced.
> Is there a fix I can apply?
>
Your situation has quite similar symptoms to the case of expired certificates. What most likely happened is that the certificates were not renewed properly, or not renewed properly on all servers. Here is the procedure: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

There have also been some threads, as a lot of people hit this. Check the IPA mailing archives. Rob Crittenden is the person who was hand-holding other people on the list through this and similar procedures, so look for his posts.

But before you go there, please check that this is actually the case and your certs in fact expired. Check all your servers. Here is the pointer: http://www.freeipa.org/page/Troubleshooting#PKI_Issues

> On Jan 10, 2015 10:42 PM, "Dmitri Pal" wrote:
>
> On 01/10/2015 04:41 AM, Sina Owolabi wrote:
>
> I've run ipa-dns-install after the fact now, and named is setup.
> Strange, it used to work without me having to do this manually
> (whenever I needed to take down a replica).
> However when I ran dnsconfig-mod on the new replica, I get: > > ipa dnsconfig-mod > ipa: ERROR: cert validation failed for > "CN=services01.mydom.com > ,O=MYDOM.COM " > ((SEC_ERROR_UNTRUSTED_ISSUER) > Peer's certificate issuer has been marked as not trusted by > the user.) > ipa: ERROR: cert validation failed for > "CN=services.mydom.com ,O=MYDOM.COM > " ((SEC_ERROR_UNTRUSTED_ISSUER) > Peer's certificate issuer has been marked as not trusted by > the user.) > ipa: ERROR: cannot connect to Gettext('any of the configured > servers', > domain='ipa', localedir=None): > https://services01.mydom.com/ipa/xml, > https://services.mydom.com/ipa/xml > > > Can it be that your certs have expired and were not properly renewed? > How long have you been running this setup? > More than two years? > Have you been upgrading since early versions? > > > > On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi > > wrote: > > I did run it with --setup-dns. > > [root at services01 ~]# ipa-replica-install --setup-dns > --forwarder=8.8.8.8 --forwarder=8.8.4.4 > replica-info-services01.mydom.com.gpg > > How can I fix this, please? > > On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden > > wrote: > > Sina Owolabi wrote: > > Hi List, > > I've seen this happen on two occasions, now, in > two different > environments, one with RHEL6.6 and RHEL 6.3. > > I have issues with a replica sever, I delete the > replication > agreement, remove the server from ipa dns, run > ipa-server-install > --uninstall -U. > Reboot the server, create new replication settings > from the existing > master, and restore the replica. > Running ipactl status, I see: > > ipactl status > Directory Service: RUNNING > KDC Service: RUNNING > KPASSWD Service: RUNNING > MEMCACHE Service: RUNNING > HTTP Service: RUNNING > > No DNS service listed. Named is not running. > > ipactl restart > Restarting Directory Service > Shutting down dirsrv: > MYDOM-COM... [ OK ] > Starting dirsrv: > MYDOM-COM... 
[ OK ] > Restarting KDC Service > Stopping Kerberos 5 KDC: [ OK ] > Starting Kerberos 5 KDC: [ OK ] > Restarting KPASSWD Service > Stopping Kerberos 5 Admin Server: [ OK ] > Starting Kerberos 5 Admin Server: [ OK ] > Restarting MEMCACHE Service > Stopping ipa_memcached: [ OK ] > Starting ipa_memcached: [ OK ] > Restarting HTTP Service > Stopping httpd: [ OK ] > Starting httpd: [ OK ] > > Checking on named: > service named status > rndc: connect failed: 127.0.0.1#953: connection > refused > named is stopped > # service named start > Starting named: [ OK ] > # service named status > version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 > CPUs found: 2 > worker threads: 2 > number of zones: 19 > debug level: 0 > xfers running: 0 > xfers deferred: 0 > soa queries in progress: 0 > query logging is OFF > recursive clients: 0/0/1000 > tcp clients: 0/100 > server is up and running > named (pid 25017) is running... > > But it does not resolve. Please what is happening > and how can I fix this? > I don't know what logs to provide, but please let > me know what is > necessary and I'll make them available. > > Bind is an optional service. You can either configure > it at the time you > install replica using the --setup-dns option or > afterward using > ipa-dns-install. > > rob > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
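Dmitri's advice above is to confirm, on every server, whether the certificates really expired before starting the renewal procedure. The usual way to see that is certmonger's getcert list command, which prints one block per tracked certificate with its status, any ca-error, and the expiry time. The script below is an added example written for this page, not code from the thread or from FreeIPA: it parses that output and flags certificates that are expired, close to expiry, or whose renewal is stuck (status other than MONITORING, stuck: yes, or a ca-error line). The sample output embedded in it is constructed to resemble certmonger's format; the request IDs, NSS database paths and nicknames in it are assumptions, not data from the poster's servers. Run getcert list on each master and replica and pass the real output to triage_text().

```python
"""Triage certmonger's "getcert list" output for expired or stuck IPA certificates.

Added example for this page, not code from the thread or from FreeIPA. It
assumes certmonger's usual layout: one "Request ID '...':" line per tracked
certificate, followed by indented "key: value" lines such as status, stuck,
ca-error, subject and expires ("YYYY-MM-DD HH:MM:SS UTC").
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in certmonger's format (not real output from the poster's
# servers); request IDs, paths and nicknames are assumptions.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20120110093000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=services01.mydom.com,O=MYDOM.COM
\texpires: 2014-12-20 09:30:00 UTC
Request ID '20120110093001':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed).
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=services01.mydom.com,O=MYDOM.COM
\texpires: 2015-01-25 09:30:00 UTC
Request ID '20120110093002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=CA Subsystem,O=MYDOM.COM
\texpires: 2016-06-01 09:30:00 UTC
"""

REQUEST_RE = re.compile(r"Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert(text):
    """Split getcert output into one dict per tracked request (keys as printed)."""
    requests = []
    current = None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # header line before the first request
        key, sep, value = line.strip().partition(": ")
        if sep:
            current[key] = value
    return requests


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    if not value.endswith(" UTC"):
        raise ValueError("unexpected expiry format: %r" % value)
    return datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def triage(requests, now, warn_within=timedelta(days=28)):
    """Label each request: expired, stuck (renewal not progressing), expiring, or ok."""
    findings = []
    for req in requests:
        expires = parse_expiry(req["expires"])
        if expires <= now:
            state = "expired"
        elif req.get("status") != "MONITORING" or req.get("stuck") == "yes" or "ca-error" in req:
            state = "stuck"
        elif expires - now <= warn_within:
            state = "expiring"
        else:
            state = "ok"
        nick = NICKNAME_RE.search(req.get("certificate", ""))
        findings.append({
            "request_id": req["request_id"],
            "nickname": nick.group(1) if nick else "",
            "subject": req.get("subject", ""),
            "status": req.get("status", ""),
            "ca_error": req.get("ca-error", ""),
            "expires": expires,
            "state": state,
        })
    return findings


def triage_text(text, now_str):
    """Parse raw getcert output and triage it against a 'now' given in the same timestamp format."""
    return triage(parse_getcert(text), parse_expiry(now_str))


def problems(findings):
    """Only the entries an admin has to act on, worst first."""
    order = {"expired": 0, "stuck": 1, "expiring": 2}
    return sorted((f for f in findings if f["state"] in order), key=lambda f: order[f["state"]])


if __name__ == "__main__":
    # Evaluated at the date of the thread; on this constructed host Dmitri's suspicion holds.
    for f in problems(triage_text(SAMPLE_GETCERT_OUTPUT, "2015-01-10 23:10:00 UTC")):
        print("%-8s %-26s %s  expires %s  %s" % (
            f["state"], f["nickname"], f["subject"], f["expires"].date(), f["ca_error"]))
```

An expired entry is ranked above a stuck one on purpose: an expired HTTP or LDAP certificate explains the SEC_ERROR_UNTRUSTED_ISSUER failures directly, while a stuck renewal with a still-valid certificate is the warning that the same failure is coming. The ordering of the checks matters on a host where the clock has been moved back to get renewal going, since the expired state is decided from the supplied now, not from the machine clock.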
From rakesh.rajasekharan at gmail.com Sun Jan 11 09:01:26 2015 From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan) Date: Sun, 11 Jan 2015 14:31:26 +0530 Subject: [Freeipa-users] freeipa authentication token manipulation error Message-ID:

Hi,

I am having some issues with freeipa. Whenever I change the password for any user, he is not able to change the password, and he gets the error "authentication token manipulation error":

Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

I was able to get this running on another environment; not sure what went wrong here.

I have migrated my existing users from openldap.

Thanks,
Rakesh

From john.obaterspok at gmail.com Sun Jan 11 10:00:16 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Sun, 11 Jan 2015 11:00:16 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> <20150109171201.GN16288@redhat.com> Message-ID:

2015-01-10 13:32 GMT+01:00 Gianluca Cecchi :
> To get the whole root environment you have to run
> su - root
> did you try with it?
>
ahh... that works fine Gianluca!

Final question, if I have a file on the share like:
[john at ipaserver mountpoint]$ ll test.txt
-rwxr-----. 1 root admins 12 11 jan 10.42 test.txt

Should I be able to access it if I acquire an admin ticket?
Currently I get Permission denied

[john at ipaserver mountpoint]$ id
uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[john at ipaserver mountpoint]$ getfacl test.txt
# file: test.txt
# owner: root
# group: admins
user::rwx
group::r--
other::---

[john at ipaserver mountpoint]$ id admin
uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins)

[john at ipaserver mountpoint]$ klist
Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf
Default principal: admin at MY.LAN

Valid starting       Expires              Service principal
2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/MY.LAN at MY.LAN

[john at ipaserver mountpoint]$ cat test.txt
cat: test.txt: Permission denied

From jhrozek at redhat.com Sun Jan 11 15:31:57 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 11 Jan 2015 16:31:57 +0100 Subject: [Freeipa-users] freeipa authentication token manipulation error In-Reply-To: References: Message-ID: <20150111153054.GA8082@hendrix.brq.redhat.com>

On Sun, Jan 11, 2015 at 02:31:26PM +0530, Rakesh Rajasekharan wrote:
> Hi,
>
> I am having some issues with freeipa. Whenever I change the password for
> any user,
> He is not able to change the password. and he gets error "authentication
> token manipulation error"
>
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
>
> I was able to get this running on another environment not sure what went
> wrong here.
>
> I have migrated my existing users from openldap.
>
> Thanks,
> Rakesh

What is the sssd version?

Is the password changed despite the error (you can test with kinit and either the new or the old password)?

Increasing sssd log verbosity and checking krb5_child.log might help, too.
From jhrozek at redhat.com Sun Jan 11 15:33:23 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 11 Jan 2015 16:33:23 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> <20150109171201.GN16288@redhat.com> Message-ID: <20150111153323.GB8082@hendrix.brq.redhat.com>

On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi :
>
> > To get the whole root environment you have to run
> > su - root
> > did you try with it?
> >
>
> ahh... that works fine Gianluca!
>
> Final question, if I have a file on the share like:
> [john at ipaserver mountpoint]$ ll test.txt
> -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt
>
> Should I be able to access it if I acquire an admin ticket? Currently I get
> Permission denied
>
> [john at ipaserver mountpoint]$ id
> uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> [john at ipaserver mountpoint]$ getfacl test.txt
> # file: test.txt
> # owner: root
> # group: admins
> user::rwx
> group::r--
> other::---
>
> [john at ipaserver mountpoint]$ id admin
> uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins)
>
> [john at ipaserver mountpoint]$ klist
> Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf
> Default principal: admin at MY.LAN
>
> Valid starting       Expires              Service principal
> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/MY.LAN at MY.LAN
>
> [john at ipaserver mountpoint]$ cat test.txt
> cat: test.txt: Permission denied

Looks like your account needs to be in the 'admins' group in order to access the file.

Acquiring the admin ticket doesn't switch the user ID nor add you to the group.
From dbmacartney at gmail.com Sun Jan 11 21:16:04 2015 From: dbmacartney at gmail.com (Dale Macartney) Date: Mon, 12 Jan 2015 08:16:04 +1100 Subject: [Freeipa-users] Group Policy-like features in FreeIPA Message-ID:

Morning folks

I am currently working on a little pet project which I think some would find useful.

I would like to introduce some group policy-like functionality into a FreeIPA domain.

For example: in an environment running FreeIPA Server with Fedora or RHEL based workstations, I would like to be able to introduce a few extra features which initially may be pushed via a login script (maybe even configure a dbus session as well, who knows?).

My intentions here would be to be able to apply host specific policies as well as have the option for user specific policies which would be applied when the user logs in.

Practically speaking, adding an attribute to LDAP to specify a login script file name is easy enough; however, actually fetching this is where I am hoping for a bit of brainstorming. My thoughts would be the local user would fetch the name of the login script via ldap, and then perhaps fetch the file from a shared resource on the FreeIPA masters in order to be executed locally.

LDAP is obviously replicated; however, to my knowledge, there is no file synchronization between masters. I am thinking something similar to the MS equivalent of the SYSVOL data that replicates between MS Domain Controllers. One option would be to store all data within LDAP; however, I've seen many scenarios where admins store CD ISOs in replicated domain data, so I am not certain this would be the best option.

With this replicated data folder, I would be able to store centrally managed scripts which would be used for hosts or users, and then configure the default user template on each workstation (/etc/skel/) to add the login script file name which would be fetched from the user's LDAP attributes.
Real world usability for what I am thinking of is a way to manage users who can have their corporate email mailbox configured on login, automatically setting the users session to point to an internal SSO enabled proxy server or perhaps any other number of things which an admin may wish to achieve without the need to manually do the work themselves. Has anyone undertaken a similar scenario in their environments or would perhaps have any suggestions on how to manage the centrally accessible file stores? Many thanks Dale -------------- next part -------------- An HTML attachment was scrubbed... URL: From rakesh.rajasekharan at gmail.com Mon Jan 12 08:42:58 2015 From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan) Date: Mon, 12 Jan 2015 14:12:58 +0530 Subject: [Freeipa-users] freeipa authentication token manipulation error In-Reply-To: <20150111153054.GA8082@hendrix.brq.redhat.com> References: <20150111153054.GA8082@hendrix.brq.redhat.com> Message-ID: The sssd version is 1.11.6 The password does not get changed, whatever password gets generated by ipa user-mod --random stays valid even after attempting the change. krb5_child.log does not have any contents. Thanks, Rakesh On Sun, Jan 11, 2015 at 9:01 PM, Jakub Hrozek wrote: > On Sun, Jan 11, 2015 at 02:31:26PM +0530, Rakesh Rajasekharan wrote: > > Hi, > > > > I am having some issues with freeipa. Whenever I change the password for > > any user, > > He is not able to change the password. and he gets error "authentication > > token manipualtion error" > > > > Changing password for user hq-testuser. > > Current Password: > > New password: > > Retype new password: > > passwd: Authentication token manipulation error > > > > > > I was able to get this running on another environment not sure whats went > > wrong here. > > > > I have migrated my exisitng users from openldap . > > > > Thanks, > > Rakesh > > What is the sssd version? 
> > Is the password changed despite the error (you can test with kinit and > either the new or the old password) ? > > Increasing sssd log verbosity and checking krb5_child.log might help, > too. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From john.obaterspok at gmail.com Mon Jan 12 08:46:37 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Mon, 12 Jan 2015 09:46:37 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: <20150111153323.GB8082@hendrix.brq.redhat.com> References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> <20150109171201.GN16288@redhat.com> <20150111153323.GB8082@hendrix.brq.redhat.com> Message-ID: 2015-01-11 16:33 GMT+01:00 Jakub Hrozek : > On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote: > > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi : > > > > > To get the whole root environment you have to run > > > su - root > > > did you try with it? > > > > > > > ahh... that works fine Gianluca! > > > > Final question, if I have a file on the share like: > > [john at ipaserver mountpoint]$ ll test.txt > > -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt > > > > Should I be able to access it if I aquire an admin ticket? 
> > Currently I get
> > Permission denied
> >
> > [john at ipaserver mountpoint]$ id
> > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john)
> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >
> > [john at ipaserver mountpoint]$ getfacl test.txt
> > # file: test.txt
> > # owner: root
> > # group: admins
> > user::rwx
> > group::r--
> > other::---
> >
> > [john at ipaserver mountpoint]$ id admin
> > uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins)
> >
> > [john at ipaserver mountpoint]$ klist
> > Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf
> > Default principal: admin at MY.LAN
> >
> > Valid starting       Expires              Service principal
> > 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/MY.LAN at MY.LAN
> >
> > [john at ipaserver mountpoint]$ cat test.txt
> > cat: test.txt: Permission denied
>
> Looks like your account needs to be in the 'admins' group in order to
> access the file.
>
> Acquiring the admin ticket doesn't switch the user ID nor add you to the
> group.
>
I thought the krb5 mount option would allow ticket-based access to the file. Is the purpose of the krb5 mount option just used during mounting of the share? Otherwise I see no difference compared to not using the krb5 mount option!?

-- john

From lslebodn at redhat.com Mon Jan 12 09:01:37 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 12 Jan 2015 10:01:37 +0100 Subject: [Freeipa-users] freeipa authentication token manipulation error In-Reply-To: References: <20150111153054.GA8082@hendrix.brq.redhat.com> Message-ID: <20150112090136.GA20499@mail.corp.redhat.com>

On (12/01/15 14:12), Rakesh Rajasekharan wrote:
>The sssd version is 1.11.6
>
>The password does not get changed, whatever password gets generated by ipa
>user-mod --random stays valid even after attempting the change.
>
>krb5_child.log does not have any contents.
The logging in sssd is disabled by default. You need to increase the level of verbosity. Put debug_level = 7 into the domain section and restart sssd.

It is also possible to change the debug level on the fly with the command line utility sss_debuglevel (part of the package sssd-tools).

LS

From pspacek at redhat.com Mon Jan 12 09:04:20 2015 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 12 Jan 2015 10:04:20 +0100 Subject: [Freeipa-users] Group Policy-like features in FreeIPA In-Reply-To: References: Message-ID: <54B38E14.6080701@redhat.com>

On 11.1.2015 22:16, Dale Macartney wrote:
> Morning folks
>
> I am currently working on a little pet project which I think some would
> find useful.
>
> I would like to introduce some group policy like functionality into a
> FreeIPA domain.
>
> For example:
> In an environment running FreeIPA Server with Fedora or RHEL based
> workstations, I would like to be able to introduce a few extra features
> which initially may be pushed via a login script (maybe even configure a
> dbus session as well, who knows?).
>
> My intentions here would be to be able to apply host specific policies as
> well as have the option for user specific policies which would be applied
> when the user logs in.
>
> Practically speaking, adding an attribute to LDAP to specify a login script
> file name is easy enough, however actually fetching this is where I am
> hoping for a bit of brain storming. My thoughts would be the local user
> would fetch the name of the login script via ldap, and then perhaps fetch
> the file from a shared resource on the FreeIPA masters in order to be
> executed locally.
>
> LDAP is obviously replicated, however to my knowledge, there is no file
> synchronization between masters. I am thinking something similar to the MS
> equivalent of the SYSVOL data that replicates between MS Domain
> Controllers.
One option would be to store all data within LDAP, however > I've seen many scenarios where admins store CD ISO's in replicated domain > data, so I am not certain this would be the best option. > > With this replicated data folder, I would be able to store centrally > managed scripts which would be used for hosts or users, and then configure > the default user template on each workstation (/etc/skel/) to add the login > script file name which would be fetched from the users LDAP attributes. > > > Real world usability for what I am thinking of is a way to manage users who > can have their corporate email mailbox configured on login, automatically > setting the users session to point to an internal SSO enabled proxy server > or perhaps any other number of things which an admin may wish to achieve > without the need to manually do the work themselves. > > Has anyone undertaken a similar scenario in their environments or would > perhaps have any suggestions on how to manage the centrally accessible file > stores? Personally I'm not sure if FreeIPA is the right tool for configuration management. IMHO you would end up re-implementing Puppet/Ansible/other configuration management system. IMHO FreeIPA is the right place to manage policy-kit policies because these are basically access control rules but I would not go much further. (BTW newer versions of policy-kit can express policy as normal javascript code which in theory could call/communicate with a wrapper around LDAP/SSSD.) 
-- Petr^2 Spacek
From abokovoy at redhat.com Mon Jan 12 09:13:43 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Jan 2015 11:13:43 +0200 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150109091123.GM16288@redhat.com> <20150109171201.GN16288@redhat.com> <20150111153323.GB8082@hendrix.brq.redhat.com> Message-ID: <20150112091343.GO16288@redhat.com> On Mon, 12 Jan 2015, John Obaterspok wrote: >2015-01-11 16:33 GMT+01:00 Jakub Hrozek : > >> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote: >> > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi : >> > >> > > To get the whole root environment you have to run >> > > su - root >> > > did you try with it? >> > > >> > >> > ahh... that works fine Gianluca! >> > >> > Final question, if I have a file on the share like: >> > [john at ipaserver mountpoint]$ ll test.txt >> > -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt >> > >> > Should I be able to access it if I acquire an admin ticket? Currently I >> get >> > Permission denied >> > >> > [john at ipaserver mountpoint]$ id >> > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john) >> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >> > >> > [john at ipaserver mountpoint]$ getfacl test.txt >> > # file: test.txt >> > # owner: root >> > # group: admins >> > user::rwx >> > group::r-- >> > other::--- >> > >> > [john at ipaserver mountpoint]$ id admin >> > uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins) >> > >> > [john at ipaserver mountpoint]$ klist >> > Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf >> > Default principal: admin at MY.LAN >> > >> > Valid starting Expires Service principal >> > 2015-01-11 10:43:52 2015-01-12 10:43:50 krbtgt/MY.LAN at MY.LAN >> > >> > [john at ipaserver mountpoint]$ cat test.txt >> > cat: test.txt: Permission denied >> >> Looks like your account needs to be in the 'admins' group in order to >> access the file. 
>> >> Acquiring the admin ticket doesn't switch the user ID nor add you to the >> group.. >> >> >I thought the krb5 mount option would allow ticket based access to the >file. >Is the purpose of the krb5 mount option just used during mounting of the >share? Otherwise I see no difference compared to not using krb5 mount >option!? Its purpose is authentication. After you have been successfully recognized by the server, both client and server need to map your identity while authorizing your access to actual files. In CIFS there are two types of access control which are applied at the same time: - ACLs per file or directory - POSIX access control based on uid/gid of a process that accesses the file or directory Client-side checks in cifs.ko can be switched off by noperm option. In this case server side will be doing actual access enforcement, using the uid/gid mapped on the server side (based on the Kerberos principal), unless CIFS Unix Extensions were negotiated between cifs.ko and the server. In the latter case client will pass uid/gid of a client to the server and server will do the actual check using them instead of discovering them based on the authentication token. In case where there is a common identity store in use with Kerberos, it is often better to use cifs.ko option multiuser which will imply noperm and server will be doing all the checks. 
-- / Alexander Bokovoy
From rakesh.rajasekharan at gmail.com Mon Jan 12 09:55:18 2015 From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan) Date: Mon, 12 Jan 2015 15:25:18 +0530 Subject: [Freeipa-users] freeipa authentication token manipulation error In-Reply-To: <20150112090136.GA20499@mail.corp.redhat.com> References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> Message-ID: This is what I get now in the krb5_child.log after setting the debug_level Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab] (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ qa-dummy-int.test.com at TEST.COM)] (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [match_principal] (0x1000): Principal matched to the sample (host/ qa-dummy-int.test.com at TEST.COM). (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid. 
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [main] (0x0400): Will perform password change (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [changepw_child] (0x1000): Password change operation (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM] On Mon, Jan 12, 2015 at 2:31 PM, Lukas Slebodnik wrote: > On (12/01/15 14:12), Rakesh Rajasekharan wrote: > >The sssd version is 1.11.6 > > > >The password does not get changed, whatever password gets generated by ipa > >user-mod --random stays valid even after attempting the change. > > > >krb5_child.log does not have any contents. > The logging in sssd is disabled by default. You need to increase level of > verbosity. > > Put debug_level = 7 into domain section and restart sssd. > It is also possible to change debug level on the fly with command line > utility > sss_debuglevel (part of package sssd-tools) > > LS > -------------- next part -------------- An HTML attachment was scrubbed... URL:
From rakesh.rajasekharan at gmail.com Mon Jan 12 10:31:32 2015 From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan) Date: Mon, 12 Jan 2015 16:01:32 +0530 Subject: [Freeipa-users] freeipa authentication token manipulation error In-Reply-To: References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> Message-ID: under /var/log/secure.. 
have this error passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy) On Mon, Jan 12, 2015 at 3:25 PM, Rakesh Rajasekharan < rakesh.rajasekharan at gmail.com> wrote: > This is what I get now in the krb5_child.log after setting the > debug_level > > Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [unpack_buffer] > (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: > [/etc/krb5.keytab] > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] > from environment. > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > environment. > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [k5c_setup_fast] > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ > qa-dummy-int.test.com at TEST.COM)] > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [match_principal] > (0x1000): Principal matched to the sample (host/ > qa-dummy-int.test.com at TEST.COM). > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [check_fast_ccache] > (0x0200): FAST TGT is still valid. > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [main] (0x0400): > Will perform password change > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [changepw_child] > (0x1000): Password change operation > (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [changepw_child] > (0x0400): Attempting kinit for realm [TEST.COM] > > > > On Mon, Jan 12, 2015 at 2:31 PM, Lukas Slebodnik > wrote: > >> On (12/01/15 14:12), Rakesh Rajasekharan wrote: >> >The sssd version is 1.11.6 >> > >> >The password does not get changed, whatever password gets generated by >> ipa >> >user-mod --random stays valid even after attempting the change. 
>> > >> >krb5_child.log does not have any contents. >> The logging in sssd is disabled by default. You need to increase level of >> verbosity. >> >> Put debug_level = 7 into domain section and restart sssd. >> It is also possible to change debug level on the fly with command line >> utility >> sss_debuglevel (part of package sssd-tools) >> >> LS >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL:
From mkosek at redhat.com Mon Jan 12 11:52:51 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 12 Jan 2015 12:52:51 +0100 Subject: [Freeipa-users] Group Policy-like features in FreeIPA In-Reply-To: <54B38E14.6080701@redhat.com> References: <54B38E14.6080701@redhat.com> Message-ID: <54B3B593.4030409@redhat.com> On 01/12/2015 10:04 AM, Petr Spacek wrote: > On 11.1.2015 22:16, Dale Macartney wrote: >> Morning folks >> >> I am currently working on a little pet project which I think some would >> find useful. >> >> I would like to introduce some group policy like functionality into a >> FreeIPA domain. >> >> For example: >> In an environment running FreeIPA Server with Fedora or RHEL based >> workstations, I would like to be able to introduce a few extra features >> which initially may be pushed via a login script (maybe even configure a >> dbus session as well, who knows?). >> >> My intentions here would be to be able to apply host specific policies as >> well as have the option for user specific policies which would be applied >> when the user logs in. >> >> Practically speaking, adding an attribute to LDAP to specify a login script >> file name is easy enough, however actually fetching this is where I am >> hoping for a bit of brain storming. My thoughts would be the local user >> would fetch the name of the login script via ldap, and then perhaps fetch >> the file from a shared resource on the FreeIPA masters in order to be >> executed locally. 
>> >> LDAP is obviously replicated, however to my knowledge, there is no file >> synchronization between masters. I am thinking something similar to the MS >> equivalent of the SYSVOL data that replicates between MS Domain >> Controllers. One option would be to store all data within LDAP, however >> I've seen many scenarios where admins store CD ISO's in replicated domain >> data, so I am not certain this would be the best option. >> >> With this replicated data folder, I would be able to store centrally >> managed scripts which would be used for hosts or users, and then configure >> the default user template on each workstation (/etc/skel/) to add the login >> script file name which would be fetched from the users LDAP attributes. >> >> >> Real world usability for what I am thinking of is a way to manage users who >> can have their corporate email mailbox configured on login, automatically >> setting the users session to point to an internal SSO enabled proxy server >> or perhaps any other number of things which an admin may wish to achieve >> without the need to manually do the work themselves. >> >> Has anyone undertaken a similar scenario in their environments or would >> perhaps have any suggestions on how to manage the centrally accessible file >> stores? > > Personally I'm not sure if FreeIPA is the right tool for configuration > management. IMHO you would end up re-implementing Puppet/Ansible/other > configuration management system. Maybe. Though note that this is not the first attempt to add a file storage to FreeIPA. It is currently tracked in https://fedorahosted.org/freeipa/ticket/1225, free for takers. I at least added a link to this proposal when the RFE is revisited. 
Martin
From dpal at redhat.com Mon Jan 12 13:26:31 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 12 Jan 2015 08:26:31 -0500 Subject: [Freeipa-users] freeipa authentication token manipulation error In-Reply-To: References: Message-ID: <54B3CB87.6090007@redhat.com> On 01/11/2015 04:01 AM, Rakesh Rajasekharan wrote: > Hi, > > I am having some issues with freeipa. Whenever I change the password > for any user, > He is not able to change the password. and he gets error > "authentication token manipulation error" > > Changing password for user hq-testuser. > Current Password: > New password: > Retype new password: > passwd: Authentication token manipulation error > > > I was able to get this running on another environment not sure what > went wrong here. > > I have migrated my existing users from openldap . Does it happen for all users or only users that you migrated? Can you create a new user and set a password for him? If it does not work I suspect something is wrong with either krb5.conf or global password policy on the server. If it works for new users but not for migrated ones then compare the entries of such users using ldap command and see what is different. > > Thanks, > Rakesh > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL:
From dpal at redhat.com Mon Jan 12 13:34:46 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 12 Jan 2015 08:34:46 -0500 Subject: [Freeipa-users] Group Policy-like features in FreeIPA In-Reply-To: <54B3B593.4030409@redhat.com> References: <54B38E14.6080701@redhat.com> <54B3B593.4030409@redhat.com> Message-ID: <54B3CD76.3030808@redhat.com> On 01/12/2015 06:52 AM, Martin Kosek wrote: > On 01/12/2015 10:04 AM, Petr Spacek wrote: >> On 11.1.2015 22:16, Dale Macartney wrote: >>> Morning folks >>> >>> I am currently working on a little pet project which I think some would >>> find useful. 
>>> >>> I would like to introduce some group policy like functionality into a >>> FreeIPA domain. >>> >>> For example: >>> In an environment running FreeIPA Server with Fedora or RHEL based >>> workstations, I would like to be able to introduce a few extra features >>> which initially may be pushed via a login script (maybe even configure a >>> dbus session as well, who knows?). >>> >>> My intentions here would be to be able to apply host specific policies as >>> well as have the option for user specific policies which would be applied >>> when the user logs in. >>> >>> Practically speaking, adding an attribute to LDAP to specify a login script >>> file name is easy enough, however actually fetching this is where I am >>> hoping for a bit of brain storming. My thoughts would be the local user >>> would fetch the name of the login script via ldap, and then perhaps fetch >>> the file from a shared resource on the FreeIPA masters in order to be >>> executed locally. >>> >>> LDAP is obviously replicated, however to my knowledge, there is no file >>> synchronization between masters. I am thinking something similar to the MS >>> equivalent of the SYSVOL data that replicates between MS Domain >>> Controllers. One option would be to store all data within LDAP, however >>> I've seen many scenarios where admins store CD ISO's in replicated domain >>> data, so I am not certain this would be the best option. >>> >>> With this replicated data folder, I would be able to store centrally >>> managed scripts which would be used for hosts or users, and then configure >>> the default user template on each workstation (/etc/skel/) to add the login >>> script file name which would be fetched from the users LDAP attributes. 
>>> >>> >>> Real world usability for what I am thinking of is a way to manage users who >>> can have their corporate email mailbox configured on login, automatically >>> setting the users session to point to an internal SSO enabled proxy server >>> or perhaps any other number of things which an admin may wish to achieve >>> without the need to manually do the work themselves. >>> >>> Has anyone undertaken a similar scenario in their environments or would >>> perhaps have any suggestions on how to manage the centrally accessible file >>> stores? >> Personally I'm not sure if FreeIPA is the right tool for configuration >> management. IMHO you would end up re-implementing Puppet/Ansible/other >> configuration management system. > Maybe. Though note that this not the first attempt to add a file storage to > FreeIPA. It is currently tracked in > https://fedorahosted.org/freeipa/ticket/1225, free for takers. > > I at least added a link to this proposal when the RFE is revisited. > > Martin > I would say there are two parts: - The scripts that need to be delivered and run - Information which scripts to run and parameters of the script Storing scripts in IPA is IMO a bad idea. However IPA is a reasonable place for storing information related to a script invocation. Scripts can be delivered with Puppet/Chef/Salt/Ansible or just live on a mount point. IPA can be a good place to store this mount point and identify the script and arguments to run on login from that mount point. 2c. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From dbischof at hrz.uni-kassel.de Mon Jan 12 14:53:58 2015 From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de) Date: Mon, 12 Jan 2015 15:53:58 +0100 (CET) Subject: [Freeipa-users] Replica install fails when using --setup-ca In-Reply-To: References: Message-ID: Hi, no ideas about this one? 
I'm unsure if I did something wrong, but since I installed both systems the same way, I really don't know, what could be wrong. One thing that may be related: The working system (the one that doesn't fail to create a replica with "--setup-ca") went productive in April 2014, the one that fails in September 2014. In between were several updates to the ipa-server package, including one related to Dogtag ("Proxy calls to /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with Dogtag 10 PKI (#1083878)"). Can this cause errors like the one I observe? Something else I may want to look into? My installations are pretty much standard, except that I use an external DNS and have SELinux disabled. Best regards, --Daniel. On Tue, 6 Jan 2015, dbischof at hrz.uni-kassel.de wrote: > I have two small FreeIPA installations (for two different realms), both > with CentOS 6/FreeIPA 3.0.0-42. After running them both with only one > master server each for a while, I attempted to extend both installations > with one replica each. > > Doing a > > ipa-replica-install --setup-ca /var/lib/ipa/replica-info-... > > worked fine for one of the installations, but failed for the other: > > --- > [...] 
> > [3/17]: configuring certificate server instance ipa : CRITICAL failed > to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent > ConfigureCA -cs_hostname xxx -cs_port 9445 -client_certdb_dir > /tmp/tmp-YsXvhP -client_certdb_pwd XXXXXXXX -preop_pin > vJl0m3xc9Oz7b1fIgttD -domain_name IPA -admin_user admin -admin_email > root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent > -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject > CN=ipa-ca-agent,O=YYY -ldap_host xxx -ldap_port 7389 -bind_dn > cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name > ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA > -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name > internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=YYY > -ca_server_cert_subject_name CN=xxx,O=YYY > -ca_audit_signing_cert_subject_name CN=CA Audit,O=YYY > -ca_sign_cert_subject_name CN=Certificate Authority,O=YYY -external > false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX > -sd_hostname mmm -sd_admin_port 443 -sd_admin_name admin > -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri > https://mmm:443' returned non-zero exit status 255 > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > --- > > /var/log/ipareplica-install.log: > > --- > [...] 
> Error in DomainPanel(): updateStatus value is null > ERROR: ConfigureCA: DomainPanel() failure > ERROR: unable to create CA > > ####################################################################### > > 2015-01-06T13:36:25Z DEBUG stderr= > 2015-01-06T13:36:25Z CRITICAL failed to configure ca instance Command > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > 2015-01-06T13:36:25Z INFO File > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line > 614, in run_script > return_value = main_function() > > File "/usr/sbin/ipa-replica-install", line 476, in main > (CA, cs) = cainstance.install_replica_ca(config) > > File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", > line 1626, in install_replica_ca > subject_base=config.subject_base) > > File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", > line 626, in configure_instance > self.start_creation(runtime=210) > > File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line > 358, in start_creation > method() > > File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", > line 888, in __configure_instance > raise RuntimeError('Configuration of CA failed') > > 2015-01-06T13:36:25Z INFO The ipa-replica-install command failed, exception: > RuntimeError: Configuration of CA failed > --- > > Omitting "--setup-ca" lets me successfully install a working replica > server. > > The problem appears to be my installation (since the other one works) - > however: Both (intended) replica servers are nearly identical (operating > system version, installed packages, etc.). > > My understanding is that a replica without a CA is not a 100%-clone of a > IPA master, right? What are the downsides of having a replica without a > CA? 
From bpk678 at gmail.com Mon Jan 12 15:31:29 2015 From: bpk678 at gmail.com (brendan kearney) Date: Mon, 12 Jan 2015 10:31:29 -0500 Subject: [Freeipa-users] Getfedora.org ssl cert issue Message-ID: Can someone up-channel an issue with getfedora.org? The site changed URLs, and the cert was not amended to include the new URL as a Subject Alternative Name and now cert mismatches are occurring. -------------- next part -------------- An HTML attachment was scrubbed... URL:
From gutter007 at yahoo.com Mon Jan 12 15:35:16 2015 From: gutter007 at yahoo.com (Myles Merrell) Date: Mon, 12 Jan 2015 15:35:16 +0000 (UTC) Subject: [Freeipa-users] Adding/Editing Users/Groups with the same name Message-ID: <235099585.965775.1421076916531.JavaMail.yahoo@jws10676.mail.bf1.yahoo.com> I'm trying to add a 'backup' user AND a 'backup' group. At one point in the past a backup group did exist. I have a backup group. I then try to create a new user and get the following error:
IPA Error 4024
Unable to create private group. A group 'backup' already exists.
I also tried creating the backup user first then the group, and I get:
IPA Error 4002
group with name "backup" already exists
How do I create a backup user and backup group, and if not why?
thanks.
myles.
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From pspacek at redhat.com Mon Jan 12 15:52:53 2015 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 12 Jan 2015 16:52:53 +0100 Subject: [Freeipa-users] Getfedora.org ssl cert issue In-Reply-To: References: Message-ID: <54B3EDD5.7010400@redhat.com> On 12.1.2015 16:31, brendan kearney wrote: > Can someone up-channel an issue with getfedora.org? The site changed URLs, > and the cert was not amended to include the new URL as a Subject > Alternative Name and now cert mismatches are occurring. 
Please open a ticket on https://fedorahosted.org/fedora-infrastructure/ -- Petr^2 Spacek From rcritten at redhat.com Mon Jan 12 15:53:30 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 12 Jan 2015 10:53:30 -0500 Subject: [Freeipa-users] Adding/Editing Users/Groups with the same name In-Reply-To: <235099585.965775.1421076916531.JavaMail.yahoo@jws10676.mail.bf1.yahoo.com> References: <235099585.965775.1421076916531.JavaMail.yahoo@jws10676.mail.bf1.yahoo.com> Message-ID: <54B3EDFA.7070606@redhat.com> Myles Merrell wrote: > I'm trying to add a 'backup' user AND a 'backup' group. > > At one point in the past a backup group did exist. > > I have a backup group. I then try to create a new user and get the > following error: > IPA Error 4024 > Unable to create private group. A group 'backup' already exists. > > I also tried creating the backup user first then the group, and I get: > IPA Error 4002 > group with name "backup" already exists > > How do I create a backup user and backup group, and if not why? You need the noprivate option, e.g. $ ipa group-show backup $ ipa user-add --noprivate --first=Backup --last=User --gid= backup rob From CWhite at skytouchtechnology.com Mon Jan 12 16:01:57 2015 From: CWhite at skytouchtechnology.com (Craig White) Date: Mon, 12 Jan 2015 16:01:57 +0000 Subject: [Freeipa-users] Group Policy-like features in FreeIPA In-Reply-To: References: Message-ID: From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dale Macartney Sent: Sunday, January 11, 2015 2:16 PM To: freeipa-users at redhat.com Subject: [Freeipa-users] Group Policy-like features in FreeIPA Morning folks I am currently working on a little pet project which I think some would find useful. I would like to introduce some group policy like functionality into a FreeIPA domain. 
For example: In an environment running FreeIPA Server with Fedora or RHEL based workstations, I would like to be able to introduce a few extra features which initially may be pushed via a login script (maybe even configure a dbus session as well, who knows?). My intentions here would be to be able to apply host specific policies as well as have the option for user specific policies which would be applied when the user logs in. Practically speaking, adding an attribute to LDAP to specify a login script file name is easy enough, however actually fetching this is where I am hoping for a bit of brain storming. My thoughts would be the local user would fetch the name of the login script via ldap, and then perhaps fetch the file from a shared resource on the FreeIPA masters in order to be executed locally. LDAP is obviously replicated, however to my knowledge, there is no file synchronization between masters. I am thinking something similar to the MS equivalent of the SYSVOL data that replicates between MS Domain Controllers. One option would be to store all data within LDAP, however I've seen many scenarios where admins store CD ISO's in replicated domain data, so I am not certain this would be the best option. With this replicated data folder, I would be able to store centrally managed scripts which would be used for hosts or users, and then configure the default user template on each workstation (/etc/skel/) to add the login script file name which would be fetched from the users LDAP attributes. Real world usability for what I am thinking of is a way to manage users who can have their corporate email mailbox configured on login, automatically setting the users session to point to an internal SSO enabled proxy server or perhaps any other number of things which an admin may wish to achieve without the need to manually do the work themselves. 
Has anyone undertaken a similar scenario in their environments or would perhaps have any suggestions on how to manage the centrally accessible file stores? Many thanks ---- Specifically, I haven't fully implemented what you are asking but obviously parts and pieces yes. One of the best features of Linux and all of its various toolsets is that none are quite so overarching and the objectives are more focused. String them together and you have a working tool set. As a system administrator, you learn to pipe grep output to awk or sed or cut etc. SYSVOL <=> NFS and if that doesn't do it for you, check out Unison. I guess one of the temptations of FreeIPA is to try to make it exactly like active directory. The FreeIPA developers are already doing an amazing job without a ton of manpower. Craig -------------- next part -------------- An HTML attachment was scrubbed... URL:
From bpk678 at gmail.com Mon Jan 12 16:20:30 2015 From: bpk678 at gmail.com (brendan kearney) Date: Mon, 12 Jan 2015 11:20:30 -0500 Subject: [Freeipa-users] Group Policy-like features in FreeIPA In-Reply-To: References: Message-ID: OpenAFS? On Jan 12, 2015 11:04 AM, "Craig White" wrote: > *From:* freeipa-users-bounces at redhat.com [mailto: > freeipa-users-bounces at redhat.com] *On Behalf Of *Dale Macartney > *Sent:* Sunday, January 11, 2015 2:16 PM > *To:* freeipa-users at redhat.com > *Subject:* [Freeipa-users] Group Policy-like features in FreeIPA > > > > Morning folks > > I am currently working on a little pet project which I think some would > find useful. > > I would like to introduce some group policy like functionality into a > FreeIPA domain. > > For example: > > In an environment running FreeIPA Server with Fedora or RHEL based > workstations, I would like to be able to introduce a few extra features > which initially may be pushed via a login script (maybe even configure a > dbus session as well, who knows?). 
> > My intentions here would be to be able to apply host specific policies as > well as have the option for user specific policies which would be applied > when the user logs in. > > Practically speaking, adding an attribute to LDAP to specify a login > script file name is easy enough, however actually fetching this is where I > am hoping for a bit of brain storming. My thoughts would be the local user > would fetch the name of the login script via ldap, and then perhaps fetch > the file from a shared resource on the FreeIPA masters in order to be > executed locally. > > LDAP is obviously replicated, however to my knowledge, there is no file > synchronization between masters. I am thinking something similar to the MS > equivalent of the SYSVOL data that replicates between MS Domain > Controllers. One option would be to store all data within LDAP, however > I've seen many scenarios where admins store CD ISO's in replicated domain > data, so I am not certain this would be the best option. > > With this replicated data folder, I would be able to store centrally > managed scripts which would be used for hosts or users, and then configure > the default user template on each workstation (/etc/skel/) to add the login > script file name which would be fetched from the users LDAP attributes. > > Real world usability for what I am thinking of is a way to manage users > who can have their corporate email mailbox configured on login, > automatically setting the users session to point to an internal SSO enabled > proxy server or perhaps any other number of things which an admin may wish > to achieve without the need to manually do the work themselves. > > Has anyone undertaken a similar scenario in their environments or would > perhaps have any suggestions on how to manage the centrally accessible file > stores? > > Many thanks > ---- > > Specifically, I haven't fully implemented what you are asking but > obviously parts and pieces yes. 
> > One of the best features of Linux and all of its various toolsets is that > none are quite so overarching and the objectives are more focused. String > them together and you have a working tool set. As a system administrator, > you learn to pipe grep output to awk or sed or cut etc. > > SYSVOL <=> NFS and if that doesn't do it for you, check out Unison. > > I guess one of the temptations of FreeIPA is to try to make it exactly > like active directory. The FreeIPA developers are already doing an amazing > job without a ton of manpower. > > Craig > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL:
From jhrozek at redhat.com Mon Jan 12 17:27:18 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 12 Jan 2015 18:27:18 +0100 Subject: [Freeipa-users] freeipa authentication token manipulation error In-Reply-To: References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> Message-ID: <20150112172718.GH24278@hendrix.lan> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote: > under /var/log/secure.. have this error > passwd: pam_sss(passwd:chauthtok): Password change failed for user > hq-testuser: 22 (Authentication token lock busy) It looks like the log was truncated, can you post more context? Authentication token lock busy usually means the kadmin servers were offline.. 
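The pam_sss line quoted above carries a numeric PAM return code (22, PAM_AUTHTOK_LOCK_BUSY) next to its text, and the diagnosis in the reply is that this code means the client could not reach a kpasswd/kadmin server. The following script is an added example, not code from this thread or from sssd: it scans /var/log/secure-style lines for pam_sss chauthtok failures, decodes the PAM code (names taken from Linux-PAM's _pam_types.h; only a handful are mapped), and attaches a troubleshooting hint. The sample log lines are constructed to mirror the excerpt posted in this thread, and the hint text is the editor's assumption about what to check first.

```python
"""Classify pam_sss password-change (chauthtok) failures in /var/log/secure.

Added example, not part of the original thread. Sample log lines below are
constructed; PAM code names follow Linux-PAM's _pam_types.h.
"""
import re
from collections import Counter

# pam_sss writes:
#   pam_sss(<service>:chauthtok): Password change failed for user <u>: <code> (<text>)
_CHAUTHTOK_RE = re.compile(
    r"pam_sss\(\w+:chauthtok\): Password change failed for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Subset of Linux-PAM return codes that show up in password-change failures.
PAM_CODES = {
    7: "PAM_AUTH_ERR",
    20: "PAM_AUTHTOK_ERR",
    22: "PAM_AUTHTOK_LOCK_BUSY",
    27: "PAM_AUTHTOK_EXPIRED",
}

# Hints are the editor's assumptions; the one for 22 follows the thread's
# diagnosis that the kpasswd/kadmin servers were unreachable from the client.
HINTS = {
    22: "client could not reach a kpasswd/kadmin server: check krb5.conf, the "
        "_kpasswd._tcp / _kerberos-adm._tcp SRV records and TCP/464 reachability",
    20: "generic token error: raise sssd debug_level and read krb5_child.log",
    27: "password expired: the user must change it interactively",
    7: "current password was rejected",
}


def parse_chauthtok_failures(lines):
    """Return one dict per pam_sss chauthtok failure found in `lines`."""
    failures = []
    for line in lines:
        m = _CHAUTHTOK_RE.search(line)
        if not m:
            continue  # pam_unix noise, session lines, etc.
        code = int(m.group("code"))
        failures.append({
            "user": m.group("user"),
            "code": code,
            "name": PAM_CODES.get(code, "UNKNOWN"),
            "text": m.group("text"),
            "hint": HINTS.get(code, "no hint; enable sssd debug logging"),
        })
    return failures


def failures_by_code(lines):
    """Count failures per (code, name); a single dominant code points at one cause."""
    return Counter((f["code"], f["name"]) for f in parse_chauthtok_failures(lines))


# Constructed sample, modelled on the /var/log/secure excerpt in this thread.
SAMPLE_SECURE_LOG = """\
Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
Jan 12 17:50:02 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 20 (Authentication token manipulation error)
""".splitlines()

if __name__ == "__main__":
    for f in parse_chauthtok_failures(SAMPLE_SECURE_LOG):
        print(f"{f['user']}: {f['code']} {f['name']} ({f['text']}) -> {f['hint']}")
    print(failures_by_code(SAMPLE_SECURE_LOG))
```

Run it against the real file with `python3 classify.py < /dev/null` after replacing SAMPLE_SECURE_LOG with `open("/var/log/secure")`; a run where every failure is code 22 on IPA clients but none on the master is the pattern reported later in this thread, and points at the client-side Kerberos configuration rather than the user entries.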
From rakesh.rajasekharan at gmail.com Mon Jan 12 17:55:16 2015
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Mon, 12 Jan 2015 23:25:16 +0530
Subject: [Freeipa-users] freeipa authentication token manipulation error
In-Reply-To: <20150112172718.GH24278@hendrix.lan>
References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> <20150112172718.GH24278@hendrix.lan>
Message-ID:

This is the full log,

Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser

>> Does it happen for all users or only users that you migrated?
Yes it happens for all. I created a new user (hq-testuser); it is a fresh one that I created.

I found a workaround for this: users are able to successfully change the password by connecting to the IPA master server.
So, it's only the ipa clients that have the issue.

Thanks,
Rakesh

On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek wrote:
> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> > under /var/log/secure..
> > have this error
> > passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
>
> It looks like the log was truncated, can you post more context?
>
> Authentication token lock busy usually means the kadmin servers were offline..

From jhrozek at redhat.com Mon Jan 12 17:58:38 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 12 Jan 2015 18:58:38 +0100
Subject: [Freeipa-users] freeipa authentication token manipulation error
In-Reply-To:
References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> <20150112172718.GH24278@hendrix.lan>
Message-ID: <20150112175838.GJ24278@hendrix.lan>

On Mon, Jan 12, 2015 at 11:25:16PM +0530, Rakesh Rajasekharan wrote:
> This is the full log,

Sorry, I meant the full krb5_child.log ...

From sipazzo at yahoo.com Mon Jan 12 18:32:49 2015
From: sipazzo at yahoo.com (sipazzo)
Date: Mon, 12 Jan 2015 10:32:49 -0800
Subject: [Freeipa-users] Password policy for admin account not working
In-Reply-To: <1414514476.87630.YahooMailBasic@web122501.mail.ne1.yahoo.com>
Message-ID: <1421087569.21279.YahooMailBasic@web122502.mail.ne1.yahoo.com>

Good morning, I created a "service" password policy that prevents password expiration and gave it a priority of 0. I then created a "service" user group and applied the policy to the group. I added my admin user to this group so their password would not expire. However, it continues to expire anyway. I have other (not built-in) accounts that use this policy successfully so it seems like the priority is not working correctly. I am unable to change the priority on the global_policy.
Is my only option to add another policy with the same config as the global policy but a lower priority and assign that to all my users?

From dpal at redhat.com Mon Jan 12 19:35:24 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 12 Jan 2015 14:35:24 -0500
Subject: [Freeipa-users] freeipa authentication token manipulation error
In-Reply-To:
References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> <20150112172718.GH24278@hendrix.lan>
Message-ID: <54B421FC.8030305@redhat.com>

On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:
> This is the full log,
>
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
> Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
> Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
> Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
> Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser
>
> >> Does it happen for all users or only users that you migrated?
> Yes it happens for all. I created a new user (hq-testuser); it is a fresh one that I created.
>
> I found a workaround for this: users are able to successfully change the password by connecting to the IPA master server.
> So, it's only the ipa clients that have the issue.
Does it work for the same user from the client if you reset password on the server, authenticate from the client and then force reset again on the server?

Can you add a new client and see whether it works there?
Have you tried re-installing the client?

> Thanks,
> Rakesh
>
> On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek wrote:
>
> > On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> > > under /var/log/secure.. have this error
> > > passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
> >
> > It looks like the log was truncated, can you post more context?
> >
> > Authentication token lock busy usually means the kadmin servers were offline..

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From rcritten at redhat.com Mon Jan 12 19:48:06 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Jan 2015 14:48:06 -0500
Subject: [Freeipa-users] Password policy for admin account not working
In-Reply-To: <1421087569.21279.YahooMailBasic@web122502.mail.ne1.yahoo.com>
References: <1421087569.21279.YahooMailBasic@web122502.mail.ne1.yahoo.com>
Message-ID: <54B424F6.2060309@redhat.com>

sipazzo wrote:
> Good morning, I created a "service" password policy that prevents password expiration and gave it a priority of 0. I then created a "service" user group and applied the policy to the group. I added my admin user to this group so their password would not expire. However, it continues to expire anyway. I have other (not built-in) accounts that use this policy successfully so it seems like the priority is not working correctly. I am unable to change the priority on the global_policy.
> Is my only option to add another policy with the same config as the global policy but a lower priority and assign that to all my users?

Password policy for expiration is applied at the time the password is changed/set, not retroactively, so you may just need to reset the password on those accounts.

To see what policy will be applied to a given user do:

$ ipa pwpolicy-show --user=someuser

rob

From brian.topping at gmail.com Tue Jan 13 06:56:59 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Tue, 13 Jan 2015 13:56:59 +0700
Subject: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?
Message-ID: <3B853E7A-697D-4710-B441-5177E40959D6@gmail.com>

Hi folks, really pleased with the latest versions of FreeIPA. Very robust, quite impressive!

In the process of setting it up, I ended up having to move servers a couple of times. The original server is gone, just replicas that installed cleanly with each other. The problem is I didn't realize I was destroying the CA in the process. Maybe because I didn't promote the CA before the original was blown away. This was about three months ago and now I'm having a hard time recovering.

I did use the --setup-ca option every time a replica was made, but I can't tell what was salvaged and what was lost. (Maybe the installer could warn about this for the PBKAC types like myself...)

I have a fairly large investment in the configuration of the LDAP (domains, hosts and accounts) and need to maintain those somehow. I'm expecting that my certificates will probably have to be started from scratch though.

Can anyone offer advice how to proceed?
Thanks kindly,
Brian

From rakesh.rajasekharan at gmail.com Tue Jan 13 07:18:18 2015
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Tue, 13 Jan 2015 12:48:18 +0530
Subject: [Freeipa-users] freeipa authentication token manipulation error
In-Reply-To: <54B421FC.8030305@redhat.com>
References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> <20150112172718.GH24278@hendrix.lan> <54B421FC.8030305@redhat.com>
Message-ID:

>>> Does it work for the same user from the client if you reset password on the server, authenticate from the client and then force reset again on the server?

When I force reset a user, he still faces the same error "token manipulation" when he tries to login to a client. However, when he tries getting into the server, he now gets prompted for the password change and is successfully able to get through.

So, at this point we have a workaround though something seems not right at the clients.

>>> Can you add a new client and see whether it works there?
>>> Have you tried re-installing the client?

Yes, I did try reinstalling but that did not help

>>> Sorry, I meant the full krb5_child.log ...

This is how I get the logs in krb5_child.

when a user tries to authenticate with the random password that I generated,

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

And on the krb5_child.log, these are the entries

(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test.com@TEST.COM]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test.com@TEST.COM).
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400): Will perform password change
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x1000): Password change operation
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]

This does not go beyond this. However, when I attempt another login, the logs start moving from this point (the time stamps start from 6:54 AM)

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

now the krb5_child.log adds following lines

(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x1000): total buffer size: [134]TEST
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): cmd [241] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test.com@TEST.COM]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test.com@TEST.COM).
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): Will perform online auth
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Password was expired
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data] (0x0200): Received error code 1432158213
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x1000): total buffer size: [134]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test.com@TEST.COM]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test.com@TEST.COM).
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): Will perform password change checks
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Password change operation
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x1000): total buffer size: [153]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): cmd [246] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test.com@TEST.COM]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test.com@TEST.COM).
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): Will perform password change
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x1000): Password change operation
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]

and again the last line is attempting kinit for realm

Thanks,
Rakesh

On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal wrote:
> On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:
>
> This is the full log,
>
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
> Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
> Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
> Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
> Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser
>
> >> Does it happen for all users or only users that you migrated?
> Yes it happens for all. I created a new user (hq-testuser); it is a fresh one that I created.
>
> I found a workaround for this: users are able to successfully change the password by connecting to the IPA master server.
> So, it's only the ipa clients that have the issue.
>
> Does it work for the same user from the client if you reset password on the server, authenticate from the client and then force reset again on the server?
>
> Can you add a new client and see whether it works there?
> Have you tried re-installing the client?
>
> Thanks,
> Rakesh
>
> On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek wrote:
>
>> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
>> > under /var/log/secure.. have this error
>> > passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
>>
>> It looks like the log was truncated, can you post more context?
>>
>> Authentication token lock busy usually means the kadmin servers were offline..
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

From sbose at redhat.com Tue Jan 13 08:22:35 2015
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 13 Jan 2015 09:22:35 +0100
Subject: [Freeipa-users] freeipa authentication token manipulation error
In-Reply-To:
References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> <20150112172718.GH24278@hendrix.lan> <54B421FC.8030305@redhat.com>
Message-ID: <20150113082235.GE14918@localhost.localdomain>

On Tue, Jan 13, 2015 at 12:48:18PM +0530, Rakesh Rajasekharan wrote:
> >>> Does it work for the same user from the client if you reset password on the server, authenticate from the client and then force reset again on the server?
>
> When I force reset a user, he still faces the same error "token manipulation" when he tries to login to a client. However, when he tries getting into the server, he now gets prompted for the password change and is successfully able to get through.
>
> So, at this point we have a workaround though something seems not right at the clients.
>
> >>> Can you add a new client and see whether it works there?
> >>> Have you tried re-installing the client?
> Yes, I did try reinstalling but that did not help
>
> >>> Sorry, I meant the full krb5_child.log ...
>
> This is how I get the logs in krb5_child.
>
> when a user tries to authenticate with the random password that I generated,
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> And on the krb5_child.log, these are the entries
>
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test.com@TEST.COM]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test.com@TEST.COM).
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400): Will perform password change
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x1000): Password change operation
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
>
> This does not go beyond this. However, when I attempt another login, the logs start moving from this point (the time stamps start from 6:54 AM)
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> now the krb5_child.log adds following lines
>
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child started.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x1000): total buffer size: [134]TEST
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): cmd [241] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test.com@TEST.COM]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test.com@TEST.COM).
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): Will perform online auth
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
> (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
> (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Password was expired
> (Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data] (0x0200): Received error code 1432158213
> (Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child completed successfully
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x1000): total buffer size: [134]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test.com@TEST.COM]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test.com@TEST.COM).
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): Will perform password change checks
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Password change operation
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
> (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
> (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0
> (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x1000): total buffer size: [153]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): cmd [246] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test.com@TEST.COM]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test.com@TEST.COM).
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): Will perform password change
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x1000): Password change operation
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
>
> and again the last line is attempting kinit for realm

According to some earlier log entries your Kerberos server needs some time to respond. Maybe you are hit by the authentication timeout SSSD uses to not wait indefinitely long for a response. The default is 6s.
You can increase it by setting krb5_auth_timeout option in the [domain/...] section in sssd.conf to a higher value. See man sssd-krb5 for more details. HTH bye, Sumit > > Thanks, > Rakesh > > > On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal wrote: > > > On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote: > > > > This is the full log, > > > > Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info > > message: Password expired. Change your password now. > > Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser > > from 10.5.68.184 port 54048 ssh2 > > Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session > > opened for user hq-testuser by (uid=0) > > Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user > > "hq-testuser" does not exist in /etc/passwd > > Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user > > "hq-testuser" does not exist in /etc/passwd > > Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password > > change failed for user hq-testuser: 22 (Authentication token lock busy) > > Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from > > 10.5.68.184: 11: disconnected by user > > Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session > > closed for user hq-testuser > > > > > > >> Does it happen for all users or only users that you migrated? > > Yes it happens for all, I created a new user ( hq-testuser) is a fresh > > one that I created. > > > > I found a workaround for this , users are able to successfully change > > the password by connecting to the IPA master server. > > So, its only the ipa clients that have the issue. > > > > > > Does it work for the same user from the client if you reset password on > > the server, authenticate from the client and then force reset again on the > > server? > > > > Can you add a new client and see whether it works there? > > Have you tried re-installing the client? 
> >
> >
> >
> > Thanks,
> > Rakesh
> >
> > On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek wrote:
> >
> >> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> >> > under /var/log/secure.. have this error
> >> > passwd: pam_sss(passwd:chauthtok): Password change failed for user
> >> > hq-testuser: 22 (Authentication token lock busy)
> >>
> >> It looks like the log was truncated, can you post more context?
> >>
> >> Authentication token lock busy usually means the kadmin servers were
> >> offline..
> >>
> >
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
> >

From lslebodn at redhat.com Tue Jan 13 08:23:25 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 13 Jan 2015 09:23:25 +0100
Subject: [Freeipa-users] freeipa authentication token manipulation error
In-Reply-To:
References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> <20150112172718.GH24278@hendrix.lan> <54B421FC.8030305@redhat.com>
Message-ID: <20150113082325.GB11029@mail.corp.redhat.com>

On (13/01/15 12:48), Rakesh Rajasekharan wrote:
>This is how I get the logs in krb5_child.
>
>when a user tries to authenticate with the random password that I generated,
>
>WARNING: Your password has expired.
>You must change your password now and login again!
>Changing password for user hq-testuser.
>Current Password:
>New password:
>Retype new password:
>passwd: Authentication token manipulation erro
>
>And on the krb5_child.log, these are the entries
>
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer]
>(0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
>[/etc/krb5.keytab]
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
>[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
>from environment.
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
>[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
>environment.
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
>[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast]
>(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
>qa-dummy-int.test.com at TEST.COM]
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal]
>(0x1000): Principal matched to the sample (host/
>qa-dummy-int.test.com at TEST.COM).
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [check_fast_ccache]
>(0x0200): FAST TGT is still valid.
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400):
>Will perform password change
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child]
>(0x1000): Password change operation
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child]
>(0x0400): Attempting kinit for realm [TEST.COM]
>
I would expect at least next line: "Received error code"

Are you sure there is no crash? Could you look into /var/log/messages?

LS

From pspacek at redhat.com Tue Jan 13 09:10:23 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 13 Jan 2015 10:10:23 +0100
Subject: [Freeipa-users] Group Policy-like features in FreeIPA
In-Reply-To:
References:
Message-ID: <54B4E0FF.1080907@redhat.com>

On 12.1.2015 17:20, brendan kearney wrote:
> OpenAFS?
If you insist on a replicated FS then try Gluster.

Petr^2 Spacek

> On Jan 12, 2015 11:04 AM, "Craig White"
> wrote:
>
>> *From:* freeipa-users-bounces at redhat.com [mailto:
>> freeipa-users-bounces at redhat.com] *On Behalf Of *Dale Macartney
>> *Sent:* Sunday, January 11, 2015 2:16 PM
>> *To:* freeipa-users at redhat.com
>> *Subject:* [Freeipa-users] Group Policy-like features in FreeIPA
>>
>>
>>
>> Morning folks
>>
>> I am currently working on a little pet project which I think some would
>> find useful.
>>
>> I would like to introduce some group policy-like functionality into a
>> FreeIPA domain.
>>
>> For example:
>>
>> In an environment running FreeIPA Server with Fedora or RHEL based
>> workstations, I would like to be able to introduce a few extra features
>> which initially may be pushed via a login script (maybe even configure a
>> dbus session as well, who knows?).
>>
>> My intentions here would be to be able to apply host specific policies as
>> well as have the option for user specific policies which would be applied
>> when the user logs in.
>>
>> Practically speaking, adding an attribute to LDAP to specify a login
>> script file name is easy enough; however, actually fetching this is where I
>> am hoping for a bit of brainstorming. My thoughts would be the local user
>> would fetch the name of the login script via LDAP, and then perhaps fetch
>> the file from a shared resource on the FreeIPA masters in order to be
>> executed locally.
>>
>> LDAP is obviously replicated; however, to my knowledge, there is no file
>> synchronization between masters. I am thinking something similar to the MS
>> equivalent of the SYSVOL data that replicates between MS Domain
>> Controllers. One option would be to store all data within LDAP; however,
>> I've seen many scenarios where admins store CD ISOs in replicated domain
>> data, so I am not certain this would be the best option.
>>
>> With this replicated data folder, I would be able to store centrally
>> managed scripts which would be used for hosts or users, and then configure
>> the default user template on each workstation (/etc/skel/) to add the login
>> script file name which would be fetched from the user's LDAP attributes.
>>
>> Real world usability for what I am thinking of is a way to manage users
>> who can have their corporate email mailbox configured on login,
>> automatically setting the user's session to point to an internal SSO enabled
>> proxy server, or perhaps any other number of things which an admin may wish
>> to achieve without the need to manually do the work themselves.
>>
>> Has anyone undertaken a similar scenario in their environments or would
>> perhaps have any suggestions on how to manage the centrally accessible file
>> stores?
>>
>> Many thanks
>> ----
>>
>> Specifically, I haven't fully implemented what you are asking but
>> obviously parts and pieces yes.
>>
>> One of the best features of Linux and all of its various toolsets is that
>> none are quite so overarching and the objectives are more focused. String
>> them together and you have a working tool set. As a system administrator,
>> you learn to pipe grep output to awk or sed or cut etc.
>>
>> SYSVOL - NFS, and if that doesn't do it for you, check out Unison.
>>
>> I guess one of the temptations of FreeIPA is to try to make it exactly
>> like Active Directory. The FreeIPA developers are already doing an amazing
>> job without a ton of manpower.
>>
>> Craig
>>
>

--
Petr^2 Spacek

From rakesh.rajasekharan at gmail.com Tue Jan 13 09:25:10 2015
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Tue, 13 Jan 2015 14:55:10 +0530
Subject: [Freeipa-users] freeipa authentication token manipulation error
In-Reply-To: <20150113082235.GE14918@localhost.localdomain>
References: <20150111153054.GA8082@hendrix.brq.redhat.com> <20150112090136.GA20499@mail.corp.redhat.com> <20150112172718.GH24278@hendrix.lan> <54B421FC.8030305@redhat.com> <20150113082235.GE14918@localhost.localdomain>
Message-ID:

Thanks, that worked.. users are now able to get the password changed without any issues...

Will do a few more tests on this, but at this point it looks like that was the issue.

~Rakesh

On Tue, Jan 13, 2015 at 1:52 PM, Sumit Bose wrote:

> On Tue, Jan 13, 2015 at 12:48:18PM +0530, Rakesh Rajasekharan wrote:
> > >>>Does it work for the same user from the client if you reset password
> on
> > the server, authenticate from the client and then force reset again on
> the
> > server?
> > When I force reset a user, he still faces the same error "token
> > manipulation" when he tries to log in to a client. However, when he tries
> > getting into the server, he now gets prompted for the password change and
> > is successfully able to get through.
> >
> > So, at this point we have a workaround, though something seems not right
> at
> > the clients.
> > >>>Can you add a new client and see whether it works there?
> >
> > >>Have you tried re-installing the client?
> > Yes, I did try reinstalling but that did not help
> >
> >
> > >>>Sorry, I meant the full krb5_child.log ...
> >
> > This is how I get the logs in krb5_child.
> >
> > when a user tries to authenticate with the random password that I
> generated,
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user hq-testuser.
> > Current Password:
> > New password:
> > Retype new password:
> > passwd: Authentication token manipulation erro
> >
> > And on the krb5_child.log, these are the entries
> >
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
> > [/etc/krb5.keytab]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
> > [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > qa-dummy-int.test.com at TEST.COM]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal]
> > (0x1000): Principal matched to the sample (host/
> > qa-dummy-int.test.com at TEST.COM).
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
> [check_fast_ccache]
> > (0x0200): FAST TGT is still valid.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400):
> > Will perform password change
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child]
> > (0x1000): Password change operation
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child]
> > (0x0400): Attempting kinit for realm [TEST.COM]
> >
> >
> > This does not go beyond this. However, when I attempt another login,
> the
> > logs start moving from this point (the time stamps start from 6:54 AM)
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user hq-testuser.
> > Current Password:
> > New password:
> > Retype new password:
> > passwd: Authentication token manipulation erro
> >
> > now the krb5_child.log adds following lines
> >
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
> > krb5_child started.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
> > (0x1000): total buffer size: [134]TEST
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
> > (0x0100): cmd [241] uid [710600001] gid [710600001] validate [true]
> > enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
> > [/etc/krb5.keytab]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
> > [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > qa-dummy-int.test.com at TEST.COM]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [match_principal]
> > (0x1000): Principal matched to the sample (host/
> > qa-dummy-int.test.com at TEST.COM).
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
> [check_fast_ccache]
> > (0x0200): FAST TGT is still valid.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
> > Will perform online auth
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child]
> > (0x1000): Attempting to get a TGT
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt]
> > (0x0400): Attempting kinit for realm [TEST.COM]
> > (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt]
> > (0x0020): 981: [-1765328361][Password has expired]
> > (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child]
> > (0x1000): Password was expired
> > (Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data]
> > (0x0200): Received error code 1432158213
> > (Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
> > krb5_child completed successfully
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
> > krb5_child started.
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
> > (0x1000): total buffer size: [134]
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
> > (0x0100): cmd [247] uid [710600001] gid [710600001] validate [true]
> > enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
> > [/etc/krb5.keytab]
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
> > [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > qa-dummy-int.test.com at TEST.COM]
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal]
> > (0x1000): Principal matched to the sample (host/
> > qa-dummy-int.test.com at TEST.COM).
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
> [check_fast_ccache]
> > (0x0200): FAST TGT is still valid.
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
> > Will perform password change checks
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
> > (0x1000): Password change operation
> > (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
> > (0x0400): Attempting kinit for realm [TEST.COM]
> > (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
> > (0x1000): Initial authentication for change password operation
> successful.
> > (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data]
> > (0x0200): Received error code 0
> > (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
> > krb5_child completed successfully
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400):
> > krb5_child started.
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
> > (0x1000): total buffer size: [153]
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
> > (0x0100): cmd [246] uid [710600001] gid [710600001] validate [true]
> > enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
> > [/etc/krb5.keytab]
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
> > [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > qa-dummy-int.test.com at TEST.COM]
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal]
> > (0x1000): Principal matched to the sample (host/
> > qa-dummy-int.test.com at TEST.COM).
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
> [check_fast_ccache]
> > (0x0200): FAST TGT is still valid.
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400):
> > Will perform password change
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child]
> > (0x1000): Password change operation
> > (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child]
> > (0x0400): Attempting kinit for realm [TEST.COM]
> >
> > and again the last line is attempting kinit for realm
>
> According to some earlier log entries your Kerberos server needs some
> time to respond.
> Maybe you are hit by the authentication timeout SSSD
> uses to not wait indefinitely long for a response. The default is 6s.
> You can increase it by setting the krb5_auth_timeout option in the
> [domain/...] section in sssd.conf to a higher value. See man sssd-krb5
> for more details.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks,
> > Rakesh
> >
> >
> > On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal wrote:
> >
> > > On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:
> > >
> > > This is the full log,
> > >
> > > Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info
> > > message: Password expired. Change your password now.
> > > Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for
> hq-testuser
> > > from 10.5.68.184 port 54048 ssh2
> > > Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session
> > > opened for user hq-testuser by (uid=0)
> > > Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user
> > > "hq-testuser" does not exist in /etc/passwd
> > > Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user
> > > "hq-testuser" does not exist in /etc/passwd
> > > Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password
> > > change failed for user hq-testuser: 22 (Authentication token lock busy)
> > > Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from
> > > 10.5.68.184: 11: disconnected by user
> > > Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session
> > > closed for user hq-testuser
> > >
> > >
> > > >> Does it happen for all users or only users that you migrated?
> > > Yes, it happens for all; I created a new user (hq-testuser), and it is a
> fresh
> > > one that I created.
> > >
> > > I found a workaround for this: users are able to successfully change
> > > the password by connecting to the IPA master server.
> > > So, it's only the IPA clients that have the issue.
> > >
> > >
> > > Does it work for the same user from the client if you reset password
> on
> > > the server, authenticate from the client and then force reset again on
> the
> > > server?
> > >
> > > Can you add a new client and see whether it works there?
> > > Have you tried re-installing the client?
> > >
> > >
> > >
> > > Thanks,
> > > Rakesh
> > >
> > > On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek
> wrote:
> > >
> > >> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> > >> > under /var/log/secure.. have this error
> > >> > passwd: pam_sss(passwd:chauthtok): Password change failed for user
> > >> > hq-testuser: 22 (Authentication token lock busy)
> > >>
> > >> It looks like the log was truncated, can you post more context?
> > >>
> > >> Authentication token lock busy usually means the kadmin servers were
> > >> offline..
> > >>
> > >
> > >
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.
> > >

From brian.topping at gmail.com Tue Jan 13 09:38:25 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Tue, 13 Jan 2015 16:38:25 +0700
Subject: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?
In-Reply-To: <3B853E7A-697D-4710-B441-5177E40959D6@gmail.com>
References: <3B853E7A-697D-4710-B441-5177E40959D6@gmail.com>
Message-ID: <49E5AF63-BB33-45FB-A722-6061D2B16081@gmail.com>

On Jan 13, 2015, at 1:56 PM, Brian Topping wrote:
>
> Hi folks, really pleased with the latest versions of FreeIPA. Very robust, quite impressive!
>
> In the process of setting it up, I ended up having to move servers a couple of times. The original server is gone, just replicas that installed cleanly with each other.

Ok, I think I have this sorted -- somewhat.

After pawing through the Tomcat configuration for Dogtag, I traced back to the pki-tomcatd at pki-tomcat.service not running. Once that started, the relevant information was available to the UI. There are a sufficient number of certificates that I think everything is in order. Whew.

What I realize now is the certificate CRL points to the server that no longer exists and I'd like to get that cleaned up. I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master , is that relevant for my situation?

Thanks, Brian

From mkosek at redhat.com Tue Jan 13 11:32:01 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 13 Jan 2015 12:32:01 +0100
Subject: [Freeipa-users] Replica install fails when using --setup-ca
In-Reply-To:
References:
Message-ID: <54B50231.5000000@redhat.com>

On 01/12/2015 03:53 PM, dbischof at hrz.uni-kassel.de wrote:
> Hi,
>
> no ideas about this one?
>
> I'm unsure if I did something wrong, but since I installed both systems the
> same way, I really don't know what could be wrong.
>
> One thing that may be related: The working system (the one that doesn't fail to
> create a replica with "--setup-ca") went productive in April 2014, the one that
> fails in September 2014.
> In between were several updates to the ipa-server
> package, including one related to Dogtag ("Proxy calls to
> /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with Dogtag
> 10 PKI (#1083878)"). Can this cause errors like the one I observe?

That's a good guess. Installing a RHEL/CentOS 7.0 replica with such a server (one without this update) as the master would indeed cause a failure. Did you try updating it?

> Something else I may want to look into? My installations are pretty much
> standard, except that I use an external DNS and have SELinux disabled.

If the referred update does not help, we would need to see the full ipareplica-install.log and PKI logs (/var/log/pki/) on the replica to continue with debugging.

>
>
> Best regards,
>
> --Daniel.
>
> On Tue, 6 Jan 2015, dbischof at hrz.uni-kassel.de wrote:
>
>> I have two small FreeIPA installations (for two different realms), both with
>> CentOS 6/FreeIPA 3.0.0-42. After running them both with only one master
>> server each for a while, I attempted to extend both installations with one
>> replica each.
>>
>> Doing a
>>
>> ipa-replica-install --setup-ca /var/lib/ipa/replica-info-...
>>
>> worked fine for one of the installations, but failed for the other:
>>
>> ---
>> [...]
>>
>> [3/17]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA
>> -cs_hostname xxx -cs_port 9445 -client_certdb_dir /tmp/tmp-YsXvhP
>> -client_certdb_pwd XXXXXXXX -preop_pin vJl0m3xc9Oz7b1fIgttD -domain_name IPA
>> -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX
>> -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>> -agent_cert_subject CN=ipa-ca-agent,O=YYY -ldap_host xxx -ldap_port 7389
>> -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
>> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
>> -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
>> internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY
>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=YYY
>> -ca_server_cert_subject_name CN=xxx,O=YYY -ca_audit_signing_cert_subject_name
>> CN=CA Audit,O=YYY -ca_sign_cert_subject_name CN=Certificate Authority,O=YYY
>> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
>> XXXXXXXX -sd_hostname mmm -sd_admin_port 443 -sd_admin_name admin
>> -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://mmm:443'
>> returned non-zero exit status 255
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> ---
>>
>> /var/log/ipareplica-install.log:
>>
>> ---
>> [...]
>> Error in DomainPanel(): updateStatus value is null
>> ERROR: ConfigureCA: DomainPanel() failure
>> ERROR: unable to create CA
>>
>> #######################################################################
>>
>> 2015-01-06T13:36:25Z DEBUG stderr=
>> 2015-01-06T13:36:25Z CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> 2015-01-06T13:36:25Z INFO File
>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
>> 614, in run_script
>> return_value = main_function()
>>
>> File "/usr/sbin/ipa-replica-install", line 476, in main
>> (CA, cs) = cainstance.install_replica_ca(config)
>>
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 1626, in install_replica_ca
>> subject_base=config.subject_base)
>>
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 626, in configure_instance
>> self.start_creation(runtime=210)
>>
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
>> 358, in start_creation
>> method()
>>
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 888, in __configure_instance
>> raise RuntimeError('Configuration of CA failed')
>>
>> 2015-01-06T13:36:25Z INFO The ipa-replica-install command failed, exception:
>> RuntimeError: Configuration of CA failed
>> ---
>>
>> Omitting "--setup-ca" lets me successfully install a working replica server.
>>
>> The problem appears to be my installation (since the other one works) -
>> however: Both (intended) replica servers are nearly identical (operating
>> system version, installed packages, etc.).
>>
>> My understanding is that a replica without a CA is not a 100%-clone of a IPA
>> master, right? What are the downsides of having a replica without a CA?
From mkosek at redhat.com Tue Jan 13 11:41:28 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 13 Jan 2015 12:41:28 +0100
Subject: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?
In-Reply-To: <49E5AF63-BB33-45FB-A722-6061D2B16081@gmail.com>
References: <3B853E7A-697D-4710-B441-5177E40959D6@gmail.com> <49E5AF63-BB33-45FB-A722-6061D2B16081@gmail.com>
Message-ID: <54B50468.3080504@redhat.com>

On 01/13/2015 10:38 AM, Brian Topping wrote:
> On Jan 13, 2015, at 1:56 PM, Brian Topping wrote:
>>
>> Hi folks, really pleased with the latest versions of FreeIPA. Very robust, quite impressive!

Good to hear! :-)

>>
>> In the process of setting it up, I ended up having to move servers a couple of times. The original server is gone, just replicas that installed cleanly with each other.

Hmm, I hoped that after FreeIPA 3.2 (https://fedorahosted.org/freeipa/ticket/2879), FreeIPA should warn before removing the last DNS/CA from the realm. It may indeed be a bug.

The point is that it is hard to recover when there is no master with PKI configured and no backup to use, as some information is only on the PKI masters, like the CA private key or other subsystem cert private keys.

> Ok, I think I have this sorted -- somewhat.
>
> After pawing through the Tomcat configuration for Dogtag, I traced back to the pki-tomcatd at pki-tomcat.service not running. Once that started, the relevant information was available to the UI. There are a sufficient number of certificates that I think everything is in order. Whew.

Sounds promising.

> What I realize now is the certificate CRL points to the server that no longer exists and I'd like to get that cleaned up. I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master , is that relevant for my situation?

Yes, this is the procedure to follow for servers older than FreeIPA 4.1. Jan, is that correct? If yes, the page deserves a warning/update.
From maillists at microdel.org Tue Jan 13 13:52:15 2015
From: maillists at microdel.org (Mike)
Date: Tue, 13 Jan 2015 06:52:15 -0700 (MST)
Subject: [Freeipa-users] DNS updates from dhcpd refused
Message-ID:

Hi - FreeIPA newbie here trying to enable ddns updates from dhcpd to IPA. I don't know if this is an IPA or dhcpd issue but thought I'd ask here. I'm also not sure if TSIG is the best, or only, way to go.

All machines are CentOS 7 with ipa 3.3.3; actually only one machine is involved, IPA server and dhcpd are running on the same VM.

I followed the guide here:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
with one exception, I used "grant dhcpupdate zonesub A;" in the ipa dnszone-mod command.

To test I did this:
nsupdate -k /tmp/testkey
> update add newhost.inside.lan 86400 A 10.16.1.99
> send

nsupdate works as expected, both forward and reverse records are added.

However updates from dhcpd are rejected; here's a snippet from two log files. Oh, and raising the trace level with 'rndc trace 9' didn't reveal anything useful (to me anyway).
tail -f /var/log/messages /var/named/data/named.run
==> /var/named/data/named.run <==
12-Jan-2015 20:15:02.092 client 10.16.1.10#10196/key dhcpupdate: updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)

==> /var/log/messages <==
Jan 12 20:15:02 ds01 named[11065]: client 10.16.1.10#10196/key dhcpupdate: updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
Jan 12 20:15:02 ds01 dhcpd: No hostname for 10.16.1.203
Jan 12 20:15:02 ds01 dhcpd: DHCPREQUEST for 10.16.1.203 from 52:54:00:4a:44:f7 (nas2) via eth0
Jan 12 20:15:02 ds01 dhcpd: DHCPACK on 10.16.1.203 to 52:54:00:4a:44:f7 (nas2) via eth0
Jan 12 20:15:02 ds01 dhcpd: Unable to add forward map from nas2.inside.lan to 10.16.1.203: REFUSED

--
Thanks,
Mike

From pspacek at redhat.com Tue Jan 13 14:44:47 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 13 Jan 2015 15:44:47 +0100
Subject: [Freeipa-users] DNS updates from dhcpd refused
In-Reply-To:
References:
Message-ID: <54B52F5F.6020704@redhat.com>

On 13.1.2015 14:52, Mike wrote:
> Hi - FreeIPA newbie here trying to enable ddns updates from dhcpd to IPA. I
> don't know if this is an IPA or dhcpd issue but thought I'd ask here. I'm also
> not sure if TSIG is the best, or only, way to go.
>
> All machines are CentOS 7 with ipa 3.3.3; actually only one machine is involved,
> IPA server and dhcpd are running on the same VM.
>
> I followed the guide here:
> http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
> with one exception, I used "grant dhcpupdate zonesub A;" in the ipa
> dnszone-mod command.
>
> To test I did this:
> nsupdate -k /tmp/testkey
>> update add newhost.inside.lan 86400 A 10.16.1.99
>> send
>
> nsupdate works as expected, both forward and reverse records are added.
>
> However updates from dhcpd are rejected; here's a snippet from two log files.
> Oh, and raising the trace level with 'rndc trace 9' didn't reveal anything
> useful (to me anyway).
>
> tail -f /var/log/messages /var/named/data/named.run
> ==> /var/named/data/named.run <==
> 12-Jan-2015 20:15:02.092 client 10.16.1.10#10196/key dhcpupdate: updating zone
> 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
>
> ==> /var/log/messages <==
> Jan 12 20:15:02 ds01 named[11065]: client 10.16.1.10#10196/key dhcpupdate:
> updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
> Jan 12 20:15:02 ds01 dhcpd: No hostname for 10.16.1.203
> Jan 12 20:15:02 ds01 dhcpd: DHCPREQUEST for 10.16.1.203 from 52:54:00:4a:44:f7
> (nas2) via eth0
> Jan 12 20:15:02 ds01 dhcpd: DHCPACK on 10.16.1.203 to 52:54:00:4a:44:f7 (nas2)
> via eth0
> Jan 12 20:15:02 ds01 dhcpd: Unable to add forward map from nas2.inside.lan to
> 10.16.1.203: REFUSED

dhcpd is supposed to do the same thing as nsupdate so this is weird.

You can increase log level in BIND to 8:
$ rndc trace 8
to get more information about the failure

An alternative is to use tcpdump/wireshark and compare packages sent by nsupdate and dhcpd to see where the difference is.

Feel free to send me packet captures privately if you don't want to post them to the mailing list.

Have a nice day!

--
Petr^2 Spacek

From CWhite at skytouchtechnology.com Tue Jan 13 15:39:54 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Tue, 13 Jan 2015 15:39:54 +0000
Subject: [Freeipa-users] DNS updates from dhcpd refused
In-Reply-To:
References:
Message-ID:

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Mike
Sent: Tuesday, January 13, 2015 6:52 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] DNS updates from dhcpd refused

Hi - FreeIPA newbie here trying to enable ddns updates from dhcpd to IPA. I don't know if this is an IPA or dhcpd issue but thought I'd ask here. I'm also not sure if TSIG is the best, or only, way to go.
All machines are CentOS 7 with ipa 3.3.3, actually only one machine involved, IPA server and dhcpd are running on the same VM.

I followed the guide here: http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG with one exception, I used "grant dhcpupdate zonesub A;" in the ipa dnszone-mod command.

To test I did this:

nsupdate -k /tmp/testkey
> update add newhost.inside.lan 86400 A 10.16.1.99
> send

nsupdate works as expected, both forward and reverse records are added.

However updates from dhcpd are rejected, here's a snippet from two log files. Oh and raising the trace level with 'rndc trace 9' didn't reveal anything useful (to me anyway).

tail -f /var/log/messages /var/named/data/named.run
==> /var/named/data/named.run <==
12-Jan-2015 20:15:02.092 client 10.16.1.10#10196/key dhcpupdate: updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)

==> /var/log/messages <==
Jan 12 20:15:02 ds01 named[11065]: client 10.16.1.10#10196/key dhcpupdate: updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
Jan 12 20:15:02 ds01 dhcpd: No hostname for 10.16.1.203
Jan 12 20:15:02 ds01 dhcpd: DHCPREQUEST for 10.16.1.203 from 52:54:00:4a:44:f7 (nas2) via eth0
Jan 12 20:15:02 ds01 dhcpd: DHCPACK on 10.16.1.203 to 52:54:00:4a:44:f7 (nas2) via eth0
Jan 12 20:15:02 ds01 dhcpd: Unable to add forward map from nas2.inside.lan to 10.16.1.203: REFUSED

----
Mike,

Please be sure to post when you do come to a resolution on this, it may be something I want to do - at least in my home setup.

Craig

From bram.vandoren at ster.kuleuven.be Tue Jan 13 15:53:31 2015
From: bram.vandoren at ster.kuleuven.be (Bram Vandoren)
Date: Tue, 13 Jan 2015 16:53:31 +0100
Subject: [Freeipa-users] invalid cn=CACert,cn=ipa,cn=etc entry
Message-ID: <54B53F7B.80006@ster.kuleuven.be>

Hi All,

We run a FreeIPA server (3.0.0) on SL6. Fedora 21 clients are unable to complete freeipa-client-install. It fails due to a parsing error of the CA certificate.
I tracked down the error and it seems our cn=CACert,cn=ipa,cn=etc entry is invalid. This is the ldif:

dn: cn=CACert,cn=ipa,cn=etc,dc=xyz,dc=abc, dc=de
objectClass: top
objectClass: pkiCA
objectClass: nsContainer
cn: CAcert
cACertificate;binary:: (this field contains base64 encoded data, not binary data)

I modified the certstore.py script and changed line 299 from

cert = entry.single_value['cACertificate;binary']

to:

cert = base64.b64decode(entry.single_value['cACertificate;binary'])

after that ipa-client-install completes without a problem.

We have run FreeIPA for a few years now so perhaps something went wrong with an update of the server at some point and the cn=CACert entry was not updated correctly. What's the valid format of the CACert entry in LDAP? Can we change it to binary without other clients ending up in trouble? Guessing from the get_ca_certs function we also want other attributes like ipaCertSubject, ipaCertIssuerSerial,... These are also missing in our server but perhaps these were only added in later FreeIPA server versions.

Thanks,
Bram

From maillists at microdel.org Tue Jan 13 17:12:45 2015
From: maillists at microdel.org (Mike)
Date: Tue, 13 Jan 2015 10:12:45 -0700 (MST)
Subject: [Freeipa-users] DNS updates from dhcpd refused
In-Reply-To: <54B52F5F.6020704@redhat.com>
References: <54B52F5F.6020704@redhat.com>
Message-ID:

On Tue, 13 Jan 2015, Petr Spacek wrote:

> On 13.1.2015 14:52, Mike wrote:
>> Hi - FreeIPA newbie here trying to enable ddns updates from dhcpd to IPA. I
>> don't know if this is an IPA or dhcpd issue but thought I'd ask here. I'm also
>> not sure if TSIG is the best, or only, way to go.
>>
>> All machines are CentOS 7 with ipa 3.3.3, actually only one machine involved,
>> IPA server and dhcpd are running on the same VM.
>>
>> I followed the guide here:
>> http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
>> with one exception, I used "grant dhcpupdate zonesub A;" in the ipa
>> dnszone-mod command.
>>
>> To test I did this:
>> nsupdate -k /tmp/testkey
>>> update add newhost.inside.lan 86400 A 10.16.1.99
>>> send
>>
>> nsupdate works as expected, both forward and reverse records are added.
>>
>> However updates from dhcpd are rejected, here's a snippet from two log files.
>> Oh and raising the trace level with 'rndc trace 9' didn't reveal anything
>> useful (to me anyway).
>>
>> tail -f /var/log/messages /var/named/data/named.run
>> ==> /var/named/data/named.run <==
>> 12-Jan-2015 20:15:02.092 client 10.16.1.10#10196/key dhcpupdate: updating zone
>> 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
>>
>> ==> /var/log/messages <==
>> Jan 12 20:15:02 ds01 named[11065]: client 10.16.1.10#10196/key dhcpupdate:
>> updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
>> Jan 12 20:15:02 ds01 dhcpd: No hostname for 10.16.1.203
>> Jan 12 20:15:02 ds01 dhcpd: DHCPREQUEST for 10.16.1.203 from 52:54:00:4a:44:f7
>> (nas2) via eth0
>> Jan 12 20:15:02 ds01 dhcpd: DHCPACK on 10.16.1.203 to 52:54:00:4a:44:f7 (nas2)
>> via eth0
>> Jan 12 20:15:02 ds01 dhcpd: Unable to add forward map from nas2.inside.lan to
>> 10.16.1.203: REFUSED
>
> dhcpd is supposed to do the same thing as nsupdate so this is weird.
>
> You can increase log level in BIND to 8:
> $ rndc trace 8
> to get more information about the failure
>
> An alternative is to use tcpdump/wireshark and compare packages sent by nsupdate
> and dhcpd to see where the difference is.
>
> Feel free to send me packet captures privately if you don't want to post them
> to the mailing list.
>
> Have a nice day!
>

Petr - Thanks for the suggestion, that helped me solve the problem. Turns out the difference is that dhcpd is also trying to add a TXT record which nsupdate was not (because I didn't tell it to). So adding "grant dhcpupdate zonesub TXT;" to the "ipa dnszone-mod" command fixes the problem. Actually it appears as though dhcpd tries to add a PTR record if the A and TXT are successful.
So I think I need to add "grant dhcpupdate zonesub PTR;" to be complete.

--
Thanks again, Mike

From maillists at microdel.org Tue Jan 13 17:35:43 2015
From: maillists at microdel.org (Mike)
Date: Tue, 13 Jan 2015 10:35:43 -0700 (MST)
Subject: [Freeipa-users] DNS updates from dhcpd refused
In-Reply-To:
References: <54B52F5F.6020704@redhat.com>
Message-ID:

Just a note to anyone else who may be interested. This may be obvious but it wasn't to me at first: the "ipa dnszone-mod ... --update-policy=..." command wipes out the existing BIND update policy. So what would seem to me to be the correct procedure is to do "ipa dnszone-show --all" first to get the existing policy. Then append the new policy to the existing. This is what ultimately worked for me (all one line).

ipa dnszone-mod inside.lan --update-policy="grant INSIDE.LAN krb5-self * A; grant INSIDE.LAN krb5-self * AAAA; grant INSIDE.LAN krb5-self * SSHFP; grant dhcpupdate zonesub A; grant dhcpupdate zonesub TXT; grant dhcpupdate zonesub PTR;"

From dpal at redhat.com Tue Jan 13 17:55:27 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 13 Jan 2015 12:55:27 -0500
Subject: [Freeipa-users] DNS updates from dhcpd refused
In-Reply-To:
References: <54B52F5F.6020704@redhat.com>
Message-ID: <54B55C0F.3010100@redhat.com>

On 01/13/2015 12:35 PM, Mike wrote:
>
> Just a note to anyone else who may be interested. This may be obvious
> but it wasn't to me at first: the "ipa dnszone-mod ...
> --update-policy=..." command wipes out the existing BIND update
> policy. So what would seem to me to be the correct procedure is to do
> "ipa dnszone-show --all" first to get the existing policy. Then append
> the new policy to the existing. This is what ultimately worked for me
> (all one line).
>
> ipa dnszone-mod inside.lan --update-policy="grant INSIDE.LAN krb5-self
> * A; grant INSIDE.LAN krb5-self * AAAA; grant INSIDE.LAN krb5-self *
> SSHFP; grant dhcpupdate zonesub A; grant dhcpupdate zonesub TXT; grant
> dhcpupdate zonesub PTR;"
>
>
>
Would you mind contributing a howto solution to FreeIPA site?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From simo at redhat.com Tue Jan 13 18:15:42 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 13 Jan 2015 13:15:42 -0500
Subject: [Freeipa-users] Mount cifs share using kerberos
In-Reply-To:
References: <20150108125129.31e12bc1@willson.usersys.redhat.com> <20150109091123.GM16288@redhat.com> <20150109171201.GN16288@redhat.com> <20150111153323.GB8082@hendrix.brq.redhat.com>
Message-ID: <20150113131542.40cff962@willson.usersys.redhat.com>

On Mon, 12 Jan 2015 09:46:37 +0100
John Obaterspok wrote:

> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek :
>
> > On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
> > > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi
> > > :
> > >
> > > > To get the whole root environment you have to run
> > > > su - root
> > > > did you try with it?
> > > >
> > >
> > > ahh... that works fine Gianluca!
> > >
> > > Final question, if I have a file on the share like:
> > > [john at ipaserver mountpoint]$ ll test.txt
> > > -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt
> > >
> > > Should I be able to access it if I acquire an admin ticket?
> > > Currently I get
> > > Permission denied
> > >
> > > [john at ipaserver mountpoint]$ id
> > > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john)
> > > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > [john at ipaserver mountpoint]$ getfacl test.txt
> > > # file: test.txt
> > > # owner: root
> > > # group: admins
> > > user::rwx
> > > group::r--
> > > other::---
> > >
> > > [john at ipaserver mountpoint]$ id admin
> > > uid=1434400000(admin) gid=1434400000(admins)
> > > groups=1434400000(admins)
> > >
> > > [john at ipaserver mountpoint]$ klist
> > > Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf
> > > Default principal: admin at MY.LAN
> > >
> > > Valid starting       Expires              Service principal
> > > 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/MY.LAN at MY.LAN
> > >
> > > [john at ipaserver mountpoint]$ cat test.txt
> > > cat: test.txt: Permission denied
> >
> > Looks like your account needs to be in the 'admins' group in order
> > to access the file.
> >
> > Acquiring the admin ticket doesn't switch the user ID nor add you
> > to the group..
> >
>
> I thought the krb5 mount option would allow ticket-based access to the
> file.
> Is the purpose of the krb5 mount option just used during mounting of
> the share? Otherwise I see no difference compared to not using krb5
> mount option!?

You need to pass the 'multiuser' option at mount time for that, the default for cifs.ko is still to just use the mount credentials.

See mount.cifs manpage, search for 'multiuser'

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From maillists at microdel.org Tue Jan 13 18:41:50 2015
From: maillists at microdel.org (Mike)
Date: Tue, 13 Jan 2015 11:41:50 -0700 (MST)
Subject: [Freeipa-users] DNS updates from dhcpd refused
In-Reply-To: <54B55C0F.3010100@redhat.com>
References: <54B52F5F.6020704@redhat.com> <54B55C0F.3010100@redhat.com>
Message-ID:

On Tue, 13 Jan 2015, Dmitri Pal wrote:

> On 01/13/2015 12:35 PM, Mike wrote:
>>
>> Just a note to anyone else who may be interested. This may be obvious but
>> it wasn't to me at first: the "ipa dnszone-mod ... --update-policy=..."
>> command wipes out the existing BIND update policy. So what would seem to
>> me to be the correct procedure is to do "ipa dnszone-show --all" first to
>> get the existing policy. Then append the new policy to the existing. This
>> is what ultimately worked for me (all one line).
>>
>> ipa dnszone-mod inside.lan --update-policy="grant INSIDE.LAN krb5-self *
>> A; grant INSIDE.LAN krb5-self * AAAA; grant INSIDE.LAN krb5-self * SSHFP;
>> grant dhcpupdate zonesub A; grant dhcpupdate zonesub TXT; grant dhcpupdate
>> zonesub PTR;"
>>
>>
>>
>>
> Would you mind contributing a howto solution to FreeIPA site?
>

Wouldn't mind at all however the Howto I used (http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG) is mostly correct, only three errors that I'm aware of. And it is a bit "brief", there are a few things I could add. Should I just follow up off list with updates/changes?

-- Mike

From nagemnna at gmail.com Tue Jan 13 20:06:16 2015
From: nagemnna at gmail.com (Megan .)
Date: Tue, 13 Jan 2015 15:06:16 -0500
Subject: [Freeipa-users] Issues with new install - Configuration of CA failed
Message-ID:

I am having a very difficult time getting the ipa server installed on our test server.
CentOS release 6.6 (Final)
Linux test1-vm.example.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
ipa-server-3.0.0-42.el6.centos.x86_64

I tried to reinstall pki-selinux, reboot, relabel and that didn't help

yum reinstall pki-selinux

I reviewed a number of threads and didn't seem to see my issue of Request:java.net.ConnectException: Connection refused at step 2/20

https://www.redhat.com/archives/freeipa-users/2014-April/msg00278.html

Any suggestions would be greatly appreciated.

I used: ipa-server-install --no-ntp

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname test1-vm.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WQ28_w -client_certdb_pwd XXXXXXXX -preop_pin MvLsuha0GPxvJSnYoL5u -domain_name IPA -admin_user admin -admin_email root at localhost -admin_XXXXXXXX XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host test1-vm.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_XXXXXXXX XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=test1-vm.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone false' returned non-zero exit status 255 Configuration of CA failed install log: [root at test1-vm log]# cat ipaserver-install.log 2015-01-13T19:47:59Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-13T19:47:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2015-01-13T19:47:59Z DEBUG httpd is not configured 2015-01-13T19:47:59Z DEBUG kadmin is not configured 2015-01-13T19:47:59Z DEBUG dirsrv is not configured 2015-01-13T19:47:59Z DEBUG pki-cad is not configured 2015-01-13T19:47:59Z DEBUG pki-tomcatd is not configured 2015-01-13T19:47:59Z DEBUG pkids is not configured 2015-01-13T19:47:59Z DEBUG install is not configured 2015-01-13T19:47:59Z DEBUG krb5kdc is not configured 2015-01-13T19:47:59Z DEBUG ntpd is not configured 2015-01-13T19:47:59Z DEBUG named is not configured 2015-01-13T19:47:59Z DEBUG ipa_memcached is not configured 2015-01-13T19:47:59Z DEBUG filestore is tracking no files 2015-01-13T19:47:59Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-01-13T19:47:59Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 1844800000, 'external_ca': False, 'ip_address': None, 'conf_ssh': True, 
'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False} 2015-01-13T19:47:59Z DEBUG missing options might be asked for interactively later 2015-01-13T19:47:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2015-01-13T19:47:59Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-13T19:47:59Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS 2015-01-13T19:47:59Z DEBUG stdout=VirtualHost configuration: wildcard NameVirtualHosts and _default_ servers: _default_:8443 test1-vm.example.com (/etc/httpd/conf.d/nss.conf:84) 2015-01-13T19:47:59Z DEBUG stderr=Syntax OK 2015-01-13T19:48:02Z DEBUG Check if test1-vm.example.com is a primary hostname for localhost 2015-01-13T19:48:02Z DEBUG Primary hostname for localhost: test1-vm.example.com 2015-01-13T19:48:02Z DEBUG Search DNS for test1-vm.example.com 2015-01-13T19:48:02Z DEBUG Check if test1-vm.example.com. is not a CNAME 2015-01-13T19:48:02Z DEBUG Check reverse address of 123.12.12.166 2015-01-13T19:48:02Z DEBUG Found reverse name: test1-vm.example.com 2015-01-13T19:48:02Z DEBUG will use host_name: test1-vm.example.com 2015-01-13T19:48:03Z DEBUG read domain_name: example.com 2015-01-13T19:48:03Z DEBUG args=/sbin/ip -family inet -oneline address show 2015-01-13T19:48:03Z DEBUG stdout=1: lo inet 127.0.0.1/8 scope host lo 2: eth0 inet 123.12.12.166/25 brd 123.12.12.255 scope global eth0 2015-01-13T19:48:03Z DEBUG stderr= 2015-01-13T19:48:03Z DEBUG read realm_name: EXAMPLE.COM 2015-01-13T19:48:11Z DEBUG will use dns_forwarders: () 2015-01-13T19:48:14Z DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'... 
2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' 2015-01-13T19:48:14Z DEBUG importing plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' 2015-01-13T19:48:14Z DEBUG args=klist -V 2015-01-13T19:48:14Z DEBUG stdout=Kerberos 5 version 1.10.3 2015-01-13T19:48:14Z DEBUG stderr= 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' 2015-01-13T19:48:14Z DEBUG importing plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' 2015-01-13T19:48:14Z DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipaserver/install/plugins'... 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/adtrust.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/baseupdate.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/dns.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/fix_replica_agreements.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/rename_managed.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_anonymous_aci.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_services.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/updateclient.py' 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/upload_cacrt.py' 2015-01-13T19:48:15Z DEBUG ds group dirsrv exists 2015-01-13T19:48:15Z DEBUG Loading 
StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-13T19:48:15Z DEBUG Configuring directory server for the CA (pkids): Estimated time 30 seconds 2015-01-13T19:48:15Z DEBUG [1/3]: creating directory server user 2015-01-13T19:48:15Z DEBUG ds user pkisrv exists 2015-01-13T19:48:15Z DEBUG duration: 0 seconds 2015-01-13T19:48:15Z DEBUG [2/3]: creating directory server instance 2015-01-13T19:48:15Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-13T19:48:15Z DEBUG writing inf template 2015-01-13T19:48:15Z DEBUG [General] FullMachineName= test1-vm.example.com SuiteSpotUserID= pkisrv SuiteSpotGroup= dirsrv ServerRoot= /usr/lib64/dirsrv [slapd] ServerPort= 7389 ServerIdentifier= PKI-IPA Suffix= dc=example,dc=com RootDN= cn=Directory Manager ConfigFile = /usr/share/pki/ca/conf/database.ldif 2015-01-13T19:48:15Z DEBUG calling setup-ds.pl 2015-01-13T19:48:31Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp33xewh 2015-01-13T19:48:31Z DEBUG stdout=[15/01/13:14:48:31] - [Setup] Info Your new DS instance 'PKI-IPA' was successfully created. Your new DS instance 'PKI-IPA' was successfully created. [15/01/13:14:48:31] - [Setup] Success Exiting . . . Log file is '-' Exiting . . . Log file is '-' 2015-01-13T19:48:31Z DEBUG stderr= 2015-01-13T19:48:31Z DEBUG completed creating ds instance 2015-01-13T19:48:31Z DEBUG duration: 15 seconds 2015-01-13T19:48:31Z DEBUG [3/3]: restarting directory server 2015-01-13T19:48:34Z DEBUG args=/sbin/service dirsrv restart PKI-IPA 2015-01-13T19:48:34Z DEBUG stdout=Shutting down dirsrv: PKI-IPA... [ OK ] Starting dirsrv: PKI-IPA... [ OK ] 2015-01-13T19:48:34Z DEBUG stderr= 2015-01-13T19:48:34Z DEBUG args=/sbin/service dirsrv status PKI-IPA 2015-01-13T19:48:34Z DEBUG stdout=dirsrv PKI-IPA (pid 2126) is running... 
2015-01-13T19:48:34Z DEBUG stderr= 2015-01-13T19:48:34Z DEBUG wait_for_open_ports: localhost [7389] timeout 300 2015-01-13T19:48:34Z DEBUG args=/sbin/service dirsrv status PKI-IPA 2015-01-13T19:48:34Z DEBUG stdout=dirsrv PKI-IPA (pid 2126) is running... 2015-01-13T19:48:34Z DEBUG stderr= 2015-01-13T19:48:34Z DEBUG duration: 3 seconds 2015-01-13T19:48:34Z DEBUG Done configuring directory server for the CA (pkids). 2015-01-13T19:48:34Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-13T19:48:34Z DEBUG Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds 2015-01-13T19:48:34Z DEBUG [1/20]: creating certificate server user 2015-01-13T19:48:34Z DEBUG ca user pkiuser exists 2015-01-13T19:48:34Z DEBUG duration: 0 seconds 2015-01-13T19:48:34Z DEBUG [2/20]: configuring certificate server instance 2015-01-13T19:48:37Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname test1-vm.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WQ28_w -client_certdb_pwd XXXXXXXX -preop_pin MvLsuha0GPxvJSnYoL5u -domain_name IPA -admin_user admin -admin_email root at localhost -admin_XXXXXXXX XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host test1-vm.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_XXXXXXXX XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=test1-vm.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone false 2015-01-13T19:48:37Z DEBUG 
stdout=libpath=/usr/lib64 ####################################################################### CRYPTO INIT WITH CERTDB:/tmp/tmp-WQ28_w tokenpwd:XXXXXXXX ############################################# Attempting to connect to: test1-vm.example.com:9445 Exception in LoginPanel(): java.lang.NullPointerException ERROR: ConfigureCA: LoginPanel() failure ERROR: unable to create CA ####################################################################### 2015-01-13T19:48:37Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused java.net.ConnectException: Connection refused at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:579) at java.net.Socket.connect(Socket.java:528) at java.net.Socket.(Socket.java:425) at java.net.Socket.(Socket.java:241) at HTTPClient.sslConnect(HTTPClient.java:326) at ConfigureCA.LoginPanel(ConfigureCA.java:244) at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) at ConfigureCA.main(ConfigureCA.java:1672) java.lang.NullPointerException at ConfigureCA.LoginPanel(ConfigureCA.java:245) at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) at ConfigureCA.main(ConfigureCA.java:1672) 2015-01-13T19:48:37Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname test1-vm.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WQ28_w -client_certdb_pwd XXXXXXXX -preop_pin MvLsuha0GPxvJSnYoL5u -domain_name IPA -admin_user admin -admin_email root at localhost -admin_XXXXXXXX XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host 
test1-vm.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_XXXXXXXX XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=test1-vm.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone false' returned non-zero exit status 255
2015-01-13T19:48:37Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2015-01-13T19:48:37Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
[root at test1-vm log]#

From dpal at redhat.com Tue Jan 13 20:25:40 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 13 Jan 2015 15:25:40 -0500
Subject: [Freeipa-users] DNS updates from dhcpd refused
In-Reply-To:
References: <54B52F5F.6020704@redhat.com> <54B55C0F.3010100@redhat.com>
Message-ID: <54B57F44.4020509@redhat.com>

On 01/13/2015 01:41 PM, Mike wrote:
> On Tue, 13 Jan 2015, Dmitri Pal wrote:
>
>> On 01/13/2015 12:35 PM, Mike wrote:
>>>
>>> Just a note to anyone else who may be interested.
This may be >>> obvious but >>> it wasn't to me at first, The "ipa dnszone-mod ... >>> --update-policy=..." >>> command wipes out the existing BIND update policy. So what would >>> seem to >>> me to be the correct procedure is to do "ipa dnszone-show --all" >>> first to >>> get the existing policy. Then append the new policy to the >>> existing. This >>> is what ultimatley worked for me (all one line). >>> >>> ipa dnszone-mod inside.lan --update-policy="grant INSIDE.LAN >>> krb5-self * >>> A; grant INSIDE.LAN krb5-self * AAAA; grant INSIDE.LAN krb5-self * >>> SSHFP; >>> grant dhcpupdate zonesub A; grant dhcpupdate zonesub TXT; grant >>> dhcpupdate >>> zonesub PTR;" >>> >>> >>> >>> >> Would you mind contributing a howto solution to FreeIPA site? >> > > Wouldn't mind at all however the Howto I used > (http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG) > is mostly correct, only three errors that I'm aware of. And it is a > bit "brief", there are a few things I could add. Should I just follow > up off list with updates/changes? > > -- Mike > Thanks! Petr, Martin, what do you think is the best approach, for Mike just edit the page or send corrections off list? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. 
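The read-merge-write sequence Mike describes above (fetch the zone's current BIND update policy first, append the new grants, then write the whole policy back, because `ipa dnszone-mod --update-policy=...` replaces rather than extends it), as an added example; this is not code from the thread, from the wiki Howto, or from FreeIPA itself, and it also covers Petr Spacek's later reply that quotes the same note. It assumes the current policy is read from `ipa dnszone-show ZONE --raw` output, where the attribute appears as an `idnsupdatepolicy:` line (an assumption about the output format), and it never executes `ipa` itself: it only returns the argument list for the write-back step, so the operator can inspect the merged policy before applying it.

```python
"""Append grants to a FreeIPA DNS zone's BIND update policy without losing the
existing ones.  `ipa dnszone-mod --update-policy=...` replaces the whole policy,
so the safe sequence is: read the current policy, merge, write back.

Added example, not FreeIPA code.  Assumptions: the policy is read from
`ipa dnszone-show ZONE --raw` output as an "idnsupdatepolicy: ..." line, and the
caller decides whether to actually execute the argv returned by
dnszone_mod_command().
"""


def parse_update_policy(policy):
    """Split a BIND update-policy string into its individual grant statements.

    Statements are ';'-separated; surrounding whitespace and empty statements
    (e.g. from a trailing ';') are dropped, and internal whitespace is
    collapsed so formatting differences do not create false duplicates.
    """
    return [" ".join(s.split()) for s in policy.split(";") if s.strip()]


def merge_update_policy(existing, new_grants):
    """Return `existing` with every statement from `new_grants` appended once.

    Order of the existing statements is preserved, so the krb5-self grants the
    zone already had stay in front; a grant already present is not added twice.
    """
    statements = parse_update_policy(existing)
    for grant in new_grants:
        for stmt in parse_update_policy(grant):
            if stmt not in statements:
                statements.append(stmt)
    return "; ".join(statements) + ";" if statements else ""


def policy_from_dnszone_show(raw_output):
    """Extract the current policy from `ipa dnszone-show ZONE --raw` output.

    Assumption: the attribute is printed as 'idnsupdatepolicy: <policy>'.
    Returns '' when the zone has no update policy set.
    """
    for line in raw_output.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name.strip().lower() == "idnsupdatepolicy":
            return value.strip()
    return ""


def dnszone_mod_command(zone, policy):
    """Build the argv for the write-back step (the caller hands it to subprocess)."""
    return ["ipa", "dnszone-mod", zone, "--update-policy=" + policy]


def plan_policy_update(zone, raw_output, new_grants):
    """The whole read-merge-build sequence; returns (merged_policy, argv)."""
    merged = merge_update_policy(policy_from_dnszone_show(raw_output), new_grants)
    return merged, dnszone_mod_command(zone, merged)


# Constructed sample of `ipa dnszone-show inside.lan --raw` output, modelled on
# the existing policy Mike reports above (not captured from a real server).
SAMPLE_RAW = """\
  dn: idnsname=inside.lan,cn=dns,dc=inside,dc=lan
  idnsname: inside.lan
  idnsupdatepolicy: grant INSIDE.LAN krb5-self * A; grant INSIDE.LAN krb5-self * AAAA; grant INSIDE.LAN krb5-self * SSHFP;
  idnsallowdynupdate: TRUE
"""

# The grants Mike appended for the dhcpupdate TSIG key.
DHCP_GRANTS = [
    "grant dhcpupdate zonesub A",
    "grant dhcpupdate zonesub TXT",
    "grant dhcpupdate zonesub PTR",
]


if __name__ == "__main__":
    policy, argv = plan_policy_update("inside.lan", SAMPLE_RAW, DHCP_GRANTS)
    print("merged policy:", policy)
    print("command      :", " ".join(argv))
```

Running the module prints the merged policy and the exact `ipa dnszone-mod` invocation, which reproduces Mike's one-liner from the existing three krb5-self grants plus the three dhcpupdate grants. Running the same plan twice is harmless, since grants that are already present are not appended again.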
From jrichard at placeiq.com Wed Jan 14 01:59:36 2015
From: jrichard at placeiq.com (Jim Richard)
Date: Tue, 13 Jan 2015 20:59:36 -0500
Subject: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail

Carefully following the instructions here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

I have split one of my CentOS 6.6 based replicas from the main cluster of 4 IDM servers, fully disconnected it from the current IDM infrastructure, converted it to a master CA, double checked that I have no dangling/tombstone entries pointing back to other cluster members; ipa-replica-manage list and ipa-replica-manage list-ruv both show no other masters. In short, I made absolutely sure that this replica is now a standalone.

I then applied the schema updates via the python script per the above referenced instructions, did "ipa-replica-prepare", deployed a new CentOS 7 vm, yum install ipa-server there, scp'd over the replica file.

Next up, "ipa-replica-install --setup-ca". And that's where the story ends...

Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance

ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpM9BzPz' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

I tried the workaround mentioned here: https://fedorahosted.org/pki/ticket/816
updated /usr/share/pki/ca/conf/CS.cfg before running ipa-replica-install

But no luck.

Anybody have a clue where I should look?

From pki-ca-spawn.20150114014019.log:

2015-01-14 01:40:32 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Failed to obtain installation token from security domain

and in /var/log/pki/pki-tomcat/ca/server I have:

2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

more info that might help...

[root at sso-centos7 pki]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      CTu,Cu,Cu
Certificate Authority - PLACEIQ.NET                          CT,c,

My CS.cfg is attached.

Maybe the fact that my new server is looking at the same DNS and can see the SRV records for the current CentOS 6.6/IDM 3.0 cluster is causing a problem??

Of course I have uninstalled and done this a zillion times:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat

I'm at a loss, no idea even where to look at this point. Thanks in advance for any clues you can provide.

Jim Richard | PlaceIQ | Systems Administrator | jrichard at placeiq.com | +1 (646) 338-8905

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CS.cfg
Type: application/octet-stream
Size: 72966 bytes
Desc: not available

From rakesh.rajasekharan at gmail.com Wed Jan 14 05:13:17 2015
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Wed, 14 Jan 2015 10:43:17 +0530
Subject: [Freeipa-users] Can I revert back the hostname on client

Hi,

Freeipa changes the hostname to FQDN.
But in our existing set up that can cause issues. Can I revert back the hostname to the previous value once the client installation is complete?

I am fine with the server having a FQDN.

Thanks,
Rakesh

From pspacek at redhat.com Wed Jan 14 08:35:58 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 14 Jan 2015 09:35:58 +0100
Subject: [Freeipa-users] DNS updates from dhcpd refused
In-Reply-To: <54B57F44.4020509@redhat.com>
References: <54B52F5F.6020704@redhat.com> <54B55C0F.3010100@redhat.com> <54B57F44.4020509@redhat.com>
Message-ID: <54B62A6E.2030608@redhat.com>

On 13.1.2015 21:25, Dmitri Pal wrote:
> On 01/13/2015 01:41 PM, Mike wrote:
>> On Tue, 13 Jan 2015, Dmitri Pal wrote:
>>
>>> On 01/13/2015 12:35 PM, Mike wrote:
>>>>
>>>> Just a note to anyone else who may be interested. This may be obvious but
>>>> it wasn't to me at first, The "ipa dnszone-mod ... --update-policy=..."
>>>> command wipes out the existing BIND update policy. So what would seem to
>>>> me to be the correct procedure is to do "ipa dnszone-show --all" first to
>>>> get the existing policy. Then append the new policy to the existing. This
>>>> is what ultimately worked for me (all one line).
>>>>
>>>> ipa dnszone-mod inside.lan --update-policy="grant INSIDE.LAN krb5-self * A; grant INSIDE.LAN krb5-self * AAAA; grant INSIDE.LAN krb5-self * SSHFP; grant dhcpupdate zonesub A; grant dhcpupdate zonesub TXT; grant dhcpupdate zonesub PTR;"
>>>>
>>>>
>>> Would you mind contributing a howto solution to FreeIPA site?
>>>
>>
>> Wouldn't mind at all however the Howto I used
>> (http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG)
>> is mostly correct, only three errors that I'm aware of. And it is a bit
>> "brief", there are a few things I could add. Should I just follow up off
>> list with updates/changes?
>>
>> -- Mike
>>
> Thanks!
>
> Petr, Martin, what do you think is the best approach, for Mike just edit the
> page or send corrections off list?

Mike, don't hesitate to update the page directly. After all, it has a history so we can review it post-edit.

Personally I don't want to set up some heavy-weight review process for wiki :-)

-- 
Petr^2 Spacek

From pspacek at redhat.com Wed Jan 14 08:38:48 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 14 Jan 2015 09:38:48 +0100
Subject: [Freeipa-users] Can I revert back the hostname on client
Message-ID: <54B62B18.9020501@redhat.com>

Hello,

On 14.1.2015 06:13, Rakesh Rajasekharan wrote:
> Freeipa changes the hostname to FQDN. But in our existing set up that can
> cause issues.

Could you be more specific? It would help if we had detailed bug reports about this, but up to now everybody just said 'I need non-FQDN hostname' and did not add any details :-)

What doesn't work?

> Can I revert back the hostname to previous value once the client
> installation is complete.

You might see all sorts of breakages related to Kerberos, sorry.

> I am fine with server having a FQDN.

-- 
Petr^2 Spacek

From erinn.looneytriggs at gmail.com Wed Jan 14 08:39:35 2015
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 14 Jan 2015 01:39:35 -0700
Subject: [Freeipa-users] SASL GSSAPI behavior change in RHEL 7
Message-ID: <1455640.qz6hf6XekS@scrapy.abaqis.com>

This is not exactly the right place to post this message, but I reckon it is close enough.

A year or so ago, I wrote up a guide for configuring a Postfix client to use Kerb/GSSAPI to authenticate against a Postfix server acting as a relay. The guide is here:
https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
and it is linked somewhere on the FreeIPA pages. It was written for RHEL 6.x. Everything worked fine and I forgot everything I ever learned to write the guide :).

With the release of RHEL 7 I am again going back through the process of validating that things work as I believe they should etc. Trying to configure up this same setup with RHEL 7 is, however, proving to be problematic. The configuration directives have not changed and everything should in theory work, however it simply doesn't.

My basic layout is as follows: a RHEL 7 Postfix client attempting to relay through a RHEL 6 Postfix server using Kerberos. SASL appears to be bailing when attempting to use GSSAPI for auth with the Postfix server. The specific error is:

warning: SASL authentication failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

Which means all of nothing to me. However, I found the following bug in Cyrus' bugzilla:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
essentially mentioning the same thing, and mentioning that this error is cropping up in a few places (autofs is mentioned). The specific commit they reference is here:
http://git.cyrusimap.org/cyrus-sasl/commit/?id=080e51c7fa0421eb2f0210d34cf0ac48a228b1e9

I don't know whether this is an incompatibility, I don't know whether running against a RHEL 7 Postfix server will help in any way. I actually don't know much of anything about this, and hence wanted to ask for thoughts from folks who may be more in the know than I am.

Any ideas what this is all about? Any thoughts about possible solutions?

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part.
From mkosek at redhat.com Wed Jan 14 13:14:19 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 14 Jan 2015 14:14:19 +0100
Subject: [Freeipa-users] invalid cn=CACert,cn=ipa,cn=etc entry
In-Reply-To: <54B53F7B.80006@ster.kuleuven.be>
References: <54B53F7B.80006@ster.kuleuven.be>
Message-ID: <54B66BAB.9050308@redhat.com>

On 01/13/2015 04:53 PM, Bram Vandoren wrote:
> Hi All,
> We run a FreeIPA server (3.0.0) on SL6. Fedora 21 clients are unable to
> complete freeipa-client-install. It fails due to a parsing error of the CA
> certificate. I tracked down the error and it seems our cn=CACert,cn=ipa,cn=etc
> entry is invalid. This is the ldif:
>
> dn: cn=CACert,cn=ipa,cn=etc,dc=xyz,dc=abc, dc=de
> objectClass: top
> objectClass: pkiCA
> objectClass: nsContainer
> cn: CAcert
> cACertificate;binary:: (this field contains base64 encoded data, not binary data)
>
> I modified the certstore.py script and changed line 299 from
> cert = entry.single_value['cACertificate;binary']
> to:
> cert = base64.b64decode(entry.single_value['cACertificate;binary'])
>
> after that ipa-client-install completes without a problem.
>
> We have run FreeIPA for a few years now, so perhaps something went wrong with an
> update of the server at some point and the cn=CACert entry was not updated
> correctly.

Hello Bram,

Good investigation! You already found the root cause. You are most possibly hitting
https://bugzilla.redhat.com/show_bug.cgi?id=948928
that is fixed in ipa-3.0.0-30.el6 or later.

> What's the valid format of the CACert entry in LDAP? Can we change it to binary
> without other clients ending up in trouble?

Yes. It is supposed to be in binary, as even the attribute name cACertificate;binary suggests. If you fixed the certificate or removed the attribute and let the LDAP updater do its job and re-upload it correctly, you should be fine.

> Guessing from the get_ca_certs
> function we also want other attributes like ipaCertSubject,
> ipaCertIssuerSerial,... These are also missing in our server but perhaps these
> were only added in later FreeIPA server versions.

These were added for FreeIPA 4.1, as part of tickets
https://fedorahosted.org/freeipa/ticket/3259
https://fedorahosted.org/freeipa/ticket/3520

You do not need to worry about them for clients/servers older than 4.1.

HTH,
Martin

From mkosek at redhat.com Wed Jan 14 13:26:46 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 14 Jan 2015 14:26:46 +0100
Subject: [Freeipa-users] Issues with new install - Configuration of CA failed
Message-ID: <54B66E96.2040908@redhat.com>

On 01/13/2015 09:06 PM, Megan . wrote:
> I am having a very difficult time getting the ipa server installed on
> our test server.
>
> CentOS release 6.6 (Final)
> Linux test1-vm.example.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>
> ipa-server-3.0.0-42.el6.centos.x86_64
>
> I tried to reinstall pki-selinux, reboot, relabel and that didn't help
> yum reinstall pki-selinux
>
> I reviewed a number of threads and didn't seem to see my issue of
> Request:java.net.ConnectException: Connection refused at step 2/20
>
> https://www.redhat.com/archives/freeipa-users/2014-April/msg00278.html
>
> Any suggestions would be greatly appreciated.
>
> I used: ipa-server-install --no-ntp
>
> Continue to configure the system with these values? [no]: yes
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
>
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
>
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname test1-vm.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WQ28_w -client_certdb_pwd XXXXXXXX -preop_pin MvLsuha0GPxvJSnYoL5u -domain_name IPA -admin_user admin -admin_email root at localhost -admin_XXXXXXXX XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host test1-vm.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_XXXXXXXX XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=test1-vm.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone false' returned non-zero exit status 255
>
> Configuration of CA failed
>
> install log:
>
> [root at test1-vm log]# cat ipaserver-install.log
> 2015-01-13T19:47:59Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-13T19:47:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2015-01-13T19:47:59Z DEBUG httpd is not configured
> 2015-01-13T19:47:59Z DEBUG kadmin is not configured
> 2015-01-13T19:47:59Z DEBUG dirsrv is not configured
> 2015-01-13T19:47:59Z DEBUG pki-cad is not configured
> 2015-01-13T19:47:59Z DEBUG pki-tomcatd is not configured
> 2015-01-13T19:47:59Z DEBUG pkids is not configured
> 2015-01-13T19:47:59Z DEBUG install is not configured
> 2015-01-13T19:47:59Z DEBUG krb5kdc is not configured
> 2015-01-13T19:47:59Z DEBUG ntpd is not configured
> 2015-01-13T19:47:59Z DEBUG named is not configured
> 2015-01-13T19:47:59Z DEBUG ipa_memcached is not configured
> 2015-01-13T19:47:59Z DEBUG filestore is tracking no files
> 2015-01-13T19:47:59Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2015-01-13T19:47:59Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 1844800000, 'external_ca': False, 'ip_address': None, 'conf_ssh': True, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
> 2015-01-13T19:47:59Z DEBUG missing options might be asked for interactively later
>
> 2015-01-13T19:47:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2015-01-13T19:47:59Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-13T19:47:59Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
> 2015-01-13T19:47:59Z DEBUG stdout=VirtualHost configuration:
> wildcard NameVirtualHosts and _default_ servers:
> _default_:8443         test1-vm.example.com (/etc/httpd/conf.d/nss.conf:84)
>
> 2015-01-13T19:47:59Z DEBUG stderr=Syntax OK
>
> 2015-01-13T19:48:02Z DEBUG Check if test1-vm.example.com is a primary hostname for localhost
> 2015-01-13T19:48:02Z DEBUG Primary hostname for localhost: test1-vm.example.com
> 2015-01-13T19:48:02Z DEBUG Search DNS for test1-vm.example.com
> 2015-01-13T19:48:02Z DEBUG Check if test1-vm.example.com. is not a CNAME
> 2015-01-13T19:48:02Z DEBUG Check reverse address of 123.12.12.166
> 2015-01-13T19:48:02Z DEBUG Found reverse name: test1-vm.example.com
> 2015-01-13T19:48:02Z DEBUG will use host_name: test1-vm.example.com
>
> 2015-01-13T19:48:03Z DEBUG read domain_name: example.com
>
> 2015-01-13T19:48:03Z DEBUG args=/sbin/ip -family inet -oneline address show
> 2015-01-13T19:48:03Z DEBUG stdout=1: lo    inet 127.0.0.1/8 scope host lo
> 2: eth0    inet 123.12.12.166/25 brd 123.12.12.255 scope global eth0
>
> 2015-01-13T19:48:03Z DEBUG stderr=
> 2015-01-13T19:48:03Z DEBUG read realm_name: EXAMPLE.COM
>
> 2015-01-13T19:48:11Z DEBUG will use dns_forwarders: ()
>
> 2015-01-13T19:48:14Z DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> 2015-01-13T19:48:14Z DEBUG args=klist -V
> 2015-01-13T19:48:14Z DEBUG stdout=Kerberos 5 version 1.10.3
>
> 2015-01-13T19:48:14Z DEBUG stderr=
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> 2015-01-13T19:48:14Z DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipaserver/install/plugins'...
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/adtrust.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/baseupdate.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/dns.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/fix_replica_agreements.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/rename_managed.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_anonymous_aci.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_services.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/updateclient.py'
> 2015-01-13T19:48:14Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/upload_cacrt.py'
> 2015-01-13T19:48:15Z DEBUG ds group dirsrv exists
> 2015-01-13T19:48:15Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-13T19:48:15Z DEBUG Configuring directory server for the CA (pkids): Estimated time 30 seconds
> 2015-01-13T19:48:15Z DEBUG   [1/3]: creating directory server user
> 2015-01-13T19:48:15Z DEBUG ds user pkisrv exists
> 2015-01-13T19:48:15Z DEBUG   duration: 0 seconds
> 2015-01-13T19:48:15Z DEBUG   [2/3]: creating directory server instance
> 2015-01-13T19:48:15Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-13T19:48:15Z DEBUG writing inf template
> 2015-01-13T19:48:15Z DEBUG
> [General]
> FullMachineName= test1-vm.example.com
> SuiteSpotUserID= pkisrv
> SuiteSpotGroup= dirsrv
> ServerRoot= /usr/lib64/dirsrv
> [slapd]
> ServerPort= 7389
> ServerIdentifier= PKI-IPA
> Suffix= dc=example,dc=com
> RootDN= cn=Directory Manager
> ConfigFile = /usr/share/pki/ca/conf/database.ldif
>
> 2015-01-13T19:48:15Z DEBUG calling setup-ds.pl
> 2015-01-13T19:48:31Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp33xewh
> 2015-01-13T19:48:31Z DEBUG stdout=[15/01/13:14:48:31] - [Setup] Info Your new DS instance 'PKI-IPA' was successfully created.
> Your new DS instance 'PKI-IPA' was successfully created.
> [15/01/13:14:48:31] - [Setup] Success Exiting . . .
> Log file is '-'
>
> Exiting . . .
> Log file is '-'
>
>
> 2015-01-13T19:48:31Z DEBUG stderr=
> 2015-01-13T19:48:31Z DEBUG completed creating ds instance
> 2015-01-13T19:48:31Z DEBUG   duration: 15 seconds
> 2015-01-13T19:48:31Z DEBUG   [3/3]: restarting directory server
> 2015-01-13T19:48:34Z DEBUG args=/sbin/service dirsrv restart PKI-IPA
> 2015-01-13T19:48:34Z DEBUG stdout=Shutting down dirsrv:
>     PKI-IPA...                                             [  OK  ]
> Starting dirsrv:
>     PKI-IPA...                                             [  OK  ]
>
> 2015-01-13T19:48:34Z DEBUG stderr=
> 2015-01-13T19:48:34Z DEBUG args=/sbin/service dirsrv status PKI-IPA
> 2015-01-13T19:48:34Z DEBUG stdout=dirsrv PKI-IPA (pid 2126) is running...
>
> 2015-01-13T19:48:34Z DEBUG stderr=
> 2015-01-13T19:48:34Z DEBUG wait_for_open_ports: localhost [7389] timeout 300
> 2015-01-13T19:48:34Z DEBUG args=/sbin/service dirsrv status PKI-IPA
> 2015-01-13T19:48:34Z DEBUG stdout=dirsrv PKI-IPA (pid 2126) is running...
>
> 2015-01-13T19:48:34Z DEBUG stderr=
> 2015-01-13T19:48:34Z DEBUG   duration: 3 seconds
> 2015-01-13T19:48:34Z DEBUG Done configuring directory server for the CA (pkids).
> 2015-01-13T19:48:34Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-13T19:48:34Z DEBUG Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> 2015-01-13T19:48:34Z DEBUG   [1/20]: creating certificate server user
> 2015-01-13T19:48:34Z DEBUG ca user pkiuser exists
> 2015-01-13T19:48:34Z DEBUG   duration: 0 seconds
> 2015-01-13T19:48:34Z DEBUG   [2/20]: configuring certificate server instance
> 2015-01-13T19:48:37Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname test1-vm.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WQ28_w -client_certdb_pwd XXXXXXXX -preop_pin MvLsuha0GPxvJSnYoL5u -domain_name IPA -admin_user admin -admin_email root at localhost -admin_XXXXXXXX XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host test1-vm.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_XXXXXXXX XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=test1-vm.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone false
> 2015-01-13T19:48:37Z DEBUG stdout=libpath=/usr/lib64
> #######################################################################
> CRYPTO INIT WITH CERTDB:/tmp/tmp-WQ28_w
> tokenpwd:XXXXXXXX
> #############################################
> Attempting to connect to: test1-vm.example.com:9445
> Exception in LoginPanel(): java.lang.NullPointerException
> ERROR: ConfigureCA: LoginPanel() failure
> ERROR: unable to create CA
>
> #######################################################################
>
> 2015-01-13T19:48:37Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>     at java.net.Socket.connect(Socket.java:579)
>     at java.net.Socket.connect(Socket.java:528)
>     at java.net.Socket.(Socket.java:425)
>     at java.net.Socket.(Socket.java:241)
>     at HTTPClient.sslConnect(HTTPClient.java:326)
>     at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>     at ConfigureCA.main(ConfigureCA.java:1672)
> java.lang.NullPointerException
>     at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>     at ConfigureCA.main(ConfigureCA.java:1672)
>
> 2015-01-13T19:48:37Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname test1-vm.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WQ28_w -client_certdb_pwd XXXXXXXX -preop_pin MvLsuha0GPxvJSnYoL5u -domain_name IPA -admin_user admin -admin_email root at localhost -admin_XXXXXXXX XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host test1-vm.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_XXXXXXXX XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=test1-vm.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone false' returned non-zero exit status 255
> 2015-01-13T19:48:37Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 942, in main
>     subject_base=options.subject)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>     method()
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2015-01-13T19:48:37Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
> [root at test1-vm log]#
>

Judging based on the "Connection Refused" error, can it be by any chance
https://fedorahosted.org/freeipa/ticket/4564 ?

Apache already running before ipa-server-install was known to cause CA installation breakage.

Martin

From brian.topping at gmail.com Wed Jan 14 13:54:48 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Wed, 14 Jan 2015 20:54:48 +0700
Subject: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?
In-Reply-To: <54B50468.3080504@redhat.com> References: <3B853E7A-697D-4710-B441-5177E40959D6@gmail.com> <49E5AF63-BB33-45FB-A722-6061D2B16081@gmail.com> <54B50468.3080504@redhat.com> Message-ID: <10B3317E-BC39-4744-9613-7298AB723E19@gmail.com> Hi Martin, thanks for your response! >> What I realize now is the certificate CRL points to the server that no longer exists and I'd like to get that cleaned up. I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master , is that relevant for my situation? > > Yes, this is the procedure to follow for servers older than FreeIPA 4.1. Jan is > that correct? If yes, the page deserves a warning/update. > Ooof! I forgot that vendor repos were so far behind. I'm still at 3.3.3-28. Is it reasonable and desirable to run one of my two servers with the image documented at http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos ? I'm interested in integrating Shiro or some other RBAC against IPA at some point in the next few months, but I'd wait if the Docker image is a prelude to 4.x hitting vendor repos soon. Cheers, Brian -------------- next part -------------- An HTML attachment was scrubbed... URL: From sipazzo at yahoo.com Wed Jan 14 17:41:36 2015 From: sipazzo at yahoo.com (sipazzo) Date: Wed, 14 Jan 2015 09:41:36 -0800 Subject: [Freeipa-users] Password policy for admin account not working In-Reply-To: <54B424F6.2060309@redhat.com> Message-ID: <1421257296.69684.YahooMailBasic@web122502.mail.ne1.yahoo.com> Thank you Rob. That makes sense but I could have sworn I changed the policy before expiration. Resetting it did indeed resolve the issue though. Sorry for the headache. 
-------------------------------------------- On Mon, 1/12/15, Rob Crittenden wrote: Subject: Re: [Freeipa-users] Password policy for admin account not working To: "sipazzo" , "Freeipa-users at redhat.com" Date: Monday, January 12, 2015, 11:48 AM sipazzo wrote: > > Good morning, I created a "service" password policy that prevents password expiration and gave it a priority of 0. I then created a "service" user group and applied the policy to the group. I added my admin user to this group so their password would not expire. However, it continues to expire anyway. I have other (not built-in) accounts that use this policy successfully so it seems like the priority is not working correctly. I am unable to change the priority on the global_policy. Is my only option to add another policy with the same config as the global policy but a lower priority and assign that to all my users? > Password policy for expiration is applied at the time the password is changed/set, not retroactively, so you may just need to reset the password on those accounts. To see what policy will be applied to a given user do: $ ipa pwpolicy-show --user=someuser rob From ejnersan at gmail.com Wed Jan 14 18:11:56 2015 From: ejnersan at gmail.com (Ejner Fergo) Date: Wed, 14 Jan 2015 19:11:56 +0100 Subject: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups Message-ID: Hola, This is a response to: https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html Scott, maybe you already found the solution, but I've been banging my head with the same problem, albeit with a newer version of FreeIPA and OSX. I used this excellent howto to get started: http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8 Despite initial success, without secondary groups the OSX integration doesn't really make sense.
I managed to get it working though, by doing this: In the "Search & Mappings" area of Directory Utility, change the "Search base" of the Groups record type from 'cn=groups,cn=accounts,dc=example,dc=com' to 'cn=groups,cn=compat,dc=example,dc=com' ( so compat instead of accounts). In Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might have to map to 'member' in FreeIPA 3.0. With these settings, doing an 'id user' on OSX shows all secondary groups, even indirect group membership! I still have to test and figure stuff out about ssh and sudo on the OSX side of things, but that isn't as important as having group access control. Hope it helps! Best regards, Ejner Fergo -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Wed Jan 14 18:28:38 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 14 Jan 2015 13:28:38 -0500 Subject: [Freeipa-users] Can I revert back the hostname on client In-Reply-To: <54B62B18.9020501@redhat.com> References: <54B62B18.9020501@redhat.com> Message-ID: <54B6B556.4010502@redhat.com> On 01/14/2015 03:38 AM, Petr Spacek wrote: > Hello, > > On 14.1.2015 06:13, Rakesh Rajasekharan wrote: >> Freeipa changes the hostname to FQDN. But in our exisitng set up that can >> cause issues . > Could you be more specific? It would help if we had detailed bug reports about > this but up to know everybody just said 'I need non-FQDN hostname' but did not > add any details :-) > > What doesn't work? > >> Can I revert back the hostname to previous value once the client >> installation is complete. > You might see all sorts of breakages related to Kerberos, sorry. > >> I am fine with server having a FQDN. You can tell SSSD to use a different hostname instead of the one the host actually uses. See SSSD man pages for that. 
You might also need to do a similar thing with krb5.conf by setting dns_canonicalize_hostname and make sure your DNS can actually resolve the short hostnames to FQDNs -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From dpal at redhat.com Wed Jan 14 18:34:37 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 14 Jan 2015 13:34:37 -0500 Subject: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups In-Reply-To: References: Message-ID: <54B6B6BD.7060403@redhat.com> On 01/14/2015 01:11 PM, Ejner Fergo wrote: > Hola, > > This is a response to: > https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html > > Scott, maybe you already found the solution, but I've been banging my > head with the same problem, albeit with a newer version of FreeIPA and > OSX. I used this excellent howto to get started: > http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8 > > Despite initial success, without secondary groups the OSX integration > doesn't really make sense. I managed to get it working though, by > doing this: > > In the "Search & Mappings" area of Directory Utility, change the > "Search base" of the Groups record type from > 'cn=groups,cn=accounts,dc=example,dc=com' to > 'cn=groups,cn=compat,dc=example,dc=com' ( so compat instead of > accounts). In Groups add the attribute 'GroupMembership' mapped to > 'memberUID'. You might have to map to 'member' in FreeIPA 3.0. > > With these settings, doing an 'id user' on OSX shows all secondary > groups, even indirect group membership! > > I still have to test and figure stuff out about ssh and sudo on the > OSX side of things, but that isn't as important as having group access > control. > > Hope it helps! > > Best regards, > Ejner Fergo > > > > > > Thanks for sharing! So this seems to mean that Mac expects 2307 schema instead of the 2307bis. So yes pointing to compat tree would be the right approach. Can we document it somewhere? -- Thank you, Dmitri Pal Sr.
Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From orion at cora.nwra.com Wed Jan 14 21:04:48 2015 From: orion at cora.nwra.com (Orion Poplawski) Date: Wed, 14 Jan 2015 14:04:48 -0700 Subject: [Freeipa-users] Broken krb5.conf after ipa-server-install Message-ID: <54B6D9F0.1000603@cora.nwra.com> After running ipa-server-install like this:

ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXX --http_pkcs12=nwra.com.p12 --http_pin=XXX --idstart=8000

I'm not configuring bind.

I ended up with a broken krb5.conf with entries like:

[libdefaults]
 default_realm = #

[realms]
 NWRA.COM = {
  kdc = server.nwra.com:88
  master_kdc = server.nwra.com:88
  admin_server = server.nwra.com:749
  default_domain = nwra.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

# = {
  kdc = server.nwra.com:88
  admin_server = server.nwra.com:749
}

[domain_realm]
 .nwra.com = NWRA.COM
 nwra.com = NWRA.COM

# = #
.# = #

Any idea where the #'s are coming from?
ipa-server-3.3.3-28.el7_0.3.x86_64 -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion at nwra.com Boulder, CO 80301 http://www.nwra.com From dpal at redhat.com Wed Jan 14 21:16:02 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 14 Jan 2015 16:16:02 -0500 Subject: [Freeipa-users] Broken krb5.conf after ipa-server-install In-Reply-To: <54B6D9F0.1000603@cora.nwra.com> References: <54B6D9F0.1000603@cora.nwra.com> Message-ID: <54B6DC92.7070909@redhat.com> On 01/14/2015 04:04 PM, Orion Poplawski wrote: > After running ipa-server-install like this: > > ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat > /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt > --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXX --http_pkcs12=nwra.com.p12 > --http_pin=XXX --idstart=8000 > > I'm not configuring bind. > > I ended up with a broken krb5.conf with entries like: > > [libdefaults] > default_realm = # Probably from the krb5.conf template. I suspect it means that host name was empty and replacement did not do anything. Sounds like host name resolution problem to me. > [realms] > NWRA.COM = { > kdc = server.nwra.com:88 > master_kdc = server.nwra.com:88 > admin_server = server.nwra.com:749 > default_domain = nwra.com > pkinit_anchors = FILE:/etc/ipa/ca.crt > } > > # = { > kdc = server.nwra.com:88 > admin_server = server.nwra.com:749 > } > > [domain_realm] > .nwra.com = NWRA.COM > nwra.com = NWRA.COM > > # = # > .# = # > > Any idea where the #'s are coming from? > > ipa-server-3.3.3-28.el7_0.3.x86_64 > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. 
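A way to catch this kind of template residue before anything relies on the generated file, added here as an example; it is not FreeIPA code and not from anyone in this thread. It parses krb5.conf literally (libkrb5 treats a line whose first non-blank character is '#' as a comment, which is exactly why the leftover '#' stanzas are easy to overlook) and flags values that are not realm or host names. Both sample configs are constructed from the excerpt above; the "fixed" variant assumes NWRA.COM and server.nwra.com were the intended substitutions.

```python
"""Lint a krb5.conf for template-substitution residue.

Added example, not FreeIPA's own code. Parses the small krb5.conf grammar
([section] headers, key = value lines, and NAME = { ... } blocks) and reports
values that cannot be a realm or host name, such as the lone '#' left behind
when the installer's hostname variable was empty.
"""
import re

# Constructed sample modelled on the broken file pasted in the thread.
BROKEN_KRB5_CONF = """\
[libdefaults]
 default_realm = #

[realms]
 NWRA.COM = {
  kdc = server.nwra.com:88
  master_kdc = server.nwra.com:88
  admin_server = server.nwra.com:749
  default_domain = nwra.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

# = {
  kdc = server.nwra.com:88
  admin_server = server.nwra.com:749
}

[domain_realm]
 .nwra.com = NWRA.COM
 nwra.com = NWRA.COM

# = #
.# = #
"""

# Constructed for contrast: the same file with the placeholders filled in
# (assumes NWRA.COM / server.nwra.com were the intended values).
FIXED_KRB5_CONF = """\
[libdefaults]
 default_realm = NWRA.COM

[realms]
 NWRA.COM = {
  kdc = server.nwra.com:88
  master_kdc = server.nwra.com:88
  admin_server = server.nwra.com:749
  default_domain = nwra.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .nwra.com = NWRA.COM
 nwra.com = NWRA.COM
"""

# A realm or DNS name: alphanumerics, dots and hyphens, nothing else.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def parse_krb5_conf(text):
    """Return (flat, blocks): flat[section][key] = value for plain keys,
    blocks[section][name][key] = value for NAME = { ... } stanzas.

    Deliberately literal: libkrb5 would skip '#'-led lines as comments, but
    the goal here is to see that residue, so every line is examined.
    """
    section = None
    block = None
    flat = {}
    blocks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            block = None
            flat.setdefault(section, {})
            blocks.setdefault(section, {})
            continue
        if section is None:
            continue  # ignore anything before the first section header
        if line == "}":
            block = None
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = key
            blocks[section][block] = {}
        elif block is not None:
            blocks[section][block][key] = value
        else:
            flat[section][key] = value
    return flat, blocks


def lint_krb5_conf(text):
    """Return a list of human-readable problems; an empty list means the file looks sane."""
    flat, blocks = parse_krb5_conf(text)
    problems = []
    default_realm = flat.get("libdefaults", {}).get("default_realm", "")
    if not NAME_RE.match(default_realm):
        problems.append("libdefaults: default_realm is %r, not a realm name" % default_realm)
    elif default_realm not in blocks.get("realms", {}):
        problems.append("libdefaults: default_realm %s has no [realms] stanza" % default_realm)
    for realm, kv in blocks.get("realms", {}).items():
        if not NAME_RE.match(realm):
            problems.append("realms: stanza name %r is not a realm name" % realm)
        for key in ("kdc", "admin_server"):
            if key in kv:
                host = kv[key].split(":")[0]  # strip an optional :port
                if not NAME_RE.match(host):
                    problems.append("realms/%s: %s host %r is not a host name" % (realm, key, host))
    for domain, realm in flat.get("domain_realm", {}).items():
        if not NAME_RE.match(domain.lstrip(".")) or not NAME_RE.match(realm):
            problems.append("domain_realm: mapping %r = %r is malformed" % (domain, realm))
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        found = lint_krb5_conf(conf)
        print("%s: %d problem(s)" % (name, len(found)))
        for p in found:
            print("  " + p)
```

Run it against /etc/krb5.conf right after ipa-server-install; any report from the [libdefaults] or [realms] checks means the installer wrote an empty hostname into its template, so confirm `hostname -f` returns the FQDN and that it resolves forward and reverse before re-running the install.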
From abokovoy at redhat.com Wed Jan 14 21:16:36 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 14 Jan 2015 23:16:36 +0200 Subject: [Freeipa-users] Broken krb5.conf after ipa-server-install In-Reply-To: <54B6D9F0.1000603@cora.nwra.com> References: <54B6D9F0.1000603@cora.nwra.com> Message-ID: <20150114211636.GA23679@redhat.com> On Wed, 14 Jan 2015, Orion Poplawski wrote: >After running ipa-server-install like this: > >ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat >/etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt >--dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXX --http_pkcs12=nwra.com.p12 >--http_pin=XXX --idstart=8000 > >I'm not configuring bind. > >I ended up with a broken krb5.conf with entries like: > >[libdefaults] > default_realm = # > >[realms] > NWRA.COM = { > kdc = server.nwra.com:88 > master_kdc = server.nwra.com:88 > admin_server = server.nwra.com:749 > default_domain = nwra.com > pkinit_anchors = FILE:/etc/ipa/ca.crt >} > ># = { > kdc = server.nwra.com:88 > admin_server = server.nwra.com:749 >} > >[domain_realm] > .nwra.com = NWRA.COM > nwra.com = NWRA.COM > ># = # >.# = # > >Any idea where the #'s are coming from? > >ipa-server-3.3.3-28.el7_0.3.x86_64 /var/log/ipaserver-install.log and ipaclient-install.log have all the details. You may send them off-list. 
-- / Alexander Bokovoy From john.obaterspok at gmail.com Wed Jan 14 21:16:46 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Wed, 14 Jan 2015 22:16:46 +0100 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: <20150112091343.GO16288@redhat.com> References: <20150109091123.GM16288@redhat.com> <20150109171201.GN16288@redhat.com> <20150111153323.GB8082@hendrix.brq.redhat.com> <20150112091343.GO16288@redhat.com> Message-ID: 2015-01-12 10:13 GMT+01:00 Alexander Bokovoy : > On Mon, 12 Jan 2015, John Obaterspok wrote: > >> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek : >> >> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote: >>> > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi >> >: >>> > >>> > > To get the whole root environment you have to run >>> > > su - root >>> > > did you try with it? >>> > > >>> > >>> > ahh... that works fine Gianluca! >>> > >>> > Final question, if I have a file on the share like: >>> > [john at ipaserver mountpoint]$ ll test.txt >>> > -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt >>> > >>> > Should I be able to access it if I acquire an admin ticket?
Currently I >>> get > Permission denied >>> > >>> > [john at ipaserver mountpoint]$ id >>> > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john) >>> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >>> > >>> > [john at ipaserver mountpoint]$ getfacl test.txt >>> > # file: test.txt >>> > # owner: root >>> > # group: admins >>> > user::rwx >>> > group::r-- >>> > other::--- >>> > >>> > [john at ipaserver mountpoint]$ id admin >>> > uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins) >>> > >>> > [john at ipaserver mountpoint]$ klist >>> > Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf >>> > Default principal: admin at MY.LAN >>> > >>> > Valid starting Expires Service principal >>> > 2015-01-11 10:43:52 2015-01-12 10:43:50 krbtgt/MY.LAN at MY.LAN >>> > >>> > [john at ipaserver mountpoint]$ cat test.txt >>> > cat: test.txt: Permission denied >>> >>> Looks like your account needs to be in the 'admins' group in order to >>> access the file. >>> >>> Acquiring the admin ticket doesn't switch the user ID nor add you to the >>> group.. >>> >>> >>> I thought the krb5 mount option would allow ticket based access to the >> file. >> Is the purpose of the krb5 mount option just used during mounting of the >> share? Otherwise I see no difference compared to not using krb5 mount >> option!? >> > Its purpose is authentication. After you have been successfully > recognized by the server, both client and server need to map your > identity while authorizing your access to actual files. > > In CIFS there are two types of access control which are applied at the > same time: > - ACLs per file or directory > - POSIX access control based on uid/gid of a process that accesses the > file or directory > > Client-side checks in cifs.ko can be switched off by noperm option.
In > this case server side will be doing actual access enforcement, using the > uid/gid mapped on the server side (based on the Kerberos principal), > unless CIFS Unix Extensions were negotiated between cifs.ko and the > server. In the latter case client will pass uid/gid of a client to the > server and server will do the actual check using them instead of > discovering them based on the authentication token. > > In case where there is a common identity store in use with Kerberos, it > is often better to use cifs.ko option multiuser which will imply noperm > and server will be doing all the checks. Simo also added that "You need to pass the 'multiuser' option at mount time for that, the default for cifs.ko is still to just use the mount credentials." Well, I was actually using multiuser in the original test where I got "permission denied" but there is something weird going on. mount -t cifs //ipaserver.MY.LAN/Share -o sec=krb5,multiuser mountpoint (I also tried -o sec=krb5,multiuser,cache=none) Anyway, it works if I do the mount as root and then user john gets the admin ticket *before* going to the share. Then it doesn't matter if I do kdestroy, I can still access a file that would require admin ticket. If I remount the share and go to share as john without admin ticket I can't access a file that would require admin ticket. If I get an admin ticket then I'm still not able to access the file. [john at ipaserver mountpoint]$ ll test.txt -rwxr-----.
1 root admins 12 11 jan 10.42 test.txt [john at ipaserver mountpoint]$ cat test.txt Hello World [john at ipaserver mountpoint]$ id john uid=1434400004(john) gid=1434400004(john) groups=1434400004(john),1434400010(mediafiles) [john at ipaserver mountpoint]$ klist Ticket cache: KEYRING:persistent:1434400004:krb_ccache_Ri45Eiw Default principal: admin at MY.LAN Valid starting Expires Service principal 2015-01-14 21:54:24 2015-01-15 21:53:57 cifs/ipaserver.MY.LAN at MY.LAN 2015-01-14 21:53:59 2015-01-15 21:53:57 krbtgt/MY.LAN at MY.LAN [john at ipaserver mountpoint]$ kdestroy [john at ipaserver mountpoint]$ klist klist: Credentials cache keyring 'persistent:1434400004:krb_ccache_Ri45Eiw' not found [john at ipaserver mountpoint]$ cat test.txt Hello World [john at ipaserver mountpoint]$ klist klist: Credentials cache keyring 'persistent:1434400004:krb_ccache_Ri45Eiw' not found ------------------------------------------------------------- ---------- then remount share. john has non-admin ticket ---- ------------------------------------------------------------- [john at ipaserver mountpoint]$ id uid=1434400004(john) gid=1434400004(john) groups=1434400004(john),1434400010(mediafiles) kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [john at ipaserver mountpoint]$ klist Ticket cache: KEYRING:persistent:1434400004:krb_ccache_RiwpwLT Default principal: john at MY.LAN Valid starting Expires Service principal 2015-01-14 22:16:00 2015-01-15 22:15:55 cifs/ipaserver.MY.LAN at MY.LAN 2015-01-14 22:15:58 2015-01-15 22:15:55 krbtgt/MY.LAN at MY.LAN [john at ipaserver mountpoint]$ ll test.txt -rwxr-----. 
1 root admins 12 11 jan 10.42 test.txt [john at ipaserver mountpoint]$ cat test.txt cat: test.txt: Permission denied [john at ipaserver mountpoint]$ kinit admin Password for admin at MY.LAN: [john at ipaserver mountpoint]$ cat test.txt cat: test.txt: Permission denied [john at ipaserver mountpoint]$ klist Ticket cache: KEYRING:persistent:1434400004:krb_ccache_H7RvRpA Default principal: admin at MY.LAN Valid starting Expires Service principal 2015-01-14 22:16:24 2015-01-15 22:16:22 krbtgt/MY.LAN at MY.LAN Any ideas? -- john -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Wed Jan 14 21:49:49 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 14 Jan 2015 23:49:49 +0200 Subject: [Freeipa-users] Mount cifs share using kerberos In-Reply-To: References: <20150109171201.GN16288@redhat.com> <20150111153323.GB8082@hendrix.brq.redhat.com> <20150112091343.GO16288@redhat.com> Message-ID: <20150114214949.GB23679@redhat.com> On Wed, 14 Jan 2015, John Obaterspok wrote: >2015-01-12 10:13 GMT+01:00 Alexander Bokovoy : > >> On Mon, 12 Jan 2015, John Obaterspok wrote: >> >>> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek : >>> >>> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote: >>>> > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi >>> >: >>>> > >>>> > > To get the whole root environment you have to run >>>> > > su - root >>>> > > did you try with it? >>>> > > >>>> > >>>> > ahh... that works fine Gianluca! >>>> > >>>> > Final question, if I have a file on the share like: >>>> > [john at ipaserver mountpoint]$ ll test.txt >>>> > -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt >>>> > >>>> > Should I be able to access it if I acquire an admin ticket?
Currently I >>>> get >>>> > Permission denied >>>> > >>>> > [john at ipaserver mountpoint]$ id >>>> > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john) >>>> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >>>> > >>>> > [john at ipaserver mountpoint]$ getfacl test.txt >>>> > # file: test.txt >>>> > # owner: root >>>> > # group: admins >>>> > user::rwx >>>> > group::r-- >>>> > other::--- >>>> > >>>> > [john at ipaserver mountpoint]$ id admin >>>> > uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins) >>>> > >>>> > [john at ipaserver mountpoint]$ klist >>>> > Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf >>>> > Default principal: admin at MY.LAN >>>> > >>>> > Valid starting Expires Service principal >>>> > 2015-01-11 10:43:52 2015-01-12 10:43:50 krbtgt/MY.LAN at MY.LAN >>>> > >>>> > [john at ipaserver mountpoint]$ cat test.txt >>>> > cat: test.txt: Permission denied >>>> >>>> Looks like your account needs to be in the 'admins' group in order to >>>> access the file. >>>> >>>> Acquiring the admin ticket doesn't switch the user ID nor add you to the >>>> group.. >>>> >>>> >>>> I thought the krb5 mount option would allow ticket based access to the >>> file. >>> Is the purpose of the krb5 mount option just used during mounting of the >>> share? Otherwise I see no difference compared to not using krb5 mount >>> option!? >>> >> Its purpose is authentication. After you have been successfully >> recognized by the server, both client and server need to map your >> identity while authorizing your access to actual files. >> >> In CIFS there are two types of access control which are applied at the >> same time: >> - ACLs per file or directory >> - POSIX access control based on uid/gid of a process that accesses the >> file or directory >> >> Client-side checks in cifs.ko can be switched off by noperm option.
In >> this case server side will be doing actual access enforcement, using the >> uid/gid mapped on the server side (based on the Kerberos principal), >> unless CIFS Unix Extensions were negotiated between cifs.ko and the >> server. In the latter case client will pass uid/gid of a client to the >> server and server will do the actual check using them instead of >> discovering them based on the authentication token. >> >> In case where there is a common identity store in use with Kerberos, it >> is often better to use cifs.ko option multiuser which will imply noperm >> and server will be doing all the checks. > > >Simo also added that "You need to pass the 'multiuser' option at mount time >for that, the >default for cifs.ko is still to just use the mount credentials." > >Well, I were actually using multiuser in the original test where I got >"permission denied" but there is something weird going on. Nothing weird (tl;dr). >mount -t cifs //ipaserver.MY.LAN/Share -o sec=krb5,multiuser mountpoint (I >also tried -o sec=krb5,multiuser,cache=none) > >Anyway, it works if I do the mount as root and then as user john gets the >admin ticket *before* going to the share. Then it doesn't matter if I do >kdestroy, I can still access a file that would require admin ticket. >If I remount the share and go to share as john without admin ticket I can't >access a file that would require admin ticket. If I get an admin ticket >then I'm still not able to access the file. Kerberos authentication happens when you first access the share as a new user -- cifs.ko will ask userspace to provide Kerberos credentials to the kernel so that negotiation can happen. Once it is done, the credentials are valid until the actual Kerberos ticket expires or until session expires. So when you access file as john while having admin ticket, you get admin ticket used for multiuser access. Destroying ccache does not affect already performed negotiation. 
When you remount, previous credentials that cifs.ko used are cleaned, thus cannot be used. If you try to access the mount point as 'john' without Kerberos credentials, you'd be negotiating an anonymous connection which would only succeed if the share is allowed to connect to anonymously (guest ok = yes). However, you accessed the share with john Kerberos credentials. These credentials were negotiated and will be valid until the connection is dropped or ticket expires, whichever event comes first. In fact, cifs.ko expires sessions periodically but I was unable to find exact expiration time myself. -- / Alexander Bokovoy From edewata at redhat.com Thu Jan 15 01:31:12 2015 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 14 Jan 2015 19:31:12 -0600 Subject: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail In-Reply-To: References: Message-ID: <54B71860.1040606@redhat.com> Hi, I need some information from you. Which versions of the PKI packages that you are using on the CentOS 6.6 and 7.0 machines? Could you email me the PKI CA debug logs (/var/log/pki-ca/debug or /var/log/pki/pki-tomcat/ca/debug) from both machines? There's a possibility it may be related to this ticket: https://fedorahosted.org/pki/ticket/1235 Thanks. -- Endi S. Dewata On 1/13/2015 7:59 PM, Jim Richard wrote: > Carefully following the instructions here: > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html > > I have split one of my CentOS 6.6 based replicas from the main cluster > of 4 IDM servers, fully disconnected it from current IDM infrastructure, > converted it to a master CA, double checked that I have no > dangling/tombstone entries pointing back to other cluster members, > ipa-replica-manage list and ipa-replica-manage list-ruv both show no > other masters, in short, made absolutely sure that this replica is now a > standalone.
> > I then applied the schema updates via the python script per the above > referenced instructions, did 'ipa-replica-prepare', deployed a new > CentOS 7 vm, yum install ipa-server there, scp'd over the replica file. > > Next up, "ipa-replica-install --setup-ca". > > And that's where the story ends... > > Done configuring directory server (dirsrv). > Configuring certificate server (pki-tomcatd): Estimated time 3 minutes > 30 seconds > [1/19]: creating certificate server user > [2/19]: configuring certificate server instance > ipa : CRITICAL failed to configure ca instance Command > '/usr/sbin/pkispawn -s CA -f /tmp/tmpM9BzPz' returned non-zero exit status 1 > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > Configuration of CA failed > > > I tried the workaround mentioned here: > > https://fedorahosted.org/pki/ticket/816 > > updated /usr/share/pki/ca/conf/CS.cfg before running ipa-replica-install > > But no luck. > > Anybody have a clue where I should look? > > From pki-ca-spawn.20150114014019.log: > 2015-01-14 01:40:32 pkispawn : ERROR ....... Exception from Java > Configuration Servlet: Failed to obtain installation token from security > domain > > and in /var/log/pki/pki-tomcat/ca/server I have: > > 2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [3] [3] Cannot > build CA chain. Error java.security.cert.CertificateException: > Certificate is not a PKCS #11 certificate > 2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [13] [3] authz > instance DirAclAuthz initialization failed and skipped, error=Property > internaldb.ldapconn.port missing value > > > more info that might help... > > > [root at sso-centos7 pki]# certutil -L -d /var/lib/pki/pki-tomcat/alias > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > Server-Cert cert-pki-ca CTu,Cu,Cu > Certificate Authority - PLACEIQ.NET > CT,c, > > My CS.cfg is attached.
> > > > Maybe the fact that my new server is looking at the same DNS and can see > the SRV records for the current CentOS 6.6/IDM 3.0 cluster is causing a > problem ?? > > Of course I have uninstalled and done this a zillion times: > > pkidestroy -s CA -i pki-tomcat > rm -rf /var/log/pki/pki-tomcat > rm -rf /etc/sysconfig/pki-tomcat > rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat > rm -rf /var/lib/pki/pki-tomcat > rm -rf /etc/pki/pki-tomcat > > > I'm at a loss, no idea even where to look at this point. > > > Thanks in advance for any clues you can provide. > > > > > > Jim Richard | PlaceIQ > | > Systems Administrator | jrichard at placeiq.com > | +1 (646) 338-8905 > > > > > > From notify.sina at gmail.com Thu Jan 15 02:34:12 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Thu, 15 Jan 2015 02:34:12 +0000 Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04 Message-ID: Hi List Please is it really possible to have Debian and Ubuntu serve as IPA clients? I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted. I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that are there any alternatives? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: From nkinder at redhat.com Thu Jan 15 04:18:02 2015 From: nkinder at redhat.com (Nathan Kinder) Date: Wed, 14 Jan 2015 20:18:02 -0800 Subject: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container Message-ID: <54B73F7A.3080606@redhat.com> Hi, I'm running into a strange problem related to ntpd when trying to use IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and adelton/freeipa-client:fedora-21 docker images. Basically, the client install hangs when it runs ntpd.
This is reproducible on two different docker hosts of mine, so it will probably easily reproduce for others as well. Below are the steps I'm using. Install IPA server in F21 container: -------------------------------------------------------------------- [root at localhost ~]# docker run --name freeipa-server-container -d -h ipa.example.test -e PASSWORD=Secret123 adelton/freeipa-server:fedora-21 875007ab561ff62ea45dde5e8a5e320a209c63b3c8fc52bd4ca7b22561d1bbf0 [root at localhost ~]# docker logs freeipa-server-container ... FreeIPA server configured. Go loop. -------------------------------------------------------------------- Install IPA client in F21 container and link it to the IPA server container. This will hang indefinitely when it tries to run ntpd to sync the time before getting the admin ticket: -------------------------------------------------------------------- [root at localhost ~]# docker run --name client -h client.example.test --link freeipa-server-container:ipa -e PASSWORD=Secret123 -e IPA_CLIENT_INSTALL="--debug" -it adelton/freeipa-client:fedora-21 ... Synchronizing time with KDC... Search DNS for SRV record of _ntp._udp.example.test DNS record found: 0 100 123 ipa.example.test. Starting external process args='/usr/sbin/ntpd' '-qgc' '/tmp/tmpRhhyCz' -------------------------------------------------------------------- If I use nsenter to go into the client container and kill ntpd, the install continues and completes. I also confirmed that the ntpd config file that we create in /tmp is correct. From within the client container (via nsenter), running 'ntpd -qgc' with a conf file that points to the IPA server just loops endlessly. I looked into the IPA server container, and ntpd is not running. The ipaserver-install.log shows that it attempts to start (which returns 0), but the service is not active afterwards: -------------------------------------------------------------------- ... 
2015-01-14T22:57:02Z DEBUG [4/4]: starting ntpd 2015-01-14T22:57:02Z DEBUG Starting external process 2015-01-14T22:57:02Z DEBUG args='/bin/systemctl' 'start' 'ntpd.service' 2015-01-14T22:57:03Z DEBUG Process finished, return code=0 2015-01-14T22:57:03Z DEBUG stdout= 2015-01-14T22:57:03Z DEBUG stderr= 2015-01-14T22:57:03Z DEBUG Starting external process 2015-01-14T22:57:03Z DEBUG args='/bin/systemctl' 'is-active' 'ntpd.service' 2015-01-14T22:57:04Z DEBUG Process finished, return code=3 2015-01-14T22:57:04Z DEBUG stdout=inactive 2015-01-14T22:57:04Z DEBUG stderr= 2015-01-14T22:57:04Z DEBUG duration: 1 seconds 2015-01-14T22:57:04Z DEBUG Done configuring NTP daemon (ntpd). ... -------------------------------------------------------------------- It seems that this causes ntpd on the F21 client to just loop endlessly since it never sees a response. We use ntpdate on F20, which bails out and skips the time update on a F20 client when the server is unavailable: -------------------------------------------------------------------- ... 2015-01-15T03:29:11Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.example.test 2015-01-15T03:29:11Z DEBUG Process finished, return code=1 2015-01-15T03:29:11Z DEBUG stdout= 2015-01-15T03:29:11Z DEBUG stderr= 2015-01-15T03:29:11Z DEBUG Starting external process 2015-01-15T03:29:11Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.example.test 2015-01-15T03:29:11Z DEBUG Process finished, return code=1 2015-01-15T03:29:11Z DEBUG stdout= 2015-01-15T03:29:11Z DEBUG stderr= 2015-01-15T03:29:11Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. ... -------------------------------------------------------------------- I can do a 'systemctl start ntpd.service' on the IPA server container, and it does start up successfully. It never seems to automatically start though, even if I restart the IPA server docker container. 
I did confirm that ntpd.service is enabled with systemctl, yet it doesn't start automatically. The /sbin/ipa-server-configure-first entrypoint script for the server image does a 'systemctl start-enabled' to bring up all of the services, which results in this output in /var/log/systemctl.log:

--------------------------------------------------------------------
[start-enabled]
[start ntpd.service]
Running [export OPTIONS="-g -x"; /usr/sbin/ntpd -u ntp:ntp $OPTIONS]
Marked pid [15] for [ntpd.service]
Marked process name [/usr/sbin/ntpd] for [ntpd.service]
...
--------------------------------------------------------------------

This is the same log output that is generated if I manually run 'systemctl start ntpd.service' from within the container, but the ntpd process stays around when I start it this way. It's hard to tell what might be happening to ntpd, as there is no journal in the container.

I'm continuing to debug this, but I thought I'd share my findings thus far in case anyone else has seen this or has any ideas for tracking the problem down. Any ideas?

Thanks,
-NGK

From jpazdziora at redhat.com Thu Jan 15 08:01:43 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 15 Jan 2015 09:01:43 +0100
Subject: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container
In-Reply-To: <54B73F7A.3080606@redhat.com>
References: <54B73F7A.3080606@redhat.com>
Message-ID: <20150115080143.GA13907@redhat.com>

On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote:
> Hi,
>
> I'm running into a strange problem related to ntpd when trying to use IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and adelton/freeipa-client:fedora-21 docker images. Basically, the client install hangs when it runs ntpd. This is reproducible on two different docker hosts of mine, so it will probably easily reproduce for others as

[...]

> The /sbin/ipa-server-configure-first entrypoint script for the server image does a 'systemctl start-enabled' to bring up all of the services, which results in this output in /var/log/systemctl.log:
>
> --------------------------------------------------------------------
> [start-enabled]
> [start ntpd.service]
> Running [export OPTIONS="-g -x"; /usr/sbin/ntpd -u ntp:ntp $OPTIONS]
> Marked pid [15] for [ntpd.service]
> Marked process name [/usr/sbin/ntpd] for [ntpd.service]
> ...
> --------------------------------------------------------------------
>
> This is the same log output that is generated if I manually run 'systemctl start ntpd.service' from within the container, but the ntpd process stays around when I start it this way. It's hard to tell what might be happening to ntpd, as there is no journal in the container.
>
> I'm continuing to debug this, but I thought I'd share my findings thus far in case anyone else has seen this or has any ideas for tracking the problem down. Any ideas?

You need to use --cap-add=SYS_TIME when running the server container or ntpd will fail. Even if you do that, SELinux will likely prevent ntpd from doing its job but at least it will stay around so that the client can connect to it.

What is interesting though is the fact that the client hangs indefinitely instead of reporting that it cannot sync the time and proceeding.
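As an added example (editor's code, not part of this message and not from the adelton images), a small check that decodes the capability masks a process reports in /proc/<pid>/status and says whether CAP_SYS_TIME, the capability ntpd keeps across its privilege drop, is actually available inside the container. The status text below is constructed; the mask 0xa80425fb it uses is Docker's default capability set, which lacks CAP_SYS_TIME.

```python
# Added example (not from the thread or the adelton images): decode the
# capability masks a process reports in /proc/<pid>/status and say whether
# ntpd could adjust the clock. Bit numbers follow linux/capability.h.
import os

CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP",
}
CAP_SYS_TIME = 25


def parse_cap_masks(status_text):
    """Return the Cap* fields of a /proc/<pid>/status dump as integers."""
    masks = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks


def decode_caps(mask):
    """List the capability names present in a 64-bit mask."""
    return [CAP_NAMES.get(bit, "CAP_%d" % bit)
            for bit in range(64) if (mask >> bit) & 1]


def has_cap(mask, cap):
    return bool((mask >> cap) & 1)


def diagnose_ntpd(status_text):
    """Explain, from the masks alone, whether ntpd could step/slew the clock.

    ntpd started with -u ntp:ntp tries to keep CAP_SYS_TIME while dropping
    root; if the capability is not permitted, it exits instead of running.
    """
    masks = parse_cap_masks(status_text)
    eff = masks.get("CapEff", 0)
    bnd = masks.get("CapBnd", 0)
    if has_cap(eff, CAP_SYS_TIME):
        return ("CAP_SYS_TIME effective: ntpd can call adjtimex(); SELinux on "
                "the host may still deny it (check the host audit log for AVCs)")
    if has_cap(bnd, CAP_SYS_TIME):
        return ("CAP_SYS_TIME in the bounding set but not effective: a process "
                "could still gain it by executing a setuid-root binary")
    return ("CAP_SYS_TIME absent from the bounding set: adjtimex() fails with "
            "EPERM; start the container with --cap-add=SYS_TIME")


# Constructed sample (not a real capture): the Cap* lines of a process in a
# container started with Docker's default capability set. 0xa80425fb is that
# default set; it does not include CAP_SYS_TIME (bit 25 = 0x02000000).
DEFAULT_CONTAINER_STATUS = (
    "Name:\tntpd\n"
    "Pid:\t15\n"
    "CapInh:\t00000000a80425fb\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)
# The same container run with --cap-add=SYS_TIME: bit 25 is set in every mask.
WITH_SYS_TIME_STATUS = DEFAULT_CONTAINER_STATUS.replace("a80425fb", "aa0425fb")


def main():
    for label, text in (("default caps", DEFAULT_CONTAINER_STATUS),
                        ("--cap-add=SYS_TIME", WITH_SYS_TIME_STATUS)):
        print("%s: %s" % (label, diagnose_ntpd(text)))
        print("  effective: %s" % ", ".join(
            decode_caps(parse_cap_masks(text)["CapEff"])))
    # On a Linux host, or via nsenter inside the container, check the
    # current process context as well.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as f:
            print("this process: %s" % diagnose_ntpd(f.read()))


if __name__ == "__main__":
    main()
```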
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

From lslebodn at redhat.com Thu Jan 15 08:06:54 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 15 Jan 2015 09:06:54 +0100
Subject: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container
In-Reply-To: <20150115080143.GA13907@redhat.com>
References: <54B73F7A.3080606@redhat.com> <20150115080143.GA13907@redhat.com>
Message-ID: <20150115080653.GD8966@mail.corp.redhat.com>

On (15/01/15 09:01), Jan Pazdziora wrote:
>On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote:
>> Hi,
>>
>> I'm running into a strange problem related to ntpd when trying to use IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and adelton/freeipa-client:fedora-21 docker images. Basically, the client install hangs when it runs ntpd. This is reproducible on two different docker hosts of mine, so it will probably easily reproduce for others as
>
>[...]
>
>> The /sbin/ipa-server-configure-first entrypoint script for the server image does a 'systemctl start-enabled' to bring up all of the services, which results in this output in /var/log/systemctl.log:
>>
>> --------------------------------------------------------------------
>> [start-enabled]
>> [start ntpd.service]
>> Running [export OPTIONS="-g -x"; /usr/sbin/ntpd -u ntp:ntp $OPTIONS]
>> Marked pid [15] for [ntpd.service]
>> Marked process name [/usr/sbin/ntpd] for [ntpd.service]
>> ...
>> --------------------------------------------------------------------
>>
>> This is the same log output that is generated if I manually run 'systemctl start ntpd.service' from within the container, but the ntpd process stays around when I start it this way. It's hard to tell what might be happening to ntpd, as there is no journal in the container.
>>
>> I'm continuing to debug this, but I thought I'd share my findings thus far in case anyone else has seen this or has any ideas for tracking the problem down. Any ideas?
>
>You need to use --cap-add=SYS_TIME when running the server container or ntpd will fail.

Could you add this important information to the https://registry.hub.docker.com/u/adelton/freeipa-server/?

LS

From genadipost at gmail.com Thu Jan 15 08:09:29 2015
From: genadipost at gmail.com (Genadi Postrilko)
Date: Thu, 15 Jan 2015 10:09:29 +0200
Subject: [Freeipa-users] IPA trust integration in AD Forests that been upgraded to higher functional level
In-Reply-To: <304872588.3242134.1420359461689.JavaMail.zimbra@redhat.com>
References: <304872588.3242134.1420359461689.JavaMail.zimbra@redhat.com>
Message-ID:

Sorry for the late response.
I can confirm that with 3.3.3-28.el7_0.3, I'm able to fetch the sub-domains and to log in with its users.
Thank you!

2015-01-04 10:17 GMT+02:00 Alexander Bokovoy:
> > Hello all.
> >
> > I'm working on integrating the AD trust feature in the forest of a large organization (its network is not connected to the internet).
> >
> > First I tested the trust in a "clean" environment (that I have deployed) to simulate the production forest deployment, in the following configuration:
> >
> > The forest root domain: red.com
> > Second domain tree: blue.com
> > IPA: linux.blue.com
> >
> > All the AD DCs are 2008 R2 servers with 2008 R2 functional level.
> > IPA server is installed on RHEL 7.
> > ipa-server-3.3.3-28.el7_0.1.x86_64
> > ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64
> > ipa-python-3.3.3-28.el7_0.1.x86_64
> >
> > With help of the mailing list, all works fine. Users from both red.com and blue.com are able to log into the IPA domain.
> >
> > After the success, I proceeded to test the trust in the organization's test environment.
> > The installation of the trust itself has completed successfully.
> > But although users from red.com were able to log into the IPA domain, users from blue.com couldn't.
> >
> > After checking the sssd logs it seemed as if the blue.com domain was unknown to IPA.
> > Therefore I ran "ipa trustdomain-find red.com" in both environments, to see if there are any differences.
> > And indeed there were:
> > While in the "clean" environment the command returned both the red.com and blue.com domains, in the organization's test environment it returned only red.com.
> > I tried to re-fetch the domain with "ipa trust-fetch-domains red.com" but it returned the message "No new trust domains were found".
> >
> > It made me think that maybe the AD is not returning all domains in the forest.
> > I opened wireshark on both environments and ran "ipa trust-fetch-domains red.com" to see what is being sent from AD to IPA.
> >
> > In both environments I saw the DsrEnumerateDomainTrusts request and response.
> > Reading the content of the response showed that in both environments, the response contained the red.com and blue.com domains.
> > After inspecting the structures that contain domain information (DS_DOMAIN_TRUSTS), I noticed that in both environments the TrustAttribute of red.com is set to 0x0000000.
> > But the TrustAttribute of blue.com is set to 0x00000020 (TRUST_ATTRIBUTE_WITHIN_FOREST) in the "clean" environment and to 0x00800000 in the test environment.
> >
> > Reading MSDN for TrustAttribute explains the following:
> > http://msdn.microsoft.com/en-us/library/cc223779.aspx
> >
> > (TRUST_ATTRIBUTE_WITHIN_FOREST)
> > 0x00000020
> > If this bit is set, then the trusted domain is within the same forest.
> > Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
> >
> > I couldn't find specific information about 0x00800000, only this:
> > 0x00400000 - 0x00800000
> > Previously used trust bits, and are obsolete.
> >
> > I did not find more information on 0x00800000 or a reason why the attributes would be different in the two deployments.
> > I asked for advice from a Microsoft IT guy in the organization. He said that the difference in the TrustAttribute is caused by the fact that the "clean" environment was created as Windows Server 2008, while the test (and production) forest was created as Windows 2000 servers (about 12 years ago) and the forest was gradually upgraded to 2003 and 2008 over the years.
> > I couldn't find more information on the attribute for Windows Server 2000/2003, but the theory sounds quite logical.
> >
> > I decided to check if TrustAttribute influences IPA's domain fetch.
> > The fetch_domains function in /usr/lib/python2.7/site-packages/ipaserver/dcerpc.py contains the following lines of code:
> >
> >     trust_attributes = dict(
> >         NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001,
> >         NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002,
> >         NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004,
> >         NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008,
> >         NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010,
> >         NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020,
> >         NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040)
> >     .
> >     .
> >     .
> >
> >     result = []
> >     for t in domains.array:
> >         if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
> >             (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
> >             res = dict()
> >             res['cn'] = unicode(t.dns_name)
> >             res['ipantflatname'] = unicode(t.netbios_name)
> >             res['ipanttrusteddomainsid'] = unicode(t.sid)
> >             res['ipanttrustpartner'] = res['cn']
> >             result.append(res)
> >
> > The bit-wise operation is performed to check if the trust attribute is set to TRUST_ATTRIBUTE_WITHIN_FOREST (0x00000020) and if so, the trust is added to the result array.
> > It seems the value of TrustAttribute set to 0x00800000 is the reason the domain wasn't fetched.
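As an added example (editor's code, not FreeIPA's dcerpc.py and not part of Genadi's or Alexander's messages), the pre-fix filter quoted above beside the corrected test from the upstream ipa-3-3/ipa-4-1 branches (the NETR_TRUST_FLAG_PRIMARY check quoted later in this message), both run over constructed DsrEnumerateDomainTrusts records for the two forests described. The NETR_TRUST_FLAG_* values are taken from MS-NRPC and are not listed in the message; the SIDs are placeholders.

```python
# Added example (not FreeIPA code): the in-forest filter ipaserver/dcerpc.py
# applied to DsrEnumerateDomainTrusts output before the 3.3.3-28.el7_0.3 fix,
# beside the corrected test, run over constructed DS_DOMAIN_TRUSTS records for
# a "clean" forest and for one upgraded from Windows 2000 that carries an
# obsolete trustAttributes bit instead of WITHIN_FOREST.
from collections import namedtuple

# trustAttributes bits, as quoted from dcerpc.py in the thread.
TRUST_ATTRIBUTES = dict(
    NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE=0x00000001,
    NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY=0x00000002,
    NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN=0x00000004,
    NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE=0x00000008,
    NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION=0x00000010,
    NETR_TRUST_ATTRIBUTE_WITHIN_FOREST=0x00000020,
    NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL=0x00000040,
)
# DS_DOMAIN_TRUSTSW.Flags bits from MS-NRPC (not listed in the thread).
NETR_TRUST_FLAG_IN_FOREST = 0x00000001
NETR_TRUST_FLAG_TREEROOT = 0x00000004
NETR_TRUST_FLAG_PRIMARY = 0x00000008

# One DsrEnumerateDomainTrusts entry, with the field names dcerpc.py reads.
Trust = namedtuple("Trust", "dns_name netbios_name sid trust_flags trust_attributes")


def decode_trust_attributes(value):
    """Name the known attribute bits; report unknown/obsolete bits by value."""
    names = [name for name, bit in sorted(TRUST_ATTRIBUTES.items(), key=lambda kv: kv[1])
             if value & bit]
    known = sum(TRUST_ATTRIBUTES.values())
    for bit in range(32):
        if (value & (1 << bit)) and not (known & (1 << bit)):
            names.append("unknown:0x%08x" % (1 << bit))
    return names


def fetch_domains_old(trusts):
    """Pre-fix filter: the entry must carry WITHIN_FOREST in trustAttributes."""
    return [t.dns_name for t in trusts
            if (t.trust_attributes & TRUST_ATTRIBUTES["NETR_TRUST_ATTRIBUTE_WITHIN_FOREST"])
            and (t.trust_flags & NETR_TRUST_FLAG_IN_FOREST)]


def fetch_domains_fixed(trusts):
    """Fixed filter (ipa-3-3 / ipa-4-1): every in-forest entry except the one
    the answering DC is primary for, i.e. the forest root already stored as
    the trust itself. trustAttributes is no longer consulted."""
    return [t.dns_name for t in trusts
            if not (t.trust_flags & NETR_TRUST_FLAG_PRIMARY)
            and (t.trust_flags & NETR_TRUST_FLAG_IN_FOREST)]


# Constructed records (SIDs are placeholders, not real values).
ROOT = Trust("red.com", "RED", "S-1-5-21-1-1-1",
             NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_PRIMARY,
             0x00000000)
CLEAN_FOREST = [
    ROOT,
    Trust("blue.com", "BLUE", "S-1-5-21-2-2-2",
          NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT,
          TRUST_ATTRIBUTES["NETR_TRUST_ATTRIBUTE_WITHIN_FOREST"]),
]
UPGRADED_FOREST = [
    ROOT,
    Trust("blue.com", "BLUE", "S-1-5-21-2-2-2",
          NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT,
          0x00800000),  # obsolete bit instead of WITHIN_FOREST
]

if __name__ == "__main__":
    for label, forest in (("clean", CLEAN_FOREST), ("upgraded", UPGRADED_FOREST)):
        print("%s forest: old filter %s, fixed filter %s" % (
            label, fetch_domains_old(forest), fetch_domains_fixed(forest)))
        for t in forest:
            print("  %s trustAttributes=%s" % (t.dns_name,
                                               decode_trust_attributes(t.trust_attributes)))
```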
> >
> > To confirm it I changed the if statement to:
> >
> >         if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] or
> >              (t.trust_attributes & 0x00800000)) and
> >             (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
> >
> > Then I deleted and recreated the trust and finally ran "ipa trust-fetch-domains red.com" -
> > this time the blue.com domain did appear!
> > I was able to log in with users from both red.com and blue.com to the IPA domain.
> >
> > Checking both upstream 3.3 and 4.1 shows that the if statement was changed to:
> >
> >         if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and
> >             (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
> >
> > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-3-3#n1039
> > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-4-1#n1102
> >
> > At first sight it looks like blue.com will be fetched.
> > I haven't yet tested if upstream works in the test environment.
> >
> > Any thoughts on the subject will be great.
> > (I hope I'm not mentioning something that was solved long ago).
>
> The fix you see in the git repo was released in 3.3.3-28.el7_0.3, as https://rhn.redhat.com/errata/RHBA-2014-1828.html
>
> Can you please confirm that this version fixes the issue for you?
>
> --
> / Alexander Bokovoy

From pspacek at redhat.com Thu Jan 15 08:17:56 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 15 Jan 2015 09:17:56 +0100
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
In-Reply-To:
References:
Message-ID: <54B777B4.7010402@redhat.com>

On 15.1.2015 03:34, Sina Owolabi wrote:
> Hi List
>
> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that, are there any alternatives?

Please see http://www.freeipa.org/page/Troubleshooting#Client_Installation

If it does not help then please post more information about your problem, namely:
- exact package versions (keep in mind that "Wheezy" is a moving target)
- /var/log/ipaclient-install.log

Have a nice day!

--
Petr^2 Spacek

From jpazdziora at redhat.com Thu Jan 15 08:25:08 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 15 Jan 2015 09:25:08 +0100
Subject: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container
In-Reply-To: <20150115080653.GD8966@mail.corp.redhat.com>
References: <54B73F7A.3080606@redhat.com> <20150115080143.GA13907@redhat.com> <20150115080653.GD8966@mail.corp.redhat.com>
Message-ID: <20150115082508.GC13907@redhat.com>

On Thu, Jan 15, 2015 at 09:06:54AM +0100, Lukas Slebodnik wrote:
> >>
> >> I'm continuing to debug this, but I thought I'd share my findings thus far in case anyone else has seen this or has any ideas for tracking the problem down. Any ideas?
> >
> >You need to use --cap-add=SYS_TIME when running the server container or ntpd will fail.
>
> Could you add this important information to the https://registry.hub.docker.com/u/adelton/freeipa-server/?

As mentioned, it will not help you due to SELinux, so at this point I'd rather have people notified that the time sync does not happen than to have false assumptions.

I'll update the git repo README / image documentation once we know what exactly the plan with SELinux and the situation with Fedora 21 client blocking are. It is something I work on right now.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

From jcholast at redhat.com Thu Jan 15 08:26:07 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 15 Jan 2015 09:26:07 +0100
Subject: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?
In-Reply-To: <10B3317E-BC39-4744-9613-7298AB723E19@gmail.com>
References: <3B853E7A-697D-4710-B441-5177E40959D6@gmail.com> <49E5AF63-BB33-45FB-A722-6061D2B16081@gmail.com> <54B50468.3080504@redhat.com> <10B3317E-BC39-4744-9613-7298AB723E19@gmail.com>
Message-ID: <54B7799F.1070606@redhat.com>

Hi,

On 14.1.2015 at 14:54, Brian Topping wrote:
> Hi Martin, thanks for your response!
>
>>> What I realize now is the certificate CRL points to the server that no longer exists and I'd like to get that cleaned up. I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, is that relevant for my situation?
>>
>> Yes, this is the procedure to follow for servers older than FreeIPA 4.1. Jan, is that correct? If yes, the page deserves a warning/update.

This is the procedure to follow on IPA < 4.0. On IPA >= 4.0, the information about the renewal master is stored in LDAP, but you still have to handle the CRL master manually.

>>
>
> Ooof! I forgot that vendor repos were so far behind. I'm still at 3.3.3-28.
>
> Is it reasonable and desirable to run one of my two servers with the image documented at http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos? I'm interested in integrating Shiro or some other RBAC against IPA at some point in the next few months, but I'd wait if the Docker image is a prelude to 4.x hitting vendor repos soon.
>
> Cheers, Brian

Honza

--
Jan Cholasta

From lslebodn at redhat.com Thu Jan 15 08:36:34 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 15 Jan 2015 09:36:34 +0100
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
In-Reply-To: <54B777B4.7010402@redhat.com>
References: <54B777B4.7010402@redhat.com>
Message-ID: <20150115083634.GA12148@mail.corp.redhat.com>

On (15/01/15 09:17), Petr Spacek wrote:
>On 15.1.2015 03:34, Sina Owolabi wrote:
>> Hi List
>>
>> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
>> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
>> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that, are there any alternatives?
>
>Please see http://www.freeipa.org/page/Troubleshooting#Client_Installation
>
>If it does not help then please post more information about your problem, namely:
>- exact package versions (keep in mind that "Wheezy" is a moving target)

What do you mean by moving target?

wheezy is the codename for the latest release, Debian 7.8. It is also (currently) known as stable.

The most problematic part is that freeipa-client is not in the repositories of debian stable or debian testing (just debian unstable)
https://packages.debian.org/sid/freeipa-client

The bigger problem with wheezy and Ubuntu 12.04 is that they contain a very old version of sssd.
debian wheezy 1.8.4-2
https://packages.debian.org/search?suite=wheezy&arch=any&searchon=names&keywords=sssd
Ubuntu 12.04 1.8.2-0ubuntu1
http://packages.ubuntu.com/precise/sssd

NOTE: They may work but may contain bugs.

For Ubuntu 12.04, there is Timo's PPA repo which contains a new sssd.
https://launchpad.net/~sssd/+archive/ubuntu/updates

LS

From mkosek at redhat.com Thu Jan 15 09:23:28 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 15 Jan 2015 10:23:28 +0100
Subject: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups
In-Reply-To: <54B6B6BD.7060403@redhat.com>
References: <54B6B6BD.7060403@redhat.com>
Message-ID: <54B78710.7020005@redhat.com>

On 01/14/2015 07:34 PM, Dmitri Pal wrote:
> On 01/14/2015 01:11 PM, Ejner Fergo wrote:
>> Hola,
>>
>> This is a response to:
>> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
>>
>> Scott, maybe you already found the solution, but I've been banging my head with the same problem, albeit with a newer version of FreeIPA and OSX. I used this excellent howto to get started:
>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>
>> Despite initial success, without secondary groups the OSX integration doesn't really make sense. I managed to get it working though, by doing this:
>>
>> In the "Search & Mappings" area of Directory Utility, change the "Search base" of the Groups record type from 'cn=groups,cn=accounts,dc=example,dc=com' to 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts). In Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might have to map to 'member' in FreeIPA 3.0.
>>
>> With these settings, doing an 'id user' on OSX shows all secondary groups, even indirect group membership!
>>
>> I still have to test and figure stuff out about ssh and sudo on the OSX side of things, but that isn't as important as having group access control.
>>
>> Hope it helps!
>>
>> Best regards,
>> Ejner Fergo
>
> Thanks for sharing!
> So this seems to mean that Mac expects 2307 schema instead of the 2307bis.
> So yes pointing to compat tree would be the right approach.
>
> Can we document it somewhere?
I at least added this useful link to http://www.freeipa.org/page/HowTos#UNIX

If there is some better place, please feel free to update.

Martin

From pspacek at redhat.com Thu Jan 15 09:54:27 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 15 Jan 2015 10:54:27 +0100
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
In-Reply-To: <20150115083634.GA12148@mail.corp.redhat.com>
References: <54B777B4.7010402@redhat.com> <20150115083634.GA12148@mail.corp.redhat.com>
Message-ID: <54B78E53.7000701@redhat.com>

On 15.1.2015 09:36, Lukas Slebodnik wrote:
>>> Hi List
>>>
>>> Please is it really possible to have Debian and 2Ubuntu serve as IPA clients?
>>> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
>>> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that, are there any alternatives?
>>
>> Please see http://www.freeipa.org/page/Troubleshooting#Client_Installation
>>
>> If it does not help then please post more information about your problem, namely:
>> - exact package versions (keep in mind that "Wheezy" is a moving target)
> What do you mean by moving target?
>
> wheezy is the codename for the latest release, Debian 7.8. It is also (currently) known as stable.

Sure, but Debian allows package updates after release - or not?

I mean that "Debian Wheezy" does not necessarily identify a particular package version.
--
Petr^2 Spacek

From lslebodn at redhat.com Thu Jan 15 10:04:09 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 15 Jan 2015 11:04:09 +0100
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
In-Reply-To: <54B78E53.7000701@redhat.com>
References: <54B777B4.7010402@redhat.com> <20150115083634.GA12148@mail.corp.redhat.com> <54B78E53.7000701@redhat.com>
Message-ID: <20150115100408.GE12148@mail.corp.redhat.com>

On (15/01/15 10:54), Petr Spacek wrote:
>On 15.1.2015 09:36, Lukas Slebodnik wrote:
>>>> Hi List
>>>>
>>>> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
>>>> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
>>>> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that, are there any alternatives?
>>>
>>> Please see http://www.freeipa.org/page/Troubleshooting#Client_Installation
>>>
>>> If it does not help then please post more information about your problem, namely:
>>> - exact package versions (keep in mind that "Wheezy" is a moving target)
>> What do you mean by moving target?
>>
>> wheezy is the codename for the latest release, Debian 7.8. It is also (currently) known as stable.
>
>Sure, but Debian allows package updates after release - or not?

Each distribution allows package updates after release.
Where is the difference?
LS

From pspacek at redhat.com Thu Jan 15 10:06:40 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 15 Jan 2015 11:06:40 +0100
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
In-Reply-To: <20150115100408.GE12148@mail.corp.redhat.com>
References: <54B777B4.7010402@redhat.com> <20150115083634.GA12148@mail.corp.redhat.com> <54B78E53.7000701@redhat.com> <20150115100408.GE12148@mail.corp.redhat.com>
Message-ID: <54B79130.3020402@redhat.com>

On 15.1.2015 11:04, Lukas Slebodnik wrote:
> On (15/01/15 10:54), Petr Spacek wrote:
>> On 15.1.2015 09:36, Lukas Slebodnik wrote:
>>>>>>> Hi List
>>>>>>>
>>>>>>> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
>>>>>>> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
>>>>>>> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that, are there any alternatives?
>>>>>
>>>>> Please see http://www.freeipa.org/page/Troubleshooting#Client_Installation
>>>>>
>>>>> If it does not help then please post more information about your problem, namely:
>>>>> - exact package versions (keep in mind that "Wheezy" is a moving target)
>>> What do you mean by moving target?
>>>
>>> wheezy is the codename for the latest release, Debian 7.8. It is also (currently) known as stable.
>>
>> Sure, but Debian allows package updates after release - or not?
> Each distribution allows package updates after release.
> Where is the difference?

That is exactly the point - you should always include the package version in the bug report.

Can we please stop bike-shedding now?
--
Petr^2 Spacek

From ctcard at hotmail.com Thu Jan 15 13:16:55 2015
From: ctcard at hotmail.com (Chris Card)
Date: Thu, 15 Jan 2015 13:16:55 +0000
Subject: [Freeipa-users] FreeIPA and RADIUS
Message-ID:

What's the current status of IPA integration with FreeRADIUS?

This email from 2011, https://www.redhat.com/archives/freeipa-users/2011-October/msg00026.html, says "Integrating FreeRADIUS with IPA is on the long term roadmap." Is that still the case?

Chris

From tjaalton at debian.org Thu Jan 15 09:58:56 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Thu, 15 Jan 2015 11:58:56 +0200
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
In-Reply-To: <54B78E53.7000701@redhat.com>
References: <54B777B4.7010402@redhat.com> <20150115083634.GA12148@mail.corp.redhat.com> <54B78E53.7000701@redhat.com>
Message-ID: <54B78F60.8010209@debian.org>

On 15.01.2015 11:54, Petr Spacek wrote:
> On 15.1.2015 09:36, Lukas Slebodnik wrote:
>>>>>> Hi List
>>>>>>
>>>>>> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
>>>>>> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
>>>>>> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that, are there any alternatives?
>>>>
>>>> Please see http://www.freeipa.org/page/Troubleshooting#Client_Installation
>>>>
>>>> If it does not help then please post more information about your problem, namely:
>>>> - exact package versions (keep in mind that "Wheezy" is a moving target)
>> What do you mean by moving target?
>>
>> wheezy is the codename for the latest release, Debian 7.8. It is also (currently) known as stable.
>
> Sure, but Debian allows package updates after release - or not?
no new upstream releases, unless via $release-backports

> I mean that "Debian Wheezy" does not necessarily identify a particular package version.

..so it does, in practice.

--
t

From bill at pecknet.com Thu Jan 15 14:29:05 2015
From: bill at pecknet.com (Bill Peck)
Date: Thu, 15 Jan 2015 09:29:05 -0500
Subject: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?
In-Reply-To: <54B7799F.1070606@redhat.com>
References: <3B853E7A-697D-4710-B441-5177E40959D6@gmail.com> <49E5AF63-BB33-45FB-A722-6061D2B16081@gmail.com> <54B50468.3080504@redhat.com> <10B3317E-BC39-4744-9613-7298AB723E19@gmail.com> <54B7799F.1070606@redhat.com>
Message-ID:

On Thu, Jan 15, 2015 at 3:26 AM, Jan Cholasta wrote:
> Hi,
>
> On 14.1.2015 at 14:54, Brian Topping wrote:
>> Hi Martin, thanks for your response!
>>
>>>> What I realize now is the certificate CRL points to the server that no longer exists and I'd like to get that cleaned up. I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, is that relevant for my situation?
>>>
>>> Yes, this is the procedure to follow for servers older than FreeIPA 4.1. Jan, is that correct? If yes, the page deserves a warning/update.
>
> This is the procedure to follow on IPA < 4.0. On IPA >= 4.0, the information about the renewal master is stored in LDAP, but you still have to handle the CRL master manually.

I'm still not clear what needs to be done on IPA >= 4.0 when promoting a new CRL master. Can that page be updated to state these instructions are for IPA < 4.0 and include the manual piece you mention for IPA >= 4.0?

Thanks

>>> 
>> Ooof! I forgot that vendor repos were so far behind. I'm still at 3.3.3-28.
>>
>> Is it reasonable and desirable to run one of my two servers with the image documented at http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos?
>> I'm interested in integrating Shiro or some other RBAC against IPA at some point in the next few months, but I'd wait if the Docker image is a prelude to 4.x hitting vendor repos soon.
>>
>> Cheers, Brian
>
> Honza
>
> --
> Jan Cholasta
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

From dpal at redhat.com Thu Jan 15 15:49:38 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 15 Jan 2015 10:49:38 -0500
Subject: [Freeipa-users] FreeIPA and RADIUS
In-Reply-To:
References:
Message-ID: <54B7E192.4060401@redhat.com>

On 01/15/2015 08:16 AM, Chris Card wrote:
> What's the current status of IPA integration with FreeRADIUS?
>
> This email from 2011, https://www.redhat.com/archives/freeipa-users/2011-October/msg00026.html, says "Integrating FreeRADIUS with IPA is on the long term roadmap." Is that still the case?
>
> Chris
>

What kind of integration/use case are you looking for?
In the past we thought that managing FreeRADIUS data inside IPA would be valuable but there was not much demand for that kind of integration so we stopped looking into this direction.
You can use FreeRADIUS with IPA and manage profile/dictionary data in RADIUS. FreeRADIUS can be pointed to an LDAP server for users and this is how IPA can be used with it.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From rgomes at rvx.is Thu Jan 15 15:56:34 2015
From: rgomes at rvx.is (Rui Gomes)
Date: Thu, 15 Jan 2015 15:56:34 +0000 (GMT)
Subject: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master
Message-ID: <835459293.46262.1421337394847.JavaMail.zimbra@rvx.is>

Hello Guys,

I have been seeing plenty of emails about promoting replicas to masters, but those articles do not seem to apply to the ipa 4.1/centos 7 combo.
I had an ipa 3.0 master on centos 6.4 that died recently (I can still access the file system), and I would like to promote my 4.1 replica to the master.

I tried:
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

and:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html

But they don't seem relevant to that specific setup, centos 7/ipa 4.1. Can you guys give me some pointers on how I can get my 4.1 replica to master?

Regards
Rui Gomes

From brian.topping at gmail.com Thu Jan 15 16:02:28 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Thu, 15 Jan 2015 23:02:28 +0700
Subject: [Freeipa-users] FreeIPA and RADIUS
In-Reply-To: <54B7E192.4060401@redhat.com>
References: <54B7E192.4060401@redhat.com>
Message-ID:

+1 for a FreeRADIUS integration. I'd use it to feed the VPN AAA (Vyatta). As it's a very sensitive piece, it would be ideal if all the best practices were packaged up and known to be there on deployment.

> On Jan 15, 2015, at 10:49 PM, Dmitri Pal wrote:
>
> On 01/15/2015 08:16 AM, Chris Card wrote:
>> What's the current status of IPA integration with FreeRADIUS?
>>
>> This email from 2011, https://www.redhat.com/archives/freeipa-users/2011-October/msg00026.html, says "Integrating FreeRADIUS with IPA is on the long term roadmap." Is that still the case?
>>
>> Chris
>>
> What kind of integration/use case are you looking for?
> In the past we thought that managing FreeRADIUS data inside IPA would be valuable but there was not much demand for that kind of integration so we stopped looking into this direction.
> You can use FreeRADIUS with IPA and manage profile/dictionary data in RADIUS. FreeRADIUS can be pointed to an LDAP server for users and this is how IPA can be used with it.
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From rcritten at redhat.com Thu Jan 15 16:20:46 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Jan 2015 11:20:46 -0500 Subject: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master In-Reply-To: <835459293.46262.1421337394847.JavaMail.zimbra@rvx.is> References: <835459293.46262.1421337394847.JavaMail.zimbra@rvx.is> Message-ID: <54B7E8DE.5060902@redhat.com> Rui Gomes wrote: > Hello Guys, > > I have been seeing plenty of email about promoting replicas to masters but those articles do not seem to apply to the ipa 4.1/centos 7 combo. > > I had an ipa 3.0 master on centos 6.4 that died recently (I can still access the file system), and I would like to promote my 4.1 replica to the master. > > I tried: > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master > > and: > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html > > But they don't seem relevant to that specific setup, centos 7/ipa 4.1; can you guys give me some pointers on how I can get my 4.1 replica to master? > > Regards > Rui Gomes > Every server in IPA is a master, the only distinction being whether it has a CA installed or not, and to a lesser extent DNS (all masters have the data, some may just not run the service). So if you have a master with a CA then you have a full IPA master. The only thing that distinguishes one master from another is due to order of installation due to two things that should only be done on one master: generate the CRL and handle CA subsystem certificate renewal. The first IPA master installed is given these duties. To switch the CRL generator use the first link. The page is going to be updated soon to reflect how renewal should be handled on 4.0+ servers. The renewal master is now stored in LDAP so switching it is a lot easier.
rob From rgomes at rvx.is Thu Jan 15 16:46:53 2015 From: rgomes at rvx.is (Rui Gomes) Date: Thu, 15 Jan 2015 16:46:53 +0000 (GMT) Subject: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master In-Reply-To: <54B7E8DE.5060902@redhat.com> References: <835459293.46262.1421337394847.JavaMail.zimbra@rvx.is> <54B7E8DE.5060902@redhat.com> Message-ID: <968023554.47311.1421340413161.JavaMail.zimbra@rvx.is> Hello Rob, Thank you for the quick reply, I will give it a go. I wasn't sure if the links would work since most of the configuration for the dogtag in centos7 is different and commands like: "getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save" Do not apply. I will try to accommodate for the difference in versions, I might bug you guys again :) Regards Rui Gomes ----- Original Message ----- From: "Rob Crittenden" To: "Rui Gomes" , freeipa-users at redhat.com Sent: Thursday, 15 January, 2015 16:20:46 Subject: Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master Rui Gomes wrote: > Hello Guys, > > I have been seeing plenty of email about promoting replicas to masters but those articles do not seem to apply to the ipa 4.1/centos 7 combo. > > I had an ipa 3.0 master on centos 6.4 that died recently (I can still access the file system), and I would like to promote my 4.1 replica to the master. > > I tried: > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master > > and: > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html > > But they don't seem relevant to that specific setup, centos 7/ipa 4.1; can you guys give me some pointers on how I can get my 4.1 replica to master? > > Regards > Rui Gomes > Every server in IPA is a master, the only distinction being whether it has a CA installed or not, and to a lesser extent DNS (all masters have the data, some may just not run the service). So if you have a master with a CA then you have a full IPA master.
The only thing that distinguishes one master from another is due to order of installation due to two things that should only be done on one master: generate the CRL and handle CA subsystem certificate renewal. The first IPA master installed is given these duties. To switch the CRL generator use the first link. The page is going to be updated soon to reflect how renewal should be handled on 4.0+ servers. The renewal master is now stored in LDAP so switching it is a lot easier. rob From nkinder at redhat.com Thu Jan 15 16:56:29 2015 From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 15 Jan 2015 08:56:29 -0800 Subject: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container In-Reply-To: <20150115080143.GA13907@redhat.com> References: <54B73F7A.3080606@redhat.com> <20150115080143.GA13907@redhat.com> Message-ID: <54B7F13D.7060002@redhat.com> On 01/15/2015 12:01 AM, Jan Pazdziora wrote: > On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote: >> Hi, >> >> I'm running into a strange problem related to ntpd when trying to use >> IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and >> adelton/freeipa-client:fedora-21 docker images. Basically, the client >> install hangs when it runs ntpd. This is reproducible on two different >> docker hosts of mine, so it will probably easily reproduce for others as > > [...] > >> The /sbin/ipa-server-configure-first entrypoint script for the server >> image does a 'systemctl start-enabled' to bring up all of the services, >> which results in this output in /var/log/systemctl.log: >> >> -------------------------------------------------------------------- >> [start-enabled] >> [start ntpd.service] >> Running [export OPTIONS="-g -x"; /usr/sbin/ntpd -u ntp:ntp $OPTIONS] >> Marked pid [15] for [ntpd.service] >> Marked process name [/usr/sbin/ntpd] for [ntpd.service] >> ...
>> -------------------------------------------------------------------- >> >> This is the same log output that is generated if I manually run >> 'systemctl start ntpd.service' from within the container, but the ntpd >> process stays around when I start it this way. It's hard to tell what >> might be happening to ntpd, as there is no journal in the container. >> >> I'm continuing to debug this, but I thought I'd share my findings thus >> far in case anyone else has seen this or has any ideas for tracking the >> problem down. Any ideas? > > You need to use --cap-add=SYS_TIME when running the server container > or ntpd will fail. Thanks for the tip. This works. It would be handy to add this to the README for your freeipa-server container. > > Even if you do that, SELinux will likely prevent ntpd doing its job > but at least it will stay around so that the client can connect to it. > > What is interesting though is the fact that the client hangs > indefinitely instead of reporting that it cannot sync the time and > proceeding. > I think this is simply a behavior difference between ntpdate and ntpd (which we are using now during the client install on f21). This issue should not be specific to using IPA in a container. Hanging indefinitely is never a good thing, so I think it would be nice to add a timeout in ipa-client-install in case we can't reach the server for ntp. I have filed a ticket for this: https://fedorahosted.org/freeipa/ticket/4842 -NGK From tbabej at redhat.com Thu Jan 15 17:07:03 2015 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 15 Jan 2015 18:07:03 +0100 Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04 In-Reply-To: References: Message-ID: <54B7F3B7.7070907@redhat.com> On 01/15/2015 03:34 AM, Sina Owolabi wrote: > Hi List > > Please is it really possible to have Debian and Ubuntu serve as IPA > clients? 
> I've tried some instructions/guidelines on the list and they always > fail with the IPA client install being halfway completed and sssd's > configuration file moved to .deleted. > I'm really interested in getting this to work and I'll appreciate any > help I can get. Failing that, are there any alternatives? > > Thanks! > > If your SSSD version is less than 1.9, you could try running ipa-advise config-generic-linux-sssd-before-1-9 on the IPA server. This will provide setup instructions to run on the client. HTH, -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From nkinder at redhat.com Thu Jan 15 17:13:14 2015 From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 15 Jan 2015 09:13:14 -0800 Subject: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container In-Reply-To: <54B7F13D.7060002@redhat.com> References: <54B73F7A.3080606@redhat.com> <20150115080143.GA13907@redhat.com> <54B7F13D.7060002@redhat.com> Message-ID: <54B7F52A.9040505@redhat.com> On 01/15/2015 08:56 AM, Nathan Kinder wrote: > > > On 01/15/2015 12:01 AM, Jan Pazdziora wrote: ... >> You need to use --cap-add=SYS_TIME when running the server container >> or ntpd will fail. > > Thanks for the tip. This works. It would be handy to add this to the > README for your freeipa-server container. Never mind. I just saw your reply to Lukas on this. If we can keep the client install from hanging forever, then I agree that it's best to have it be noticeable that time sync is not working in the client installer output vs. hiding that it's not working. > >> >> Even if you do that, SELinux will likely prevent ntpd doing its job >> but at least it will stay around so that the client can connect to it.
>> >> What is interesting though is the fact that the client hangs >> indefinitely instead of reporting that it cannot sync the time and >> proceeding. >> > > I think this is simply a behavior difference between ntpdate and ntpd > (which we are using now during the client install on f21). This issue > should not be specific to using IPA in a container. > > Hanging indefinitely is never a good thing, so I think it would be nice > to add a timeout in ipa-client-install in case we can't reach the server > for ntp. I have filed a ticket for this: > > https://fedorahosted.org/freeipa/ticket/4842 > > -NGK > From jpazdziora at redhat.com Thu Jan 15 17:41:48 2015 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Thu, 15 Jan 2015 18:41:48 +0100 Subject: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container In-Reply-To: <54B7F13D.7060002@redhat.com> References: <54B73F7A.3080606@redhat.com> <20150115080143.GA13907@redhat.com> <54B7F13D.7060002@redhat.com> Message-ID: <20150115174148.GA28871@redhat.com> On Thu, Jan 15, 2015 at 08:56:29AM -0800, Nathan Kinder wrote: > > > Even if you do that, SELinux will likely prevent ntpd doing its job > > but at least it will stay around so that the client can connect to it. > > > > What is interesting though is the fact that the client hangs > > indefinitely instead of reporting that it cannot sync the time and > > proceeding. > > I think this is simply a behavior difference between ntpdate and ntpd > (which we are using now during the client install on f21). This issue > should not be specific to using IPA in a container. The problem is, on a Fedora 21 client which is not a container and with ntpd not running on the server, I was not able to reproduce the issue.
-- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat From nkinder at redhat.com Thu Jan 15 18:01:01 2015 From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 15 Jan 2015 10:01:01 -0800 Subject: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container In-Reply-To: <20150115174148.GA28871@redhat.com> References: <54B73F7A.3080606@redhat.com> <20150115080143.GA13907@redhat.com> <54B7F13D.7060002@redhat.com> <20150115174148.GA28871@redhat.com> Message-ID: <54B8005D.8040103@redhat.com> On 01/15/2015 09:41 AM, Jan Pazdziora wrote: > On Thu, Jan 15, 2015 at 08:56:29AM -0800, Nathan Kinder wrote: >> >>> Even if you do that, SELinux will likely prevent ntpd doing its job >>> but at least it will stay around so that the client can connect to it. >>> >>> What is interesting though is the fact that the client hangs >>> indefinitely instead of reporting that it cannot sync the time and >>> proceeding. >> >> I think this is simply a behavior difference between ntpdate and ntpd >> (which we are using now during the client install on f21). This issue >> should not be specific to using IPA in a container. > > The problem is, on a Fedora 21 client which is not a container > and with ntpd not running on the server, I was not able to reproduce the > issue. Strange... Does it reproduce for you when using containers for both the server and the client? From dpal at redhat.com Thu Jan 15 18:41:26 2015 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 15 Jan 2015 13:41:26 -0500 Subject: [Freeipa-users] FreeIPA and RADIUS In-Reply-To: References: <54B7E192.4060401@redhat.com> Message-ID: <54B809D6.9090706@redhat.com> On 01/15/2015 11:02 AM, Brian Topping wrote: > +1 for a FreeRADIUS integration. > > I'd use it to feed the VPN AAA (Vyatta). As it's a very sensitive piece, it would be ideal if all the best practices were packaged up and known to be there on deployment. Can you please formulate the requirements and use case in more detail?
How do you intend to feed VPN AAA? > >> On Jan 15, 2015, at 10:49 PM, Dmitri Pal wrote: >> >> On 01/15/2015 08:16 AM, Chris Card wrote: >>> what's the current status of IPA integration with FreeRADIUS? >>> >>> This email from 2011, https://www.redhat.com/archives/freeipa-users/2011-October/msg00026.html, says "Integrating FreeRADIUS with IPA is on the long term roadmap." Is that still the case? >>> >>> Chris >>> >> What kind of integration/use case are you looking for? >> In the past we thought that managing FreeRADIUS data inside IPA would be valuable but there was not much demand for that kind of integration so we stopped looking into this direction. >> You can use FreeRADIUS with IPA and manage profile/dictionary data in RADIUS. FreeRADIUS can be pointed to an LDAP server for users and this is how IPA can be used with it. >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go To http://freeipa.org for more info on the project -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From Bill.Quayle at citadel.com Thu Jan 15 17:31:57 2015 From: Bill.Quayle at citadel.com (Quayle, Bill) Date: Thu, 15 Jan 2015 17:31:57 +0000 Subject: [Freeipa-users] migrate-ds aborts Message-ID: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> I am migrating an openLDAP tree into ipa, and when I run ipa migrate-ds, the migration aborts after roughly 36 seconds with: ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': It has transferred 9762 records, but seems to hit a timeout that causes it to stop.
I've run it in debug mode, which only provides this: ipa: DEBUG: Starting external process ipa: DEBUG: args=keyctl pupdate 774698354 ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Caught fault 907 from server https://foo.example.com/ipa/session/xml: cannot connect to 'ldap://10.x.x.x:389': ipa: DEBUG: Destroyed connection context.xmlclient ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': Initially, it had transferred 2000 records and stopped, until I set nsslapd-sizelimit in cn=config: nsslapd-sizelimit: 20000 I then re-ran the migration a dozen times, each time it would transfer more records, but would always time out at around the 36 second mark. Now that I'm at 9762 records, it seems to have reached a peak. I suspect this is another tunable, but haven't been able to find it, any document that mentions it, or anyone else hitting this issue. RHEL 7.0 server idM ipa-server-3.3.3-28 source is RHEL 6.5 running openldap-2.4.23-34 command used to migrate: ipa migrate-ds --continue --bind-dn="uid=me,ou=people,ou=foo,dc=example,dc=com" --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389 Cheers, -Bill ________________________________ CONFIDENTIALITY AND SECURITY NOTICE The contents of this message and any attachments may be confidential and proprietary. If you are not an intended recipient, please inform the sender of the transmission error and delete this message immediately without reading, distributing or copying the contents. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jbaird at follett.com Thu Jan 15 19:51:16 2015 From: jbaird at follett.com (Baird, Josh) Date: Thu, 15 Jan 2015 19:51:16 +0000 Subject: [Freeipa-users] DNS Design for FreeIPA4 Message-ID: Hi, We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan on establishing a trust with AD at some point during the POC. 
An overview of the current DNS design: * FreeIPA runs integrated DNS (ie, ipa.domain.com) * Servers in our environment (even once joined to IPA) continue to use our current non-IPA DNS infrastructure for name resolution * Servers in our environment have hostnames in several other non-IPA domains (not ipa.domain.com) * IPA DNS is configured to zone-transfer ipa.domain.com to our primary infrastructure non-IPA DNS servers * IPA is configured to forward all non ipa.domain.com requests to our primary infrastructure non-IPA DNS servers * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is a slave on our primary non-IPA DNS servers * IPA can resolve our Active Directory DNS (ad.domain.lan) * Active Directory DNS can resolve IPA DNS (ipa.domain.com) Is this a sensible design for DNS? In this configuration, IPA does not appear to be creating DNS records in ipa.domain.com for the hosts that we add to IPA. This is presumably because the hosts themselves are in other domains (not ipa.domain.com) which are not controlled by IPA. Is this going to cause problems? We have a requirement to keep all servers in our environment using our primary non-IPA DNS servers for resolution. It seemed logical to use IPA-integrated DNS just so IPA could manage the SRV/LDAP records automatically within the IPA zone. Any advice/tips/suggestions regarding this design would be greatly appreciated. Thanks, Josh From william.muriithi at gmail.com Fri Jan 16 01:07:58 2015 From: william.muriithi at gmail.com (William Muriithi) Date: Thu, 15 Jan 2015 20:07:58 -0500 Subject: [Freeipa-users] DNS Design for FreeIPA4 In-Reply-To: References: Message-ID: <20150116010758.6037648.62018.13438@gmail.com> ?Josh, You will have problems if you go with below plan in my opinion. I used arrangements like the one you listed below when I used freeipa 2.2. This worked for me only when I had users hosted on freeipa. 
After upgrading to 3.3 for trust, it became very unreliable and I had to point the ipa clients to the ipa server for it to work reliably. Especially if you plan to point them to AD, it wouldn't work as AD uses dns for configuration just like ipa, so there will be a conflict. William We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan on establishing a trust with AD at some point during the POC. An overview of the current DNS design: * FreeIPA runs integrated DNS (ie, ipa.domain.com) * Servers in our environment (even once joined to IPA) continue to use our current non-IPA DNS infrastructure for name resolution * Servers in our environment have hostnames in several other non-IPA domains (not ipa.domain.com) * IPA DNS is configured to zone-transfer ipa.domain.com to our primary infrastructure non-IPA DNS servers * IPA is configured to forward all non ipa.domain.com requests to our primary infrastructure non-IPA DNS servers * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is a slave on our primary non-IPA DNS servers * IPA can resolve our Active Directory DNS (ad.domain.lan) * Active Directory DNS can resolve IPA DNS (ipa.domain.com) Is this a sensible design for DNS? In this configuration, IPA does not appear to be creating DNS records in ipa.domain.com for the hosts that we add to IPA. This is presumably because the hosts themselves are in other domains (not ipa.domain.com) which are not controlled by IPA. Is this going to cause problems? We have a requirement to keep all servers in our environment using our primary non-IPA DNS servers for resolution. It seemed logical to use IPA-integrated DNS just so IPA could manage the SRV/LDAP records automatically within the IPA zone. Any advice/tips/suggestions regarding this design would be greatly appreciated.
Thanks, Josh ------------------------------ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users End of Freeipa-users Digest, Vol 78, Issue 62 ********************************************* From jbaird at follett.com Fri Jan 16 02:30:57 2015 From: jbaird at follett.com (Baird, Josh) Date: Fri, 16 Jan 2015 02:30:57 +0000 Subject: [Freeipa-users] DNS Design for FreeIPA4 In-Reply-To: <20150116010758.6037648.62018.13438@gmail.com> References: <20150116010758.6037648.62018.13438@gmail.com> Message-ID: William, I don't understand why I would have problems if AD DNS can resolve IPA dns, and IPA DNS can resolve AD DNS? The DNS servers that my servers are using can resolve both AD and IPA. Thanks, Josh > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of William Muriithi > Sent: Thursday, January 15, 2015 8:08 PM > To: freeipa-users at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] DNS Design for FreeIPA4 > > Josh, > > You will have problems if you go with below plan in my opinion. I used > arrangements like the one you listed below when I used freeipa 2.2. This > worked for me only when I had users hosted on freeipa. After upgrading to > 3.3 for trust, it became very unreliable and I had to point the ipa clients to the ipa > server for it to work reliably > > Especially if you plan to point them to AD, it wouldn't work as AD uses dns for > configuration just like ipa, so there will be a conflict. > > William > > > We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We > plan on establishing a trust with AD at some point during the POC.
An > overview of the current DNS design: > > * FreeIPA runs integrated DNS (ie, ipa.domain.com) > * Servers in our environment (even once joined to IPA) continue to use our > current non-IPA DNS infrastructure for name resolution > * Servers in our environment have hostnames in several other non-IPA > domains (not ipa.domain.com) > * IPA DNS is configured to zone-transfer ipa.domain.com to our primary > infrastructure non-IPA DNS servers > * IPA is configured to forward all non ipa.domain.com requests to our > primary infrastructure non-IPA DNS servers > * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it > is a slave on our primary non-IPA DNS servers > * IPA can resolve our Active Directory DNS (ad.domain.lan) > * Active Directory DNS can resolve IPA DNS (ipa.domain.com) > > Is this a sensible design for DNS? In this configuration, IPA does not appear > to be creating DNS records in ipa.domain.com for the hosts that we add to > IPA. This is presumably because the hosts themselves are in other domains > (not ipa.domain.com) which are not controlled by IPA. Is this going to cause > problems? > > We have a requirement to keep all servers in our environment using our > primary non-IPA DNS servers for resolution. It seemed logical to use IPA- > integrated DNS just so IPA could manage the SRV/LDAP records > automatically within the IPA zone. > > Any advice/tips/suggestions regarding this design would be greatly > appreciated.
> > Thanks, > > Josh > > > > > ------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > End of Freeipa-users Digest, Vol 78, Issue 62 > ********************************************* > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From Steven.Jones at vuw.ac.nz Fri Jan 16 03:08:16 2015 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Fri, 16 Jan 2015 03:08:16 +0000 Subject: [Freeipa-users] DNS Design for FreeIPA4 In-Reply-To: References: <20150116010758.6037648.62018.13438@gmail.com>, Message-ID: <1421377651563.59806@vuw.ac.nz> Hi, KISS keep it simple and stupid. What we do is, AD domain is domain.com and does all its own DNS and Kerberos, all windows machines point at it etc IPA domain is ipa.domain.com and all IPA's and indeed all Linux servers point at IPA for everything incl NTP. IPA servers use the AD servers as forwarders to get WWW DNS answers etc. regards Steven ________________________________________ From: freeipa-users-bounces at redhat.com on behalf of Baird, Josh Sent: Friday, 16 January 2015 3:30 p.m. To: William Muriithi; freeipa-users at redhat.com; freeipa-users at redhat.com Subject: Re: [Freeipa-users] DNS Design for FreeIPA4 William, I don't understand why I would have problems if AD DNS can resolve IPA dns, and IPA DNS can resolve AD DNS? The DNS servers that my servers are using can resolve both AD and IPA. 
Thanks, Josh > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of William Muriithi > Sent: Thursday, January 15, 2015 8:08 PM > To: freeipa-users at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] DNS Design for FreeIPA4 > > Josh, > > You will have problems if you go with below plan in my opinion. I used > arrangements like the one you listed below when I used freeipa 2.2. This > worked for me only when I had users hosted on freeipa. After upgrading to > 3.3 for trust, it became very unreliable and I had to point the ipa clients to the ipa > server for it to work reliably > > Especially if you plan to point them to AD, it wouldn't work as AD uses dns for > configuration just like ipa, so there will be a conflict. > > William > > > We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We > plan on establishing a trust with AD at some point during the POC. An > overview of the current DNS design: > > * FreeIPA runs integrated DNS (ie, ipa.domain.com) > * Servers in our environment (even once joined to IPA) continue to use our > current non-IPA DNS infrastructure for name resolution > * Servers in our environment have hostnames in several other non-IPA > domains (not ipa.domain.com) > * IPA DNS is configured to zone-transfer ipa.domain.com to our primary > infrastructure non-IPA DNS servers > * IPA is configured to forward all non ipa.domain.com requests to our > primary infrastructure non-IPA DNS servers > * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it > is a slave on our primary non-IPA DNS servers > * IPA can resolve our Active Directory DNS (ad.domain.lan) > * Active Directory DNS can resolve IPA DNS (ipa.domain.com) > > Is this a sensible design for DNS? In this configuration, IPA does not appear > to be creating DNS records in ipa.domain.com for the hosts that we add to > IPA.
This is presumably because the hosts themselves are in other domains > (not ipa.domain.com) which are not controlled by IPA. Is this going to cause > problems? > > We have a requirement to keep all servers in our environment using our > primary non-IPA DNS servers for resolution. It seemed logical to use IPA- > integrated DNS just so IPA could manage the SRV/LDAP records > automatically within the IPA zone. > > Any advice/tips/suggestions regarding this design would be greatly > appreciated. > > Thanks, > > Josh > > > > > ------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > End of Freeipa-users Digest, Vol 78, Issue 62 > ********************************************* > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project From mkosek at redhat.com Fri Jan 16 07:43:55 2015 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 16 Jan 2015 08:43:55 +0100 Subject: [Freeipa-users] migrate-ds aborts In-Reply-To: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> Message-ID: <54B8C13B.7030903@redhat.com> On 01/15/2015 06:31 PM, Quayle, Bill wrote: > I am migrating an openLDAP tree into ipa, and when I run ipa migrate-ds, the > migration aborts after roughly 36 seconds with: > > ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': > > It has transferred 9762 records, but seems to hit a timeout that causes it to stop.
> > I've run it in debug mode, which only provides this: > > ipa: DEBUG: Starting external process > > ipa: DEBUG: args=keyctl pupdate 774698354 > > ipa: DEBUG: Process finished, return code=0 > > ipa: DEBUG: stdout= > > ipa: DEBUG: stderr= > > ipa: DEBUG: Caught fault 907 from server > https://foo.example.com/ipa/session/xml: cannot connect to 'ldap://10.x.x.x:389': > > ipa: DEBUG: Destroyed connection context.xmlclient > > ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': > > Initially, it had transferred 2000 records and stopped, until I set > nsslapd-sizelimit in cn=config: > > nsslapd-sizelimit: 20000 > > I then re-ran the migration a dozen times, each time it would transfer more > records, but would always time out at around the 36 second mark. Now that I'm > at 9762 records, it seems to have reached a peak. > > I suspect this is another tunable, but haven't been able to find it, any > document that mentions it, or anyone else hitting this issue. > > RHEL 7.0 server > > idM ipa-server-3.3.3-28 > > source is RHEL 6.5 running openldap-2.4.23-34 > > command used to migrate: > > ipa migrate-ds --continue --bind-dn="uid=me,ou=people,ou=foo,dc=example,dc=com" > --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389 > > Cheers, > > -Bill Ludwig, do you know? I am just thinking it may be also caused by some form of timelimit, as mentioned in https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html (those apply both for bind DNs and global cn=config). Maybe nsslapd-timelimit could be increased? Although I saw the default is 3600, I assume it means 1 hour, i.e. not being the root cause. Martin From jcholast at redhat.com Fri Jan 16 08:05:47 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 16 Jan 2015 09:05:47 +0100 Subject: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?
In-Reply-To: References: <3B853E7A-697D-4710-B441-5177E40959D6@gmail.com> <49E5AF63-BB33-45FB-A722-6061D2B16081@gmail.com> <54B50468.3080504@redhat.com> <10B3317E-BC39-4744-9613-7298AB723E19@gmail.com> <54B7799F.1070606@redhat.com> Message-ID: <54B8C65B.9050209@redhat.com> On 15.1.2015 at 15:29 Bill Peck wrote: > > > On Thu, Jan 15, 2015 at 3:26 AM, Jan Cholasta > wrote: > > Hi, > > On 14.1.2015 at 14:54 Brian Topping wrote: > > Hi Martin, thanks for your response! > > What I realize now is the certificate CRL points to the > server that > no longer exists and I'd like to get that cleaned up. I > found > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master > > >, > is that relevant for my situation? > > > Yes, this is the procedure to follow for servers older than > FreeIPA > 4.1. Jan is > that correct? If yes, the page deserves a warning/update. > > > This is the procedure to follow on IPA < 4.0. On IPA >= 4.0, the > information about renewal master is stored in LDAP, but you still > have to handle CRL master manually. > > > I'm still not clear what needs to be done on IPA >= 4.0 when promoting a > new CRL master. Can that page be updated to state these instructions > are for IPA < 4.0 and include the manual piece you mention for IPA >= 4.0? > > Thanks I have updated the page with information for current versions of IPA. > > > > > Ooof! I forgot that vendor repos were so far behind. I'm still > at 3.3.3-28. > > Is it reasonable and desirable to run one of my two servers with the > image documented at > http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos > ? I'm > interested in integrating Shiro or some other RBAC against IPA > at some > point in the next few months, but I'd wait if the Docker image is a > prelude to 4.x hitting vendor repos soon.
> > Cheers, Brian > > > Honza > > -- > Jan Cholasta > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go To http://freeipa.org for more info on the project > > -- Jan Cholasta From jcholast at redhat.com Fri Jan 16 08:06:31 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 16 Jan 2015 09:06:31 +0100 Subject: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master In-Reply-To: <968023554.47311.1421340413161.JavaMail.zimbra@rvx.is> References: <835459293.46262.1421337394847.JavaMail.zimbra@rvx.is> <54B7E8DE.5060902@redhat.com> <968023554.47311.1421340413161.JavaMail.zimbra@rvx.is> Message-ID: <54B8C687.3000109@redhat.com> Hi, I have updated with information for IPA 4.0+. Honza On 15.1.2015 at 17:46 Rui Gomes wrote: > Hello Rob, > > Thank you for the quick reply, I will give it a go, I wasn't sure if the links would work since most of the configuration for the dogtag in centos7 is different > and commands like: > > "getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save" > > Do not apply, I will try to accommodate for the difference in versions, I might bug you guys again :) > > > Regards > Rui Gomes > > > ----- Original Message ----- > From: "Rob Crittenden" > To: "Rui Gomes" , freeipa-users at redhat.com > Sent: Thursday, 15 January, 2015 16:20:46 > Subject: Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master > > Rui Gomes wrote: >> Hello Guys, >> >> I have been seeing plenty of email about promoting replicas to masters but those articles do not seem to apply to the ipa 4.1/centos 7 combo. >> >> I had an ipa 3.0 master on centos 6.4 that died recently (I can still access the file system), and I would like to promote my 4.1 replica to the master. 
>> >> I tried: >> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master >> >> and: >> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html >> >> But they don't seem relevant to that specific setup, centos 7/ipa 4.1. Can you guys give me some pointers on how I can get my 4.1 replica to master? >> >> Regards >> Rui Gomes >> > > Every server in IPA is a master, the only distinction being whether it > has a CA installed or not, and to a lesser extent DNS (all masters have > the data, some may just not run the service). > > So if you have a master with a CA then you have a full IPA master. > > The only thing that distinguishes one master from another is due to > order of installation due to two things that should only be done on one > master: generate the CRL and handle CA subsystem certificate renewal. > > The first IPA master installed is given these duties. To switch the CRL > generator use the first link. > > The page is going to be updated soon to reflect how renewal should be > handled on 4.0+ servers. The renewal master is now stored in LDAP so > switching it is a lot easier. > > rob > -- Jan Cholasta From lkrispen at redhat.com Fri Jan 16 08:14:16 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 16 Jan 2015 09:14:16 +0100 Subject: [Freeipa-users] migrate-ds aborts In-Reply-To: <54B8C13B.7030903@redhat.com> References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> Message-ID: <54B8C858.7040109@redhat.com> On 01/16/2015 08:43 AM, Martin Kosek wrote: > On 01/15/2015 06:31 PM, Quayle, Bill wrote: >> I am migrating an openLDAP tree into ipa, and when I run ipa >> migrate-ds, the >> migration aborts after roughly 36 seconds with: >> >> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >> >> It has transferred 9762 records, but seems to hit a timeout that >> causes it to stop. 
>> >> I've run it in debug mode, which only provides this: >> >> ipa: DEBUG: Starting external process >> >> ipa: DEBUG: args=keyctl pupdate 774698354 >> >> ipa: DEBUG: Process finished, return code=0 >> >> ipa: DEBUG: stdout= >> >> ipa: DEBUG: stderr= >> >> ipa: DEBUG: Caught fault 907 from server >> https://foo.example.com/ipa/session/xml: cannot connect to >> 'ldap://10.x.x.x:389': >> >> ipa: DEBUG: Destroyed connection context.xmlclient >> >> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >> >> Initially, it had transferred 2000 records and stopped, until I set >> nsslapd-sizelimit in cn=config: >> >> nsslapd-sizelimit: 20000 >> >> I then re-ran the migration a dozen times, each time it would >> transfer more >> records, but would always time out at around the 36 second mark. Now >> that I'm >> at 9762 records, it seems to have reached a peak. >> >> I suspect this is another tunable, but haven't been able to find it, any >> document that mentions it, or anyone else hitting this issue. >> >> RHEL 7.0 server >> >> idM ipa-server-3.3.3-28 >> >> source is RHEL 6.5 running openldap-2.4.23-34 >> >> command used to migrate: >> >> ipa migrate-ds --continue >> --bind-dn="uid=me,ou=people,ou=foo,dc=example,dc=com" >> --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389 >> >> *Cheers,* >> >> *-Bill* > > Ludwig, do you know? I am just thinking it may also be caused by some > form of timelimit, as mentioned in > > https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html > > > (those apply both for bind DNs and global cn=config). Maybe > nsslapd-timelimit could be increased? Although I saw the default is > 3600, I assume it means 1 hour, i.e. not being the root cause. We need the access and error logs from DS; if it is a DS limit it should be seen in the err code. Could it be that migrate-ds has its own limit waiting for a response from DS? 
> > Martin From mkosek at redhat.com Fri Jan 16 08:25:15 2015 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 16 Jan 2015 09:25:15 +0100 Subject: [Freeipa-users] migrate-ds aborts In-Reply-To: <54B8C858.7040109@redhat.com> References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> Message-ID: <54B8CAEB.2090703@redhat.com> On 01/16/2015 09:14 AM, Ludwig Krispenz wrote: > > On 01/16/2015 08:43 AM, Martin Kosek wrote: >> On 01/15/2015 06:31 PM, Quayle, Bill wrote: >>> I am migrating an openLDAP tree into ipa, and when I run ipa migrate-ds, the >>> migration aborts after roughly 36 seconds with: >>> >>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >>> >>> It has transferred 9762 records, but seems to hit a timeout that causes it >>> to stop. >>> >>> I've run it in debug mode, which only provides this: >>> >>> ipa: DEBUG: Starting external process >>> >>> ipa: DEBUG: args=keyctl pupdate 774698354 >>> >>> ipa: DEBUG: Process finished, return code=0 >>> >>> ipa: DEBUG: stdout= >>> >>> ipa: DEBUG: stderr= >>> >>> ipa: DEBUG: Caught fault 907 from server >>> https://foo.example.com/ipa/session/xml: cannot connect to >>> 'ldap://10.x.x.x:389': >>> >>> ipa: DEBUG: Destroyed connection context.xmlclient >>> >>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >>> >>> Initially, it had transferred 2000 records and stopped, until I set >>> nsslapd-sizelimit in cn=config: >>> >>> nsslapd-sizelimit: 20000 >>> >>> I then re-ran the migration a dozen times, each time it would transfer more >>> records, but would always time out at around the 36 second mark. Now that I'm >>> at 9762 records, it seems to have reached a peak. >>> >>> I suspect this is another tunable, but haven't been able to find it, any >>> document that mentions it, or anyone else hitting this issue. 
>>> >>> RHEL 7.0 server >>> >>> idM ipa-server-3.3.3-28 >>> >>> source is RHEL 6.5 running openldap-2.4.23-34 >>> >>> command used to migrate: >>> >>> ipa migrate-ds --continue --bind-dn="uid=me,ou=people,ou=foo,dc=example,dc=com" >>> --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389 >>> >>> *Cheers,* >>> >>> *-Bill* >> >> Ludwig, do you know? I am just thinking it may also be caused by some form of >> timelimit, as mentioned in >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >> >> >> (those apply both for bind DNs and global cn=config). Maybe nsslapd-timelimit >> could be increased? Although I saw the default is 3600, I assume it means 1 >> hour, i.e. not being the root cause. > We need the access and error logs from DS; if it is a DS limit it should be > seen in the err code. +1 > Could it be that migrate-ds has its own limit waiting for a response from DS? The search itself in migrate-ds is limit-less:

    try:
        entries, truncated = ds_ldap.find_entries(
            search_filter, ['*'], search_bases[ldap_obj_name],
            ds_ldap.SCOPE_ONELEVEL,
            time_limit=0, size_limit=-1,
            search_refs=True    # migrated DS may contain search references
        )
    except...

Bill, I am wondering, could you add debug=True to /etc/ipa/default.conf on your server, reload the httpd process and re-run the migration? It should print additional debugging information that may help us. Martin From pspacek at redhat.com Fri Jan 16 09:33:00 2015 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 16 Jan 2015 10:33:00 +0100 Subject: [Freeipa-users] DNS Design for FreeIPA4 In-Reply-To: References: Message-ID: <54B8DACC.6060102@redhat.com> On 15.1.2015 20:51, Baird, Josh wrote: > Hi, > > We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan on establishing a trust with AD at some point during the POC. 
An overview of the current DNS design: > > * FreeIPA runs integrated DNS (ie, ipa.domain.com) > * Servers in our environment (even once joined to IPA) continue to use our current non-IPA DNS infrastructure for name resolution > * Servers in our environment have hostnames in several other non-IPA domains (not ipa.domain.com) > * IPA DNS is configured to zone-transfer ipa.domain.com to our primary infrastructure non-IPA DNS servers > * IPA is configured to forward all non ipa.domain.com requests to our primary infrastructure non-IPA DNS servers > * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is a slave on our primary non-IPA DNS servers > * IPA can resolve our Active Directory DNS (ad.domain.lan) > * Active Directory DNS can resolve IPA DNS (ipa.domain.com) > > Is this a sensible design for DNS? In this configuration, IPA does not appear to be creating DNS records in ipa.domain.com for the hosts that we add to IPA. This is presumably because the hosts themselves are in other domains (not ipa.domain.com) which are not controlled by IPA. Is this going to cause problems? It should work as long as AD and IPA controlled domains do not overlap. You have to put AD-directly-joined machines to one set of DNS domains and IPA-joined-machines to distinct set of DNS domains. This is a requirement because you have to have unambiguous DNS domain -> Kerberos REALM mapping. > We have a requirement to keep all servers in our environment using our primary non-IPA DNS servers for resolution. It seemed logical to use IPA-integrated DNS just so IPA could manage the SRV/LDAP records automatically within the IPA zone. This is definitely a good idea. > Any advice/tips/suggestions regarding this design would be greatly appreciated. It should work just fine if you respect the limitation mentioned above. Let us know if you encounter any problems so we can help you with debugging. 
-- Petr^2 Spacek From Bill.Quayle at citadel.com Fri Jan 16 15:48:34 2015 From: Bill.Quayle at citadel.com (Quayle, Bill) Date: Fri, 16 Jan 2015 15:48:34 +0000 Subject: [Freeipa-users] migrate-ds aborts In-Reply-To: <54B8CAEB.2090703@redhat.com> References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> Message-ID: <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> Thanks for looking into this! I was finally able to import all 11811 user records into IPA, but even now, when I re-run the migrate, I get the same failure. I enabled debug in the default.cfg, and this is the tail of the httpd error_log: . . . [Fri Jan 16 09:28:29.046991 2015] [:error] [pid 14924] ipa: WARNING: GID number 11 of migrated user andy does not point to a known group. [Fri Jan 16 09:28:29.051353 2015] [:error] [pid 14924] ipa: INFO: admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None): NetworkError [Fri Jan 16 09:28:29.051428 2015] [:error] [pid 14924] ipa: DEBUG: response: NetworkError: cannot connect to 'ldap://10.x.x.x:389': [Fri Jan 16 09:28:29.054057 2015] [:error] [pid 14924] ipa: DEBUG: no session id in request, generating empty session data with id=c0d2c8b3803593b30684e15ff1f57e0e [Fri Jan 16 09:28:29.054173 2015] [:error] [pid 14924] ipa: DEBUG: store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e start_timestamp=2015-01-16T09:28:29 
access_timestamp=2015-01-16T09:28:29 expiration_timestamp=1969-12-31T18:00:00 [Fri Jan 16 09:28:29.054395 2015] [:error] [pid 14924] ipa: DEBUG: finalize_kerberos_acquisition: xmlserver ccache_name="FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku" session_id="c0d2c8b3803593b30684e15ff1f57e0e" [Fri Jan 16 09:28:29.054463 2015] [:error] [pid 14924] ipa: DEBUG: reading ccache data from file "/run/httpd/krbcache/krb5cc_apache_zTGsku" [Fri Jan 16 09:28:29.054851 2015] [:error] [pid 14924] ipa: DEBUG: get_credential_times: principal=HTTP/myipatestserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 [Fri Jan 16 09:28:29.055014 2015] [:error] [pid 14924] ipa: DEBUG: KRB5_CCache FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku endtime=1421448244 (01/16/15 16:44:04) [Fri Jan 16 09:28:29.055109 2015] [:error] [pid 14924] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1421447944 expiration=1421423309.06 (2015-01-16T09:48:29) [Fri Jan 16 09:28:29.055217 2015] [:error] [pid 14924] ipa: DEBUG: store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e start_timestamp=2015-01-16T09:28:29 access_timestamp=2015-01-16T09:28:29 expiration_timestamp=2015-01-16T09:48:29 [Fri Jan 16 09:28:29.055806 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed connection context.ldap2_140392345753040 [Fri Jan 16 09:28:29.056471 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed connection context.ldap2 One thing that is also confusing me, is that I am getting this error: [Fri Jan 16 09:28:29.007575 2015] [:error] [pid 14924] ipa: WARNING: GID number 11 of migrated user anyone does not point to a known group. And it never migrates my groups. The ou=Groups is used in my source openLDAP tree, so I'm not sure why it wouldn't migrate. 
Bill -----Original Message----- From: Martin Kosek [mailto:mkosek at redhat.com] Sent: Friday, January 16, 2015 2:25 AM To: Ludwig Krispenz Cc: Quayle, Bill; 'freeipa-users at redhat.com' Subject: Re: [Freeipa-users] migrate-ds aborts On 01/16/2015 09:14 AM, Ludwig Krispenz wrote: > > On 01/16/2015 08:43 AM, Martin Kosek wrote: >> On 01/15/2015 06:31 PM, Quayle, Bill wrote: >>> I am migrating an openLDAP tree into ipa, and when I run ipa >>> migrate-ds, the migration aborts after roughly 36 seconds with: >>> >>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >>> >>> It has transferred 9762 records, but seems to hit a timeout that >>> causes it to stop. >>> >>> I've run it in debug mode, which only provides this: >>> >>> ipa: DEBUG: Starting external process >>> >>> ipa: DEBUG: args=keyctl pupdate 774698354 >>> >>> ipa: DEBUG: Process finished, return code=0 >>> >>> ipa: DEBUG: stdout= >>> >>> ipa: DEBUG: stderr= >>> >>> ipa: DEBUG: Caught fault 907 from server >>> https://foo.example.com/ipa/session/xml: cannot connect to >>> 'ldap://10.x.x.x:389': >>> >>> ipa: DEBUG: Destroyed connection context.xmlclient >>> >>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >>> >>> Initially, it had transferred 2000 records and stopped, until I set >>> nsslapd-sizelimit in cn=config: >>> >>> nsslapd-sizelimit: 20000 >>> >>> I then re-ran the migration a dozen times, each time it would >>> transfer more records, but would always time out at around the 36 >>> second mark. Now that I'm at 9762 records, it seems to have reached a peak. >>> >>> I suspect this is another tunable, but haven't been able to find it, >>> any document that mentions it, or anyone else hitting this issue. 
>>> >>> RHEL 7.0 server >>> >>> idM ipa-server-3.3.3-28 >>> >>> source is RHEL 6.5 running openldap-2.4.23-34 >>> >>> command used to migrate: >>> >>> ipa migrate-ds --continue --bind-dn="uid=me,ou=people,ou=foo,dc=example,dc=com" >>> --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389 >>> >>> *Cheers,* >>> >>> *-Bill* >> >> Ludwig, do you know? I am just thinking it may also be caused by some >> form of timelimit, as mentioned in >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >> >> >> (those apply both for bind DNs and global cn=config). Maybe >> nsslapd-timelimit could be increased? Although I saw the default is >> 3600, I assume it means 1 hour, i.e. not being the root cause. > We need the access and error logs from DS; if it is a DS limit it > should be seen in the err code. +1 > Could it be that migrate-ds has its own limit waiting for a response from DS? The search itself in migrate-ds is limit-less:

    try:
        entries, truncated = ds_ldap.find_entries(
            search_filter, ['*'], search_bases[ldap_obj_name],
            ds_ldap.SCOPE_ONELEVEL,
            time_limit=0, size_limit=-1,
            search_refs=True    # migrated DS may contain search references
        )
    except...

Bill, I am wondering, could you add debug=True to /etc/ipa/default.conf on your server, reload the httpd process and re-run the migration? It should print additional debugging information that may help us. Martin ________________________________ CONFIDENTIALITY AND SECURITY NOTICE The contents of this message and any attachments may be confidential and proprietary. If you are not an intended recipient, please inform the sender of the transmission error and delete this message immediately without reading, distributing or copying the contents. 
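[Editor's note, not part of the thread.] Bill's log shows two things worth checking against the source tree before the next migrate-ds run: the call was made with the default group objectclasses (groupOfUniqueNames, groupOfNames), and every "GID number N of migrated user U does not point to a known group" warning means a user's gidNumber had no group to resolve against. The script below is an added example, not FreeIPA code. It reads an LDIF export of the source tree (for instance, the output of `ldapsearch -x -LLL -H ldap://10.x.x.x:389 -b "ou=foo,dc=example,dc=com" '*'` saved to a file), lists the objectClass values the group entries actually carry, so the value given to --group-objectclass can be chosen to match, and lists the users whose primary GID matches no exported group. The container RDNs (ou=people, ou=groups) and the embedded sample LDIF are constructed for the demo.

```python
"""Pre-migration audit for `ipa migrate-ds` (added example, not FreeIPA code).

Input: an LDIF export of the source tree. Output: the objectClass values seen
on group entries, and users whose gidNumber matches no group in the export
(the ones migrate-ds will later warn about as not pointing to a known group).
"""
from collections import Counter, defaultdict

# Constructed sample export: two users, one group. The GID of "andy" (11)
# has no matching group; the GID of "beth" (500) does.
SAMPLE_LDIF = """\
dn: uid=andy,ou=people,ou=foo,dc=example,dc=com
objectClass: person
objectClass: posixAccount
uid: andy
uidNumber: 1001
gidNumber: 11

dn: uid=beth,ou=people,ou=foo,dc=example,dc=com
objectClass: person
objectClass: posixAccount
uid: beth
uidNumber: 1002
gidNumber: 500

dn: cn=staff,ou=groups,ou=foo,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 500
memberUid: beth
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attribute: [values]} dicts, one per entry.

    Attribute names are lower-cased (LDAP attribute names are case-insensitive),
    values keep their case. Folded lines (leading space) are joined and comments
    skipped. Base64 ("::") values are left undecoded; the audit only needs
    dn, objectClass, uid and gidNumber, which are plain text in practice.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():            # a blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        if current is None:
            current = defaultdict(list)
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(entries, user_container="ou=people", group_container="ou=groups"):
    """Split entries by container RDN (assumed names) and cross-check GIDs."""
    users, groups = [], []
    for entry in entries:
        dn = entry.get("dn", [""])[0].lower()
        if "," + user_container + "," in dn:
            users.append(entry)
        elif "," + group_container + "," in dn:
            groups.append(entry)

    group_classes = Counter(oc for g in groups for oc in g.get("objectclass", []))
    known_gids = {gid for g in groups for gid in g.get("gidnumber", [])}
    orphan_gids = [(u.get("uid", ["?"])[0], gid)
                   for u in users
                   for gid in u.get("gidnumber", [])
                   if gid not in known_gids]
    return {
        "users": len(users),
        "groups": len(groups),
        "group_objectclasses": dict(group_classes),
        "orphan_gids": orphan_gids,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    report = audit(parse_ldif(text))
    print("users: %(users)d  groups: %(groups)d" % report)
    print("group objectClasses seen:", report["group_objectclasses"])
    for uid, gid in report["orphan_gids"]:
        print("user %s: gidNumber %s has no group in the export" % (uid, gid))
```

Run it with the path of the LDIF export as the only argument; with no argument it audits the embedded sample. If the objectClasses it reports on the group entries are not among those migrate-ds searched for, pass the matching value with --group-objectclass (and, for a 2307-style tree, --schema=RFC2307) on the next run, and expect one "does not point to a known group" warning per line in the orphan list.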
From ejnersan at gmail.com Fri Jan 16 16:31:28 2015 From: ejnersan at gmail.com (Ejner Fergo) Date: Fri, 16 Jan 2015 17:31:28 +0100 Subject: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups In-Reply-To: <54B78710.7020005@redhat.com> References: <54B6B6BD.7060403@redhat.com> <54B78710.7020005@redhat.com> Message-ID: I emailed the author of the howto, so hopefully he will update it. I still think it would make sense to have this information (how to setup an OSX 10.7+ client) documented directly on freeipa.org like http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients, or at least have a link to http://www.freeipa.org/page/HowTos under http://www.freeipa.org/page/Documentation (I could not find a link to HowTos on freeipa.org without searching for it..). I may be willing to volunteer to write this updated howto, even though it would be a 99% copy/paste from linsec.ca .... don't know if that's a good idea. On Thu, Jan 15, 2015 at 10:23 AM, Martin Kosek wrote: > On 01/14/2015 07:34 PM, Dmitri Pal wrote: > > On 01/14/2015 01:11 PM, Ejner Fergo wrote: > >> Hola, > >> > >> This is a response to: > >> > https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html > >> > >> Scott, maybe you already found the solution, but I've been banging my > head > >> with the same problem, albeit with a newer version of FreeIPA and OSX. > I used > >> this excellent howto to get started: > >> > http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8 > >> > >> Despite initial success, without secondary groups the OSX integration > doesn't > >> really make sense. I managed to get it working though, by doing this: > >> > >> In the "Search & Mappings" area of Directory Utility, change the "Search > >> base" of the Groups record type from > >> 'cn=groups,cn=accounts,dc=example,dc=com' to > >> 'cn=groups,cn=compat,dc=example,dc=com' ( so compat instead of > accounts). In > >> Groups add the attribute 'GroupMembership' mapped to 'memberUID'. 
You > might > >> have to map to 'member' in FreeIPA 3.0. > >> > >> With these settings, doing an 'id user' on OSX shows all secondary > groups, > >> even indirect group membership! > >> > >> I still have to test and figure stuff out about ssh and sudo on the OSX > side > >> of things, but that isn't as important as having group access control. > >> > >> Hope it helps! > >> > >> Best regards, > >> Ejner Fergo > >> > >> > >> > >> > >> > >> > > > > Thanks for sharing! > > So this seems to mean that Mac expects 2307 schema instead of the > 2307bis. > > So yes pointing to compat tree would be the right approach. > > > > Can we document it somethere? > > I at least added this useful link to > http://www.freeipa.org/page/HowTos#UNIX > > If there is some better place, please feel free to update. > > Martin > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ejnersan at gmail.com Fri Jan 16 16:36:16 2015 From: ejnersan at gmail.com (Ejner Fergo) Date: Fri, 16 Jan 2015 17:36:16 +0100 Subject: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups In-Reply-To: References: <54B6B6BD.7060403@redhat.com> <54B78710.7020005@redhat.com> Message-ID: Sorry, I didn't look close enough, so missed the link to HowTos under "Additional Resources"... On Fri, Jan 16, 2015 at 5:31 PM, Ejner Fergo wrote: > I emailed the author of the howto, so hopefully he will update it. > > I still think it would make sense to have this information (how to setup > an OSX 10.7+ client) documented directly on freeipa.org like > http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients, or at > least have a link to http://www.freeipa.org/page/HowTos under > http://www.freeipa.org/page/Documentation (I could not find a link to > HowTos on freeipa.org without searching for it..). 
> > I may be willing to volunteer to write this updated howto, even though it > would be a 99% copy/paste from linsec.ca .... don't know if that's a good > idea. > > On Thu, Jan 15, 2015 at 10:23 AM, Martin Kosek wrote: > >> On 01/14/2015 07:34 PM, Dmitri Pal wrote: >> > On 01/14/2015 01:11 PM, Ejner Fergo wrote: >> >> Hola, >> >> >> >> This is a response to: >> >> >> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html >> >> >> >> Scott, maybe you already found the solution, but I've been banging my >> head >> >> with the same problem, albeit with a newer version of FreeIPA and OSX. >> I used >> >> this excellent howto to get started: >> >> >> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8 >> >> >> >> Despite initial success, without secondary groups the OSX integration >> doesn't >> >> really make sense. I managed to get it working though, by doing this: >> >> >> >> In the "Search & Mappings" area of Directory Utility, change the >> "Search >> >> base" of the Groups record type from >> >> 'cn=groups,cn=accounts,dc=example,dc=com' to >> >> 'cn=groups,cn=compat,dc=example,dc=com' ( so compat instead of >> accounts). In >> >> Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You >> might >> >> have to map to 'member' in FreeIPA 3.0. >> >> >> >> With these settings, doing an 'id user' on OSX shows all secondary >> groups, >> >> even indirect group membership! >> >> >> >> I still have to test and figure stuff out about ssh and sudo on the >> OSX side >> >> of things, but that isn't as important as having group access control. >> >> >> >> Hope it helps! >> >> >> >> Best regards, >> >> Ejner Fergo >> >> >> >> >> >> >> >> >> >> >> >> >> > >> > Thanks for sharing! >> > So this seems to mean that Mac expects 2307 schema instead of the >> 2307bis. >> > So yes pointing to compat tree would be the right approach. >> > >> > Can we document it somethere? 
>> >> I at least added this useful link to >> http://www.freeipa.org/page/HowTos#UNIX >> >> If there is some better place, please feel free to update. >> >> Martin >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go To http://freeipa.org for more info on the project >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rakesh.rajasekharan at gmail.com Fri Jan 16 16:49:56 2015 From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan) Date: Fri, 16 Jan 2015 22:19:56 +0530 Subject: [Freeipa-users] Can I revert back the hostname on client In-Reply-To: <54B6B556.4010502@redhat.com> References: <54B62B18.9020501@redhat.com> <54B6B556.4010502@redhat.com> Message-ID: >>What doesn't work? We have glassfish running on a few of the hosts. That refuses to restart after the hostname change. (However, looks like someone found a way out.) I did not face issues with that today. So, that I guess is pretty much fixable. Apart from that, at the moment we do not see any other issues. The only issue I can think of is, in case you have your scripts/applications referring to your machine with its host-names instead of IP, won't that cause a problem? >>You can tell SSSD to use a different hostname instead of the one the host actually uses. >>See SSSD man pages for that. >>You might also need to do a similar thing with krb5.conf by setting dns_canonicalize_hostname and make sure your DNS can actually resolve the short >>hostnames to FQDNs Will give this a try. On Wed, Jan 14, 2015 at 11:58 PM, Dmitri Pal wrote: > On 01/14/2015 03:38 AM, Petr Spacek wrote: > >> Hello, >> >> On 14.1.2015 06:13, Rakesh Rajasekharan wrote: >> >>> Freeipa changes the hostname to FQDN. But in our existing set up that can >>> cause issues. >>> >> Could you be more specific? 
It would help if we had detailed bug reports >> about >> this but up to now everybody just said 'I need non-FQDN hostname' but >> did not >> add any details :-) >> >> What doesn't work? >> >> Can I revert back the hostname to previous value once the client >>> installation is complete. >>> >> You might see all sorts of breakages related to Kerberos, sorry. >> >> I am fine with server having a FQDN. >>> >> You can tell SSSD to use a different hostname instead of the one the host > actually uses. > See SSSD man pages for that. > You might also need to do a similar thing with krb5.conf by setting > dns_canonicalize_hostname and make sure your DNS can actually resolve the > short hostnames to FQDNs > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From william.muriithi at gmail.com Fri Jan 16 16:58:12 2015 From: william.muriithi at gmail.com (William Muriithi) Date: Fri, 16 Jan 2015 11:58:12 -0500 Subject: [Freeipa-users] DNS Design for FreeIPA4 In-Reply-To: References: <20150116010758.6037648.62018.13438@gmail.com> Message-ID: <20150116165812.6037649.64211.13508@gmail.com> Josh, First, sorry for top posting, on a stupid cell. You miss the point that dns is not only used for name resolution, but also hosting configurations. If something is not right about dns, lots of incorrect info will be embedded on your ipa clients. Make it simple as Simon said and point your ipa clients to ipa servers. Redhat recommend you point your ipa clients to ipa server. Microsoft recommend the same thing, point windows clients to AD. William, I don't understand why I would have problems if AD DNS can resolve IPA dns, and IPA DNS can resolve AD DNS? 
The DNS servers that my servers are using can resolve both AD and IPA. Thanks, Josh > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of William Muriithi > Sent: Thursday, January 15, 2015 8:08 PM > To: freeipa-users at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] DNS Design for FreeIPA4 > > Josh, > > You will have problems if you go with below plan in my opinion. I used > arrangements like the one you listed below when I used freeipa 2.2. This > worked for me only when I had users hosted on freeipa. After upgrading to > 3.3 for trust, it became very unreliable and had to point the ipa clients to ipa > server for it to work reliably > > Especially if you plan to point them to AD, it wouldn't work as AD use dns for > configuration just like ipa, so there will be conflict. > > William > > > We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We > plan on establishing a trust with AD at some point during the POC. An > overview of the current DNS design: > > * FreeIPA runs integrated DNS (ie, ipa.domain.com) > * Servers in our environment (even once joined to IPA) continue to use our > current non-IPA DNS infrastructure for name resolution > * Servers in our environment have hostnames in several other non-IPA > domains (not ipa.domain.com) > * IPA DNS is configured to zone-transfer ipa.domain.com to our primary > infrastructure non-IPA DNS servers > * IPA is configured to forward all non ipa.domain.com requests to our > primary infrastructure non-IPA DNS servers > * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it > is a slave on our primary non-IPA DNS servers > * IPA can resolve our Active Directory DNS (ad.domain.lan) > * Active Directory DNS can resolve IPA DNS (ipa.domain.com) > > Is this a sensible design for DNS? 
In this configuration, IPA does not appear > to be creating DNS records in ipa.domain.com for the hosts that we add to > IPA. This is presumably because the hosts themselves are in other domains > (not ipa.domain.com) which are not controlled by IPA. Is this going to cause > problems? > > We have a requirement to keep all servers in our environment using our > primary non-IPA DNS servers for resolution. It seemed logical to use IPA- > integrated DNS just so IPA could manage the SRV/LDAP records > automatically within the IPA zone. > > Any advice/tips/suggestions regarding this design would be greatly > appreciated. > > Thanks, > > Josh > > > > > ------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > End of Freeipa-users Digest, Vol 78, Issue 62 > ********************************************* > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From simo at redhat.com Fri Jan 16 17:30:35 2015 From: simo at redhat.com (Simo Sorce) Date: Fri, 16 Jan 2015 12:30:35 -0500 Subject: [Freeipa-users] DNS Design for FreeIPA4 In-Reply-To: <20150116165812.6037649.64211.13508@gmail.com> References: <20150116010758.6037648.62018.13438@gmail.com> <20150116165812.6037649.64211.13508@gmail.com> Message-ID: <20150116123035.30affb89@willson.usersys.redhat.com> On Fri, 16 Jan 2015 11:58:12 -0500 William Muriithi wrote: > Josh, > > First, sorry for top posting, on a stupid cell. > > You miss the point that dns is not only used for name resolution, but > also hosting configurations. If something is not right about dns, > lots of incorrect info will be embedded on your ipa clients. > > Make it simple as Simon said and point your ipa clients to ipa > servers. Redhat recommend you point your ipa clients to ipa server. 
> Microsoft recommend the same thing, point windows clients to AD. Hi William, we just recommend that IPA clients have names in IPA managed domains, the DNS server the clients actually point to does not really matter as long as proper DNS resolution happens (either using forwarding or delegation). Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Fri Jan 16 18:50:35 2015 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 16 Jan 2015 19:50:35 +0100 Subject: [Freeipa-users] migrate-ds aborts In-Reply-To: <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> Message-ID: <54B95D7B.3020408@redhat.com> On 01/16/2015 04:48 PM, Quayle, Bill wrote: > Thanks for looking into this! > > I was finally able to import all 11811 user records into IPA, but even now, when I re-run the migrate, I get the same failure. How did you do it in the end? Simply by running migrate-ds command multiple times or did you succeeded with the limits? > > I enabled debug in the default.cfg, and this is the tail of the httpd error_log: > > . > . > . > [Fri Jan 16 09:28:29.046991 2015] [:error] [pid 14924] ipa: WARNING: GID number 11 of migrated user andy does not point to a known group. 
> [Fri Jan 16 09:28:29.051353 2015] [:error] [pid 14924] ipa: INFO: admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None): NetworkError > [Fri Jan 16 09:28:29.051428 2015] [:error] [pid 14924] ipa: DEBUG: response: NetworkError: cannot connect to 'ldap://10.x.x.x:389': > [Fri Jan 16 09:28:29.054057 2015] [:error] [pid 14924] ipa: DEBUG: no session id in request, generating empty session data with id=c0d2c8b3803593b30684e15ff1f57e0e > [Fri Jan 16 09:28:29.054173 2015] [:error] [pid 14924] ipa: DEBUG: store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e start_timestamp=2015-01-16T09:28:29 access_timestamp=2015-01-16T09:28:29 expiration_timestamp=1969-12-31T18:00:00 > [Fri Jan 16 09:28:29.054395 2015] [:error] [pid 14924] ipa: DEBUG: finalize_kerberos_acquisition: xmlserver ccache_name="FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku" session_id="c0d2c8b3803593b30684e15ff1f57e0e" > [Fri Jan 16 09:28:29.054463 2015] [:error] [pid 14924] ipa: DEBUG: reading ccache data from file "/run/httpd/krbcache/krb5cc_apache_zTGsku" > [Fri Jan 16 09:28:29.054851 2015] [:error] [pid 14924] ipa: DEBUG: get_credential_times: principal=HTTP/myipatestserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 > [Fri Jan 16 09:28:29.055014 2015] [:error] [pid 14924] ipa: DEBUG: KRB5_CCache FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku endtime=1421448244 (01/16/15 16:44:04) > [Fri Jan 16 
09:28:29.055109 2015] [:error] [pid 14924] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1421447944 expiration=1421423309.06 (2015-01-16T09:48:29)
> [Fri Jan 16 09:28:29.055217 2015] [:error] [pid 14924] ipa: DEBUG: store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e start_timestamp=2015-01-16T09:28:29 access_timestamp=2015-01-16T09:28:29 expiration_timestamp=2015-01-16T09:48:29
> [Fri Jan 16 09:28:29.055806 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed connection context.ldap2_140392345753040
> [Fri Jan 16 09:28:29.056471 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed connection context.ldap2
>
> One thing that is also confusing me, is that I am getting this error:
> [Fri Jan 16 09:28:29.007575 2015] [:error] [pid 14924] ipa: WARNING: GID number 11 of migrated user anyone does not point to a known group.

migrate-ds command runs a search against the migrated OpenLDAP database and tries to find a group with gidNumber 11. When it fails to locate it, it reports this error. Do you have all the groups in DN "ou=people,ou=agroup,dc=example,dc=com"?

> And it never migrates my groups. The ou=Groups is used in my source openLDAP tree, so I'm not sure why it wouldn't migrate.

If it crashes during user migration, it won't even continue with groups. I know this is not a proper fix, but you could make sure the user migration part does not find anything (e.g. with --user-objectclass=foo) and use the --continue option. Then it will jump directly to group migration.

I am still thinking it would make sense to also check the migrated OpenLDAP logs and see if there is anything interesting when the migration breaks.
HTH, Martin > Bill > -----Original Message----- > From: Martin Kosek [mailto:mkosek at redhat.com] > Sent: Friday, January 16, 2015 2:25 AM > To: Ludwig Krispenz > Cc: Quayle, Bill; 'freeipa-users at redhat.com' > Subject: Re: [Freeipa-users] migrate-ds aborts > > On 01/16/2015 09:14 AM, Ludwig Krispenz wrote: >> >> On 01/16/2015 08:43 AM, Martin Kosek wrote: >>> On 01/15/2015 06:31 PM, Quayle, Bill wrote: >>>> I am migrating an openLDAP tree into ipa, and when I run ipa >>>> migrate-ds, the migration aborts after roughly 36 seconds with: >>>> >>>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >>>> >>>> It has transferred 9762 records, but seems to hit a timeout that >>>> causes it to stop. >>>> >>>> I've run it in debug mode, which only provides this: >>>> >>>> ipa: DEBUG: Starting external process >>>> >>>> ipa: DEBUG: args=keyctl pupdate 774698354 >>>> >>>> ipa: DEBUG: Process finished, return code=0 >>>> >>>> ipa: DEBUG: stdout= >>>> >>>> ipa: DEBUG: stderr= >>>> >>>> ipa: DEBUG: Caught fault 907 from server >>>> https://foo.example.com/ipa/session/xml: cannot connect to >>>> 'ldap://10.x.x.x:389': >>>> >>>> ipa: DEBUG: Destroyed connection context.xmlclient >>>> >>>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >>>> >>>> Initially, it had transferred 2000 records and stopped, until I set >>>> nsslapd-sizelimit in cn=config: >>>> >>>> nsslapd-sizelimit: 20000 >>>> >>>> I then re-ran the migration a dozen times, each time it would >>>> transfer more records, but would always time out at around the 36 >>>> second mark. Now that I'm at 9762 records, it seems to have reached a peak. >>>> >>>> I suspect this is another tunable, but haven't been able to find it, >>>> any document that mentions it, or anyone else hitting this issue. 
>>>>
>>>> RHEL 7.0 server
>>>>
>>>> idM ipa-server-3.3.3-28
>>>>
>>>> source is RHEL 6.5 running openldap-2.4.23-34
>>>>
>>>> command used to migrate:
>>>>
>>>> ipa migrate-ds --continue --bind-dn="uid=me,ou=people,ou=foo,dc=example,dc=com" --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389
>>>>
>>>> *Cheers,*
>>>>
>>>> *-Bill*
>>>
>>> Ludwig, do you know? I am just thinking it may be also caused by some form of timelimit, as mentioned in
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>
>>> (those apply both for bind DNs and global cn=config). Maybe nsslapd-timelimit could be increased? Although I saw the default is 3600, I assume it means 1 hour, i.e. not being the root cause.
>> we need the access and error logs from DS, if it is a DS limit it should be seen in the err code.
>
> +1
>
>> Could it be that migrate-ds has its own limit waiting for a response from DS ?
>
> The search itself in migrate-ds is limit-less:
>
>     try:
>         entries, truncated = ds_ldap.find_entries(
>             search_filter, ['*'], search_bases[ldap_obj_name],
>             ds_ldap.SCOPE_ONELEVEL,
>             time_limit=0, size_limit=-1,
>             search_refs=True    # migrated DS may contain search references
>         )
>     except...
>
> Bill, I am wondering, could you add debug=True to /etc/ipa/default.conf on your server, reload the httpd process and re-run the migration? It should print additional debugging information that may help us.
>
> Martin
>
> ________________________________
>
> CONFIDENTIALITY AND SECURITY NOTICE
>
> The contents of this message and any attachments may be confidential and proprietary. If you are not an intended recipient, please inform the sender of the transmission error and delete this message immediately without reading, distributing or copying the contents.
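Martin's reply above explains what the "GID number N of migrated user X does not point to a known group" warning means: for each user, migrate-ds searches the source directory for a group whose gidNumber matches the user's, and with a wrong container it finds nothing at all. The script below is an added example, not FreeIPA's own code, that runs the same two lookups offline against an LDIF export of the source tree before anyone points migrate-ds at it: users whose primary GID matches no group, and (for an RFC2307bis tree like this one) member/uniqueMember DNs that name no user. The LDIF is a constructed sample; the base DN and container names are the ones used in the thread's migrate-ds command.

```python
"""Pre-flight check of a source LDAP tree before running `ipa migrate-ds`.

Added example for this thread, not FreeIPA's own code. It performs offline,
against an LDIF export, the lookup migrate-ds does when it warns that a
user's GID "does not point to a known group", plus the reverse check for
RFC2307bis groups whose member/uniqueMember DNs name no user. Containers
are relative to the base DN, as with --user-container/--group-container.
"""
import base64
from collections import defaultdict

# Constructed sample export (what `ldapsearch -LLL -b ou=agroup,...` prints).
# "andy" carries gidNumber 11, which no group has, and "devs" lists a member
# DN that does not exist; everything else is consistent.
SAMPLE_LDIF = """\
dn: uid=bill,ou=people,ou=agroup,dc=example,dc=com
objectClass: posixAccount
uid: bill
gidNumber: 2001

dn: uid=andy,ou=people,ou=agroup,dc=example,dc=com
objectClass: posixAccount
uid: andy
gidNumber: 11
gecos:: QW5keSBCcm93bg==

dn: cn=staff,ou=groups,ou=agroup,dc=example,dc=com
objectClass: groupOfNames
cn: staff
gidNumber: 2001
member: uid=bill,ou=people,ou=agroup,dc=example,dc=com
member: uid=andy,ou=people,ou=agroup,dc=example,dc=com

dn: cn=devs,ou=groups,ou=agroup,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: devs
gidNumber: 2002
uniqueMember: uid=bill,ou=people,ou=agroup,dc=example,dc=com
uniqueMember: uid=ghost,ou=people,ou=agroup,dc=example,dc=com
"""


def _unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased (LDAP matches them case-insensitively),
    `attr:: value` is base64-decoded, comments and blank separators handled.
    """
    entries, entry = [], None
    for line in _unfold(text):
        if not line.strip():                 # blank line ends an entry
            if entry is not None:
                entries.append(entry)
            entry = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if entry is None:
            entry = defaultdict(list)
        entry[name.strip().lower()].append(value)
    if entry is not None:
        entries.append(entry)
    return entries


def _under(dn, container):
    """True when dn lies beneath container (case-insensitive DN suffix match)."""
    return dn.lower().endswith("," + container.lower())


def check_tree(ldif_text, base_dn, user_container="ou=people", group_container="ou=groups"):
    """Run the migrate-ds lookups offline and return the findings as a dict."""
    entries = parse_ldif(ldif_text)
    users = [e for e in entries if _under(e["dn"][0], f"{user_container},{base_dn}")]
    groups = [e for e in entries if _under(e["dn"][0], f"{group_container},{base_dn}")]

    # migrate-ds: for every user, look for a group whose gidNumber equals the
    # user's gidNumber and warn when none is found.
    known_gids = {g["gidnumber"][0] for g in groups if "gidnumber" in g}
    unknown_gid = sorted((u["uid"][0], u["gidnumber"][0]) for u in users
                         if "gidnumber" in u and u["gidnumber"][0] not in known_gids)

    # RFC2307bis: member/uniqueMember hold DNs; flag the ones that resolve to
    # no user entry, since IPA cannot attach that membership on import.
    user_dns = {u["dn"][0].lower() for u in users}
    dangling = sorted((g["dn"][0], m) for g in groups
                      for attr in ("member", "uniquemember")
                      for m in g.get(attr, []) if m.lower() not in user_dns)

    return {"users": len(users), "groups": len(groups),
            "unknown_gid": unknown_gid, "dangling_members": dangling}


if __name__ == "__main__":
    base = "ou=agroup,dc=example,dc=com"
    print(check_tree(SAMPLE_LDIF, base))
    # A mistyped group container shows up as zero groups and every GID unknown.
    print(check_tree(SAMPLE_LDIF, base, group_container="ou=group"))
```

Run it against a real export (`ldapsearch -x -LLL -b "ou=agroup,dc=example,dc=com" > tree.ldif`, then `check_tree(open("tree.ldif").read(), ...)`) before the migration: an empty `groups` count means the container option is wrong and migrate-ds will import users with unresolved GIDs, and each `dangling_members` hit is a membership that will silently be lost on the IPA side.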
From Bill.Quayle at citadel.com Fri Jan 16 19:21:03 2015
From: Bill.Quayle at citadel.com (Quayle, Bill)
Date: Fri, 16 Jan 2015 19:21:03 +0000
Subject: [Freeipa-users] migrate-ds aborts
In-Reply-To: <54B95D7B.3020408@redhat.com>
References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> <54B95D7B.3020408@redhat.com>
Message-ID: <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com>

> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Friday, January 16, 2015 12:51 PM
> To: Quayle, Bill; Ludwig Krispenz
> Cc: 'freeipa-users at redhat.com'
> Subject: Re: [Freeipa-users] migrate-ds aborts
>
> On 01/16/2015 04:48 PM, Quayle, Bill wrote:
> > Thanks for looking into this!
> >
> > I was finally able to import all 11811 user records into IPA, but even now, when I re-run the migrate, I get the same failure.
>
> How did you do it in the end? Simply by running the migrate-ds command multiple times or did you succeed with the limits?

I re-ran migrate-ds about 30 times to complete the migration of users.

> > I enabled debug in the default.cfg, and this is the tail of the httpd error_log:
> >
> > .
> > .
> > .
> > [Fri Jan 16 09:28:29.046991 2015] [:error] [pid 14924] ipa: WARNING: GID number 11 of migrated user andy does not point to a known group.
> > [Fri Jan 16 09:28:29.051353 2015] [:error] [pid 14924] ipa: INFO: > > admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', > u'********', > binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', > usercontainer=u'ou=people', groupcontainer=u'ou=groups', > userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', > u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, > groupignoreobjectclass=None, groupignoreattribute=None, > groupoverwritegid=False, schema=u'RFC2307bis', continue=True, > basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', > exclude_groups=None, exclude_users=None): NetworkError [Fri Jan 16 > 09:28:29.051428 2015] [:error] [pid 14924] ipa: DEBUG: response: > NetworkError: cannot connect to 'ldap://10.x.x.x:389': > > [Fri Jan 16 09:28:29.054057 2015] [:error] [pid 14924] ipa: DEBUG: no > > session id in request, generating empty session data with > > id=c0d2c8b3803593b30684e15ff1f57e0e > > [Fri Jan 16 09:28:29.054173 2015] [:error] [pid 14924] ipa: DEBUG: > > store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e > > start_timestamp=2015-01-16T09:28:29 > > access_timestamp=2015-01-16T09:28:29 > > expiration_timestamp=1969-12-31T18:00:00 > > [Fri Jan 16 09:28:29.054395 2015] [:error] [pid 14924] ipa: DEBUG: > finalize_kerberos_acquisition: xmlserver > ccache_name="FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku" > session_id="c0d2c8b3803593b30684e15ff1f57e0e" > > [Fri Jan 16 09:28:29.054463 2015] [:error] [pid 14924] ipa: DEBUG: reading > ccache data from file "/run/httpd/krbcache/krb5cc_apache_zTGsku" > > [Fri Jan 16 09:28:29.054851 2015] [:error] [pid 14924] ipa: DEBUG: > > get_credential_times: > > principal=HTTP/myipatestserver.example.com at IDMTEST.EXAMPLE.COM, > > authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, > > endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 [Fri Jan 16 > > 09:28:29.055014 2015] [:error] [pid 14924] ipa: DEBUG: KRB5_CCache > > 
FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku endtime=1421448244 (01/16/15 16:44:04)
> > [Fri Jan 16 09:28:29.055109 2015] [:error] [pid 14924] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1421447944 expiration=1421423309.06 (2015-01-16T09:48:29)
> > [Fri Jan 16 09:28:29.055217 2015] [:error] [pid 14924] ipa: DEBUG: store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e start_timestamp=2015-01-16T09:28:29 access_timestamp=2015-01-16T09:28:29 expiration_timestamp=2015-01-16T09:48:29
> > [Fri Jan 16 09:28:29.055806 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed connection context.ldap2_140392345753040
> > [Fri Jan 16 09:28:29.056471 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed connection context.ldap2
> >
> > One thing that is also confusing me, is that I am getting this error:
> > [Fri Jan 16 09:28:29.007575 2015] [:error] [pid 14924] ipa: WARNING: GID number 11 of migrated user anyone does not point to a known group.
>
> migrate-ds command runs a search against the migrated OpenLDAP database and tries to find a group with gidNumber 11. When it fails to locate it, it reports this error. Do you have all the groups in DN "ou=people,ou=agroup,dc=example,dc=com"?

Groups are in "ou=groups,ou=agroup,dc=example,dc=com"
I use --base-dn="ou=agroup,dc=example,dc=com" as an option to migrate-ds

> > And it never migrates my groups. The ou=Groups is used in my source openLDAP tree, so I'm not sure why it wouldn't migrate.
>
> If it crashes during user migration, it won't even continue with groups. I know this is not a proper fix, but you could make sure the user migration part does not find anything (e.g. with --user-objectclass=foo) and use the --continue option. Then it will jump directly to group migration.

I had actually already tried doing that.
I just re-tried using the debug=True, and here's the contents of error_log: [Fri Jan 16 13:07:42.819342 2015] [:error] [pid 15335] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Fri Jan 16 13:07:42.819462 2015] [:error] [pid 15335] ipa: DEBUG: WSGI xmlserver_session.__call__: [Fri Jan 16 13:07:42.819649 2015] [:error] [pid 15335] ipa: DEBUG: found session cookie_id = 7efb4fc24d37b7fe064fa2a4f0af447b [Fri Jan 16 13:07:42.819926 2015] [:error] [pid 15335] ipa: DEBUG: found session data in cache with id=7efb4fc24d37b7fe064fa2a4f0af447b [Fri Jan 16 13:07:42.820031 2015] [:error] [pid 15335] ipa: DEBUG: xmlserver_session.__call__: session_id=7efb4fc24d37b7fe064fa2a4f0af447b start_timestamp=2015-01-16T13:06:02 access_timestamp=2015-01-16T13:07:42 expiration_timestamp=2015-01-16T13:26:02 [Fri Jan 16 13:07:42.820113 2015] [:error] [pid 15335] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_15335" [Fri Jan 16 13:07:42.820724 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 [Fri Jan 16 13:07:42.821070 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 [Fri Jan 16 13:07:42.821370 2015] [:error] [pid 15335] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_15335 endtime=1421448244 (01/16/15 16:44:04) [Fri Jan 16 13:07:42.821480 2015] [:error] [pid 15335] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1421447944 expiration=1421436462.82 (2015-01-16T13:27:42) [Fri Jan 16 13:07:42.821539 2015] [:error] [pid 15335] ipa: DEBUG: WSGI xmlserver.__call__: [Fri Jan 16 13:07:42.850018 2015] [:error] [pid 15335] ipa: DEBUG: Created connection 
context.ldap2 [Fri Jan 16 13:07:42.850117 2015] [:error] [pid 15335] ipa: DEBUG: WSGI WSGIExecutioner.__call__: [Fri Jan 16 13:07:42.851403 2015] [:error] [pid 15335] ipa: DEBUG: raw: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None) [Fri Jan 16 13:07:42.852159 2015] [:error] [pid 15335] ipa: DEBUG: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=ipapython.dn.DN('uid=me,ou=people,ou=agroup,dc=example,dc=com'), usercontainer=ipapython.dn.DN('ou=people'), groupcontainer=ipapython.dn.DN('ou=groups'), userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=ipapython.dn.DN('ou=agroup,dc=example,dc=com'), compat=False, version=u'2.65', exclude_groups=None, exclude_users=None) [Fri Jan 16 13:07:42.933433 2015] [:error] [pid 15335] ipa: DEBUG: Created connection context.ldap2_140625322494032 [Fri Jan 16 13:07:42.944655 2015] [:error] [pid 15335] ipa: ERROR: non-public: UnboundLocalError: local variable 'pkey' referenced before assignment [Fri Jan 16 13:07:42.944666 2015] [:error] [pid 15335] Traceback (most recent call last): [Fri Jan 16 13:07:42.944668 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute [Fri Jan 16 13:07:42.944670 2015] [:error] [pid 15335] result = self.Command[name](*args, **options) [Fri Jan 16 
13:07:42.944671 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__ [Fri Jan 16 13:07:42.944673 2015] [:error] [pid 15335] ret = self.run(*args, **options) [Fri Jan 16 13:07:42.944683 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run [Fri Jan 16 13:07:42.944686 2015] [:error] [pid 15335] result = self.execute(*args, **options) [Fri Jan 16 13:07:42.944687 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 894, in execute [Fri Jan 16 13:07:42.944689 2015] [:error] [pid 15335] ldap, config, ds_ldap, ds_base_dn, options [Fri Jan 16 13:07:42.944691 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 843, in migrate [Fri Jan 16 13:07:42.944692 2015] [:error] [pid 15335] _update_default_group(ldap, pkey, config, context, True) [Fri Jan 16 13:07:42.944694 2015] [:error] [pid 15335] UnboundLocalError: local variable 'pkey' referenced before assignment [Fri Jan 16 13:07:42.944888 2015] [:error] [pid 15335] ipa: INFO: admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None): UnboundLocalError [Fri Jan 16 13:07:42.944952 2015] [:error] [pid 15335] ipa: DEBUG: response: InternalError: an internal error has occurred [Fri Jan 16 13:07:42.945645 2015] [:error] [pid 15335] ipa: DEBUG: Destroyed connection context.ldap2 [Fri Jan 16 13:07:42.945757 2015] [:error] [pid 15335] ipa: 
DEBUG: Destroyed connection context.ldap2_140625322494032 [Fri Jan 16 13:07:42.945846 2015] [:error] [pid 15335] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_15335" [Fri Jan 16 13:07:42.946019 2015] [:error] [pid 15335] ipa: DEBUG: store session: session_id=7efb4fc24d37b7fe064fa2a4f0af447b start_timestamp=2015-01-16T13:06:02 access_timestamp=2015-01-16T13:07:42 expiration_timestamp=2015-01-16T13:27:42 > I am still thinking it would make sense to also check the migrated OpenLDAP > logs and see if there is anything interesting when the migration breaks. I've been watching the logs on the OpenLDAP servers, and they just see the connection close. Thanks again, Bill > > HTH, > Martin > > > Bill > > -----Original Message----- > > From: Martin Kosek [mailto:mkosek at redhat.com] > > Sent: Friday, January 16, 2015 2:25 AM > > To: Ludwig Krispenz > > Cc: Quayle, Bill; 'freeipa-users at redhat.com' > > Subject: Re: [Freeipa-users] migrate-ds aborts > > > > On 01/16/2015 09:14 AM, Ludwig Krispenz wrote: > >> > >> On 01/16/2015 08:43 AM, Martin Kosek wrote: > >>> On 01/15/2015 06:31 PM, Quayle, Bill wrote: > >>>> I am migrating an openLDAP tree into ipa, and when I run ipa > >>>> migrate-ds, the migration aborts after roughly 36 seconds with: > >>>> > >>>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': > >>>> > >>>> It has transferred 9762 records, but seems to hit a timeout that > >>>> causes it to stop. 
> >>>> > >>>> I've run it in debug mode, which only provides this: > >>>> > >>>> ipa: DEBUG: Starting external process > >>>> > >>>> ipa: DEBUG: args=keyctl pupdate 774698354 > >>>> > >>>> ipa: DEBUG: Process finished, return code=0 > >>>> > >>>> ipa: DEBUG: stdout= > >>>> > >>>> ipa: DEBUG: stderr= > >>>> > >>>> ipa: DEBUG: Caught fault 907 from server > >>>> https://foo.example.com/ipa/session/xml: cannot connect to > >>>> 'ldap://10.x.x.x:389': > >>>> > >>>> ipa: DEBUG: Destroyed connection context.xmlclient > >>>> > >>>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': > >>>> > >>>> Initially, it had transferred 2000 records and stopped, until I set > >>>> nsslapd-sizelimit in cn=config: > >>>> > >>>> nsslapd-sizelimit: 20000 > >>>> > >>>> I then re-ran the migration a dozen times, each time it would > >>>> transfer more records, but would always time out at around the 36 > >>>> second mark. Now that I'm at 9762 records, it seems to have reached a > peak. > >>>> > >>>> I suspect this is another tunable, but haven't been able to find > >>>> it, any document that mentions it, or anyone else hitting this issue. > >>>> > >>>> RHEL 7.0 server > >>>> > >>>> idM ipa-server-3.3.3-28 > >>>> > >>>> source is RHEL 6.5 running openldap-2.4.23-34 > >>>> > >>>> command used to migrate: > >>>> > >>>> ipa migrate-ds --continue --bind- > dn="uid=me,ou=people,ou=foo,dc=example,dc=com" > >>>> --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389 > >>>> > >>>> *Cheers,* > >>>> > >>>> *-Bill* > >>> > >>> Ludwig, do you know? I am just thinking it may be also caused by > >>> some form of timelimit, as mentioned in > >>> > >>> https://access.redhat.com/documentation/en- > US/Red_Hat_Directory_Serv > >>> e > >>> r/8.2/html/Administration_Guide/User_Account_Management- > Setting_Reso > >>> u rce_Limits_Based_on_the_Bind_DN.html > >>> > >>> > >>> (those apply both for bind DNs and global cn=config). Maybe > >>> nsslapd-timelimit could be increased? 
Although I saw the default is 3600, I assume it means 1 hour, i.e. not being the root cause.
> >> we need the access and error logs from DS, if it is a DS limit it should be seen in the err code.
> >
> > +1
> >
> >> Could it be that migrate-ds has its own limit waiting for a response from DS ?
> >
> > The search itself in migrate-ds is limit-less:
> >
> >     try:
> >         entries, truncated = ds_ldap.find_entries(
> >             search_filter, ['*'], search_bases[ldap_obj_name],
> >             ds_ldap.SCOPE_ONELEVEL,
> >             time_limit=0, size_limit=-1,
> >             search_refs=True    # migrated DS may contain search references
> >         )
> >     except...
> >
> > Bill, I am wondering, could you add debug=True to /etc/ipa/default.conf on your server, reload the httpd process and re-run the migration? It should print additional debugging information that may help us.
> >
> > Martin
>

From dpal at redhat.com Fri Jan 16 20:53:00 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 16 Jan 2015 15:53:00 -0500
Subject: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups
In-Reply-To:
References: <54B6B6BD.7060403@redhat.com> <54B78710.7020005@redhat.com>
Message-ID: <54B97A2C.6010402@redhat.com>

On 01/16/2015 11:36 AM, Ejner Fergo wrote:
> Sorry, I didn't look close enough, so missed the link to HowTos under "Additional Resources"...
>
> On Fri, Jan 16, 2015 at 5:31 PM, Ejner Fergo wrote:
>
> I emailed the author of the howto, so hopefully he will update it.
>
> I still think it would make sense to have this information (how to setup an OSX 10.7+ client) documented directly on freeipa.org like http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients, or at least have a link to http://www.freeipa.org/page/HowTos under http://www.freeipa.org/page/Documentation (I could not find a link to HowTos on freeipa.org without searching for it..).
>
> I may be willing to volunteer to write this updated howto, even though it would be a 99% copy/paste from linsec.ca .... don't know if that's a good idea.

Many people are looking for pointers on the FreeIPA site. Some kind of linking or copy/paste needs to happen, whichever makes more sense and is cleanest.

> On Thu, Jan 15, 2015 at 10:23 AM, Martin Kosek wrote:
>
> > On 01/14/2015 07:34 PM, Dmitri Pal wrote:
> > > On 01/14/2015 01:11 PM, Ejner Fergo wrote:
> > >> Hola,
> > >>
> > >> This is a response to:
> > >> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
> > >>
> > >> Scott, maybe you already found the solution, but I've been banging my head with the same problem, albeit with a newer version of FreeIPA and OSX. I used this excellent howto to get started:
> > >> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> > >>
> > >> Despite initial success, without secondary groups the OSX integration doesn't really make sense. I managed to get it working though, by doing this:
> > >>
> > >> In the "Search & Mappings" area of Directory Utility, change the "Search base" of the Groups record type from 'cn=groups,cn=accounts,dc=example,dc=com' to 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts). In Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might have to map to 'member' in FreeIPA 3.0.
> > >>
> > >> With these settings, doing an 'id user' on OSX shows all secondary groups, even indirect group membership!
> > >>
> > >> I still have to test and figure stuff out about ssh and sudo on the OSX side of things, but that isn't as important as having group access control.
> > >>
> > >> Hope it helps!
> > >>
> > >> Best regards,
> > >> Ejner Fergo
> > >
> > > Thanks for sharing!
> > > So this seems to mean that Mac expects 2307 schema instead of the 2307bis.
> > > So yes pointing to compat tree would be the right approach.
> > >
> > > Can we document it somewhere?
> >
> > I at least added this useful link to http://www.freeipa.org/page/HowTos#UNIX
> >
> > If there is some better place, please feel free to update.
> >
> > Martin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Fri Jan 16 20:59:46 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 16 Jan 2015 15:59:46 -0500
Subject: [Freeipa-users] migrate-ds aborts
In-Reply-To: <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com>
References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> <54B95D7B.3020408@redhat.com> <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com>
Message-ID: <54B97BC2.407@redhat.com>

On 01/16/2015 02:21 PM, Quayle, Bill wrote:
>
>> -----Original Message-----
>> From: Martin Kosek [mailto:mkosek at redhat.com]
>> Sent: Friday, January 16, 2015 12:51 PM
>> To: Quayle, Bill; Ludwig Krispenz
>> Cc: 'freeipa-users at redhat.com'
>> Subject: Re: [Freeipa-users] migrate-ds aborts
>>
>> On 01/16/2015 04:48 PM, Quayle, Bill wrote:
>>> Thanks for looking into
this! >>> >>> I was finally able to import all 11811 user records into IPA, but even now, >> when I re-run the migrate, I get the same failure. >> >> How did you do it in the end? Simply by running migrate-ds command >> multiple times or did you succeeded with the limits? >> > I re-ran migrate-ds about 30 times to complete the migration of users. >>> I enabled debug in the default.cfg, and this is the tail of the httpd error_log: >>> >>> . >>> . >>> . >>> [Fri Jan 16 09:28:29.046991 2015] [:error] [pid 14924] ipa: WARNING: GID >> number 11 of migrated user andy does not point to a known group. >>> [Fri Jan 16 09:28:29.051353 2015] [:error] [pid 14924] ipa: INFO: >>> admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', >> u'********', >> binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', >> usercontainer=u'ou=people', groupcontainer=u'ou=groups', >> userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', >> u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, >> groupignoreobjectclass=None, groupignoreattribute=None, >> groupoverwritegid=False, schema=u'RFC2307bis', continue=True, >> basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', >> exclude_groups=None, exclude_users=None): NetworkError [Fri Jan 16 >> 09:28:29.051428 2015] [:error] [pid 14924] ipa: DEBUG: response: >> NetworkError: cannot connect to 'ldap://10.x.x.x:389': >>> [Fri Jan 16 09:28:29.054057 2015] [:error] [pid 14924] ipa: DEBUG: no >>> session id in request, generating empty session data with >>> id=c0d2c8b3803593b30684e15ff1f57e0e >>> [Fri Jan 16 09:28:29.054173 2015] [:error] [pid 14924] ipa: DEBUG: >>> store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e >>> start_timestamp=2015-01-16T09:28:29 >>> access_timestamp=2015-01-16T09:28:29 >>> expiration_timestamp=1969-12-31T18:00:00 >>> [Fri Jan 16 09:28:29.054395 2015] [:error] [pid 14924] ipa: DEBUG: >> finalize_kerberos_acquisition: xmlserver >> 
ccache_name="FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku" >> session_id="c0d2c8b3803593b30684e15ff1f57e0e" >>> [Fri Jan 16 09:28:29.054463 2015] [:error] [pid 14924] ipa: DEBUG: reading >> ccache data from file "/run/httpd/krbcache/krb5cc_apache_zTGsku" >>> [Fri Jan 16 09:28:29.054851 2015] [:error] [pid 14924] ipa: DEBUG: >>> get_credential_times: >>> principal=HTTP/myipatestserver.example.com at IDMTEST.EXAMPLE.COM, >>> authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, >>> endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 [Fri Jan 16 >>> 09:28:29.055014 2015] [:error] [pid 14924] ipa: DEBUG: KRB5_CCache >>> FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku endtime=1421448244 >>> (01/16/15 16:44:04) [Fri Jan 16 09:28:29.055109 2015] [:error] [pid >>> 14924] ipa: DEBUG: set_session_expiration_time: >>> duration_type=inactivity_timeout duration=1200 max_age=1421447944 >>> expiration=1421423309.06 (2015-01-16T09:48:29) [Fri Jan 16 >>> 09:28:29.055217 2015] [:error] [pid 14924] ipa: DEBUG: store session: >>> session_id=c0d2c8b3803593b30684e15ff1f57e0e >>> start_timestamp=2015-01-16T09:28:29 >>> access_timestamp=2015-01-16T09:28:29 >>> expiration_timestamp=2015-01-16T09:48:29 >>> [Fri Jan 16 09:28:29.055806 2015] [:error] [pid 14924] ipa: DEBUG: >>> Destroyed connection context.ldap2_140392345753040 [Fri Jan 16 >>> 09:28:29.056471 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed >>> connection context.ldap2 >>> >>> One thing that is also confusing me, is that I am getting this error: >>> [Fri Jan 16 09:28:29.007575 2015] [:error] [pid 14924] ipa: WARNING: GID >> number 11 of migrated user anyone does not point to a known group. >> >> migrate-ds command runs a search against the migrated OpenLDAP database >> and tries to find a group with gidNumber 11. When it fails to locate it, it >> reports this error. Do you have all the groups in DN >> "ou=people,ou=agroup,dc=example,dc=com"? 
>>
> Groups are in "ou=groups,ou=agroup,dc=example,dc=com"
> I use --base-dn="ou=agroup,dc=example,dc=com" as an option to migrate-ds
>>> And it never migrates my groups. The ou=Groups is used in my source
>> openLDAP tree, so I'm not sure why it wouldn't migrate.
>>
>> If it crashes during user migration, it won't even continue with groups. I know
>> this is not a proper fix, but you could make sure the user migration part does
>> not find anything (e.g. with --user-objectclass=foo) and using --continue
>> option. Then it will jump directly to group migration.
>>
> I had actually already tried doing that. I just re-tried using the debug=True, and here's the contents of error_log:
> [Fri Jan 16 13:07:42.819342 2015] [:error] [pid 15335] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Fri Jan 16 13:07:42.819462 2015] [:error] [pid 15335] ipa: DEBUG: WSGI xmlserver_session.__call__:
> [Fri Jan 16 13:07:42.819649 2015] [:error] [pid 15335] ipa: DEBUG: found session cookie_id = 7efb4fc24d37b7fe064fa2a4f0af447b
> [Fri Jan 16 13:07:42.819926 2015] [:error] [pid 15335] ipa: DEBUG: found session data in cache with id=7efb4fc24d37b7fe064fa2a4f0af447b
> [Fri Jan 16 13:07:42.820031 2015] [:error] [pid 15335] ipa: DEBUG: xmlserver_session.__call__: session_id=7efb4fc24d37b7fe064fa2a4f0af447b start_timestamp=2015-01-16T13:06:02 access_timestamp=2015-01-16T13:07:42 expiration_timestamp=2015-01-16T13:26:02
> [Fri Jan 16 13:07:42.820113 2015] [:error] [pid 15335] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_15335"
> [Fri Jan 16 13:07:42.820724 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00
> [Fri Jan 16 13:07:42.821070 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10,
starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 > [Fri Jan 16 13:07:42.821370 2015] [:error] [pid 15335] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_15335 endtime=1421448244 (01/16/15 16:44:04) > [Fri Jan 16 13:07:42.821480 2015] [:error] [pid 15335] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1421447944 expiration=1421436462.82 (2015-01-16T13:27:42) > [Fri Jan 16 13:07:42.821539 2015] [:error] [pid 15335] ipa: DEBUG: WSGI xmlserver.__call__: > [Fri Jan 16 13:07:42.850018 2015] [:error] [pid 15335] ipa: DEBUG: Created connection context.ldap2 > [Fri Jan 16 13:07:42.850117 2015] [:error] [pid 15335] ipa: DEBUG: WSGI WSGIExecutioner.__call__: > [Fri Jan 16 13:07:42.851403 2015] [:error] [pid 15335] ipa: DEBUG: raw: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None) > [Fri Jan 16 13:07:42.852159 2015] [:error] [pid 15335] ipa: DEBUG: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=ipapython.dn.DN('uid=me,ou=people,ou=agroup,dc=example,dc=com'), usercontainer=ipapython.dn.DN('ou=people'), groupcontainer=ipapython.dn.DN('ou=groups'), userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=ipapython.dn.DN('ou=agroup,dc=example,dc=com'), compat=False, version=u'2.65', exclude_groups=None, 
exclude_users=None) > [Fri Jan 16 13:07:42.933433 2015] [:error] [pid 15335] ipa: DEBUG: Created connection context.ldap2_140625322494032 > [Fri Jan 16 13:07:42.944655 2015] [:error] [pid 15335] ipa: ERROR: non-public: UnboundLocalError: local variable 'pkey' referenced before assignment > [Fri Jan 16 13:07:42.944666 2015] [:error] [pid 15335] Traceback (most recent call last): > [Fri Jan 16 13:07:42.944668 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute > [Fri Jan 16 13:07:42.944670 2015] [:error] [pid 15335] result = self.Command[name](*args, **options) > [Fri Jan 16 13:07:42.944671 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__ > [Fri Jan 16 13:07:42.944673 2015] [:error] [pid 15335] ret = self.run(*args, **options) > [Fri Jan 16 13:07:42.944683 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run > [Fri Jan 16 13:07:42.944686 2015] [:error] [pid 15335] result = self.execute(*args, **options) > [Fri Jan 16 13:07:42.944687 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 894, in execute > [Fri Jan 16 13:07:42.944689 2015] [:error] [pid 15335] ldap, config, ds_ldap, ds_base_dn, options > [Fri Jan 16 13:07:42.944691 2015] [:error] [pid 15335] File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 843, in migrate > [Fri Jan 16 13:07:42.944692 2015] [:error] [pid 15335] _update_default_group(ldap, pkey, config, context, True) > [Fri Jan 16 13:07:42.944694 2015] [:error] [pid 15335] UnboundLocalError: local variable 'pkey' referenced before assignment > [Fri Jan 16 13:07:42.944888 2015] [:error] [pid 15335] ipa: INFO: admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', 
userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None): UnboundLocalError > [Fri Jan 16 13:07:42.944952 2015] [:error] [pid 15335] ipa: DEBUG: response: InternalError: an internal error has occurred > [Fri Jan 16 13:07:42.945645 2015] [:error] [pid 15335] ipa: DEBUG: Destroyed connection context.ldap2 > [Fri Jan 16 13:07:42.945757 2015] [:error] [pid 15335] ipa: DEBUG: Destroyed connection context.ldap2_140625322494032 > [Fri Jan 16 13:07:42.945846 2015] [:error] [pid 15335] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_15335" > [Fri Jan 16 13:07:42.946019 2015] [:error] [pid 15335] ipa: DEBUG: store session: session_id=7efb4fc24d37b7fe064fa2a4f0af447b start_timestamp=2015-01-16T13:06:02 access_timestamp=2015-01-16T13:07:42 expiration_timestamp=2015-01-16T13:27:42 > >> I am still thinking it would make sense to also check the migrated OpenLDAP >> logs and see if there is anything interesting when the migration breaks. > I've been watching the logs on the OpenLDAP servers, and they just see the connection close. We would probably need Rob to take a look at this but my gut feeling based on the internal error above is that there is some data inconsistency in one (or more) of your entries that we choke on. For example an entry does not have a proper object class and thus a mandatory attribute we expect is missing. 
> > Thanks again, > Bill > >> HTH, >> Martin >> >>> Bill >>> -----Original Message----- >>> From: Martin Kosek [mailto:mkosek at redhat.com] >>> Sent: Friday, January 16, 2015 2:25 AM >>> To: Ludwig Krispenz >>> Cc: Quayle, Bill; 'freeipa-users at redhat.com' >>> Subject: Re: [Freeipa-users] migrate-ds aborts >>> >>> On 01/16/2015 09:14 AM, Ludwig Krispenz wrote: >>>> On 01/16/2015 08:43 AM, Martin Kosek wrote: >>>>> On 01/15/2015 06:31 PM, Quayle, Bill wrote: >>>>>> I am migrating an openLDAP tree into ipa, and when I run ipa >>>>>> migrate-ds, the migration aborts after roughly 36 seconds with: >>>>>> >>>>>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >>>>>> >>>>>> It has transferred 9762 records, but seems to hit a timeout that >>>>>> causes it to stop. >>>>>> >>>>>> I've run it in debug mode, which only provides this: >>>>>> >>>>>> ipa: DEBUG: Starting external process >>>>>> >>>>>> ipa: DEBUG: args=keyctl pupdate 774698354 >>>>>> >>>>>> ipa: DEBUG: Process finished, return code=0 >>>>>> >>>>>> ipa: DEBUG: stdout= >>>>>> >>>>>> ipa: DEBUG: stderr= >>>>>> >>>>>> ipa: DEBUG: Caught fault 907 from server >>>>>> https://foo.example.com/ipa/session/xml: cannot connect to >>>>>> 'ldap://10.x.x.x:389': >>>>>> >>>>>> ipa: DEBUG: Destroyed connection context.xmlclient >>>>>> >>>>>> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': >>>>>> >>>>>> Initially, it had transferred 2000 records and stopped, until I set >>>>>> nsslapd-sizelimit in cn=config: >>>>>> >>>>>> nsslapd-sizelimit: 20000 >>>>>> >>>>>> I then re-ran the migration a dozen times, each time it would >>>>>> transfer more records, but would always time out at around the 36 >>>>>> second mark. Now that I'm at 9762 records, it seems to have reached a >> peak. >>>>>> I suspect this is another tunable, but haven't been able to find >>>>>> it, any document that mentions it, or anyone else hitting this issue. 
>>>>>>
>>>>>> RHEL 7.0 server
>>>>>>
>>>>>> idM ipa-server-3.3.3-28
>>>>>>
>>>>>> source is RHEL 6.5 running openldap-2.4.23-34
>>>>>>
>>>>>> command used to migrate:
>>>>>>
>>>>>> ipa migrate-ds --continue --bind-dn="uid=me,ou=people,ou=foo,dc=example,dc=com"
>>>>>> --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389
>>>>>>
>>>>>> *Cheers,*
>>>>>>
>>>>>> *-Bill*
>>>>> Ludwig, do you know? I am just thinking it may be also caused by
>>>>> some form of timelimit, as mentioned in
>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>>
>>>>> (those apply both for bind DNs and global cn=config). Maybe
>>>>> nsslapd-timelimit could be increased? Although I saw the default is
>>>>> 3600, I assume it means 1 hour, i.e. not being the root cause.
>>>> we need the access and error logs from DS, if it is a DS limit it
>>>> should be seen in the err code.
>>> +1
>>>
>>>> Could it be that migrate-ds has its own limit waiting for a response from
>>>> DS ?
>>> The search itself in migrate-ds is limit-less:
>>>
>>>     try:
>>>         entries, truncated = ds_ldap.find_entries(
>>>             search_filter, ['*'], search_bases[ldap_obj_name],
>>>             ds_ldap.SCOPE_ONELEVEL,
>>>             time_limit=0, size_limit=-1,
>>>             search_refs=True  # migrated DS may contain search references
>>>         )
>>>     except...
>>>
>>> Bill, I am wondering, could you add debug=True to /etc/ipa/default.conf on
>>> your server, reload the httpd process and re-run the migration? It should
>>> print additional debugging information that may help us.
>>>
>>> Martin
>>>
>>> ________________________________
>>>
>>>
>>> CONFIDENTIALITY AND SECURITY NOTICE
>>>
>>> The contents of this message and any attachments may be confidential and
>>> proprietary.
>> If you are not an intended recipient, please inform the sender of
>> the transmission error and delete this message immediately without reading,
>> distributing or copying the contents.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From rcritten at redhat.com  Fri Jan 16 22:38:20 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 16 Jan 2015 17:38:20 -0500
Subject: [Freeipa-users] migrate-ds aborts
In-Reply-To: <54B97BC2.407@redhat.com>
References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com>
 <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com>
 <54B8CAEB.2090703@redhat.com>
 <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com>
 <54B95D7B.3020408@redhat.com>
 <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com>
 <54B97BC2.407@redhat.com>
Message-ID: <54B992DC.1090305@redhat.com>

Dmitri Pal wrote:
> On 01/16/2015 02:21 PM, Quayle, Bill wrote:
>>
>>> -----Original Message-----
>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>> Sent: Friday, January 16, 2015 12:51 PM
>>> To: Quayle, Bill; Ludwig Krispenz
>>> Cc: 'freeipa-users at redhat.com'
>>> Subject: Re: [Freeipa-users] migrate-ds aborts
>>>
>>> On 01/16/2015 04:48 PM, Quayle, Bill wrote:
>>>> Thanks for looking into this!
>>>>
>>>> I was finally able to import all 11811 user records into IPA, but
>>>> even now,
>>> when I re-run the migrate, I get the same failure.
>>>
>>> How did you do it in the end? Simply by running migrate-ds command
>>> multiple times or did you succeed with the limits?
>>>
>> I re-ran migrate-ds about 30 times to complete the migration of users.
>>>> I enabled debug in the default.cfg, and this is the tail of the
>>>> httpd error_log:
>>>>
>>>> .
>>>> .
>>>> .
>>>> [Fri Jan 16 09:28:29.046991 2015] [:error] [pid 14924] ipa:
>>>> WARNING: GID
>>> number 11 of migrated user andy does not point to a known group.
>>>> [Fri Jan 16 09:28:29.051353 2015] [:error] [pid 14924] ipa: INFO: >>>> admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', >>> u'********', >>> binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', >>> usercontainer=u'ou=people', groupcontainer=u'ou=groups', >>> userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', >>> u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, >>> groupignoreobjectclass=None, groupignoreattribute=None, >>> groupoverwritegid=False, schema=u'RFC2307bis', continue=True, >>> basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', >>> exclude_groups=None, exclude_users=None): NetworkError [Fri Jan 16 >>> 09:28:29.051428 2015] [:error] [pid 14924] ipa: DEBUG: response: >>> NetworkError: cannot connect to 'ldap://10.x.x.x:389': >>>> [Fri Jan 16 09:28:29.054057 2015] [:error] [pid 14924] ipa: DEBUG: no >>>> session id in request, generating empty session data with >>>> id=c0d2c8b3803593b30684e15ff1f57e0e >>>> [Fri Jan 16 09:28:29.054173 2015] [:error] [pid 14924] ipa: DEBUG: >>>> store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e >>>> start_timestamp=2015-01-16T09:28:29 >>>> access_timestamp=2015-01-16T09:28:29 >>>> expiration_timestamp=1969-12-31T18:00:00 >>>> [Fri Jan 16 09:28:29.054395 2015] [:error] [pid 14924] ipa: DEBUG: >>> finalize_kerberos_acquisition: xmlserver >>> ccache_name="FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku" >>> session_id="c0d2c8b3803593b30684e15ff1f57e0e" >>>> [Fri Jan 16 09:28:29.054463 2015] [:error] [pid 14924] ipa: DEBUG: >>>> reading >>> ccache data from file "/run/httpd/krbcache/krb5cc_apache_zTGsku" >>>> [Fri Jan 16 09:28:29.054851 2015] [:error] [pid 14924] ipa: DEBUG: >>>> get_credential_times: >>>> principal=HTTP/myipatestserver.example.com at IDMTEST.EXAMPLE.COM, >>>> authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, >>>> endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 [Fri Jan 16 >>>> 09:28:29.055014 2015] [:error] 
>>>> [pid 14924] ipa: DEBUG: KRB5_CCache
>>>> FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku endtime=1421448244
>>>> (01/16/15 16:44:04) [Fri Jan 16 09:28:29.055109 2015] [:error] [pid
>>>> 14924] ipa: DEBUG: set_session_expiration_time:
>>>> duration_type=inactivity_timeout duration=1200 max_age=1421447944
>>>> expiration=1421423309.06 (2015-01-16T09:48:29) [Fri Jan 16
>>>> 09:28:29.055217 2015] [:error] [pid 14924] ipa: DEBUG: store session:
>>>> session_id=c0d2c8b3803593b30684e15ff1f57e0e
>>>> start_timestamp=2015-01-16T09:28:29
>>>> access_timestamp=2015-01-16T09:28:29
>>>> expiration_timestamp=2015-01-16T09:48:29
>>>> [Fri Jan 16 09:28:29.055806 2015] [:error] [pid 14924] ipa: DEBUG:
>>>> Destroyed connection context.ldap2_140392345753040 [Fri Jan 16
>>>> 09:28:29.056471 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed
>>>> connection context.ldap2
>>>>
>>>> One thing that is also confusing me, is that I am getting this error:
>>>> [Fri Jan 16 09:28:29.007575 2015] [:error] [pid 14924] ipa: WARNING:
>>>> GID
>>> number 11 of migrated user anyone does not point to a known group.
>>>
>>> migrate-ds command runs a search against the migrated OpenLDAP database
>>> and tries to find a group with gidNumber 11. When it fails to locate
>>> it, it
>>> reports this error. Do you have all the groups in DN
>>> "ou=people,ou=agroup,dc=example,dc=com"?
>>>
>> Groups are in "ou=groups,ou=agroup,dc=example,dc=com"
>> I use --base-dn="ou=agroup,dc=example,dc=com" as an option to migrate-ds
>>>> And it never migrates my groups. The ou=Groups is used in my source
>>> openLDAP tree, so I'm not sure why it wouldn't migrate.
>>>
>>> If it crashes during user migration, it won't even continue with
>>> groups. I know
>>> this is not a proper fix, but you could make sure the user migration
>>> part does
>>> not find anything (e.g. with --user-objectclass=foo) and using
>>> --continue
>>> option. Then it will jump directly to group migration.
>>>
>> I had actually already tried doing that.
I just re-tried using the >> debug=True, and here's the contents of error_log: >> [Fri Jan 16 13:07:42.819342 2015] [:error] [pid 15335] ipa: DEBUG: >> WSGI wsgi_dispatch.__call__: >> [Fri Jan 16 13:07:42.819462 2015] [:error] [pid 15335] ipa: DEBUG: >> WSGI xmlserver_session.__call__: >> [Fri Jan 16 13:07:42.819649 2015] [:error] [pid 15335] ipa: DEBUG: >> found session cookie_id = 7efb4fc24d37b7fe064fa2a4f0af447b >> [Fri Jan 16 13:07:42.819926 2015] [:error] [pid 15335] ipa: DEBUG: >> found session data in cache with id=7efb4fc24d37b7fe064fa2a4f0af447b >> [Fri Jan 16 13:07:42.820031 2015] [:error] [pid 15335] ipa: DEBUG: >> xmlserver_session.__call__: >> session_id=7efb4fc24d37b7fe064fa2a4f0af447b >> start_timestamp=2015-01-16T13:06:02 >> access_timestamp=2015-01-16T13:07:42 >> expiration_timestamp=2015-01-16T13:26:02 >> [Fri Jan 16 13:07:42.820113 2015] [:error] [pid 15335] ipa: DEBUG: >> storing ccache data into file "/var/run/ipa_memcached/krbcc_15335" >> [Fri Jan 16 13:07:42.820724 2015] [:error] [pid 15335] ipa: DEBUG: >> get_credential_times: >> principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, >> authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, >> endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 >> [Fri Jan 16 13:07:42.821070 2015] [:error] [pid 15335] ipa: DEBUG: >> get_credential_times: >> principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, >> authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, >> endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 >> [Fri Jan 16 13:07:42.821370 2015] [:error] [pid 15335] ipa: DEBUG: >> KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_15335 endtime=1421448244 >> (01/16/15 16:44:04) >> [Fri Jan 16 13:07:42.821480 2015] [:error] [pid 15335] ipa: DEBUG: >> set_session_expiration_time: duration_type=inactivity_timeout >> duration=1200 max_age=1421447944 expiration=1421436462.82 >> (2015-01-16T13:27:42) >> [Fri Jan 16 13:07:42.821539 2015] [:error] [pid 15335] ipa: DEBUG: >> WSGI 
xmlserver.__call__: >> [Fri Jan 16 13:07:42.850018 2015] [:error] [pid 15335] ipa: DEBUG: >> Created connection context.ldap2 >> [Fri Jan 16 13:07:42.850117 2015] [:error] [pid 15335] ipa: DEBUG: >> WSGI WSGIExecutioner.__call__: >> [Fri Jan 16 13:07:42.851403 2015] [:error] [pid 15335] ipa: DEBUG: >> raw: migrate_ds(u'ldap://10.x.x.x:389', u'********', >> binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', >> usercontainer=u'ou=people', groupcontainer=u'ou=groups', >> userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', >> u'groupOfNames'), userignoreobjectclass=None, >> userignoreattribute=None, groupignoreobjectclass=None, >> groupignoreattribute=None, groupoverwritegid=False, >> schema=u'RFC2307bis', continue=True, >> basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', >> exclude_groups=None, exclude_users=None) >> [Fri Jan 16 13:07:42.852159 2015] [:error] [pid 15335] ipa: DEBUG: >> migrate_ds(u'ldap://10.x.x.x:389', u'********', >> binddn=ipapython.dn.DN('uid=me,ou=people,ou=agroup,dc=example,dc=com'), usercontainer=ipapython.dn.DN('ou=people'), >> groupcontainer=ipapython.dn.DN('ou=groups'), >> userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', >> u'groupOfNames'), userignoreobjectclass=None, >> userignoreattribute=None, groupignoreobjectclass=None, >> groupignoreattribute=None, groupoverwritegid=False, >> schema=u'RFC2307bis', continue=True, >> basedn=ipapython.dn.DN('ou=agroup,dc=example,dc=com'), compat=False, >> version=u'2.65', exclude_groups=None, exclude_users=None) >> [Fri Jan 16 13:07:42.933433 2015] [:error] [pid 15335] ipa: DEBUG: >> Created connection context.ldap2_140625322494032 >> [Fri Jan 16 13:07:42.944655 2015] [:error] [pid 15335] ipa: ERROR: >> non-public: UnboundLocalError: local variable 'pkey' referenced before >> assignment >> [Fri Jan 16 13:07:42.944666 2015] [:error] [pid 15335] Traceback (most >> recent call last): >> [Fri Jan 16 13:07:42.944668 2015] [:error] [pid 15335] File 
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, >> in wsgi_execute >> [Fri Jan 16 13:07:42.944670 2015] [:error] [pid 15335] result = >> self.Command[name](*args, **options) >> [Fri Jan 16 13:07:42.944671 2015] [:error] [pid 15335] File >> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in >> __call__ >> [Fri Jan 16 13:07:42.944673 2015] [:error] [pid 15335] ret = >> self.run(*args, **options) >> [Fri Jan 16 13:07:42.944683 2015] [:error] [pid 15335] File >> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run >> [Fri Jan 16 13:07:42.944686 2015] [:error] [pid 15335] result = >> self.execute(*args, **options) >> [Fri Jan 16 13:07:42.944687 2015] [:error] [pid 15335] File >> "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line >> 894, in execute >> [Fri Jan 16 13:07:42.944689 2015] [:error] [pid 15335] ldap, >> config, ds_ldap, ds_base_dn, options >> [Fri Jan 16 13:07:42.944691 2015] [:error] [pid 15335] File >> "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line >> 843, in migrate >> [Fri Jan 16 13:07:42.944692 2015] [:error] [pid 15335] >> _update_default_group(ldap, pkey, config, context, True) >> [Fri Jan 16 13:07:42.944694 2015] [:error] [pid 15335] >> UnboundLocalError: local variable 'pkey' referenced before assignment >> [Fri Jan 16 13:07:42.944888 2015] [:error] [pid 15335] ipa: INFO: >> admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', >> u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', >> usercontainer=u'ou=people', groupcontainer=u'ou=groups', >> userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', >> u'groupOfNames'), userignoreobjectclass=None, >> userignoreattribute=None, groupignoreobjectclass=None, >> groupignoreattribute=None, groupoverwritegid=False, >> schema=u'RFC2307bis', continue=True, >> basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', >> exclude_groups=None, exclude_users=None): 
UnboundLocalError >> [Fri Jan 16 13:07:42.944952 2015] [:error] [pid 15335] ipa: DEBUG: >> response: InternalError: an internal error has occurred >> [Fri Jan 16 13:07:42.945645 2015] [:error] [pid 15335] ipa: DEBUG: >> Destroyed connection context.ldap2 >> [Fri Jan 16 13:07:42.945757 2015] [:error] [pid 15335] ipa: DEBUG: >> Destroyed connection context.ldap2_140625322494032 >> [Fri Jan 16 13:07:42.945846 2015] [:error] [pid 15335] ipa: DEBUG: >> reading ccache data from file "/var/run/ipa_memcached/krbcc_15335" >> [Fri Jan 16 13:07:42.946019 2015] [:error] [pid 15335] ipa: DEBUG: >> store session: session_id=7efb4fc24d37b7fe064fa2a4f0af447b >> start_timestamp=2015-01-16T13:06:02 >> access_timestamp=2015-01-16T13:07:42 >> expiration_timestamp=2015-01-16T13:27:42 >> >>> I am still thinking it would make sense to also check the migrated >>> OpenLDAP >>> logs and see if there is anything interesting when the migration breaks. >> I've been watching the logs on the OpenLDAP servers, and they just see >> the connection close. > > > We would probably need Rob to take a look at this but my gut feeling > based on the internal error above is that there is some data > inconsistency in one (or more) of your entries that we choke on. > For example an entry does not have a proper object class and thus a > mandatory attribute we expect is missing. I'm with Martin. I think we need to see the access log of the server being migrated from so we can see the exactly queries and results. The exception being thrown is rather unusual and the only way I can see that it could happen is if all the entries were either search references or had invalid DN formatting (or a combination of the two). Any chance you can provide a small ldif of an entry that is failing? 
rob

From notify.sina at gmail.com  Sat Jan 17 08:49:04 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Sat, 17 Jan 2015 08:49:04 +0000
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
References: <54B7F3B7.7070907@redhat.com>
Message-ID:

Thanks Tomas.

List, please how do I get rid of this error:
ipa-client-install --uninstall
*Disabling client Kerberos and LDAP configurations*
*Failed to remove krb5/LDAP configuration: *
After I've deleted everything I can think of? Uninstalling freeipa doesn't help, and I can't reinstall the server.

On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej wrote:
>
> On 01/15/2015 03:34 AM, Sina Owolabi wrote:
>
> Hi List
>
> Please is it really possible to have Debian and Ubuntu serve as IPA
> clients?
> I've tried some instructions/guidelines on the list and they always fail
> with the IPA client install being halfway completed and sssd's
> configuration file moved to .deleted.
> I'm really interested in getting this to work and I'll appreciate any help
> I can get. Failing that are there any alternatives?
>
> Thanks!
>
>
>
> If your SSSD version is less than 1.9, you could try running ipa-advise
> config-generic-linux-sssd-before-1-9 on the IPA server.
>
> This will provide setup instructions to run on the client.
>
> HTH,
>
>
> --
> Tomas Babej
> Associate Software Engineer | Red Hat | Identity Management
> RHCE | Brno Site | IRC: tbabej | freeipa.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From brian.topping at gmail.com  Sat Jan 17 09:59:17 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Sat, 17 Jan 2015 16:59:17 +0700
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
In-Reply-To:
References: <54B7F3B7.7070907@redhat.com>
Message-ID: <66E2E309-BC73-4E96-8C55-5ECF0C42A524@gmail.com>

Did you try strace to see what files it is choking on?

Sent from my iPhone

> On Jan 17, 2015, at 15:49, Sina Owolabi wrote:
>
> Thanks Tomas.
>
> List, please how do I get rid of this error:
> ipa-client-install --uninstall
> Disabling client Kerberos and LDAP configurations
> Failed to remove krb5/LDAP configuration:
> After I've deleted everything I can think of? Uninstalling freeipa doesn't help, and I can't reinstall the server.
>
>> On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej wrote:
>>
>>> On 01/15/2015 03:34 AM, Sina Owolabi wrote:
>>> Hi List
>>>
>>> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
>>> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
>>> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that are there any alternatives?
>>>
>>> Thanks!
>>
>> If your SSSD version is less than 1.9, you could try running ipa-advise config-generic-linux-sssd-before-1-9 on the IPA server.
>>
>> This will provide setup instructions to run on the client.
>>
>> HTH,
>>
>>
>> --
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From notify.sina at gmail.com  Sat Jan 17 10:23:00 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Sat, 17 Jan 2015 10:23:00 +0000
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
References: <54B7F3B7.7070907@redhat.com> <66E2E309-BC73-4E96-8C55-5ECF0C42A524@gmail.com>
Message-ID:

How do I strace this, please?

On Sat Jan 17 2015 at 10:59:22 AM Brian Topping wrote:
> Did you try strace to see what files it is choking on?
>
> Sent from my iPhone
>
> On Jan 17, 2015, at 15:49, Sina Owolabi wrote:
>
> Thanks Tomas.
>
> List, please how do I get rid of this error:
> ipa-client-install --uninstall
> *Disabling client Kerberos and LDAP configurations*
> *Failed to remove krb5/LDAP configuration: *
> After I've deleted everything I can think of? Uninstalling freeipa doesn't
> help, and I can't reinstall the server.
>
> On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej wrote:
>
>>
>> On 01/15/2015 03:34 AM, Sina Owolabi wrote:
>>
>> Hi List
>>
>> Please is it really possible to have Debian and Ubuntu serve as IPA
>> clients?
>> I've tried some instructions/guidelines on the list and they always fail
>> with the IPA client install being halfway completed and sssd's
>> configuration file moved to .deleted.
>> I'm really interested in getting this to work and I'll appreciate any
>> help I can get. Failing that are there any alternatives?
>>
>> Thanks!
>>
>>
>>
>> If your SSSD version is less than 1.9, you could try running ipa-advise
>> config-generic-linux-sssd-before-1-9 on the IPA server.
>>
>> This will provide setup instructions to run on the client.
>>
>> HTH,
>>
>>
>> --
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>> --
>
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From notify.sina at gmail.com  Sat Jan 17 10:31:23 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Sat, 17 Jan 2015 10:31:23 +0000
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
References: <54B7F3B7.7070907@redhat.com> <66E2E309-BC73-4E96-8C55-5ECF0C42A524@gmail.com>
Message-ID:

Hi

I can't make head or tail of the output, but here it is attached. :-)

Sorry about the "how do I trace". I RTFM'ed myself.

On Sat Jan 17 2015 at 11:23:00 AM Sina Owolabi wrote:
> How do I strace this, please?
>
> On Sat Jan 17 2015 at 10:59:22 AM Brian Topping
> wrote:
>
>> Did you try strace to see what files it is choking on?
>>
>> Sent from my iPhone
>>
>> On Jan 17, 2015, at 15:49, Sina Owolabi wrote:
>>
>> Thanks Tomas.
>>
>> List, please how do I get rid of this error:
>> ipa-client-install --uninstall
>> *Disabling client Kerberos and LDAP configurations*
>> *Failed to remove krb5/LDAP configuration: *
>> After I've deleted everything I can think of? Uninstalling freeipa
>> doesn't help, and I can't reinstall the server.
>>
>> On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej wrote:
>>
>>>
>>> On 01/15/2015 03:34 AM, Sina Owolabi wrote:
>>>
>>> Hi List
>>>
>>> Please is it really possible to have Debian and Ubuntu serve as IPA
>>> clients?
>>> I've tried some instructions/guidelines on the list and they always fail
>>> with the IPA client install being halfway completed and sssd's
>>> configuration file moved to .deleted.
>>> I'm really interested in getting this to work and I'll appreciate any
>>> help I can get. Failing that are there any alternatives?
>>>
>>> Thanks!
>>>
>>>
>>>
>>> If your SSSD version is less than 1.9, you could try running
>>> ipa-advise config-generic-linux-sssd-before-1-9 on the IPA server.
>>>
>>> This will provide setup instructions to run on the client.
>>>
>>> HTH,
>>>
>>>
>>> --
>>> Tomas Babej
>>> Associate Software Engineer | Red Hat | Identity Management
>>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>>
>>> --
>>
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
URL: -------------- next part -------------- execve("/usr/sbin/ipa-client-install", ["ipa-client-install", "--uninstall"], [/* 17 vars */]) = 0 brk(0) = 0x1b17000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fab000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=37892, ...}) = 0 mmap(NULL, 37892, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f0ad5fa1000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0 mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0ad5b72000 mprotect(0x7f0ad5b89000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad5d88000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f0ad5d88000 mmap(0x7f0ad5d8a000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5d8a000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=14768, ...}) = 0 mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0ad596e000 mprotect(0x7f0ad5970000, 2097152, PROT_NONE) = 0 mmap(0x7f0ad5b70000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f0ad5b70000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libutil.so.1", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\16\0\0\0\0\0\0"..., 832) = 
832 fstat(3, {st_mode=S_IFREG|0644, st_size=10640, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa0000 mmap(NULL, 2105608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0ad576b000 mprotect(0x7f0ad576d000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad596c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f0ad596c000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340#\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=92752, ...}) = 0 mmap(NULL, 2187792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0ad5554000 mprotect(0x7f0ad556a000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad5769000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f0ad5769000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360>\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=530736, ...}) = 0 mmap(NULL, 2625768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0ad52d2000 mprotect(0x7f0ad5353000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad5552000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x80000) = 0x7f0ad5552000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\357\1\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1603600, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f9f000 mmap(NULL, 3717176, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0ad4f46000 mprotect(0x7f0ad50c8000, 2097152, 
PROT_NONE) = 0 mmap(0x7f0ad52c8000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x182000) = 0x7f0ad52c8000 mmap(0x7f0ad52cd000, 18488, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f0ad52cd000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p.\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=89056, ...}) = 0 mmap(NULL, 2184824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0ad4d30000 mprotect(0x7f0ad4d45000, 2097152, PROT_NONE) = 0 mmap(0x7f0ad4f45000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f0ad4f45000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f9e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f9d000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f9c000 arch_prctl(ARCH_SET_FS, 0x7f0ad5f9d700) = 0 mprotect(0x7f0ad52c8000, 16384, PROT_READ) = 0 mprotect(0x7f0ad5552000, 4096, PROT_READ) = 0 mprotect(0x7f0ad5769000, 4096, PROT_READ) = 0 mprotect(0x7f0ad596c000, 4096, PROT_READ) = 0 mprotect(0x7f0ad5b70000, 4096, PROT_READ) = 0 mprotect(0x7f0ad5d88000, 4096, PROT_READ) = 0 mprotect(0x856000, 4096, PROT_READ) = 0 mprotect(0x7f0ad5fad000, 4096, PROT_READ) = 0 munmap(0x7f0ad5fa1000, 37892) = 0 set_tid_address(0x7f0ad5f9d9d0) = 11094 set_robust_list(0x7f0ad5f9d9e0, 0x18) = 0 futex(0x7fff59e308bc, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f0ad5f9d700) = -1 EAGAIN (Resource temporarily unavailable) rt_sigaction(SIGRTMIN, {0x7f0ad5b77ad0, [], SA_RESTORER|SA_SIGINFO, 0x7f0ad5b810a0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {0x7f0ad5b77b60, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f0ad5b810a0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0 ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 brk(0) = 0x1b17000 brk(0x1b38000) = 0x1b38000 mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f5b000 open("/proc/meminfo", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(3, "MemTotal: 2061172 kB\nMemF"..., 1024) = 1024 close(3) = 0 munmap(0x7f0ad5faa000, 4096) = 0 brk(0x1b64000) = 0x1b64000 fstat(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 fstat(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 fstat(2, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 readlink("/usr/bin/python", "python2.7", 4096) = 9 readlink("/usr/bin/python2.7", 0x7fff59e2f630, 4096) = -1 EINVAL (Invalid argument) stat("/usr/bin/Modules/Setup", 0x7fff59e2e570) = -1 ENOENT (No such file or directory) stat("/usr/bin/lib/python2.7/os.py", 0x7fff59e2e560) = -1 ENOENT (No such file or directory) stat("/usr/bin/lib/python2.7/os.pyc", 0x7fff59e2e560) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/os.py", {st_mode=S_IFREG|0644, st_size=25769, ...}) = 0 stat("/usr/bin/Modules/Setup", 0x7fff59e2e570) = -1 ENOENT (No such file or directory) stat("/usr/bin/lib/python2.7/lib-dynload", 0x7fff59e2e570) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f1a000 rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7f0ad5b810a0}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGXFSZ, {SIG_IGN, [], SA_RESTORER, 0x7f0ad5b810a0}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGHUP, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 
8) = 0 rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGILL, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGTRAP, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGABRT, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGBUS, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGFPE, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGKILL, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGUSR1, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGSEGV, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGUSR2, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGPIPE, NULL, {SIG_IGN, [], SA_RESTORER, 0x7f0ad5b810a0}, 8) = 0 rt_sigaction(SIGALRM, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGSTKFLT, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGCONT, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGSTOP, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGTSTP, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGTTIN, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGTTOU, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGURG, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGXCPU, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGXFSZ, NULL, {SIG_IGN, [], SA_RESTORER, 0x7f0ad5b810a0}, 8) = 0 rt_sigaction(SIGVTALRM, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGPROF, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGWINCH, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGIO, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGPWR, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGSYS, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_2, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_3, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_4, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_5, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_6, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_7, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_8, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_9, NULL, 
{SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_10, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_11, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_12, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_13, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_14, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_15, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_16, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_17, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_18, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_19, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_20, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_21, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_22, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_23, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_24, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_25, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_26, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_27, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_28, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_29, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_30, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_31, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGRT_32, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGINT, {0x41b434, [], SA_RESTORER, 0x7f0ad5b810a0}, {SIG_DFL, [], 0}, 8) = 0 stat("/usr/lib/python2.7/", {st_mode=S_IFDIR|0755, st_size=16384, ...}) = 0 stat("/usr/lib/python2.7/", {st_mode=S_IFDIR|0755, st_size=16384, ...}) = 0 stat("/usr/lib/python2.7/site", 0x7fff59e2f2e0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/site.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/sitemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/site.py", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=20387, ...}) = 0 open("/usr/lib/python2.7/site.pyc", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=19742, ...}) = 0 mmap(NULL, 
4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(4, "\3\363\r\n\213\216!Sc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sp\1\0\0d\0"..., 4096) = 4096 fstat(4, {st_mode=S_IFREG|0644, st_size=19742, ...}) = 0 read(4, "\0(\0\0\0\0s\32\0\0\0/usr/lib/python2.7/si"..., 12288) = 12288 read(4, "n2.7/site.pyt\t\0\0\0aliasmbcs\332\1\0\0s\24"..., 4096) = 3358 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5f19000, 4096) = 0 stat("/usr/lib/python2.7/os", 0x7fff59e2ec20) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/os.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/os.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=25769, ...}) = 0 open("/usr/lib/python2.7/os.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=25451, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(5, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\16\0\0\0@\0\0\0s\372\6\0\0d\0"..., 4096) = 4096 fstat(5, {st_mode=S_IFREG|0644, st_size=25451, ...}) = 0 brk(0x1b87000) = 0x1b87000 read(5, "e.\n\n N(\t\0\0\0R\t\0\0\0t\5\0\0\0splitt\6\0"..., 20480) = 20480 read(5, "\0t\6\0\0\0extendR\31\0\0\0t\6\0\0\0ntpathR\32\0\0"..., 4096) = 875 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7f0ad5f19000, 4096) = 0 stat("/usr/lib/python2.7/posixpath", 0x7fff59e2e560) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/posixpath.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/posixpathmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/posixpath.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=13442, ...}) = 0 open("/usr/lib/python2.7/posixpath.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=11465, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(6, 
"\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0&\0\0\0@\0\0\0s\31\2\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=11465, ...}) = 0 read(6, "\2\0\0\0R3\0\0\0t\2\0\0\0st(\0\0\0\0(\0\0\0\0s\37\0\0\0/"..., 4096) = 4096 read(6, "\1\0\0\0jR]\0\0\0R:\0\0\0(\0\0\0\0(\0\0\0\0s\37\0\0\0/u"..., 4096) = 3273 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5f19000, 4096) = 0 stat("/usr/lib/python2.7/stat", 0x7fff59e2dea0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/stat.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/statmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/stat.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=1842, ...}) = 0 open("/usr/lib/python2.7/stat.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=2731, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\1\0\0\0@\0\0\0s{\1\0\0d\0"..., 4096) = 2731 fstat(7, {st_mode=S_IFREG|0644, st_size=2731, ...}) = 0 read(7, "", 4096) = 0 mmap(NULL, 200704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5ee8000 close(7) = 0 munmap(0x7f0ad5f19000, 4096) = 0 close(6) = 0 stat("/usr/lib/python2.7/genericpath", 0x7fff59e2dea0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/genericpath.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/genericpathmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/genericpath.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=3015, ...}) = 0 open("/usr/lib/python2.7/genericpath.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=3243, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\10\0\0\0@\0\0\0s\221\0\0\0d\0"..., 4096) = 3243 fstat(7, {st_mode=S_IFREG|0644, st_size=3243, ...}) 
= 0 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5f19000, 4096) = 0 close(6) = 0 stat("/usr/lib/python2.7/warnings", 0x7fff59e2dea0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/warnings.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/warningsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/warnings.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=14044, ...}) = 0 open("/usr/lib/python2.7/warnings.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=13104, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\7\0\0\0@\0\0\0sS\2\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=13104, ...}) = 0 read(7, "efaults\6\0\0\0modules\4\0\0\0once(\7\0\0\0R"..., 8192) = 8192 read(7, "pyt\10\0\0\0__exit__c\1\0\0s\10\0\0\0\0\1\t\1\23\1\17\1"..., 4096) = 816 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5f19000, 4096) = 0 stat("/usr/lib/python2.7/linecache", 0x7fff59e2d7e0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/linecache.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/linecachemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/linecache.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=4118, ...}) = 0 open("/usr/lib/python2.7/linecache.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=3240, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sp\0\0\0d\0"..., 4096) = 3240 fstat(8, {st_mode=S_IFREG|0644, st_size=3240, ...}) = 0 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5f19000, 4096) = 0 close(7) = 0 stat("/usr/lib/python2.7/types", 0x7fff59e2d7e0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/types.so", O_RDONLY) = -1 
ENOENT (No such file or directory) open("/usr/lib/python2.7/typesmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/types.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=2040, ...}) = 0 open("/usr/lib/python2.7/types.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=2494, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s/\2\0\0d\0"..., 4096) = 2494 fstat(8, {st_mode=S_IFREG|0644, st_size=2494, ...}) = 0 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5f19000, 4096) = 0 close(7) = 0 close(6) = 0 close(5) = 0 stat("/usr/lib/python2.7/UserDict", 0x7fff59e2e560) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/UserDict.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/UserDictmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/UserDict.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=5811, ...}) = 0 open("/usr/lib/python2.7/UserDict.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=8730, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(6, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sb\0\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=8730, ...}) = 0 read(6, "\0\1c\2\0\0\0\2\0\0\0\2\0\0\0C\0\0\0s\r\0\0\0|\1\0|\0\0j\0"..., 4096) = 4096 read(6, "/UserDict.pyR\r\0\0\0\255\0\0\0s\n\0\0\0\0\1\f\1\4\1"..., 4096) = 538 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5f19000, 4096) = 0 stat("/usr/lib/python2.7/_abcoll", 0x7fff59e2dea0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_abcoll.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_abcollmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_abcoll.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, 
st_size=14672, ...}) = 0 open("/usr/lib/python2.7/_abcoll.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=21725, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5f19000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\20\0\0\0@\0\0\0sI\2\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=21725, ...}) = 0 brk(0x1baa000) = 0x1baa000 read(7, "C\0\0\0s&\0\0\0|\0\0t\0\0k\10\0r\"\0t\1\0|\1\0d\1\0\203\2"..., 16384) = 16384 read(7, "\30\0\1\0\0\0P:\0\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0644, st_size=38520, ...}) = 0 mmap(NULL, 2133760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f0ad4726000 mprotect(0x7f0ad472e000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad492d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x7000) = 0x7f0ad492d000 close(5) = 0 open("/etc/ld.so.cache", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=37892, ...}) = 0 mmap(NULL, 37892, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7f0ad5fa1000 close(5) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0", O_RDONLY) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200P\1\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0644, st_size=392072, ...}) = 0 mmap(NULL, 2487344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f0ad44c6000 mprotect(0x7f0ad451c000, 2097152, PROT_NONE) = 0 mmap(0x7f0ad471c000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x56000) = 0x7f0ad471c000 close(5) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\207\7\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0644, st_size=2048512, ...}) = 0 mmap(NULL, 4158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f0ad40ce000 mprotect(0x7f0ad4298000, 
2097152, PROT_NONE) = 0 mmap(0x7f0ad4498000, 172032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x1ca000) = 0x7f0ad4498000 mmap(0x7f0ad44c2000, 13688, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f0ad44c2000 close(5) = 0 mprotect(0x7f0ad4498000, 110592, PROT_READ) = 0 mprotect(0x7f0ad471c000, 12288, PROT_READ) = 0 mprotect(0x7f0ad492d000, 4096, PROT_READ) = 0 munmap(0x7f0ad5fa1000, 37892) = 0 close(4) = 0 close(3) = 0 stat("/usr/sbin/ipapython", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/sbin/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/ipapython", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/ipapython", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/ipapython", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/lib-tk/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/ipapython", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/local/lib/python2.7/dist-packages/ipapython", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/__init__.py", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/__init__", 0x7fff59e2f090) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/__init__module.so", O_RDONLY) = -1 ENOENT 
(No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/__init__.py", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/__init__.pyc", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=141, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(4, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\1\0\0\0@\0\0\0s\4\0\0\0d\0"..., 4096) = 141 fstat(4, {st_mode=S_IFREG|0644, st_size=141, ...}) = 0 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(3) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/ipa_log_manager", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipa_log_manager.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipa_log_managermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipa_log_manager.py", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=8301, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/ipa_log_manager.pyc", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=6057, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(4, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\n\0\0\0@\0\0\0s\30\1\0\0d\0"..., 4096) = 4096 fstat(4, {st_mode=S_IFREG|0644, st_size=6057, ...}) = 0 read(4, "ackages/ipapython/ipa_log_manage"..., 4096) = 1961 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/sys", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/sys.so", O_RDONLY) 
= -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/re", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/re.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/re.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/copy", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/copy.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/copymodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/copy.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/copy.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/copy", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/sbin/copy.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/copymodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/copy.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/copy.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/copy", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/copy.so", O_RDONLY) = -1 
ENOENT (No such file or directory) open("/usr/lib/python2.7/copymodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/copy.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=11519, ...}) = 0 open("/usr/lib/python2.7/copy.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=12142, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\17\0\0\0@\0\0\0s\233\3\0\0d\0"..., 4096) = 4096 fstat(5, {st_mode=S_IFREG|0644, st_size=12142, ...}) = 0 read(5, "St\0\0|\0\0d\2\0\203\2\0rF\0|\0\0j\2\0\203\0\0}\1\0|\0\0j"..., 4096) = 4096 read(5, "\16\0|\2\0r\376\1t\6\0|\16\0|\3\0\203\2\0}\16\0n\0\0|\n\0j\16\0"..., 4096) = 3950 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/weakref", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/sbin/weakref.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/weakrefmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/weakref.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/weakref.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/weakref", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/weakref.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/weakrefmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/weakref.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=10693, ...}) = 0 open("/usr/lib/python2.7/weakref.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=13946, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\f\0\0\0@\0\0\0s\350\0\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=13946, ...}) = 0 read(6, "the values.\n\n The referen"..., 
8192) = 8192 read(6, " (\2\0\0\0R\r\0\0\0t\4\0\0\0keys(\1\0\0\0R\21\0"..., 4096) = 1658 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(5) = 0 stat("/usr/sbin/org", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/sbin/org.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/orgmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/org.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/org.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/org", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/org.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/orgmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/org.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/org.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/org", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/org.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/orgmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/org.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/org.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/org", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/org.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/orgmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/org.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/org.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/org", 0x7fff59e2e380) = 
-1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/org.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/orgmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/org.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/org.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/local/lib/python2.7/dist-packages/org", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/org.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/orgmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/org.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/org.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/org", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/org.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/orgmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/org.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/org.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/pymodules/python2.7/org", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/org.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/orgmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/org.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/org.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(4) = 0 
stat("/usr/lib/python2.7/dist-packages/ipapython/log_manager", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/log_manager.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/log_managermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/log_manager.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=62297, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/log_manager.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=57873, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\6\0\0\0@\0\0\0s\10\1\0\0d\0"..., 4096) = 4096 fstat(5, {st_mode=S_IFREG|0644, st_size=57873, ...}) = 0 read(5, "eates the logger, configures it,"..., 53248) = 53248 read(5, "\0R\202\0\0\0R\204\0\0\0R\206\0\0\0R\210\0\0\0R=\0\0\0R\215\0\0\0R"..., 4096) = 529 read(5, "", 4096) = 0 brk(0x1ce3000) = 0x1ce3000 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/os", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/os.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/os.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/os.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/pwd", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/pwd.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/pwdmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/ipapython/pwd.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/pwd.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/logging", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/logging.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/loggingmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/logging.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/logging.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/logging", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/sbin/logging.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/loggingmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/logging.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/logging.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/logging/__init__.py", {st_mode=S_IFREG|0644, st_size=60200, ...}) = 0 stat("/usr/lib/python2.7/logging/__init__", 0x7fff59e2e310) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/__init__.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=60200, ...}) = 0 open("/usr/lib/python2.7/logging/__init__.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=57201, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 
read(6, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0%\0\0\0@\0\0\0sc\5\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=57201, ...}) = 0 read(6, "\0\0\0\0(\0\0\0\0s&\0\0\0/usr/lib/python2.7"..., 49152) = 49152 read(6, "\0\0\0|\0\0t\0\0j\1\0_\2\0d\1\0S(\2\0\0\0sB\0\0\0\n "..., 4096) = 3953 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/logging", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/logging", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/logging/sys", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/os", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/os.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/os.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/os.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/time", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/time.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/timemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/time.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/time.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/cStringIO", 
0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/cStringIO.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/cStringIOmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/cStringIO.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/cStringIO.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/traceback", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/traceback.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/tracebackmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/traceback.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/traceback.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/warnings", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/warnings.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/warningsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/warnings.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/warnings.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/weakref", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/weakref.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/weakrefmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/weakref.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/weakref.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/codecs", 0x7fff59e2dc50) = 
-1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/codecs.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/codecsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/codecs.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/codecs.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/thread", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/thread.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/threadmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/thread.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/thread.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/logging/threading", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/threading.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/threadingmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/threading.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/threading.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/threading", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/sbin/threading.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/threadingmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/threading.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/threading.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/threading", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/threading.so", O_RDONLY) = -1 ENOENT (No such file or 
directory) open("/usr/lib/python2.7/threadingmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/threading.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=32709, ...}) = 0 open("/usr/lib/python2.7/threading.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=28243, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\21\0\0\0@\0\0\0s \3\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=28243, ...}) = 0 read(7, "\0s\37\0\0\0/usr/lib/python2.7/threadi"..., 20480) = 20480 read(7, "|\6\0|\5\0\203\2\0}\t\0d\n\0|\10\0d\v\0\27\26|\t\0_\3\0|\7\0"..., 4096) = 3667 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/collections", 0x7fff59e2d590) = -1 ENOENT (No such file or directory) open("/usr/sbin/collections.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/collectionsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/collections.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/collections.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/collections", 0x7fff59e2d590) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/collections.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/collectionsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/collections.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=25626, ...}) = 0 open("/usr/lib/python2.7/collections.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=24587, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0sl\2\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=24587, ...}) = 0 read(8, 
"!\0\0\0/usr/lib/python2.7/collectio"..., 20480) = 20480 read(8, "\7\32\2\31\1\10\2\f\1\17\1", 4096) = 11 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/keyword", 0x7fff59e2ced0) = -1 ENOENT (No such file or directory) open("/usr/sbin/keyword.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/keywordmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/keyword.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/keyword.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/keyword", 0x7fff59e2ced0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/keyword.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/keywordmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/keyword.py", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0755, st_size=1995, ...}) = 0 open("/usr/lib/python2.7/keyword.pyc", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=2101, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(9, "\3\363\r\n\215\216!Sc\0\0\0\0\0\0\0\0\37\0\0\0@\0\0\0s\247\0\0\0d\0"..., 4096) = 2101 fstat(9, {st_mode=S_IFREG|0644, st_size=2101, ...}) = 0 read(9, "", 4096) = 0 close(9) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(8) = 0 stat("/usr/sbin/heapq", 0x7fff59e2ced0) = -1 ENOENT (No such file or directory) open("/usr/sbin/heapq.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/heapqmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/heapq.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/heapq.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/heapq", 0x7fff59e2ced0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/heapq.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/heapqmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/heapq.py", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=17395, ...}) = 0 open("/usr/lib/python2.7/heapq.pyc", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=13406, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(9, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\n\0\0\0@\0\0\0s\277\1\0\0d\0"..., 4096) = 4096 fstat(9, {st_mode=S_IFREG|0644, st_size=13406, ...}) = 0 read(9, "s (this is what I\nused for my MI"..., 8192) = 8192 read(9, "\0}\5\0Wn\27\0\4t\7\0t\10\0f\2\0k\n\0r\236\0\1\1\1n'\0X|"..., 4096) = 1118 read(9, "", 4096) = 0 brk(0x1d04000) = 0x1d04000 close(9) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/bisect", 0x7fff59e2c810) = -1 ENOENT (No such file or directory) open("/usr/sbin/bisect.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/bisectmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/bisect.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/bisect.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/bisect", 0x7fff59e2c810) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/bisect.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/bisectmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/bisect.py", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=2595, ...}) = 0 open("/usr/lib/python2.7/bisect.pyc", O_RDONLY) = 10 fstat(10, {st_mode=S_IFREG|0644, st_size=3061, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(10, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0st\0\0\0d\0"..., 4096) = 3061 fstat(10, {st_mode=S_IFREG|0644, st_size=3061, ...}) = 0 read(10, "", 4096) = 0 close(10) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(9) = 0 close(8) 
= 0 close(7) = 0 close(6) = 0 gettimeofday({1421490496, 281643}, NULL) = 0 stat("/usr/lib/python2.7/logging/atexit", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/atexit.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/atexitmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/atexit.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/logging/atexit.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/atexit", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/sbin/atexit.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/atexitmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/atexit.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/atexit.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/atexit", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/atexit.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/atexitmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/atexit.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=1705, ...}) = 0 open("/usr/lib/python2.7/atexit.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=2191, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\4\0\0\0@\0\0\0s\300\0\0\0d\0"..., 4096) = 2191 fstat(7, {st_mode=S_IFREG|0644, st_size=2191, ...}) = 0 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(6) = 0 close(5) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/time", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/time.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/ipapython/timemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/time.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/time.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(4) = 0 close(3) = 0 stat("/usr/sbin/tempfile", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/sbin/tempfile.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/tempfilemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/tempfile.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/tempfile.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/tempfile", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/tempfile.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/tempfilemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/tempfile.py", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=18061, ...}) = 0 open("/usr/lib/python2.7/tempfile.pyc", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=19755, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(4, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\n\0\0\0@\0\0\0s\0\3\0\0d\0"..., 4096) = 4096 fstat(4, {st_mode=S_IFREG|0644, st_size=19755, ...}) = 0 read(4, "pfile.pyt\4\0\0\0next\206\0\0\0s\20\0\0\0\0\1\t\1\t\1"..., 12288) = 12288 read(4, "on2.7/tempfile.pyR\237\0\0\0%\2\0\0s\2\0\0\0\0"..., 4096) = 3371 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/random", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/sbin/random.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/randommodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/random.py", 
O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/random.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/random", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/random.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/randommodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/random.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=32268, ...}) = 0 open("/usr/lib/python2.7/random.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=25549, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\31\0\0\0@ \0\0s\243\2\0\0d\0"..., 4096) = 4096 fstat(5, {st_mode=S_IFREG|0644, st_size=25549, ...}) = 0 brk(0x1d27000) = 0x1d27000 read(5, "mness source if available.\n\n "..., 20480) = 20480 read(5, "\0\0\0\0\0\340?g\0\0\0\0\0\0\360?(\2\0\0\0g\315\314\314\314\314\314\354?g\0"..., 4096) = 973 read(5, "", 4096) = 0 brk(0x1d6a000) = 0x1d6a000 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/__future__", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/sbin/__future__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/__future__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/__future__.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/__future__.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/__future__", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/__future__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/__future__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/__future__.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=4380, ...}) = 0 open("/usr/lib/python2.7/__future__.pyc", 
O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=4216, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\7\0\0\0@\0\0\0s\355\0\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=4216, ...}) = 0 read(6, "/python2.7/__future__.pyt\10\0\0\0\0\1\0\0\0\20\30\0\0\0\0\0\0"..., 832) = 832 fstat(7, {st_mode=S_IFREG|0644, st_size=20696, ...}) = 0 mmap(NULL, 2116368, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x7f0ad4973000 mprotect(0x7f0ad4976000, 2097152, PROT_NONE) = 0 mmap(0x7f0ad4b76000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x3000) = 0x7f0ad4b76000 close(7) = 0 mprotect(0x7f0ad4b76000, 4096, PROT_READ) = 0 close(6) = 0 close(5) = 0 time([1421490496]) = 1421490496 open("/dev/urandom", O_RDONLY) = 5 read(5, "k\210M_0\306\203\307a\321\213\247\214S>\237", 16) = 16 close(5) = 0 close(4) = 0 close(3) = 0 stat("/usr/sbin/getpass", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/sbin/getpass.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/getpassmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/getpass.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/getpass.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/getpass", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/getpass.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/getpassmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/getpass.py", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=5563, ...}) = 0 open("/usr/lib/python2.7/getpass.pyc", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=4729, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(4, 
"\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\6\0\0\0@\0\0\0s9\1\0\0d\0"..., 4096) = 4096 fstat(4, {st_mode=S_IFREG|0644, st_size=4729, ...}) = 0 read(4, "then the password\n database. "..., 4096) = 633 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/termios", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/sbin/termios.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/termiosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/termios.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/termios.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/termios", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/termios.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/termiosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/termios.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/termios.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/termios", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/termios.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/termiosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/termios.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/termios.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/termios", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/termios.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/termiosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/termios.py", O_RDONLY) = -1 ENOENT (No such 
file or directory) open("/usr/lib/python2.7/lib-tk/termios.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/termios", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/termios.so", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=24648, ...}) = 0 open("/usr/lib/python2.7/lib-dynload/termios.so", O_RDONLY) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300'\0\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0644, st_size=24648, ...}) = 0 mmap(NULL, 2119848, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f0ad3ec8000 mprotect(0x7f0ad3ecc000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad40cb000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x3000) = 0x7f0ad40cb000 close(5) = 0 mprotect(0x7f0ad40cb000, 4096, PROT_READ) = 0 close(4) = 0 close(3) = 0 stat("/usr/sbin/ipaclient", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/sbin/ipaclient.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ipaclientmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ipaclient.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ipaclient.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/ipaclient", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ipaclient.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ipaclientmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ipaclient.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ipaclient.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/ipaclient", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/ipaclient.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/local/lib/python2.7/dist-packages/pyasn1.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/pyasn1.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/pyasn1", 0x7fff59e2ce60) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/pyasn1.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/pyasn1module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/pyasn1.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/pyasn1.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/pymodules/python2.7/pyasn1", 0x7fff59e2ce60) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/pyasn1.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/pyasn1module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/pyasn1.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/pyasn1.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(7) = 0 close(6) = 0 close(5) = 0 close(4) = 0 stat("/usr/lib/python2.7/dist-packages/ipaclient/dns", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipaclient/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipaclient/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipaclient/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipaclient/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/dns", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/sbin/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/sbin/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dns", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/dns", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/dns", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/dns", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/dns.py", O_RDONLY) = -1 ENOENT (No such file or 
directory) open("/usr/lib/python2.7/lib-dynload/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/local/lib/python2.7/dist-packages/dns", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/dns/__init__.py", {st_mode=S_IFREG|0644, st_size=1327, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/dns/__init__", 0x7fff59e2e9d0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/__init__.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=1327, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/__init__.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=763, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\n!`\30Nc\0\0\0\0\0\0\0\0#\0\0\0@\0\0\0sy\0\0\0d\0"..., 4096) = 763 fstat(5, {st_mode=S_IFREG|0644, st_size=763, ...}) = 0 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(4) = 0 stat("/usr/lib/python2.7/dist-packages/dns", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/dns", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/dns/resolver", 0x7fff59e2ea40) = -1 ENOENT (No 
such file or directory) open("/usr/lib/python2.7/dist-packages/dns/resolver.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/resolvermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/resolver.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=44345, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/resolver.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=36194, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\n\271\215\201Oc\0\0\0\0\0\0\0\0\7\0\0\0@\0\0\0s\10\3\0\0d\0"..., 4096) = 4096 fstat(5, {st_mode=S_IFREG|0644, st_size=36194, ...}) = 0 brk(0x1e1f000) = 0x1e1f000 read(5, "\0|\1\0j\24\0\203\0\0}\1\0WqA\2\4t\n\0j\25\0j\26\0k\n\0r<"..., 28672) = 28672 read(5, "\r\1\t\2\6\1\22\1\23\1\3\1\22\1\35\1\37\1\r\1\25\1\6\1\f\1\36\2\6\1\f\1"..., 4096) = 3426 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/dns/socket", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/socket.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/socketmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/socket.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/socket.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns/sys", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/dns/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns/time", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/time.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/timemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/time.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/time.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns/dns", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns/exception", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/exception.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/exceptionmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/exception.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=1318, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/exception.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=1583, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n!`\30Nc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\216\0\0\0d\0"..., 4096) = 1583 fstat(6, {st_mode=S_IFREG|0644, st_size=1583, ...}) = 0 read(6, "", 4096) = 0 
close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(5) = 0 stat("/usr/lib/python2.7/dist-packages/dns/flags", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/flags.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/flagsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/flags.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=2686, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/flags.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=2628, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n!`\30Nc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s7\1\0\0d\0"..., 4096) = 2628 fstat(6, {st_mode=S_IFREG|0644, st_size=2628, ...}) = 0 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(5) = 0 stat("/usr/lib/python2.7/dist-packages/dns/ipv4", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/ipv4.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/ipv4module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/ipv4.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=1852, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/ipv4.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=1394, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\nM\220\201Oc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s4\0\0\0d\0"..., 4096) = 1394 fstat(6, {st_mode=S_IFREG|0644, st_size=1394, ...}) = 0 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/dns/struct", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/struct.so", O_RDONLY) = -1 ENOENT 
(No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/structmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/struct.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/struct.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(5) = 0 stat("/usr/lib/python2.7/dist-packages/dns/ipv6", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/ipv6.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/ipv6module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/ipv6.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=4976, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/ipv6.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=3259, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n\302\370\34Nc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s|\0\0\0d\0"..., 4096) = 3259 fstat(6, {st_mode=S_IFREG|0644, st_size=3259, ...}) = 0 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/dns/re", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/re.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/re.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(5) = 0 stat("/usr/lib/python2.7/dist-packages/dns/message", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/message.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/dns/messagemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/message.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=42234, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/message.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=36951, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n\332\210\201Oc\0\0\0\0\0\0\0\0\v\0\0\0@\0\0\0sD\2\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=36951, ...}) = 0 read(6, "hen validating TSIG signatures. "..., 32768) = 32768 read(6, "\20\0\0\0sN\0\0\0\6\2\f\1\f\1\f\1\f\1\f\2\f\1\f\1\f\1\f\1\f\1\f"..., 4096) = 87 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/dns/cStringIO", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/cStringIO.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/cStringIOmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/cStringIO.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/cStringIO.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns/random", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/random.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/randommodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/random.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/random.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns/edns", 0x7fff59e2dcc0) = -1 ENOENT (No such 
file or directory) open("/usr/lib/python2.7/dist-packages/dns/edns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/ednsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/edns.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=4316, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/edns.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=5282, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n\315\213\201Oc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sT\0\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=5282, ...}) = 0 read(7, "R\35\0\0\0(\2\0\0\0R\2\0\0\0R\f\0\0\0(\0\0\0\0(\0\0\0\0s,"..., 4096) = 1186 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(6) = 0 stat("/usr/lib/python2.7/dist-packages/dns/name", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/name.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/namemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/name.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=21973, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/name.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=22895, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n!`\30Nc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s \2\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=22895, ...}) = 0 read(7, "ython2.7/dist-packages/dns/name."..., 16384) = 16384 read(7, "rt text into a Name object.\n "..., 4096) = 2415 read(7, "", 4096) = 0 brk(0x1e6c000) = 0x1e6c000 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/dns/encodings", 0x7fff59e2d600) = -1 ENOENT (No such file or 
directory) open("/usr/lib/python2.7/dist-packages/dns/encodings.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/encodingsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/encodings.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/encodings.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/encodings/idna", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/idna.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/idnamodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/idna.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=8474, ...}) = 0 open("/usr/lib/python2.7/encodings/idna.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=6376, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(8, "\3\363\r\n\177\216!Sc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\3\1\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=6376, ...}) = 0 read(8, "\0\0g\0\0}\6\0d\4\0}\7\0xD\0|\4\0D]<\0}\10\0|\6\0j\3"..., 4096) = 2280 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/encodings/stringprep", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/stringprep.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/stringprepmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/stringprep.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/stringprep.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/stringprep", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/sbin/stringprep.so", 
O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/stringprepmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/stringprep.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/stringprep.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/stringprep", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/stringprep.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/stringprepmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/stringprep.py", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=13522, ...}) = 0 open("/usr/lib/python2.7/stringprep.pyc", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=14447, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(9, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\f\0\0\0@\0\0\0s\260\23\0\0d\0"..., 4096) = 4096 fstat(9, {st_mode=S_IFREG|0644, st_size=14447, ...}) = 0 read(9, "d\374\0026d'\0d\375\0026d\340\2d\376\0026d-\0d\377\0026d3\0d\0\0036"..., 8192) = 8192 read(9, "R\2\0\0\0R\3\0\0\0(\1\0\0\0R\6\0\0\0(\0\0\0\0(\0\0\0\0s "..., 4096) = 2159 read(9, "", 4096) = 0 close(9) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(8) = 0 stat("/usr/lib/python2.7/encodings/re", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/re.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/re.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/encodings/unicodedata", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/unicodedata.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/encodings/unicodedatamodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/unicodedata.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/unicodedata.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5de5000 munmap(0x7f0ad5de5000, 528384) = 0 brk(0x1efe000) = 0x1efe000 close(7) = 0 stat("/usr/lib/python2.7/dist-packages/dns/wiredata", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/wiredata.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/wiredatamodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/wiredata.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=2100, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/wiredata.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=1852, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(8, "\3\363\r\n!`\30Nc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sA\0\0\0d\0"..., 4096) = 1852 fstat(8, {st_mode=S_IFREG|0644, st_size=1852, ...}) = 0 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5e65000, 4096) = 0 close(7) = 0 close(6) = 0 stat("/usr/lib/python2.7/dist-packages/dns/opcode", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/opcode.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/opcodemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/opcode.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=2614, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/opcode.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=2534, ...}) = 0 mmap(NULL, 4096, 
PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(7, "\3\363\r\n!`\30Nc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\327\0\0\0d\0"..., 4096) = 2534 fstat(7, {st_mode=S_IFREG|0644, st_size=2534, ...}) = 0 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5e65000, 4096) = 0 close(6) = 0 stat("/usr/lib/python2.7/dist-packages/dns/entropy", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/entropy.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/entropymodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/entropy.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=3878, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/entropy.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=3768, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(7, "\3\363\r\n!`\30Nc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s}\0\0\0d\0"..., 4096) = 3768 fstat(7, {st_mode=S_IFREG|0644, st_size=3768, ...}) = 0 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5e65000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/dns/os", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/os.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/os.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/os.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns/threading", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/threading.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/threadingmodule.so", O_RDONLY) = -1 
ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/threading.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/threading.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/dns/hashlib", 0x7fff59e2d050) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/hashlib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/hashlibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/hashlib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/hashlib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(6) = 0 stat("/usr/lib/python2.7/dist-packages/dns/rcode", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/rcode.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/rcodemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/rcode.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=3105, ...}) = 0 open("/usr/lib/python2.7/dist-packages/dns/rcode.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=2978, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(7, "\3\363\r\n!`\30Nc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s)\1\0\0d\0"..., 4096) = 2978 fstat(7, {st_mode=S_IFREG|0644, st_size=2978, ...}) = 0 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5e65000, 4096) = 0 close(6) = 0 stat("/usr/lib/python2.7/dist-packages/dns/rdata", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/rdata.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/dns/rdatamodule.so", O_RDONLY) = -1 ENOENT (No such file or 
brk(0x1fae000) = 0x1fae000 close(7) = 0 stat("/usr/sbin/mimetools", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/sbin/mimetools.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/mimetoolsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/mimetools.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/mimetools.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/mimetools", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/mimetools.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/mimetoolsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/mimetools.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=7168, ...}) = 0 open("/usr/lib/python2.7/mimetools.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=8182, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\10\0\0\0@\0\0\0s\306\1\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=8182, ...}) = 0 read(8, "c\0\0\0\0\5\0\0\0\5\0\0\0C\0\0\0s\355\0\0\0d\1\0d\2\0l\0\0}"..., 4096) = 4086 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5e65000, 4096) = 0 stat("/usr/sbin/rfc822", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/sbin/rfc822.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/rfc822module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/rfc822.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/rfc822.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/rfc822", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/rfc822.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/rfc822module.so", O_RDONLY) = -1 ENOENT (No such 
file or directory) open("/usr/lib/python2.7/rfc822.py", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=33293, ...}) = 0 open("/usr/lib/python2.7/rfc822.pyc", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=31669, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(9, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\30\0\0\0@\0\0\0s\271\3\0\0d\0"..., 4096) = 4096 fstat(9, {st_mode=S_IFREG|0644, st_size=31669, ...}) = 0 read(9, "\204\0\0Z\4\0d\4\0\204\0\0Z\5\0d\5\0\204\0\0Z\6\0d\6\0\204\0\0Z\7"..., 24576) = 24576 read(9, "|\f\0f\n\0S(\25\0\0\0sQ\0\0\0Convert a date "..., 4096) = 2997 read(9, "", 4096) = 0 close(9) = 0 munmap(0x7f0ad5e65000, 4096) = 0 close(8) = 0 close(7) = 0 stat("/usr/sbin/ssl", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/sbin/ssl.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/sslmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ssl.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ssl.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/ssl", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ssl.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/sslmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ssl.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=15940, ...}) = 0 open("/usr/lib/python2.7/ssl.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=14500, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\n\0\0\0@\0\0\0s\23\2\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=14500, ...}) = 0 read(8, "nectt\24\0\0\0suppress_ragged_eofst\16\0"..., 8192) = 8192 read(8, "\1\0\202\1\0n\0\0|\0\0j\3\0\203\0\0j\4\0t\5\0\203\1\0sJ\0t\2\0"..., 4096) = 2212 read(8, "", 
4096) = 0 close(8) = 0 munmap(0x7f0ad5e65000, 4096) = 0 stat("/usr/sbin/textwrap", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/sbin/textwrap.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/textwrapmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/textwrap.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/textwrap.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/textwrap", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/textwrap.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/textwrapmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/textwrap.py", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=17037, ...}) = 0 open("/usr/lib/python2.7/textwrap.pyc", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=11871, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(9, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\354\0\0\0d\0"..., 4096) = 4096 fstat(9, {st_mode=S_IFREG|0644, st_size=11871, ...}) = 0 read(9, "t\4\0\0\0text(\0\0\0\0(\0\0\0\0s\36\0\0\0/usr/lib"..., 4096) = 4096 read(9, "string.expandtabs(),\n and"..., 4096) = 3679 read(9, "", 4096) = 0 close(9) = 0 munmap(0x7f0ad5e65000, 4096) = 0 close(8) = 0 close(7) = 0 close(6) = 0 stat("/usr/sbin/urllib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/urllib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/urllibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/urllib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/urllib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/urllib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/urllib.so", O_RDONLY) = -1 ENOENT (No such 
file or directory) open("/usr/lib/python2.7/urllibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/urllib.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=57695, ...}) = 0 open("/usr/lib/python2.7/urllib.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=49711, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\34\0\0\0@\0\0\0s\273\4\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=49711, ...}) = 0 brk(0x1fd5000) = 0x1fd5000 read(7, "lib/python2.7/urllib.pyR\5\0\0\0^\0\0\0"..., 45056) = 45056 read(7, "RW\1\0\0R\25\0\0\0RX\1\0\0R\26\0\0\0RZ\1\0\0R\27\0\0\0R["..., 4096) = 559 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5e65000, 4096) = 0 brk(0x201a000) = 0x201a000 close(6) = 0 close(5) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/socket", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/socket.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/socketmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/socket.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/socket.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/ldap", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ldap.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ldapmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ldap.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ldap.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) 
stat("/usr/lib/python2.7/dist-packages/ipapython/struct", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/struct.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/structmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/struct.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/struct.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/types", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/types.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/typesmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/types.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/types.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/xmlrpclib", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/xmlrpclib", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/sbin/xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/xmlrpclib.py", O_RDONLY) = 
-1 ENOENT (No such file or directory) open("/usr/sbin/xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/xmlrpclib", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/xmlrpclib.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=51323, ...}) = 0 open("/usr/lib/python2.7/xmlrpclib.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=43236, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(6, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\6\0\0\0@\0\0\0s\357\5\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=43236, ...}) = 0 read(6, "\0\0\0\0\0\0\1\0\0\0B\0\0\0s\27\0\0\0e\0\0Z\1\0d\0\0Z\2\0d"..., 36864) = 36864 read(6, "\1\0\0RY\1\0\0R\276\0\0\0(\5\0\0\0R\24\0\0\0R\365\0\0\0R\330\0\0"..., 4096) = 2276 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5e65000, 4096) = 0 stat("/usr/sbin/gzip", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/gzip.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/gzipmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/gzip.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/gzip.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/gzip", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/gzip.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/gzipmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/gzip.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=18445, ...}) = 0 open("/usr/lib/python2.7/gzip.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=14926, ...}) = 0 mmap(NULL, 4096, 
PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\371\0\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=14926, ...}) = 0 read(7, "\0\0\0as\5\0\0\0Mode s\16\0\0\0 not supporte"..., 8192) = 8192 read(7, "\0j\0\0\30}\3\0x)\0t\5\0|\3\0d\4\0\32\203\1\0D]\27\0}\4\0|"..., 4096) = 2638 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5e65000, 4096) = 0 stat("/usr/sbin/io", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/sbin/io.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/iomodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/io.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/io.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/io", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/io.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/iomodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/io.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=3197, ...}) = 0 open("/usr/lib/python2.7/io.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=3468, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5e65000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\22\0\0\0@\0\0\0s\245\1\0\0d\0"..., 4096) = 3468 fstat(8, {st_mode=S_IFREG|0644, st_size=3468, ...}) = 0 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5e65000, 4096) = 0 stat("/usr/sbin/_io", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/sbin/_io.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_iomodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_io.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_io.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) 
stat("/usr/lib/python2.7/_io", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_io.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_iomodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_io.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_io.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/_io", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_io.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_iomodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_io.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_io.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/_io", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_io.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_iomodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_io.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_io.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/_io", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_io.so", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=165400, ...}) = 0 open("/usr/lib/python2.7/lib-dynload/_io.so", O_RDONLY) = 9 read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\204\0\0\0\0\0\0"..., 832) = 832 fstat(9, {st_mode=S_IFREG|0644, st_size=165400, ...}) = 0 mmap(NULL, 2260856, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x7f0ad25d8000 mprotect(0x7f0ad25f7000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad27f6000, 40960, 
PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x1e000) = 0x7f0ad27f6000 close(9) = 0 mprotect(0x7f0ad27f6000, 4096, PROT_READ) = 0 close(8) = 0 close(7) = 0 close(6) = 0 stat("/usr/sbin/datetime", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/datetime.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/datetimemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/datetime.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/datetime.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/datetime", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/datetime.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/datetimemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/datetime.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/datetime.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/datetime", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/datetime.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/datetimemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/datetime.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/datetime.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/datetime", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/datetime.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/datetimemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/datetime.py", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/lib-tk/datetime.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/datetime", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/datetime.so", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=101064, ...}) = 0 open("/usr/lib/python2.7/lib-dynload/datetime.so", O_RDONLY) = 7 read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 at O\0\0\0\0\0\0"..., 832) = 832 fstat(7, {st_mode=S_IFREG|0644, st_size=101064, ...}) = 0 mmap(NULL, 2196728, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x7f0ad23bf000 mprotect(0x7f0ad23d3000, 2097152, PROT_NONE) = 0 mmap(0x7f0ad25d3000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x14000) = 0x7f0ad25d3000 close(7) = 0 mprotect(0x7f0ad25d3000, 4096, PROT_READ) = 0 close(6) = 0 brk(0x203b000) = 0x203b000 stat("/usr/sbin/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/plat-linux2/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/local/lib/python2.7/dist-packages/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file 
or directory) open("/usr/lib/python2.7/dist-packages/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/pymodules/python2.7/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_xmlrpclib.so", 
O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/local/lib/python2.7/dist-packages/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) 
stat("/usr/lib/python2.7/dist-packages/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/pymodules/python2.7/_xmlrpclib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/_xmlrpclib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/_xmlrpclibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/_xmlrpclib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/_xmlrpclib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/xml", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/xml.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/xmlmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/xml.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/xml.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/xml", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/xml/__init__.py", {st_mode=S_IFREG|0644, st_size=980, ...}) = 0 stat("/usr/lib/python2.7/xml/__init__", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/xml/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/xml/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/xml/__init__.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=980, ...}) = 
0
open("/usr/lib/python2.7/xml/__init__.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=1076, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\201\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\242\0\0\0d\0"..., 4096) = 1076
fstat(7, {st_mode=S_IFREG|0644, st_size=1076, ...}) = 0
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/xml", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/xml", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/xml/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/sbin/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/plat-linux2/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/lib-tk/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/lib-dynload/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/local/lib/python2.7/dist-packages/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/pymodules/python2.7/_xmlplus", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/pymodules/python2.7/_xmlplus.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/pymodules/python2.7/_xmlplusmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/pymodules/python2.7/_xmlplus.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/pymodules/python2.7/_xmlplus.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
close(6) = 0
stat("/usr/lib/python2.7/xml/parsers", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/xml/parsers/__init__.py", {st_mode=S_IFREG|0644, st_size=167, ...}) = 0
stat("/usr/lib/python2.7/xml/parsers/__init__", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/__init__.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=167, ...}) = 0
open("/usr/lib/python2.7/xml/parsers/__init__.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=312, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\201\216!Sc\0\0\0\0\0\0\0\0\1\0\0\0@\0\0\0s\n\0\0\0d\0"..., 4096) = 312
fstat(7, {st_mode=S_IFREG|0644, st_size=312, ...}) = 0
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(6) = 0
stat("/usr/lib/python2.7/xml/parsers", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/xml/parsers", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/xml/parsers/expat", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/expat.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/expatmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/expat.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=114, ...}) = 0
open("/usr/lib/python2.7/xml/parsers/expat.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=285, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\201\216!Sc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s\32\0\0\0d\0"..., 4096) = 285
fstat(7, {st_mode=S_IFREG|0644, st_size=285, ...}) = 0
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/xml/parsers/pyexpat", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/pyexpat.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/pyexpatmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/pyexpat.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/xml/parsers/pyexpat.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/pyexpat", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/sbin/pyexpat.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/pyexpatmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/pyexpat.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/pyexpat.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/pyexpat", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/pyexpat.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/pyexpatmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/pyexpat.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/pyexpat.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/plat-linux2/pyexpat", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/pyexpat.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/pyexpatmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/pyexpat.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/pyexpat.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/lib-tk/pyexpat", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/pyexpat.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/pyexpatmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/pyexpat.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/pyexpat.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/lib-dynload/pyexpat", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/pyexpat.so", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=69208, ...}) = 0
open("/usr/lib/python2.7/lib-dynload/pyexpat.so", O_RDONLY) = 8
read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200:\0\0\0\0\0\0"..., 832) = 832
fstat(8, {st_mode=S_IFREG|0644, st_size=69208, ...}) = 0
mmap(NULL, 2164848, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0x7f0ad21ae000
mprotect(0x7f0ad21bd000, 2093056, PROT_NONE) = 0
mmap(0x7f0ad23bc000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 8, 0xe000) = 0x7f0ad23bc000
close(8) = 0
open("/etc/ld.so.cache", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=37892, ...}) = 0
mmap(NULL, 37892, PROT_READ, MAP_PRIVATE, 8, 0) = 0x7f0ad5fa1000
close(8) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libexpat.so.1", O_RDONLY) = 8
read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0?\0\0\0\0\0\0"..., 832) = 832
fstat(8, {st_mode=S_IFREG|0644, st_size=169992, ...}) = 0
mmap(NULL, 2265192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0x7f0ad1f84000
mprotect(0x7f0ad1fab000, 2097152, PROT_NONE) = 0
mmap(0x7f0ad21ab000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 8, 0x27000) = 0x7f0ad21ab000
close(8) = 0
mprotect(0x7f0ad21ab000, 8192, PROT_READ) = 0
mprotect(0x7f0ad23bc000, 4096, PROT_READ) = 0
munmap(0x7f0ad5fa1000, 37892) = 0
close(7) = 0
close(6) = 0
close(5) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/datetime", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/datetime.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/datetimemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/datetime.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/datetime.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/netaddr", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/netaddr", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/sbin/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/netaddr", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/plat-linux2/netaddr", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/lib-tk/netaddr", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/lib-dynload/netaddr", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/local/lib/python2.7/dist-packages/netaddr", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/__init__.py", {st_mode=S_IFREG|0644, st_size=2773, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/__init__", 0x7fff59e2e310) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/__init__.py", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=2773, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/__init__.pyc", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=2655, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(6, "\3\363\r\n\332\235\306Oc\0\0\0\0\0\0\0\0000\0\0\0@\0\0\0sv\2\0\0d\0"..., 4096) = 2655
fstat(6, {st_mode=S_IFREG|0644, st_size=2655, ...}) = 0
read(6, "", 4096) = 0
close(6) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/sys", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/netaddr", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/core", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/core.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/coremodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/core.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=6592, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/core.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=7712, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\311\225\306Oc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\35\1\0\0d\0"..., 4096) = 4096
fstat(7, {st_mode=S_IFREG|0644, st_size=7712, ...}) = 0
read(7, "qV\0n\20\0t\5\0d\3\0|\1\0\26\203\1\0\202\1\0d\4\0S(\5\0\0\0s"..., 4096) = 3616
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/struct", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/struct.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/structmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/struct.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/struct.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/pprint", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/pprint.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/pprintmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/pprint.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/pprint.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/compat", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/compat.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/compatmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/compat.py", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=2464, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/compat.pyc", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=4840, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(8, "\3\363\r\n\\\237\276Oc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0st\1\0\0d\0"..., 4096) = 4096
fstat(8, {st_mode=S_IFREG|0644, st_size=4840, ...}) = 0
read(8, "at.pyR\32\0\0\0Q\0\0\0s\6\0\0\0\0\1\f\0\f\1c\2\0\0\0\2\0"..., 4096) = 744
read(8, "", 4096) = 0
close(8) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(7) = 0
close(6) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/__init__.py", {st_mode=S_IFREG|0644, st_size=66496, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/__init__", 0x7fff59e2dbe0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/__init__.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=66496, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/ip/__init__.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=62366, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\231\231\306Oc\0\0\0\0\0\0\0\0\21\0\0\0@\0\0\0s?\3\0\0d\0"..., 4096) = 4096
fstat(7, {st_mode=S_IFREG|0644, st_size=62366, ...}) = 0
read(7, "\0\0__ne__Q\0\0\0s\10\0\0\0\0\7\3\1\32\1\23\1c\2\0\0\0\2\0"..., 57344) = 57344
read(7, "4s\t\0\0\000234.0.0.0s\17\0\0\000238.255.255."..., 4096) = 926
read(7, "", 4096) = 0
brk(0x209b000) = 0x209b000
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/sys", 0x7fff59e2d520) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/re", 0x7fff59e2d520) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/re.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/re.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/netaddr", 0x7fff59e2d520) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/__init__.py", {st_mode=S_IFREG|0644, st_size=8275, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/__init__", 0x7fff59e2d4b0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/__init__.py", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=8275, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/__init__.pyc", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=7910, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(8, "\3\363\r\n\36\231\306Oc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s\222\0\0\0d\0"..., 4096) = 4096
fstat(8, {st_mode=S_IFREG|0644, st_size=7910, ...}) = 0
read(8, "ess (excluding\n delimiter"..., 4096) = 3814
read(8, "", 4096) = 0
close(8) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/re", 0x7fff59e2cdf0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/re.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/re.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/netaddr", 0x7fff59e2cdf0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
close(7) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv4", 0x7fff59e2d520) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv4.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv4module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv4.py", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=9889, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv4.pyc", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=8707, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(8, "\3\363\r\nB\231\306Oc\0\0\0\0\0\0\0\0\10\0\0\0@\0\0\0s\35\3\0\0d\0"..., 4096) = 4096
fstat(8, {st_mode=S_IFREG|0644, st_size=8707, ...}) = 0
read(8, "is equivalent to value represent"..., 4096) = 4096
read(8, "\0R\r\0\0\0R?\0\0\0R\16\0\0\0RA\0\0\0R\17\0\0\0RB\0\0\0t"..., 4096) = 515
read(8, "", 4096) = 0
close(8) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/sys", 0x7fff59e2ce60) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/struct", 0x7fff59e2ce60) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/struct.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/structmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/struct.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/struct.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/socket", 0x7fff59e2ce60) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/socket.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/socketmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/socket.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/socket.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/_socket", 0x7fff59e2ce60) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/_socket.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/_socketmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/_socket.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/_socket.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
close(7) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv6", 0x7fff59e2d520) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv6.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv6module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv6.py", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=8939, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/ipv6.pyc", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=7897, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(8, "\3\363\r\nH\231\306Oc\0\0\0\0\0\0\0\0\10\0\0\0@\0\0\0s\33\3\0\0d\0"..., 4096) = 4096
fstat(8, {st_mode=S_IFREG|0644, st_size=7897, ...}) = 0
read(8, "\n :param int_val: An unsigned"..., 4096) = 3801
read(8, "", 4096) = 0
close(8) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(7) = 0
close(6) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/sets", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/sets.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/setsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/sets.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=17211, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/ip/sets.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=17239, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n%\233\306Oc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\261\0\0\0d\0"..., 4096) = 4096
fstat(7, {st_mode=S_IFREG|0644, st_size=17239, ...}) = 0
read(7, "\0r\26\0t\2\0Sq\26\0Wt\3\0S(\1\0\0\0s\204\0\0\0\n "..., 12288) = 12288
read(7, "/dist-packages/netaddr/ip/sets.p"..., 4096) = 855
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/itertools", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/itertools.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/itertoolsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/itertools.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/itertools.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/intset", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/intset.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/intsetmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/intset.py", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=20495, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/ip/intset.pyc", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=19533, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(8, "\3\363\r\nt\17\222Lc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\252\0\0\0d\0"..., 4096) = 4096
fstat(8, {st_mode=S_IFREG|0644, st_size=19533, ...}) = 0
read(8, "(\0d,\0d-\0\204\0\0\203\4\0Z\31\0e\v\0d.\0d(\0d/\0d0\0"..., 12288) = 12288
read(8, ".\1\17\1\6\1\20\1\32\1\f\1\17\1c\1\0\0\0\3\0\0\0\6\0\0\0C\0\0\0s"..., 4096) = 3149
read(8, "", 4096) = 0
close(8) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(7) = 0
close(6) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/glob", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/glob.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/globmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/glob.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=11002, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/ip/glob.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=9801, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n]\231\306Oc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\216\0\0\0d\0"..., 4096) = 4096
fstat(7, {st_mode=S_IFREG|0644, st_size=9801, ...}) = 0
read(7, "t1t\2\0\0\0t2R\37\0\0\0R\21\0\0\0R\22\0\0\0R\25\0\0\0(\0\0"..., 4096) = 4096
read(7, "j\4\0|\0\0j\5\0\203\2\0d\1\0\31|\0\0_\6\0d\2\0S(\3\0\0\0s"..., 4096) = 1609
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(6) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/nmap", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/nmap.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/nmapmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/nmap.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=3726, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/ip/nmap.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=3008, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\332\226\306Oc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s<\0\0\0d\0"..., 4096) = 3008
fstat(7, {st_mode=S_IFREG|0644, st_size=3008, ...}) = 0
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(6) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/ip/rfc1924", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/rfc1924.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/rfc1924module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/ip/rfc1924.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=1882, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/ip/rfc1924.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=2060, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\\\237\276Oc\0\0\0\0\0\0\0\0\30\0\0\0@\0\0\0s\345\0\0\0d\0"..., 4096) = 2060
fstat(7, {st_mode=S_IFREG|0644, st_size=2060, ...}) = 0
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(6) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/eui", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/eui/__init__.py", {st_mode=S_IFREG|0644, st_size=21605, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/eui/__init__", 0x7fff59e2dbe0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/__init__.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=21605, ...}) = 0
open("/usr/lib/python2.7/dist-packages/netaddr/eui/__init__.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=23235, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\216\232\306Oc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s'\1\0\0d\0"..., 4096) = 4096
fstat(7, {st_mode=S_IFREG|0644, st_size=23235, ...}) = 0
brk(0x20bf000) = 0x20bf000
read(7, "\5\0\0\0(hex)t\1\0\0\0 i\2\0\0\0s\t\0\0\0(base 1"..., 16384) = 16384
read(7, "urns a new, numerica"..., 4096) = 2755
read(7, "", 4096) = 0
brk(0x20ff000) = 0x20ff000
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/eui", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/eui", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/netaddr/eui/sys", 0x7fff59e2d520) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/eui/os", 0x7fff59e2d520) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/os.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/os.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/os.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/netaddr/eui/re", 0x7fff59e2d520) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/re.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/netaddr/eui/re.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/netaddr/eui/csv", 0x7fff59e2d520) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/csv.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/csvmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/csv.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/csv.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/csv", 0x7fff59e2d520) = -1 ENOENT (No such file or directory) open("/usr/sbin/csv.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/csvmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/csv.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/csv.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/csv", 0x7fff59e2d520) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/csv.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/csvmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/csv.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=16344, ...}) = 0 open("/usr/lib/python2.7/csv.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=13395, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\24\0\0\0@\0\0\0s\302\1\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=13395, ...}) = 0 read(8, "iseR\21\0\0\0c\6\0\0\0\10\0\0\0\5\0\0\0O\0\0\0sY\0\0\0|\2"..., 8192) = 8192 read(8, 
"\t\0\31d\0\0k\10\0rQ\1|\n\0|\5\0|\t\0\0\1\0\0\0\260!\0\0\0\0\0\0"..., 832) = 832 fstat(9, {st_mode=S_IFREG|0644, st_size=34304, ...}) = 0 mmap(NULL, 2129600, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x7f0ad1d7c000 mprotect(0x7f0ad1d82000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad1f81000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x5000) = 0x7f0ad1f81000 close(9) = 0 mprotect(0x7f0ad1f81000, 4096, PROT_READ) = 0 close(8) = 0 close(7) = 0 stat("/usr/lib/python2.7/dist-packages/netaddr/eui/pprint", 0x7fff59e2d520) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/pprint.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/pprintmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/pprint.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/pprint.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/netaddr/eui/netaddr", 0x7fff59e2d520) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/eui/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui48", 0x7fff59e2d520) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui48.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui48module.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui48.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=9663, ...}) = 0 open("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui48.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=8858, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(8, "\3\363\r\n2\231\306Oc\0\0\0\0\0\0\0\0\f\0\0\0@\0\0\0s\367\2\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=8858, ...}) = 0 read(8, " string form.\n\n :return: An u"..., 4096) = 4096 read(8, "\0s:\0\0\0/usr/lib/python2.7/dist-pa"..., 4096) = 666 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(7) = 0 stat("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui64", 0x7fff59e2d520) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui64.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui64module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui64.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=6011, ...}) = 0 open("/usr/lib/python2.7/dist-packages/netaddr/strategy/eui64.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=5654, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(8, "\3\363\r\n<\231\306Oc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\224\1\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=5654, ...}) = 0 read(8, "id_bitst\5\0\0\0widthR\37\0\0\0(\2\0\0\0t\4\0\0\0"..., 4096) = 1558 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(7) = 0 close(6) = 0 close(5) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/krbV.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/ipapython/krbVmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/krbV.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/krbV.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/sbin/krbV.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/krbVmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/krbV.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/krbV.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/krbV.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/krbVmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/krbV.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/krbV.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/krbV.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/krbVmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/krbV.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/krbV.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/krbV.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/krbVmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/krbV.py", O_RDONLY) = -1 
ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/krbV.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/krbV.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/krbVmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/krbV.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/krbV.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/local/lib/python2.7/dist-packages/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/krbV.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/krbVmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/krbV.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/krbV.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/krbV.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/krbVmodule.so", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=156048, ...}) = 0 open("/usr/lib/python2.7/dist-packages/krbVmodule.so", O_RDONLY) = 6 read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340>\0\0\0\0\0\0"..., 832) = 832 fstat(6, {st_mode=S_IFREG|0644, st_size=156048, ...}) = 0 mmap(NULL, 2251384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f0ad1b56000 mprotect(0x7f0ad1b69000, 2097152, PROT_NONE) = 0 mmap(0x7f0ad1d69000, 77824, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x13000) = 0x7f0ad1d69000 close(6) = 0 open("/etc/ld.so.cache", 
O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=37892, ...}) = 0 mmap(NULL, 37892, PROT_READ, MAP_PRIVATE, 6, 0) = 0x7f0ad5fa1000 close(6) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY) = 6 read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\310\1\0\0\0\0\0"..., 832) = 832 fstat(6, {st_mode=S_IFREG|0644, st_size=868096, ...}) = 0 mmap(NULL, 2963968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f0ad1882000 mprotect(0x7f0ad194b000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad1b4a000, 49152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0xc8000) = 0x7f0ad1b4a000 close(6) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libk5crypto.so.3", O_RDONLY) = 6 read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360H\0\0\0\0\0\0"..., 832) = 832 fstat(6, {st_mode=S_IFREG|0644, st_size=162632, ...}) = 0 mmap(NULL, 2261424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f0ad1659000 mprotect(0x7f0ad167f000, 2097152, PROT_NONE) = 0 mmap(0x7f0ad187f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x26000) = 0x7f0ad187f000 mmap(0x7f0ad1881000, 432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f0ad1881000 close(6) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY) = 6 read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\26\0\0\0\0\0\0"..., 832) = 832 fstat(6, {st_mode=S_IFREG|0644, st_size=14672, ...}) = 0 mmap(NULL, 2109928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f0ad1455000 mprotect(0x7f0ad1458000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad1657000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x2000) = 0x7f0ad1657000 close(6) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) 
open("/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY) = 6 read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240%\0\0\0\0\0\0"..., 832) = 832 fstat(6, {st_mode=S_IFREG|0644, st_size=35400, ...}) = 0 mmap(NULL, 2130800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f0ad124c000 mprotect(0x7f0ad1254000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad1453000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x7000) = 0x7f0ad1453000 close(6) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libkeyutils.so.1", O_RDONLY) = 6 read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\22\0\0\0\0\0\0"..., 832) = 832 fstat(6, {st_mode=S_IFREG|0644, st_size=14320, ...}) = 0 mmap(NULL, 2109456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f0ad1048000 mprotect(0x7f0ad104b000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad124a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x2000) = 0x7f0ad124a000 close(6) = 0 mprotect(0x7f0ad124a000, 4096, PROT_READ) = 0 mprotect(0x7f0ad1453000, 4096, PROT_READ) = 0 mprotect(0x7f0ad1657000, 4096, PROT_READ) = 0 mprotect(0x7f0ad187f000, 4096, PROT_READ) = 0 mprotect(0x7f0ad1b4a000, 40960, PROT_READ) = 0 munmap(0x7f0ad5fa1000, 37892) = 0 brk(0x2120000) = 0x2120000 close(5) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/dns", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/ipapython", 0x7fff59e2e380) = -1 ENOENT (No such file or 
directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/ipavalidate", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipavalidate.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipavalidatemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ipavalidate.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=3633, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/ipavalidate.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=3171, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sO\0\0\0d\0"..., 4096) = 3171 fstat(6, {st_mode=S_IFREG|0644, st_size=3171, ...}) = 0 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(5) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/config", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/config.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/configmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/config.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=8830, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/config.pyc", O_RDONLY) = 6 fstat(6, 
{st_mode=S_IFREG|0644, st_size=9161, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sm\1\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=9161, ...}) = 0 read(6, "fig.pyt\r\0\0\0get_safe_optsc\0\0\0s\f\0\0"..., 4096) = 4096 read(6, "\1\0n\0\0t\1\0j\4\0s\2\1t\17\0d\4\0\203\1\0\202\1\0n\0\0d\0\0"..., 4096) = 969 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/ConfigParser", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ConfigParser.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ConfigParsermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ConfigParser.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ConfigParser.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/ConfigParser", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/ConfigParser.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ConfigParsermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ConfigParser.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/ConfigParser.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/ConfigParser", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ConfigParser.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ConfigParsermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/ConfigParser.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=27746, ...}) = 0 open("/usr/lib/python2.7/ConfigParser.pyc", O_RDONLY) = 7 
fstat(7, {st_mode=S_IFREG|0644, st_size=25095, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\r\0\0\0@\0\0\0s\275\1\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=25095, ...}) = 0 read(7, "etter for 'message'; needed only"..., 20480) = 20480 read(7, "n2.7/ConfigParser.pyRj\0\0\0\336\2\0\0s\24\0"..., 4096) = 519 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(6) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/optparse", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/optparse.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/optparsemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/optparse.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/optparse.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/optparse", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/optparse.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/optparsemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/optparse.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/optparse.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/optparse", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/optparse.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/optparsemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/optparse.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=61124, ...}) = 0 open("/usr/lib/python2.7/optparse.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=53769, ...}) = 0 
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\20\0\0\0@\0\0\0s\300\2\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=53769, ...}) = 0 brk(0x214c000) = 0x214c000 read(7, "\0d\2\0\204\0\0Z\4\0RS(\3\0\0\0s]\0\0\0\n Raise"..., 49152) = 49152 read(7, "tparse.pyRB\1\0\0\212\6\0\0s\24\0\0\0\0\10\f\1\4\3\23\1\33"..., 4096) = 521 read(7, "", 4096) = 0 brk(0x218d000) = 0x218d000 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/gettext", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/sbin/gettext.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/gettextmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/gettext.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/gettext.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/gettext", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/gettext.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/gettextmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/gettext.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=19859, ...}) = 0 open("/usr/lib/python2.7/gettext.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=15420, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\f\0\0\0@\0\0\0s\264\1\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=15420, ...}) = 0 read(8, "Z\17\0e\20\0d\16\0d\r\0\204\2\0Z\21\0RS(\17\0\0\0c\2\0\0\0\2\0"..., 8192) = 8192 read(8, "\n\0\203\1\0\1qb\0W|\7\0S(\5\0\0\0NR\243\0\0\0i\1\0\0\0s$"..., 4096) = 3132 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/locale", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) 
open("/usr/sbin/locale.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/localemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/locale.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/locale.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/locale", 0x7fff59e2cf40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/locale.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/localemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/locale.py", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=89432, ...}) = 0 open("/usr/lib/python2.7/locale.pyc", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=49865, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(9, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\27\0\0\0@\0\0\0s\315 \0\0d\0"..., 4096) = 4096 fstat(9, {st_mode=S_IFREG|0644, st_size=49865, ...}) = 0 read(9, "\2d\352\0026d\353\2d\354\0026d\353\2d\355\0026d\210\0d\356\0026d\266\1d\357\2"..., 45056) = 45056 read(9, "\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7\1\7"..., 4096) = 713 read(9, "", 4096) = 0 close(9) = 0 munmap(0x7f0ad5faa000, 4096) = 0 brk(0x21c0000) = 0x21c0000 close(8) = 0 close(7) = 0 stat("/usr/share/locale/en_NG/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_NG/LC_MESSAGES/messages.mo", 
0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_NG/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_NG/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2dd30) = -1 ENOENT (No such file or directory) close(6) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/dn", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/dn.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/dnmodule.so", O_RDONLY) = -1 ENOENT (No such file or 
directory)
open("/usr/lib/python2.7/dist-packages/ipapython/dn.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=58683, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipapython/dn.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=57166, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\6\0\0\0@\0\0\0s\341\0\0\0d\0"..., 4096) = 4096
fstat(7, {st_mode=S_IFREG|0644, st_size=57166, ...}) = 0
read(7, "e string value (this common case"..., 49152) = 49152
read(7, "ex\7\6\0\0s\10\0\0\0\0\5\25\1\f\1\17\1N(%\0\0\0R\30\0\0\0R2"..., 4096) = 3918
read(7, "", 4096) = 0
brk(0x220e000) = 0x220e000
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(6) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/urlparse", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/urlparse.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/urlparsemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/urlparse.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/urlparse.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
close(5) = 0
close(4) = 0
close(3) = 0
stat("/usr/lib/python2.7/dist-packages/ipaclient/ipachangeconf", 0x7fff59e2f100) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/ipachangeconf.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/ipachangeconfmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/ipachangeconf.py", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=17775, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipaclient/ipachangeconf.pyc", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=13090, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(4, "\3\363\r\nk\377)Rc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\\\0\0\0d\0"..., 4096) = 4096
fstat(4, {st_mode=S_IFREG|0644, st_size=13090, ...}) = 0
read(4, "S(\4\0\0\0Ni\1\0\0\0i\2\0\0\0i\0\0\0\0(\7\0\0\0R8\0\0\0"..., 8192) = 8192
read(4, "\0\0Wn\21\0\4t\4\0k\n\0r\324\0\1\1\1n\1\0XXt\f\0S(\6\0\0"..., 4096) = 802
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipaclient/fcntl", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/fcntl.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/fcntlmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/fcntl.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/fcntl.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipaclient/string", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/string.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/stringmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/string.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/string.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipaclient/time", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/time.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/timemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/time.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/time.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipaclient/shutil", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/shutil.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/shutilmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/shutil.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/shutil.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
close(3) = 0
stat("/usr/lib/python2.7/dist-packages/ipaclient/ntpconf", 0x7fff59e2f100) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/ntpconf.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/ntpconfmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipaclient/ntpconf.py", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=5127, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipaclient/ntpconf.pyc", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=4573, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(4, "\3\363\r\nk\377)Rc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s{\0\0\0d\0"..., 4096) = 4096
fstat(4, {st_mode=S_IFREG|0644, st_size=4573, ...}) = 0
read(4, "uccessful\n s\21\0\0\0/usr/sbin/ntp"..., 4096) = 477
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/services", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/services.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/servicesmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/services.py", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=2094, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipapython/services.pyc", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=902, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(5, "\3\363\r\nh\377)Rc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0sG\0\0\0d\5"..., 4096) = 902
fstat(5, {st_mode=S_IFREG|0644, st_size=902, ...}) = 0
read(5, "", 4096) = 0
close(5) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/platform", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/__init__.py", {st_mode=S_IFREG|0644, st_size=895, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/__init__", 0x7fff59e2e310) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/__init__.py", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=895, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipapython/platform/__init__.pyc", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=283, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(6, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\1\0\0\0@\0\0\0s\n\0\0\0d\0"..., 4096) = 283
fstat(6, {st_mode=S_IFREG|0644, st_size=283, ...}) = 0
read(6, "", 4096) = 0
close(6) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(5) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/platform", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/platform", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/debian", 0x7fff59e2e380) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/debian.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/debianmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/debian.py", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=9737, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipapython/platform/debian.pyc", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=9986, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(6, "\3\363\r\nE\377)Rc\0\0\0\0\0\0\0\0\7\0\0\0@\0\0\0s~\1\0\0d\0"..., 4096) = 4096
fstat(6, {st_mode=S_IFREG|0644, st_size=9986, ...}) = 0
read(6, "in/chkconfigs\5\0\0\0--del(\3\0\0\0R\0\0\0\0"..., 4096) = 4096
read(6, "modt\4\0\0\0statt\7\0\0\0S_IRUSRt\7\0\0\0S_I"..., 4096) = 1794
read(6, "", 4096) = 0
close(6) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/tempfile", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/tempfile.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/tempfilemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/tempfile.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/tempfile.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/re", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/re.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/re.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/os", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/os.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/os.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/os.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/stat", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/stat.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/statmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/stat.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/stat.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/sys", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/socket", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/socket.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/socketmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/socket.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/socket.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/time", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/time.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/timemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/time.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/time.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/ipapython", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/base", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/base.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/basemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/base.py", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=5537, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipapython/platform/base.pyc", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=7230, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(7, "\3\363\r\nE\377)Rc\0\0\0\0\0\0\0\0\22\0\0\0@\0\0\0s\5\1\0\0d\0"..., 4096) = 4096
fstat(7, {st_mode=S_IFREG|0644, st_size=7230, ...}) = 0
read(7, "\t\4\t\4t\17\0\0\0PlatformServicec\0\0\0\0\0\0\0"..., 4096) = 3134
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipapython/platform/ipalib", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/ipalib.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/ipalibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/ipalib.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/platform/ipalib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/ipalib", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/sbin/ipalib.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/ipalibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/ipalib.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/ipalib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/ipalib", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/ipalib.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/ipalibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/ipalib.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/ipalib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/plat-linux2/ipalib", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/ipalib.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/ipalibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/ipalib.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/plat-linux2/ipalib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/lib-tk/ipalib", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/ipalib.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/ipalibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/ipalib.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-tk/ipalib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/lib-dynload/ipalib", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/ipalib.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/ipalibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/ipalib.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/lib-dynload/ipalib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/local/lib/python2.7/dist-packages/ipalib", 0x7fff59e2d600) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/ipalib.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/ipalibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/ipalib.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/python2.7/dist-packages/ipalib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/__init__.py", {st_mode=S_IFREG|0644, st_size=32350, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/__init__", 0x7fff59e2d590) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/__init__.py", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=32350, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipalib/__init__.pyc", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=32494, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(8, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\7\0\0\0@\0\0\0s\352\1\0\0d\0"..., 4096) = 4096
fstat(8, {st_mode=S_IFREG|0644, st_size=32494, ...}) = 0
read(8, "te named\n``my_command``, the sam"..., 24576) = 24576
read(8, "server, like this:\n\n ::\n\n "..., 4096) = 3822
read(8, "", 4096) = 0
close(8) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/os", 0x7fff59e2ced0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/os.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/os.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/os.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/plugable", 0x7fff59e2ced0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/plugable.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/plugablemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/plugable.py", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=25192, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipalib/plugable.pyc", O_RDONLY) = 9
fstat(9, {st_mode=S_IFREG|0644, st_size=26316, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(9, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\207\1\0\0d\0"..., 4096) = 4096
fstat(9, {st_mode=S_IFREG|0644, st_size=26316, ...}) = 0
read(9, "/ipalib/plugable.pyt\v\0\0\0__getite"..., 20480) = 20480
read(9, "\203\1\0\1|\2\0j\5\0s\225\0\210\2\0j\6\0j\7\0\fr\245\0\210\3\0j\10\0"..., 4096) = 1740
read(9, "", 4096) = 0
close(9) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/re", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/re.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/re.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/sys", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/inspect", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/inspect.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/inspectmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/inspect.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/inspect.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/inspect", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/sbin/inspect.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/inspectmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/inspect.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/inspect.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/inspect", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/inspect.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/inspectmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/inspect.py", O_RDONLY) = 9
fstat(9, {st_mode=S_IFREG|0644, st_size=42462, ...}) = 0
open("/usr/lib/python2.7/inspect.pyc", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0644, st_size=39839, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(10, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\t\0\0\0@\0\0\0s\316\3\0\0d\0"..., 4096) = 4096
fstat(10, {st_mode=S_IFREG|0644, st_size=39839, ...}) = 0
read(10, "ame__ is\n usually sensible, a"..., 32768) = 32768
read(10, "second argument specifies the nu"..., 4096) = 2975
read(10, "", 4096) = 0
brk(0x222f000) = 0x222f000
close(10) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/sbin/dis", 0x7fff59e2c150) = -1 ENOENT (No such file or directory)
open("/usr/sbin/dis.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/dismodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/dis.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/dis.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dis", 0x7fff59e2c150) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dis.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dismodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dis.py", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0644, st_size=6499, ...}) = 0
open("/usr/lib/python2.7/dis.pyc", O_RDONLY) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=6212, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(11, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\6\0\0\0@\0\0\0s\354\0\0\0d\0"..., 4096) = 4096
fstat(11, {st_mode=S_IFREG|0644, st_size=6212, ...}) = 0
read(11, "k\0\0r\350\0|\0\0|\3\0\31}\4\0t\1\0|\4\0\203\1\0}\5\0|\3\0d"..., 4096) = 2116
read(11, "", 4096) = 0
close(11) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/sbin/opcode", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory)
open("/usr/sbin/opcode.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/opcodemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/opcode.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/opcode.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/opcode", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/opcode.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/opcodemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/opcode.py", O_RDONLY) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=5474, ...}) = 0
open("/usr/lib/python2.7/opcode.pyc", O_RDONLY) = 12
fstat(12, {st_mode=S_IFREG|0644, st_size=6137, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(12, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\f\0\0\0@\0\0\0sQ\7\0\0d\0"..., 4096) = 4096
fstat(12, {st_mode=S_IFREG|0644, st_size=6137, ...}) = 0
read(12, "\0\0PRINT_NEWLINEiH\0\0\0t\r\0\0\0PRINT_I"..., 4096) = 2041
read(12, "", 4096) = 0
close(12) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(11) = 0
close(10) = 0
stat("/usr/sbin/tokenize", 0x7fff59e2c150) = -1 ENOENT (No such file or directory)
open("/usr/sbin/tokenize.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/tokenizemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/tokenize.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/tokenize.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/tokenize", 0x7fff59e2c150) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/tokenize.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/tokenizemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/tokenize.py", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0644, st_size=16477, ...}) = 0
open("/usr/lib/python2.7/tokenize.pyc", O_RDONLY) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=13865, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(11, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\36\0\0\0@\0\0\0s\350\4\0\0d\0"..., 4096) = 4096
fstat(11, {st_mode=S_IFREG|0644, st_size=13865, ...}) = 0
read(11, "'s\3\0\0\0Br\"s\3\0\0\0bR's\3\0\0\0bR\"s\3\0\0\0BR"..., 8192) = 8192
read(11, "\1\r\1\27\2\n\1\36\1\21\2\21\1$\1t\10\0\0\0__main__(\36\0\0"..., 4096) = 1577
read(11, "", 4096) = 0
close(11) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/sbin/token", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory)
open("/usr/sbin/token.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/tokenmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/token.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/sbin/token.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/token", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/token.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/tokenmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/token.py", O_RDONLY) = 11
fstat(11, {st_mode=S_IFREG|0755, st_size=2945, ...}) = 0
open("/usr/lib/python2.7/token.pyc", O_RDONLY) = 12
fstat(12, {st_mode=S_IFREG|0644, st_size=3806, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(12, "\3\363\r\n\215\216!Sc\0\0\0\0\0\0\0\0\4\0\0\0@\0\0\0s\337\1\0\0d\0"..., 4096) = 3806
fstat(12, {st_mode=S_IFREG|0644, st_size=3806, ...}) = 0
read(12, "", 4096) = 0
close(12) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(11) = 0
brk(0x2280000) = 0x2280000
close(10) = 0
close(9) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/threading", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/threading.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/threadingmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/threading.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/threading.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/subprocess", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/subprocess.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/subprocessmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/subprocess.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/subprocess.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/optparse", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/optparse.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/optparsemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/optparse.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/optparse.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/errors", 0x7fff59e2c810) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/errors.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/errorsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/errors.py", O_RDONLY) = 9
fstat(9, {st_mode=S_IFREG|0644, st_size=43993, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipalib/errors.pyc", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0644, st_size=59170, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(10, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\252\t\0\0d\0"..., 4096) = 4096
fstat(10, {st_mode=S_IFREG|0644, st_size=59170, ...}) = 0
brk(0x22a2000) = 0x22a2000
read(10, "00 - 5999 `GenericError` and "..., 53248) = 53248
read(10, "enericErrorc\0\0\0\0\0\0\0\0\1\0\0\0B\0\0\0s\24\0\0"..., 4096) = 1826
read(10, "", 4096) = 0
close(10) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/text", 0x7fff59e2c150) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/text.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/textmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/text.py", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0644, st_size=16959, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipalib/text.pyc", O_RDONLY) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=18826, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(11, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\343\0\0\0d\0"..., 4096) = 4096
fstat(11, {st_mode=S_IFREG|0644, st_size=18826, ...}) = 0
read(11, "\0\0localedirt\t\0\0\0languagest\10\0\0\0fa"..., 12288) = 12288
read(11, "\0\0\0\0(\0\0\0\0s/\0\0\0/usr/lib/python2.7"..., 4096) = 2442
read(11, "", 4096) = 0
close(11) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/locale", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/locale.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/localemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/locale.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/locale.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/gettext", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/gettext.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/gettextmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/gettext.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/gettext.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/request", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/request.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/requestmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/request.py", O_RDONLY) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=1762, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipalib/request.pyc", O_RDONLY) = 12
fstat(12, {st_mode=S_IFREG|0644, st_size=1405, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(12, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sm\0\0\0d\0"..., 4096) = 1405
fstat(12, {st_mode=S_IFREG|0644, st_size=1405, ...}) = 0
read(12, "", 4096) = 0
close(12) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/base", 0x7fff59e2b3d0) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/base.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/basemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/base.py", O_RDONLY) = 12
fstat(12, {st_mode=S_IFREG|0644, st_size=15669, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipalib/base.pyc", O_RDONLY) = 13
fstat(13, {st_mode=S_IFREG|0644, st_size=16739, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(13, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\225\0\0\0d\0"..., 4096) = 4096
fstat(13, {st_mode=S_IFREG|0644, st_size=16739, ...}) = 0
read(13, "\1\0\203\2\0S(\1\0\0\0s\271\0\0\0\n If unlo"..., 12288) = 12288
read(13, "\0\0R\20\0\0\0R\26\0\0\0R\27\0\0\0R\n\0\0\0R8\0\0\0R:\0\0\0"..., 4096) = 355
read(13, "", 4096) = 0
close(13) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/constants", 0x7fff59e2ad10) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/constants.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/constantsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/constants.py", O_RDONLY) = 13
fstat(13, {st_mode=S_IFREG|0644, st_size=8369, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipalib/constants.pyc", O_RDONLY) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=6006, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(14, "\3\363\r\n\203\227\307Pc\0\0\0\0\0\0\0\0T\0\0\0@\0\0\0s\201\4\0\0d\0"..., 4096) = 4096
fstat(14, {st_mode=S_IFREG|0644, st_size=6006, ...}) = 0
read(14, "\0\0R\31\0\0\0(\2\0\0\0R\f\0\0\0R\r\0\0\0(\2\0\0\0R\f\0\0\0"..., 4096) = 1910
read(14, "", 4096) = 0
close(14) = 0
munmap(0x7f0ad5faa000, 4096) = 0
stat("/usr/lib/python2.7/dist-packages/ipalib/socket", 0x7fff59e2a650) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/socket.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/socketmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/socket.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/socket.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipalib/ipapython", 0x7fff59e2a650) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/ipapython.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/ipapythonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/ipapython.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipalib/ipapython.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib/python2.7/dist-packages/ipapython/version", 0x7fff59e2a650) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/version.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/versionmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/python2.7/dist-packages/ipapython/version.py", O_RDONLY) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=1008, ...}) = 0
open("/usr/lib/python2.7/dist-packages/ipapython/version.pyc", O_RDONLY) = 15
fstat(15, {st_mode=S_IFREG|0644, st_size=230, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000
read(15, "\3\363\r\nh\377)Rc\0\0\0\0\0\0\0\0\1\0\0\0@\0\0\0s\26\0\0\0d\0"..., 4096) = 230
fstat(15, {st_mode=S_IFREG|0644, st_size=230, ...}) = 0
read(15, "", 4096) = 0
close(15) = 0
munmap(0x7f0ad5faa000, 4096) = 0
close(14) = 0
uname({sys="Linux", node="debswitch.nowahalaonline.com", ...})
= 0 socket(PF_NETLINK, SOCK_RAW, 0) = 14 bind(14, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(14, {sa_family=AF_NETLINK, pid=11094, groups=00000000}, [12]) = 0 time(NULL) = 1421490497 sendto(14, "\24\0\0\0\26\0\1\3A9\272T\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(14, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0A9\272TV+\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108 recvmsg(14, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0A9\272TV+\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128 recvmsg(14, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0A9\272TV+\0\0\0\0\0\0\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(14) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 14 connect(14, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(14) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 14 connect(14, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(14) = 0 open("/etc/nsswitch.conf", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=491, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(14, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 491 read(14, "", 4096) = 0 close(14) = 0 munmap(0x7f0ad5faa000, 4096) = 0 open("/etc/host.conf", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=9, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(14, "multi on\n", 4096) = 9 read(14, "", 4096) = 0 close(14) = 0 munmap(0x7f0ad5faa000, 4096) = 0 futex(0x7f0ad52d02e4, FUTEX_WAKE_PRIVATE, 2147483647) 
= 0 open("/etc/resolv.conf", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=50, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(14, "domain \tnowahalaonline.com\nnames"..., 4096) = 50 read(14, "", 4096) = 0 close(14) = 0 munmap(0x7f0ad5faa000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=37892, ...}) = 0 mmap(NULL, 37892, PROT_READ, MAP_PRIVATE, 14, 0) = 0x7f0ad5fa1000 close(14) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY) = 14 read(14, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200!\0\0\0\0\0\0"..., 832) = 832 fstat(14, {st_mode=S_IFREG|0644, st_size=47616, ...}) = 0 mmap(NULL, 2143624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 14, 0) = 0x7f0ad0e3c000 mprotect(0x7f0ad0e47000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad1046000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 14, 0xa000) = 0x7f0ad1046000 close(14) = 0 mprotect(0x7f0ad1046000, 4096, PROT_READ) = 0 munmap(0x7f0ad5fa1000, 37892) = 0 open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=220, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(14, "127.0.0.1\tlocalhost\n10.22.0.246\t"..., 4096) = 220 read(14, "", 4096) = 0 close(14) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=50, ...}) = 0 open("/etc/resolv.conf", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=50, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(14, "domain \tnowahalaonline.com\nnames"..., 4096) = 50 read(14, "", 4096) = 0 close(14) = 0 munmap(0x7f0ad5faa000, 4096) = 0 open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=220, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(14, "127.0.0.1\tlocalhost\n10.22.0.246\t"..., 4096) = 220 close(14) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(13) = 0 close(12) = 0 close(11) = 0 close(10) = 0 brk(0x22c3000) = 0x22c3000 brk(0x230c000) = 0x230c000 close(9) = 0 stat("/usr/lib/python2.7/dist-packages/ipalib/config", 0x7fff59e2c810) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/config.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/configmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/config.py", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=20223, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipalib/config.pyc", O_RDONLY) = 10 fstat(10, {st_mode=S_IFREG|0644, st_size=20130, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(10, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\320\0\0\0d\0"..., 4096) = 4096 fstat(10, {st_mode=S_IFREG|0644, st_size=20130, ...}) = 0 read(10, "alse\n\n Also, empty ``str`` in"..., 12288) = 12288 read(10, "\36\2\f\2\f\2\25\1\f\3\f\1\30\3\f\1\f\3\f\1\t\1\17\2\33\3\f\1\37\3\f\1"..., 4096) = 3746 read(10, "", 4096) = 0 close(10) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipalib/ConfigParser", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/ConfigParser.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/ConfigParsermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/ConfigParser.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/ConfigParser.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/types", 
0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/types.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/typesmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/types.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/types.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(9) = 0 stat("/usr/lib/python2.7/dist-packages/ipalib/util", 0x7fff59e2c810) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/util.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/utilmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/util.py", O_RDONLY) = 9 fstat(9, {st_mode=S_IFREG|0644, st_size=17209, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipalib/util.pyc", O_RDONLY) = 10 fstat(10, {st_mode=S_IFREG|0644, st_size=18932, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(10, "\3\363\r\nE\377)Rc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\254\2\0\0d\0"..., 4096) = 4096 fstat(10, {st_mode=S_IFREG|0644, st_size=18932, ...}) = 0 read(10, "\0\0\203\2\0d\5\0k\10\0rG\0t\6\0St\7\0Sd\5\0S(\6\0\0\0s"..., 12288) = 12288 read(10, "or client\n machines trying to"..., 4096) = 2548 read(10, "", 4096) = 0 close(10) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipalib/imp", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/imp.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/impmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/imp.py", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/ipalib/imp.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/time", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/time.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/timemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/time.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/time.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/decimal", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/decimal.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/decimalmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/decimal.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/decimal.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/decimal", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/sbin/decimal.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/decimalmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/decimal.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/decimal.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/decimal", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/decimal.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/decimalmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/decimal.py", O_RDONLY) = 10 fstat(10, {st_mode=S_IFREG|0644, st_size=220812, ...}) = 0 
open("/usr/lib/python2.7/decimal.pyc", O_RDONLY) = 11 fstat(11, {st_mode=S_IFREG|0644, st_size=170669, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(11, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\31\0\0\0@\0\0\0s\34\7\0\0d\0"..., 4096) = 4096 fstat(11, {st_mode=S_IFREG|0644, st_size=170669, ...}) = 0 brk(0x2352000) = 0x2352000 read(11, "raceback (most recent call last)"..., 163840) = 163840 read(11, "ositivei\1\0\0\0RE\0\0\0(\10\0\0\0R\5\2\0\0R`\0\0\0"..., 4096) = 2733 read(11, "", 4096) = 0 close(11) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/sbin/numbers", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory) open("/usr/sbin/numbers.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/numbersmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/numbers.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/numbers.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/numbers", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/numbers.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/numbersmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/numbers.py", O_RDONLY) = 11 fstat(11, {st_mode=S_IFREG|0644, st_size=10319, ...}) = 0 open("/usr/lib/python2.7/numbers.pyc", O_RDONLY) = 12 fstat(12, {st_mode=S_IFREG|0644, st_size=13888, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(12, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@ \0\0s\355\0\0\0d\0"..., 4096) = 4096 fstat(12, {st_mode=S_IFREG|0644, st_size=13888, ...}) = 0 read(12, "Should promote to float when nec"..., 8192) = 8192 read(12, "rN(\1\0\0\0R\23\0\0\0(\2\0\0\0R\20\0\0\0R\26\0\0\0(\0\0\0\0"..., 4096) = 1600 read(12, "", 4096) = 0 close(12) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(11) = 0 brk(0x23a8000) = 0x23a8000 
close(10) = 0 stat("/usr/lib/python2.7/dist-packages/ipalib/netaddr", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/netaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/netaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/netaddr.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/netaddr.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/weakref", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/weakref.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/weakrefmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/weakref.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/weakref.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/dns", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/dns.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/dnsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/dns.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/dns.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/ipalib", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/ipalib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/ipalibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/ipalib/ipalib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/ipalib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/ssh", 0x7fff59e2c150) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ssh.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/sshmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/ssh.py", O_RDONLY) = 10 fstat(10, {st_mode=S_IFREG|0644, st_size=5646, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/ssh.pyc", O_RDONLY) = 11 fstat(11, {st_mode=S_IFREG|0644, st_size=5520, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(11, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\201\0\0\0d\0"..., 4096) = 4096 fstat(11, {st_mode=S_IFREG|0644, st_size=5520, ...}) = 0 read(11, "\6\0\0\0Nu\5\0\0\0%s %sR-\0\0\0s\2\0\0\0\\\"u\7\0\0\0"..., 4096) = 1424 read(11, "", 4096) = 0 close(11) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/base64", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/base64.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/base64module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/base64.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/base64.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipapython/compat", 0x7fff59e2ba90) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/compat.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/ipapython/compatmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/compat.py", O_RDONLY) = 11 fstat(11, {st_mode=S_IFREG|0644, st_size=2598, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/compat.pyc", O_RDONLY) = 12 fstat(12, {st_mode=S_IFREG|0644, st_size=2064, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(12, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\262\0\0\0d\0"..., 4096) = 2064 fstat(12, {st_mode=S_IFREG|0644, st_size=2064, ...}) = 0 read(12, "", 4096) = 0 close(12) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/json", 0x7fff59e2b3d0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/json.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/jsonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/json.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/json.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/json", 0x7fff59e2b3d0) = -1 ENOENT (No such file or directory) open("/usr/sbin/json.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/jsonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/json.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/json.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/json", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/json/__init__.py", {st_mode=S_IFREG|0644, st_size=13860, ...}) = 0 stat("/usr/lib/python2.7/json/__init__", 0x7fff59e2b360) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/__init__.so", O_RDONLY) = -1 ENOENT (No such file or 
directory) open("/usr/lib/python2.7/json/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/__init__.py", O_RDONLY) = 12 fstat(12, {st_mode=S_IFREG|0644, st_size=13860, ...}) = 0 open("/usr/lib/python2.7/json/__init__.pyc", O_RDONLY) = 13 fstat(13, {st_mode=S_IFREG|0644, st_size=13106, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(13, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0\21\0\0\0@\0\0\0s&\1\0\0d\0"..., 4096) = 4096 fstat(13, {st_mode=S_IFREG|0644, st_size=13106, ...}) = 0 read(13, "``int``, ``long``, ``float``, ``"..., 8192) = 8192 read(13, "ll be called with one of the\n "..., 4096) = 818 read(13, "", 4096) = 0 close(13) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/json", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/json", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/json/decoder", 0x7fff59e2aca0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/decoder.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/decodermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/decoder.py", O_RDONLY) = 13 fstat(13, {st_mode=S_IFREG|0644, st_size=13874, ...}) = 0 open("/usr/lib/python2.7/json/decoder.pyc", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=11961, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(14, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\243\1\0\0d\0"..., 4096) = 4096 fstat(14, {st_mode=S_IFREG|0644, st_size=11961, ...}) = 0 read(14, "\0\0k\t\0r\233\0|\5\0|\n\0\203\1\0}\r\0|\r\0|\t\0f\2\0Si\0"..., 4096) = 4096 read(14, " will be used in\n place o"..., 4096) = 3769 read(14, "", 4096) = 0 close(14) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/json/re", 0x7fff59e2a5e0) = -1 ENOENT (No such file or 
directory) open("/usr/lib/python2.7/json/re.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/re.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/json/sys", 0x7fff59e2a5e0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/json/struct", 0x7fff59e2a5e0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/struct.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/structmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/struct.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/struct.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/json/json", 0x7fff59e2a5e0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/json.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/jsonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/json.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/json.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/json/scanner", 0x7fff59e2a5e0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/scanner.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/scannermodule.so", 
O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/scanner.py", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=2297, ...}) = 0 open("/usr/lib/python2.7/json/scanner.pyc", O_RDONLY) = 15 fstat(15, {st_mode=S_IFREG|0644, st_size=2223, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(15, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\205\0\0\0d\0"..., 4096) = 2223 fstat(15, {st_mode=S_IFREG|0644, st_size=2223, ...}) = 0 read(15, "", 4096) = 0 close(15) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/json/_json", 0x7fff59e29f20) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/_json.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/_jsonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/_json.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/_json.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/_json", 0x7fff59e29f20) = -1 ENOENT (No such file or directory) open("/usr/sbin/_json.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_jsonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_json.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/_json.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/_json", 0x7fff59e29f20) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_json.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_jsonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_json.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/_json.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/_json", 0x7fff59e29f20) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/plat-linux2/_json.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_jsonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_json.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/_json.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/_json", 0x7fff59e29f20) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_json.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_jsonmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_json.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/_json.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/_json", 0x7fff59e29f20) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/_json.so", O_RDONLY) = 15 fstat(15, {st_mode=S_IFREG|0644, st_size=50016, ...}) = 0 open("/usr/lib/python2.7/lib-dynload/_json.so", O_RDONLY) = 16 read(16, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\"\0\0\0\0\0\0"..., 832) = 832 fstat(16, {st_mode=S_IFREG|0644, st_size=50016, ...}) = 0 mmap(NULL, 2145384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 16, 0) = 0x7f0ad0c30000 mprotect(0x7f0ad0c3b000, 2093056, PROT_NONE) = 0 mmap(0x7f0ad0e3a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 16, 0xa000) = 0x7f0ad0e3a000 close(16) = 0 mprotect(0x7f0ad0e3a000, 4096, PROT_READ) = 0 close(15) = 0 close(14) = 0 stat("/usr/lib/python2.7/encodings/hex_codec", 0x7fff59e2a030) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/hex_codec.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/hex_codecmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/encodings/hex_codec.py", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0 open("/usr/lib/python2.7/encodings/hex_codec.pyc", O_RDONLY) = 15 fstat(15, {st_mode=S_IFREG|0644, st_size=3754, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(15, "\3\363\r\n\177\216!Sc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\306\0\0\0d\0"..., 4096) = 3754 fstat(15, {st_mode=S_IFREG|0644, st_size=3754, ...}) = 0 read(15, "", 4096) = 0 close(15) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/encodings/binascii", 0x7fff59e29970) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/binascii.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/binasciimodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/binascii.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/encodings/binascii.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(14) = 0 close(13) = 0 stat("/usr/lib/python2.7/json/encoder", 0x7fff59e2aca0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/encoder.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/encodermodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/json/encoder.py", O_RDONLY) = 13 fstat(13, {st_mode=S_IFREG|0644, st_size=15933, ...}) = 0 open("/usr/lib/python2.7/json/encoder.pyc", O_RDONLY) = 14 fstat(14, {st_mode=S_IFREG|0644, st_size=13220, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(14, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0\r\0\0\0@\0\0\0s|\1\0\0d\0"..., 4096) = 4096 fstat(14, {st_mode=S_IFREG|0644, st_size=13220, ...}) = 0 read(14, "low_nan is true, then NaN, Infin"..., 8192) = 8192 read(14, "t\10\0\0\0_defaultR7\0\0\0RY\0\0\0RE\0\0\0R\\\0\0"..., 4096) = 932 read(14, 
open("/usr/lib/python2.7/dist-packages/ipalib/datetime.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/datetimemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/datetime.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/datetime.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/kerberos.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/kerberosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/kerberos.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/kerberos.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/sbin/kerberos.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/kerberosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/kerberos.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/kerberos.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/kerberos.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/kerberosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/kerberos.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/kerberos.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/plat-linux2/kerberos.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/kerberosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/kerberos.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/kerberos.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/kerberos.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/kerberosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/kerberos.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/kerberos.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/kerberos.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/kerberosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/kerberos.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/kerberos.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/local/lib/python2.7/dist-packages/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/kerberos.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/kerberosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/kerberos.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/kerberos.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) 
stat("/usr/lib/python2.7/dist-packages/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/kerberos.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/kerberosmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/kerberos.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/kerberos.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/pymodules/python2.7/kerberos", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/pymodules/python2.7/kerberos.so", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=28168, ...}) = 0 open("/usr/lib/pymodules/python2.7/kerberos.so", O_RDONLY) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220&\0\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0644, st_size=28168, ...}) = 0 mmap(NULL, 2123496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f0acf16c000 mprotect(0x7f0acf172000, 2097152, PROT_NONE) = 0 mmap(0x7f0acf372000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x6000) = 0x7f0acf372000 close(5) = 0 open("/etc/ld.so.cache", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=37892, ...}) = 0 mmap(NULL, 37892, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7f0ad5fa1000 close(5) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\266\0\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0644, st_size=257288, ...}) = 0 mmap(NULL, 2353120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f0acef2d000 mprotect(0x7f0acef69000, 2097152, PROT_NONE) = 0 mmap(0x7f0acf169000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x3c000) = 0x7f0acf169000 close(5) = 0 mprotect(0x7f0acf169000, 4096, 
PROT_READ) = 0 munmap(0x7f0ad5fa1000, 37892) = 0 close(4) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/kernel_keyring", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/kernel_keyring.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/kernel_keyringmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/kernel_keyring.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=3281, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/kernel_keyring.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=3131, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s_\0\0\0d\0"..., 4096) = 3131 fstat(5, {st_mode=S_IFREG|0644, st_size=3131, ...}) = 0 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(4) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/cookie", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/cookie.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/cookiemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/cookie.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=25033, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipapython/cookie.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=19060, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\nE\377)Rc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0sz\0\0\0d\0"..., 4096) = 4096 fstat(5, {st_mode=S_IFREG|0644, st_size=19060, ...}) = 0 read(5, "\0\26\203\1\0\202\1\0n\1\0X|\2\0S(\4\0\0\0s_\0\0\0\n "..., 12288) = 12288 read(5, " a defined expiration\n "..., 4096) = 
2676 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/email", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/email.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/emailmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/email.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/email.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/email", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/sbin/email.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/emailmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/email.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/email.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/email/__init__.py", {st_mode=S_IFREG|0644, st_size=2856, ...}) = 0 stat("/usr/lib/python2.7/email/__init__", 0x7fff59e2e310) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/__init__.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=2856, ...}) = 0 open("/usr/lib/python2.7/email/__init__.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=2860, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0 \0\0\0@\0\0\0s\260\1\0\0d\0"..., 4096) = 2860 fstat(6, {st_mode=S_IFREG|0644, st_size=2860, ...}) = 0 read(6, "", 4096) = 0 close(6) = 0 
munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/email", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/email", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/email/sys", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/sys.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/sysmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/sys.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/sys.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/email", 0x7fff59e2dc50) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/email.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/emailmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/email.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/email.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/mime", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/email/mime/__init__.py", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 stat("/usr/lib/python2.7/email/mime/__init__", 0x7fff59e2dbe0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/mime/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/mime/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/mime/__init__.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 open("/usr/lib/python2.7/email/mime/__init__.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=128, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, 
"\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0\1\0\0\0@\0\0\0s\4\0\0\0d\0"..., 4096) = 128 fstat(7, {st_mode=S_IFREG|0644, st_size=128, ...}) = 0 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(6) = 0 close(5) = 0 stat("/usr/lib/python2.7/email/utils", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/utils.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/utilsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/utils.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=9860, ...}) = 0 open("/usr/lib/python2.7/email/utils.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=9128, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(6, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0\r\0\0\0@\0\0\0s\23\2\0\0d\0"..., 4096) = 4096 fstat(6, {st_mode=S_IFREG|0644, st_size=9128, ...}) = 0 read(6, "0s\"\0\0\0%s, %02d %s %04d %02d:%02d"..., 4096) = 4096 read(6, "\0\0s\10\0\0\0us-asciic\3\0\0\0\5\0\0\0\6\0\0\0C\0\0\0"..., 4096) = 936 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/email/os", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/os.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/os.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/os.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/re", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/re.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/re.py", O_RDONLY) = -1 ENOENT (No such file 
or directory) open("/usr/lib/python2.7/email/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/time", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/time.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/timemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/time.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/time.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/base64", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/base64.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/base64module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/base64.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/base64.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/random", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/random.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/randommodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/random.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/random.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/socket", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/socket.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/socketmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/socket.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/socket.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) 
stat("/usr/lib/python2.7/email/urllib", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/urllib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/urllibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/urllib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/urllib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/warnings", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/warnings.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/warningsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/warnings.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/warnings.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/email/_parseaddr", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/_parseaddr.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/_parseaddrmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/_parseaddr.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=15733, ...}) = 0 open("/usr/lib/python2.7/email/_parseaddr.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=13771, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0\30\0\0\0@\0\0\0sd\1\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=13771, ...}) = 0 read(7, " you.\n\n Note: this class inte"..., 8192) = 8192 read(7, "lib/python2.7/email/_parseaddr.p"..., 4096) = 1483 read(7, "", 4096) = 0 brk(0x2553000) = 0x2553000 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/email/calendar", 
0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/calendar.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/calendarmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/calendar.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/calendar.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/calendar", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/sbin/calendar.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/calendarmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/calendar.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/calendar.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/calendar", 0x7fff59e2d600) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/calendar.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/calendarmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/calendar.py", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=23107, ...}) = 0 open("/usr/lib/python2.7/calendar.pyc", O_RDONLY) = 8 fstat(8, {st_mode=S_IFREG|0644, st_size=27554, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(8, "\3\363\r\n}\216!Sc\0\0\0\0\0\0\0\0\22\0\0\0@\0\0\0s\315\2\0\0d\0"..., 4096) = 4096 fstat(8, {st_mode=S_IFREG|0644, st_size=27554, ...}) = 0 read(8, "\2\0S(\5\0\0\0s5\0\0\0Return True for lea"..., 20480) = 20480 read(8, "\0d\3\0\203\0\1}\2\0|\2\0j\2\0d\4\0d\5\0d\6\0d\7\0d\10\0d"..., 4096) = 2978 read(8, "", 4096) = 0 close(8) = 0 munmap(0x7f0ad5faa000, 4096) = 0 brk(0x259c000) = 0x259c000 close(7) = 0 close(6) = 0 stat("/usr/lib/python2.7/email/quopri", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/email/quopri.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/quoprimodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/quopri.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/quopri.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/sbin/quopri", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/sbin/quopri.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/quoprimodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/quopri.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/quopri.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/quopri", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/quopri.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/quoprimodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/quopri.py", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0755, st_size=6968, ...}) = 0 open("/usr/lib/python2.7/quopri.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=6550, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n\231\216!Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s\344\0\0\0d\0"..., 4096) = 4096 fstat(7, {st_mode=S_IFREG|0644, st_size=6550, ...}) = 0 read(7, "on2.7/quopri.pyR\1\0\0\0t\0\0\0sR\0\0\0\0\5\f"..., 4096) = 2454 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(6) = 0 stat("/usr/lib/python2.7/email/encoders", 0x7fff59e2dcc0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/encoders.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/encodersmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/email/encoders.py", 
O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=2015, ...}) = 0 open("/usr/lib/python2.7/email/encoders.pyc", O_RDONLY) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=2218, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(7, "\3\363\r\n\200\216!Sc\0\0\0\0\0\0\0\0\4\0\0\0@\0\0\0sn\0\0\0d\0"..., 4096) = 2218 fstat(7, {st_mode=S_IFREG|0644, st_size=2218, ...}) = 0 read(7, "", 4096) = 0 close(7) = 0 munmap(0x7f0ad5faa000, 4096) = 0 close(6) = 0 close(5) = 0 stat("/usr/lib/python2.7/dist-packages/ipapython/calendar", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/calendar.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/calendarmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/calendar.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipapython/calendar.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(4) = 0 stat("/usr/lib/python2.7/dist-packages/ipalib/httplib", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/httplib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/httplibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/httplib.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/httplib.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/nss", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/nss.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/nssmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/ipalib/nss.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/nss.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/urllib2", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/urllib2.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/urllib2module.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/urllib2.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/urllib2.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/ipalib/krb_utils", 0x7fff59e2ea40) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/krb_utils.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/krb_utilsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/krb_utils.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=13403, ...}) = 0 open("/usr/lib/python2.7/dist-packages/ipalib/krb_utils.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=11830, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\n\204>\302Pc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\311\0\0\0d\0"..., 4096) = 4096 fstat(5, {st_mode=S_IFREG|0644, st_size=11830, ...}) = 0 read(5, "\0|\3\0t\20\0k\2\0r\362\0t\21\0d\5\0|\4\0|\1\0f\2\0\26\203\1\0"..., 4096) = 4096 read(5, "t_credential_times: principal=%s"..., 4096) = 3638 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/ipalib/krbV", 0x7fff59e2e380) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/krbV.so", 
O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/krbVmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/krbV.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/ipalib/krbV.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(4) = 0 close(3) = 0 stat("/usr/sbin/SSSDConfig", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/sbin/SSSDConfig.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/SSSDConfigmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/SSSDConfig.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/sbin/SSSDConfig.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/SSSDConfig", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/SSSDConfig.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/SSSDConfigmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/SSSDConfig.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/SSSDConfig.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/plat-linux2/SSSDConfig", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/SSSDConfig.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/SSSDConfigmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/SSSDConfig.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/plat-linux2/SSSDConfig.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-tk/SSSDConfig", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/SSSDConfig.so", O_RDONLY) = -1 ENOENT (No such file or 
directory) open("/usr/lib/python2.7/lib-tk/SSSDConfigmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/SSSDConfig.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-tk/SSSDConfig.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/lib-dynload/SSSDConfig", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/SSSDConfig.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/SSSDConfigmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/SSSDConfig.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/lib-dynload/SSSDConfig.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/local/lib/python2.7/dist-packages/SSSDConfig", 0x7fff59e2f100) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/SSSDConfig.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/SSSDConfigmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/SSSDConfig.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/local/lib/python2.7/dist-packages/SSSDConfig.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/SSSDConfig", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/SSSDConfig/__init__.py", {st_mode=S_IFREG|0644, st_size=76711, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/SSSDConfig/__init__", 0x7fff59e2f090) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/__init__.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/__init__module.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/SSSDConfig/__init__.py", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=76711, ...}) = 0 open("/usr/lib/python2.7/dist-packages/SSSDConfig/__init__.pyc", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=68651, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(4, "\3\363\r\n\252A\217Sc\0\0\0\0\0\0\0\0\5\0\0\0@\0\0\0s7\17\0\0d\0"..., 4096) = 4096 fstat(4, {st_mode=S_IFREG|0644, st_size=68651, ...}) = 0 read(4, "ule__(\0\0\0\0(\0\0\0\0(\0\0\0\0s7\0\0\0/usr/li"..., 61440) = 61440 read(4, " section, if it is there.\n\n "..., 4096) = 3115 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/SSSDConfig", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/SSSDConfig", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat("/usr/lib/python2.7/dist-packages/SSSDConfig/os", 0x7fff59e2e9d0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/os.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/osmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/os.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/os.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/SSSDConfig/gettext", 0x7fff59e2e9d0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/gettext.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/gettextmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/gettext.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/gettext.pyc", O_RDONLY) = 
-1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/SSSDConfig/exceptions", 0x7fff59e2e9d0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/exceptions.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/exceptionsmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/exceptions.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/exceptions.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/SSSDConfig/ipachangeconf", 0x7fff59e2e9d0) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/ipachangeconf.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/ipachangeconfmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/ipachangeconf.py", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=19190, ...}) = 0 open("/usr/lib/python2.7/dist-packages/SSSDConfig/ipachangeconf.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=17200, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 read(5, "\3\363\r\nAB\217Sc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s\201\0\0\0d\0"..., 4096) = 4096 fstat(5, {st_mode=S_IFREG|0644, st_size=17200, ...}) = 0 read(5, "\0\0|\0\0j\0\0|\1\0\203\1\0r\23\0t\1\0S|\1\0j\2\0|\0\0j\3"..., 12288) = 12288 read(5, "ip_comments_empty9\2\0\0s\f\0\0\0\0\1\6\1\r\1"..., 4096) = 816 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7f0ad5faa000, 4096) = 0 stat("/usr/lib/python2.7/dist-packages/SSSDConfig/fcntl", 0x7fff59e2e310) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/fcntl.so", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/lib/python2.7/dist-packages/SSSDConfig/fcntlmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/fcntl.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/fcntl.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/SSSDConfig/string", 0x7fff59e2e310) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/string.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/stringmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/string.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/string.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/SSSDConfig/time", 0x7fff59e2e310) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/time.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/timemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/time.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/time.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/SSSDConfig/shutil", 0x7fff59e2e310) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/shutil.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/shutilmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/shutil.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/shutil.pyc", O_RDONLY) 
= -1 ENOENT (No such file or directory) stat("/usr/lib/python2.7/dist-packages/SSSDConfig/re", 0x7fff59e2e310) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/re.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/remodule.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/re.py", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/python2.7/dist-packages/SSSDConfig/re.pyc", O_RDONLY) = -1 ENOENT (No such file or directory) close(4) = 0 stat("/usr/share/locale/en_NG/LC_MESSAGES/sss_daemon.mo", 0x7fff59e2f4c0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/sss_daemon.mo", 0x7fff59e2f4c0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/sss_daemon.mo", 0x7fff59e2f4c0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/sss_daemon.mo", 0x7fff59e2f4c0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.ISO8859-1/LC_MESSAGES/sss_daemon.mo", 0x7fff59e2f4c0) = -1 ENOENT (No such file or directory) close(3) = 0 stat("/usr/share/locale/en_NG/LC_MESSAGES/messages.mo", 0x7fff59e2e770) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff59e2e770) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2e770) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff59e2e770) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2e770) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_NG/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) 
stat("/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_NG/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.ISO8859-1/LC_MESSAGES/messages.mo", 0x7fff59e2e4d0) = -1 ENOENT (No such file or directory) brk(0x25bd000) = 0x25bd000 getegid() = 0 stat("/usr/sbin/selinuxenabled", 0x7fff59e2fcb0) = -1 ENOENT (No such file or directory) open("/var/log/ipaclient-uninstall.log", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3 fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0 chmod("/var/log/ipaclient-uninstall.log", 0600) = 0 gettimeofday({1421490497, 469177}, NULL) = 0 fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5faa000 write(3, "2015-01-17T10:28:17Z DEBUG /usr/"..., 571) = 571 gettimeofday({1421490497, 469452}, NULL) = 0 write(3, "2015-01-17T10:28:17Z DEBUG missi"..., 82) = 82 time([1421490497]) = 1421490497 open("/dev/urandom", O_RDONLY) = 4 read(4, "\204\37\31~\234\tf#\206\307e\340\372\234s\n", 16) = 16 close(4) = 0 gettimeofday({1421490497, 469703}, NULL) = 0 write(3, "2015-01-17T10:28:17Z DEBUG Loadi"..., 101) = 101 open("/var/lib/ipa-client/sysrestore/sysrestore.index", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=125, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, 
st_size=125, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[files]\n8cf0cef810bf90b2-default"..., 4096) = 125 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 gettimeofday({1421490497, 477216}, NULL) = 0 write(3, "2015-01-17T10:28:17Z DEBUG Loadi"..., 100) = 100 open("/var/lib/ipa-client/sysrestore/sysrestore.state", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=32, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=32, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[network]\nhostname = debswitch\n\n", 4096) = 32 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 time([1421490497]) = 1421490497 open("/dev/urandom", O_RDONLY) = 4 read(4, "\f\210\21\4P\315[\214\276\3+\340\271\333\345\325", 16) = 16 close(4) = 0 gettimeofday({1421490497, 485138}, NULL) = 0 write(3, "2015-01-17T10:28:17Z DEBUG Loadi"..., 94) = 94 open("/var/lib/ipa/sysrestore/sysrestore.index", O_RDONLY) = -1 ENOENT (No such file or directory) gettimeofday({1421490497, 485600}, NULL) = 0 write(3, "2015-01-17T10:28:17Z DEBUG Start"..., 53) = 53 gettimeofday({1421490497, 485817}, NULL) = 0 write(3, "2015-01-17T10:28:17Z DEBUG args="..., 73) = 73 pipe([4, 5]) = 0 fcntl(4, F_GETFD) = 0 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 fcntl(5, F_GETFD) = 0 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 pipe([6, 7]) = 0 fcntl(6, F_GETFD) = 0 fcntl(6, F_SETFD, FD_CLOEXEC) = 0 fcntl(7, F_GETFD) = 0 fcntl(7, F_SETFD, FD_CLOEXEC) = 0 pipe([8, 9]) = 0 fcntl(8, F_GETFD) = 0 fcntl(8, F_SETFD, FD_CLOEXEC) = 0 fcntl(9, F_GETFD) = 0 fcntl(9, F_SETFD, FD_CLOEXEC) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0ad5f9d9d0) = 11095 close(9) = 0 close(5) = 0 close(7) = 0 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0acee2c000 read(8, "", 1048576) = 0 mremap(0x7f0acee2c000, 1052672, 4096, 
MREMAP_MAYMOVE) = 0x7f0acee2c000 close(8) = 0 munmap(0x7f0acee2c000, 4096) = 0 fcntl(4, F_GETFL) = 0 (flags O_RDONLY) fstat(4, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 lseek(4, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek) fstat(4, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 fcntl(6, F_GETFL) = 0 (flags O_RDONLY) fstat(6, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 lseek(6, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek) fstat(6, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing all plugin modules in "..., 4096) = 166 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 88 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 87 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 86 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 83 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 82 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "skipping plugin module ipalib.pl"..., 4096) = 70 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing 
plugin module '/usr/li"..., 4096) = 84 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 88 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 81 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 85 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "skipping plugin module ipalib.pl"..., 4096) = 79 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 83 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 86 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 85 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 90 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 86 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 82 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 87 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module 
'/usr/li"..., 4096) = 85 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 86 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 86 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 88 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 87 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 82 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 86 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 84 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 88 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 82 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 84 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 87 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) 
= 86 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "Starting external process\n", 4096) = 26 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "args=klist -V\n", 4096) = 14 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "Process finished, return code=0\n", 4096) = 32 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "stdout=Kerberos 5 version 1.10.1"..., 4096) = 34 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "stderr=\n", 4096) = 8 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 82 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 89 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 92 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 85 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 85 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 90 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 86 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, 
-1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 83 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 82 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 85 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "importing plugin module '/usr/li"..., 4096) = 87 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=4, revents=POLLIN}]) read(4, "Restoring configuration\n", 4096) = 24 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=4, revents=POLLHUP}]) close(4) = 0 poll([{fd=6, events=POLLIN|POLLPRI}], 1, -1) = 1 ([{fd=6, revents=POLLHUP}]) close(6) = 0 wait4(11095, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 11095 --- SIGCHLD (Child exited) @ 0 (0) --- gettimeofday({1421490498, 390704}, NULL) = 0 write(3, "2015-01-17T10:28:18Z DEBUG Proce"..., 59) = 59 gettimeofday({1421490498, 390991}, NULL) = 0 write(3, "2015-01-17T10:28:18Z DEBUG stdou"..., 59) = 59 gettimeofday({1421490498, 391088}, NULL) = 0 write(3, "2015-01-17T10:28:18Z DEBUG stder"..., 3884) = 3884 gettimeofday({1421490498, 391243}, NULL) = 0 write(3, "2015-01-17T10:28:18Z DEBUG Loadi"..., 101) = 101 open("/var/lib/ipa-client/sysrestore/sysrestore.index", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=125, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=125, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[files]\n8cf0cef810bf90b2-default"..., 4096) = 125 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 gettimeofday({1421490498, 391875}, NULL) = 0 write(3, "2015-01-17T10:28:18Z DEBUG Loadi"..., 100) = 100 
open("/var/lib/ipa-client/sysrestore/sysrestore.state", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=32, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=32, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[network]\nhostname = debswitch\n\n", 4096) = 32 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/usr/share/sssd/sssd.api.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=3745, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=3745, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "# Format:\n# option = type, subty"..., 8192) = 3745 read(4, "", 4096) = 0 brk(0x261b000) = 0x261b000 read(4, "", 8192) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/usr/share/sssd/sssd.api.d", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4 getdents(4, /* 9 entries */, 32768) = 320 getdents(4, /* 0 entries */, 32768) = 0 close(4) = 0 open("/usr/share/sssd/sssd.api.d/sssd-ipa.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=8117, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=8117, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[provider/ipa]\nipa_domain = str,"..., 8192) = 8117 read(4, "", 4096) = 0 read(4, "", 8192) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/usr/share/sssd/sssd.api.d/sssd-krb5.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=738, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=738, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[provider/krb5]\nkrb5_kdcip = str"..., 8192) = 738 read(4, "", 4096) = 0 read(4, "", 8192) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/usr/share/sssd/sssd.api.d/sssd-ad.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=4745, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=4745, 
...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[provider/ad]\nad_domain = str, N"..., 8192) = 4745 read(4, "", 4096) = 0 read(4, "", 8192) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/usr/share/sssd/sssd.api.d/sssd-simple.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=196, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=196, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[provider/simple]\n\n[provider/sim"..., 8192) = 196 read(4, "", 4096) = 0 read(4, "", 8192) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/usr/share/sssd/sssd.api.d/sssd-proxy.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=191, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=191, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[provider/proxy]\n\n[provider/prox"..., 8192) = 191 read(4, "", 4096) = 0 read(4, "", 8192) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/usr/share/sssd/sssd.api.d/sssd-local.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=344, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=344, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[provider/local]\ncreate_homedir "..., 8192) = 344 read(4, "", 4096) = 0 brk(0x263c000) = 0x263c000 read(4, "", 8192) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/usr/share/sssd/sssd.api.d/sssd-ldap.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=6309, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=6309, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "[provider/ldap]\nldap_uri = str, "..., 8192) = 6309 read(4, "", 4096) = 0 read(4, "", 8192) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/etc/sssd/sssd.conf", O_RDONLY) = -1 ENOENT (No 
such file or directory) uname({sys="Linux", node="debswitch.nowahalaonline.com", ...}) = 0 socket(PF_NETLINK, SOCK_RAW, 0) = 4 bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(4, {sa_family=AF_NETLINK, pid=11094, groups=00000000}, [12]) = 0 time(NULL) = 1421490498 sendto(4, "\24\0\0\0\26\0\1\3B9\272T\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0B9\272TV+\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108 recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0B9\272TV+\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128 recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0B9\272TV+\0\0\0\0\0\0\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(4) = 0 stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=50, ...}) = 0 open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=220, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "127.0.0.1\tlocalhost\n10.22.0.246\t"..., 4096) = 220 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=220, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 read(4, "127.0.0.1\tlocalhost\n10.22.0.246\t"..., 4096) = 220 close(4) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 gettimeofday({1421490498, 442331}, NULL) = 0 write(3, "2015-01-17T10:28:18Z DEBUG Start"..., 53) = 53 gettimeofday({1421490498, 442587}, NULL) = 0 write(3, "2015-01-17T10:28:18Z DEBUG args="..., 81) = 81 pipe([4, 5]) = 0 fcntl(4, F_GETFD) = 0 fcntl(4, F_SETFD, 
FD_CLOEXEC) = 0 fcntl(5, F_GETFD) = 0 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 pipe([6, 7]) = 0 fcntl(6, F_GETFD) = 0 fcntl(6, F_SETFD, FD_CLOEXEC) = 0 fcntl(7, F_GETFD) = 0 fcntl(7, F_SETFD, FD_CLOEXEC) = 0 pipe([8, 9]) = 0 fcntl(8, F_GETFD) = 0 fcntl(8, F_SETFD, FD_CLOEXEC) = 0 fcntl(9, F_GETFD) = 0 fcntl(9, F_SETFD, FD_CLOEXEC) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0ad5f9d9d0) = 11097 close(9) = 0 close(5) = 0 close(7) = 0 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0acee2c000 read(8, "", 1048576) = 0 mremap(0x7f0acee2c000, 1052672, 4096, MREMAP_MAYMOVE) = 0x7f0acee2c000 close(8) = 0 munmap(0x7f0acee2c000, 4096) = 0 fcntl(4, F_GETFL) = 0 (flags O_RDONLY) fstat(4, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 lseek(4, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek) fstat(4, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 fcntl(6, F_GETFL) = 0 (flags O_RDONLY) fstat(6, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ad5fa9000 lseek(6, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek) fstat(6, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 munmap(0x7f0ad5fa9000, 4096) = 0 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "certutil: ", 4096) = 10 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, "Could not find cert: IPA CA\n", 4096) = 28 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, ": File not found\n", 4096) = 17 poll([{fd=4, events=POLLIN|POLLPRI}, {fd=6, events=POLLIN|POLLPRI}], 2, -1) = 1 ([{fd=4, revents=POLLHUP}]) close(4) = 0 poll([{fd=6, events=POLLIN|POLLPRI}], 1, -1) = 1 ([{fd=6, revents=POLLHUP}]) 
From notify.sina at gmail.com Sat Jan 17 10:51:27 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Sat, 17 Jan 2015 10:51:27 +0000
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
References: <54B7F3B7.7070907@redhat.com> <66E2E309-BC73-4E96-8C55-5ECF0C42A524@gmail.com>
Message-ID:

I think I've made a go of it!
I was able to uninstall freeipa-client, and it complained about some leftover files, like so:

Removing freeipa-client ...
dpkg: warning: while removing freeipa-client, directory '/var/lib/ipa-client/sysrestore' not empty so not removed

I deleted and reinstalled, no problem.
I now followed the instructions over at this helpful site:
http://nadirlatif.me/installing-freeipa-client-debian/
And now I'm joined to the domain!
Of course this does not mean all my troubles are over; trying to log in as an IPA user drops a "permission denied" error:

Creating directory '/share/user'.
Unable to create and initialize directory '/user'.

Permission denied

What can I do to fix that? What am I missing?

On Sat Jan 17 2015 at 11:31:23 AM Sina Owolabi wrote:
> Hi
> I can't make head or tail of the output, but here it is attached.
> :-) Sorry about the "how do I trace". I RTFM'ed myself.
>
> On Sat Jan 17 2015 at 11:23:00 AM Sina Owolabi wrote:
>
>> How do I strace this, please?
>>
>> On Sat Jan 17 2015 at 10:59:22 AM Brian Topping wrote:
>>
>>> Did you try strace to see what files it is choking on?
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 17, 2015, at 15:49, Sina Owolabi wrote:
>>>
>>> Thanks Tomas.
>>>
>>> List, please how do I get rid of this error:
>>> ipa-client-install --uninstall
>>> *Disabling client Kerberos and LDAP configurations*
>>> *Failed to remove krb5/LDAP configuration: *
>>> After I've deleted everything I can think of? Uninstalling freeipa doesn't help, and I can't reinstall the server.
>>>
>>> On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej wrote:
>>>
>>>> On 01/15/2015 03:34 AM, Sina Owolabi wrote:
>>>>
>>>> Hi List
>>>>
>>>> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
>>>> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
>>>> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that, are there any alternatives?
>>>>
>>>> Thanks!
>>>>
>>>> If your SSSD version is less than 1.9, you could try running
>>>> ipa-advise config-generic-linux-sssd-before-1-9 on the IPA server.
>>>>
>>>> This will provide setup instructions to run on the client.
>>>>
>>>> HTH,
>>>>
>>>> --
>>>> Tomas Babej
>>>> Associate Software Engineer | Red Hat | Identity Management
>>>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project

From notify.sina at gmail.com Sat Jan 17 11:08:13 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Sat, 17 Jan 2015 11:08:13 +0000
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
References: <54B7F3B7.7070907@redhat.com> <66E2E309-BC73-4E96-8C55-5ECF0C42A524@gmail.com>
Message-ID:

Apparently I had to manually create the nfs4 mountpoint (/share) that kerberized NFS uses before the user's share would mount.
I can log in as the IPA user now.
Thanks everyone.

On Sat Jan 17 2015 at 11:51:27 AM Sina Owolabi wrote:
> I think I've made a go of it!
> I was able to uninstall freeipa-client, and it complained about some leftover files, like so:
>
> Removing freeipa-client ...
> dpkg: warning: while removing freeipa-client, directory '/var/lib/ipa-client/sysrestore' not empty so not removed
>
> I deleted and reinstalled, no problem.
> I now followed the instructions over at this helpful site:
> http://nadirlatif.me/installing-freeipa-client-debian/
> And now I'm joined to the domain!
> Of course this does not mean all my troubles are over; trying to log in as an IPA user drops a "permission denied" error:
>
> Creating directory '/share/user'.
> Unable to create and initialize directory '/user'.
>
> Permission denied
>
> What can I do to fix that? What am I missing?
>
> On Sat Jan 17 2015 at 11:31:23 AM Sina Owolabi wrote:
>
>> Hi
>> I can't make head or tail of the output, but here it is attached.
>> :-) Sorry about the "how do I trace". I RTFM'ed myself.
>>
>> On Sat Jan 17 2015 at 11:23:00 AM Sina Owolabi wrote:
>>
>>> How do I strace this, please?
>>>
>>> On Sat Jan 17 2015 at 10:59:22 AM Brian Topping wrote:
>>>
>>>> Did you try strace to see what files it is choking on?
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Jan 17, 2015, at 15:49, Sina Owolabi wrote:
>>>>
>>>> Thanks Tomas.
>>>>
>>>> List, please how do I get rid of this error:
>>>> ipa-client-install --uninstall
>>>> *Disabling client Kerberos and LDAP configurations*
>>>> *Failed to remove krb5/LDAP configuration: *
>>>> After I've deleted everything I can think of? Uninstalling freeipa doesn't help, and I can't reinstall the server.
>>>>
>>>> On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej wrote:
>>>>
>>>>> On 01/15/2015 03:34 AM, Sina Owolabi wrote:
>>>>>
>>>>> Hi List
>>>>>
>>>>> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
>>>>> I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
>>>>> I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that, are there any alternatives?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> If your SSSD version is less than 1.9, you could try running
>>>>> ipa-advise config-generic-linux-sssd-before-1-9 on the IPA server.
>>>>>
>>>>> This will provide setup instructions to run on the client.
>>>>>
>>>>> HTH,
>>>>>
>>>>> --
>>>>> Tomas Babej
>>>>> Associate Software Engineer | Red Hat | Identity Management
>>>>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go To http://freeipa.org for more info on the project

From lslebodn at redhat.com Sat Jan 17 11:41:16 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Sat, 17 Jan 2015 12:41:16 +0100
Subject: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
In-Reply-To:
References: <54B7F3B7.7070907@redhat.com> <66E2E309-BC73-4E96-8C55-5ECF0C42A524@gmail.com>
Message-ID: <20150117114115.GA8805@mail.corp.redhat.com>

On (17/01/15 10:51), Sina Owolabi wrote:
> I think I've made a go of it!
> I was able to uninstall freeipa-client, and it complained about some leftover files, like so:
>
> Removing freeipa-client ...
> dpkg: warning: while removing freeipa-client, directory '/var/lib/ipa-client/sysrestore' not empty so not removed
> I deleted and reinstalled, no problem.
> I now followed the instructions over at this helpful site:
> http://nadirlatif.me/installing-freeipa-client-debian/
> And now I'm joined to the domain!
> Of course this does not mean all my troubles are over; trying to log in as an IPA user drops a "permission denied" error:
>
> Creating directory '/share/user'.
> Unable to create and initialize directory '/user'.

The following link might help you.
https://wiki.debian.org/LDAP/PAM#Creating_home_directory_on_login

LS

From traiano at gmail.com Sun Jan 18 08:24:40 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Sun, 18 Jan 2015 11:24:40 +0300
Subject: [Freeipa-users] IPA/Kerberos5 and Upper Case/Lower-case Hostnames
In-Reply-To: <54A1C4EE.3070106@redhat.com>
References: <54A1C4EE.3070106@redhat.com>
Message-ID:

Hi Dmitri

On Tue, Dec 30, 2014 at 12:17 AM, Dmitri Pal wrote:
> On 12/24/2014 01:04 AM, Traiano Welcome wrote:
>>
>> Hi List
>>
>> I have a large number of legacy hosts with upper-case host names, that I'd like to configure as IPA clients. However ipa client refuses to accept upper case hostnames during configuration time.
>>
>> I think this derives from the fact that the kerberos5 database stores host names in a case sensitive way and requires that the DNS hostname matches the server hostname case.
>>
>> My question is: Is it mandatory that the hostname be lower-cased, or is there a safe workaround that will allow IPA client to work with hosts that have upper case host names?
>>
>> Thanks in advance!
>> Traiano
>>
> See man sssd-ipa
>
> ipa_hostname (string)
> Optional. May be set on machines where the hostname(5) does not reflect the fully qualified name used in the IPA domain to identify this host.
>
> AFAIR you use this setting for the cases when you want the actual machine name to be different than the one IPA has.

It looks like I would have to add this parameter in the sssd.conf before running the ipa client configuration. In that case, would the configurator not overwrite this parameter? Or is there some way to provide this option to ipa-client-install initially?

>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

Thanks in advance,
Traiano

From janellenicole80 at gmail.com Mon Jan 19 01:26:25 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sun, 18 Jan 2015 17:26:25 -0800
Subject: [Freeipa-users] forcing OTP ?
Message-ID: <54BC5D41.2090608@gmail.com>

Hi all,

I was playing around with the OTP app in 4.x and it is really nice. I wonder if there is a way to force some hosts to require it, but not all the hosts from a server? I want some of the servers to be locked down more securely, but others can just require a password.

thanks
~J

From ftweedal at redhat.com Mon Jan 19 03:20:21 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 19 Jan 2015 13:20:21 +1000
Subject: [Freeipa-users] forcing OTP ?
In-Reply-To: <54BC5D41.2090608@gmail.com>
References: <54BC5D41.2090608@gmail.com>
Message-ID: <20150119032021.GD5536@dhcp-40-8.bne.redhat.com>

On Sun, Jan 18, 2015 at 05:26:25PM -0800, Janelle wrote:
> Hi all,
>
> I was playing around with the OTP app in 4.x and it is really nice. I wonder if there is a way to force some hosts to require it, but not all the hosts from a server? I want some of the servers to be locked down more securely, but others can just require a password.
>
> thanks
> ~J
>
Hi Janelle,

Right now it is all or nothing. The CAMMAC / Authentication Indicator feature[1] that is being implemented in MIT Kerberos will eventually allow FreeIPA to manage "two factor required / not required" policy on a per-service basis.
[1] http://k5wiki.kerberos.org/wiki/Projects/Authentication_indicator Regards, Fraser > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From mkosek at redhat.com Mon Jan 19 08:51:48 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 19 Jan 2015 09:51:48 +0100 Subject: [Freeipa-users] migrate-ds aborts In-Reply-To: <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com> References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> <54B95D7B.3020408@redhat.com> <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com> Message-ID: <54BCC5A4.9070909@redhat.com> On 01/16/2015 08:21 PM, Quayle, Bill wrote: > > >> -----Original Message----- >> From: Martin Kosek [mailto:mkosek at redhat.com] >> Sent: Friday, January 16, 2015 12:51 PM >> To: Quayle, Bill; Ludwig Krispenz >> Cc: 'freeipa-users at redhat.com' >> Subject: Re: [Freeipa-users] migrate-ds aborts >> >> On 01/16/2015 04:48 PM, Quayle, Bill wrote: >>> Thanks for looking into this! >>> >>> I was finally able to import all 11811 user records into IPA, but even now, >> when I re-run the migrate, I get the same failure. >> >> How did you do it in the end? Simply by running migrate-ds command >> multiple times or did you succeeded with the limits? >> > I re-ran migrate-ds about 30 times to complete the migration of users. Hm, this is definitely not how the migrate-ds is supposed work :-/ I wish we can find the problem to avoid such difficulties for other users. ... 
>>> One thing that is also confusing me, is that I am getting this error: >>> [Fri Jan 16 09:28:29.007575 2015] [:error] [pid 14924] ipa: WARNING: GID >> number 11 of migrated user anyone does not point to a known group. >> >> migrate-ds command runs a search against the migrated OpenLDAP database >> and tries to find a group with gidNumber 11. When it fails to locate it, it >> reports this error. Do you have all the groups in DN >> "ou=people,ou=agroup,dc=example,dc=com"? >> > Groups are in "ou=groups,ou=agroup,dc=example,dc=com" > I use --base-dn="ou=agroup,dc=example,dc=com" as an option to migrate-ds Right, sorry - I see I mistyped the DN. Does the container then contain a group with gidNumber 11? It would explain the error you were asking about. >> >>> And it never migrates my groups. The ou=Groups is used in my source >> openLDAP tree, so I'm not sure why it wouldn't migrate. Maybe your groups use some scheme that migrate-ds does not recognize as group. Can you show an example/LDIF of a group stored in ou=Groups? migrate-ds will search for groups with this default filter BTW: (&(|(objectClass=groupofuniquenames)(objectClass=groupofnames))(cn=*)) >> >> If i crashes during user migration, it won't even continue with groups. I know >> this is not a proper fix, but you could make sure the user migration part does >> not find anything (e.g. with --user-objectclass=foo) and using --continue >> option. Then it will jump directly to group migration. >> > I had actually already tried doing that. I just re-tried using the debug=True, and here's the contents of error_log: Ah. Yes, this revealed one error, although this one just means that neither user or group search did not return any errors. 
I created a ticket for it: https://fedorahosted.org/freeipa/ticket/4846 The fix for this will be easy, but it will not fix the actual root cause of the migration problems you are hitting > [Fri Jan 16 13:07:42.819342 2015] [:error] [pid 15335] ipa: DEBUG: WSGI wsgi_dispatch.__call__: > [Fri Jan 16 13:07:42.819462 2015] [:error] [pid 15335] ipa: DEBUG: WSGI xmlserver_session.__call__: > [Fri Jan 16 13:07:42.819649 2015] [:error] [pid 15335] ipa: DEBUG: found session cookie_id = 7efb4fc24d37b7fe064fa2a4f0af447b > [Fri Jan 16 13:07:42.819926 2015] [:error] [pid 15335] ipa: DEBUG: found session data in cache with id=7efb4fc24d37b7fe064fa2a4f0af447b > [Fri Jan 16 13:07:42.820031 2015] [:error] [pid 15335] ipa: DEBUG: xmlserver_session.__call__: session_id=7efb4fc24d37b7fe064fa2a4f0af447b start_timestamp=2015-01-16T13:06:02 access_timestamp=2015-01-16T13:07:42 expiration_timestamp=2015-01-16T13:26:02 > [Fri Jan 16 13:07:42.820113 2015] [:error] [pid 15335] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_15335" > [Fri Jan 16 13:07:42.820724 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 > [Fri Jan 16 13:07:42.821070 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 > [Fri Jan 16 13:07:42.821370 2015] [:error] [pid 15335] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_15335 endtime=1421448244 (01/16/15 16:44:04) > [Fri Jan 16 13:07:42.821480 2015] [:error] [pid 15335] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1421447944 expiration=1421436462.82 (2015-01-16T13:27:42) > [Fri Jan 16 13:07:42.821539 2015] [:error] [pid 
15335] ipa: DEBUG: WSGI xmlserver.__call__:
> [Fri Jan 16 13:07:42.850018 2015] [:error] [pid 15335] ipa: DEBUG: Created connection context.ldap2
> [Fri Jan 16 13:07:42.850117 2015] [:error] [pid 15335] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
> [Fri Jan 16 13:07:42.851403 2015] [:error] [pid 15335] ipa: DEBUG: raw: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None)
> [Fri Jan 16 13:07:42.852159 2015] [:error] [pid 15335] ipa: DEBUG: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=ipapython.dn.DN('uid=me,ou=people,ou=agroup,dc=example,dc=com'), usercontainer=ipapython.dn.DN('ou=people'), groupcontainer=ipapython.dn.DN('ou=groups'), userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=ipapython.dn.DN('ou=agroup,dc=example,dc=com'), compat=False, version=u'2.65', exclude_groups=None, exclude_users=None)
> [Fri Jan 16 13:07:42.933433 2015] [:error] [pid 15335] ipa: DEBUG: Created connection context.ldap2_140625322494032
> [Fri Jan 16 13:07:42.944655 2015] [:error] [pid 15335] ipa: ERROR: non-public: UnboundLocalError: local variable 'pkey' referenced before assignment
> [Fri Jan 16 13:07:42.944666 2015] [:error] [pid 15335] Traceback (most recent call last):
> [Fri Jan 16 13:07:42.944668 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
> [Fri Jan 16 13:07:42.944670 2015] [:error] [pid 15335]     result = self.Command[name](*args, **options)
> [Fri Jan 16 13:07:42.944671 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
> [Fri Jan 16 13:07:42.944673 2015] [:error] [pid 15335]     ret = self.run(*args, **options)
> [Fri Jan 16 13:07:42.944683 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
> [Fri Jan 16 13:07:42.944686 2015] [:error] [pid 15335]     result = self.execute(*args, **options)
> [Fri Jan 16 13:07:42.944687 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 894, in execute
> [Fri Jan 16 13:07:42.944689 2015] [:error] [pid 15335]     ldap, config, ds_ldap, ds_base_dn, options
> [Fri Jan 16 13:07:42.944691 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 843, in migrate
> [Fri Jan 16 13:07:42.944692 2015] [:error] [pid 15335]     _update_default_group(ldap, pkey, config, context, True)
> [Fri Jan 16 13:07:42.944694 2015] [:error] [pid 15335] UnboundLocalError: local variable 'pkey' referenced before assignment
> [Fri Jan 16 13:07:42.944888 2015] [:error] [pid 15335] ipa: INFO: admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None): UnboundLocalError
> [Fri Jan 16 13:07:42.944952 2015] [:error] [pid 15335] ipa: DEBUG: response: InternalError: an internal error has occurred
> [Fri Jan 16 13:07:42.945645 2015] [:error] [pid 15335] ipa: DEBUG: Destroyed connection context.ldap2
> [Fri Jan 16 13:07:42.945757 2015] [:error] [pid 15335] ipa: DEBUG: Destroyed connection context.ldap2_140625322494032
> [Fri Jan 16 13:07:42.945846 2015] [:error] [pid 15335] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_15335"
> [Fri Jan 16 13:07:42.946019 2015] [:error] [pid 15335] ipa: DEBUG: store session: session_id=7efb4fc24d37b7fe064fa2a4f0af447b start_timestamp=2015-01-16T13:06:02 access_timestamp=2015-01-16T13:07:42 expiration_timestamp=2015-01-16T13:27:42
>
>> I am still thinking it would make sense to also check the migrated OpenLDAP
>> logs and see if there is anything interesting when the migration breaks.
>
> I've been watching the logs on the OpenLDAP servers, and they just see the connection close.

An access log excerpt may help, if it contains any error logs we could use.

I was also thinking it would also be useful to know which LDAP search exactly failed, as it is not clear from the error. If you modify the FreeIPA server this way:

# cp /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py.bkp
# sed -i "s/error = e$/error = e\n import traceback\n traceback.print_exc()/" /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py
# service httpd restart

The traceback of where the NetworkError is raised should be added to /var/log/httpd/error_log.
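The quoted traceback ends in an UnboundLocalError on pkey at the _update_default_group(ldap, pkey, ...) call in migrate, which means pkey was never bound on that run: no entry reached the point where it is assigned. The following is an added illustration, not FreeIPA's migration.py, using a simplified hypothetical stand-in for that per-entry loop (entry shape, _entry_pkey and the callbacks are assumptions); it shows the buggy shape beside a version that tracks progress explicitly and records, for each skipped entry, its DN and the traceback that Martin's sed hack above is meant to surface:

```python
import traceback

# Constructed sample entries (shape assumed: dict with 'dn' and attribute
# value lists); these are not FreeIPA's data structures.
ENTRIES_OK = [
    {"dn": "uid=andy,ou=people,ou=agroup,dc=example,dc=com",
     "uid": ["Andy"], "gidNumber": ["11"]},
]
ENTRIES_BAD = [
    # an entry without the primary-key attribute
    {"dn": "ou=people,ou=agroup,dc=example,dc=com", "uid": []},
    # an entry with no attributes at all (what a search reference looks like)
    {"dn": "ldap://other.example.com/ou=people,dc=example,dc=com"},
]


class MigrationError(Exception):
    """Readable failure instead of an opaque InternalError."""


def _entry_pkey(entry):
    """Hypothetical stand-in for reading the primary key (uid) of an entry."""
    values = entry.get("uid") or []
    if not values:
        raise KeyError("entry has no uid attribute")
    return values[0].lower()


def migrate_buggy(entries, add_user, flush):
    """Shape of the failing loop: pkey is only bound while an entry is being
    processed, so if every entry is skipped the call after the loop raises
    UnboundLocalError instead of a useful message."""
    for entry in entries:
        try:
            pkey = _entry_pkey(entry)
        except KeyError:
            continue                      # skip the entry, like --continue
        add_user(pkey, entry)
    flush(pkey)                           # UnboundLocalError when nothing migrated


def migrate_checked(entries, add_user, flush):
    """Hardened form: progress is tracked explicitly, every skipped entry is
    recorded with its DN and traceback, and an empty result is a clear error."""
    migrated, skipped = [], []
    for entry in entries:
        dn = entry.get("dn", "<no dn>")
        try:
            pkey = _entry_pkey(entry)
            add_user(pkey, entry)
            migrated.append(pkey)
        except Exception as exc:          # keep going, but remember why
            skipped.append((dn, repr(exc), traceback.format_exc()))
    if not migrated:
        raise MigrationError(
            "no entries migrated; skipped: "
            + "; ".join(f"{dn} ({why})" for dn, why, _tb in skipped))
    flush(migrated[-1])
    return migrated, skipped


def demo():
    """Run both versions over all-bad input; returns what each one produced."""
    sink = []
    try:
        migrate_buggy(ENTRIES_BAD, lambda k, e: sink.append(k), lambda k: None)
        buggy = "no error"
    except UnboundLocalError:
        buggy = "UnboundLocalError"
    try:
        migrate_checked(ENTRIES_BAD, lambda k, e: sink.append(k), lambda k: None)
        checked = "no error"
    except MigrationError as exc:
        checked = str(exc)
    return buggy, checked


if __name__ == "__main__":
    print(demo())
    print(migrate_checked(ENTRIES_OK + ENTRIES_BAD,
                          lambda k, e: None, lambda k: None)[0])
```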
From mkosek at redhat.com Mon Jan 19 08:53:15 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 19 Jan 2015 09:53:15 +0100
Subject: [Freeipa-users] migrate-ds aborts
In-Reply-To: <54B992DC.1090305@redhat.com>
References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> <54B95D7B.3020408@redhat.com> <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com> <54B97BC2.407@redhat.com> <54B992DC.1090305@redhat.com>
Message-ID: <54BCC5FB.5050409@redhat.com>

On 01/16/2015 11:38 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 01/16/2015 02:21 PM, Quayle, Bill wrote:
>>>
>>>> -----Original Message-----
>>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>>> Sent: Friday, January 16, 2015 12:51 PM
>>>> To: Quayle, Bill; Ludwig Krispenz
>>>> Cc: 'freeipa-users at redhat.com'
>>>> Subject: Re: [Freeipa-users] migrate-ds aborts
>>>>
>>>> On 01/16/2015 04:48 PM, Quayle, Bill wrote:
>>>>> Thanks for looking into this!
>>>>>
>>>>> I was finally able to import all 11811 user records into IPA, but
>>>>> even now, when I re-run the migrate, I get the same failure.
>>>>
>>>> How did you do it in the end? Simply by running the migrate-ds command
>>>> multiple times, or did you succeed with the limits?
>>>>
>>> I re-ran migrate-ds about 30 times to complete the migration of users.
>>>>> I enabled debug in the default.cfg, and this is the tail of the
>>>>> httpd error_log:
>>>>>
>>>>> .
>>>>> .
>>>>> .
>>>>> [Fri Jan 16 09:28:29.046991 2015] [:error] [pid 14924] ipa: WARNING: GID
>>>>> number 11 of migrated user andy does not point to a known group.
>>>>> [Fri Jan 16 09:28:29.051353 2015] [:error] [pid 14924] ipa: INFO:
>>>>> admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', u'********',
>>>>> binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com',
>>>>> usercontainer=u'ou=people', groupcontainer=u'ou=groups',
>>>>> userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames',
>>>>> u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None,
>>>>> groupignoreobjectclass=None, groupignoreattribute=None,
>>>>> groupoverwritegid=False, schema=u'RFC2307bis', continue=True,
>>>>> basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65',
>>>>> exclude_groups=None, exclude_users=None): NetworkError
>>>>> [Fri Jan 16 09:28:29.051428 2015] [:error] [pid 14924] ipa: DEBUG: response:
>>>>> NetworkError: cannot connect to 'ldap://10.x.x.x:389':
>>>>> [Fri Jan 16 09:28:29.054057 2015] [:error] [pid 14924] ipa: DEBUG: no
>>>>> session id in request, generating empty session data with
>>>>> id=c0d2c8b3803593b30684e15ff1f57e0e
>>>>> [Fri Jan 16 09:28:29.054173 2015] [:error] [pid 14924] ipa: DEBUG:
>>>>> store session: session_id=c0d2c8b3803593b30684e15ff1f57e0e
>>>>> start_timestamp=2015-01-16T09:28:29
>>>>> access_timestamp=2015-01-16T09:28:29
>>>>> expiration_timestamp=1969-12-31T18:00:00
>>>>> [Fri Jan 16 09:28:29.054395 2015] [:error] [pid 14924] ipa: DEBUG:
>>>>> finalize_kerberos_acquisition: xmlserver
>>>>> ccache_name="FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku"
>>>>> session_id="c0d2c8b3803593b30684e15ff1f57e0e"
>>>>> [Fri Jan 16 09:28:29.054463 2015] [:error] [pid 14924] ipa: DEBUG:
>>>>> reading ccache data from file "/run/httpd/krbcache/krb5cc_apache_zTGsku"
>>>>> [Fri Jan 16 09:28:29.054851 2015] [:error] [pid 14924] ipa: DEBUG:
>>>>> get_credential_times:
>>>>> principal=HTTP/myipatestserver.example.com at IDMTEST.EXAMPLE.COM,
>>>>> authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17,
>>>>> endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00
>>>>> [Fri Jan 16 09:28:29.055014 2015] [:error] [pid 14924] ipa: DEBUG: KRB5_CCache
>>>>> FILE:/run/httpd/krbcache/krb5cc_apache_zTGsku endtime=1421448244
>>>>> (01/16/15 16:44:04)
>>>>> [Fri Jan 16 09:28:29.055109 2015] [:error] [pid 14924] ipa: DEBUG: set_session_expiration_time:
>>>>> duration_type=inactivity_timeout duration=1200 max_age=1421447944
>>>>> expiration=1421423309.06 (2015-01-16T09:48:29)
>>>>> [Fri Jan 16 09:28:29.055217 2015] [:error] [pid 14924] ipa: DEBUG: store session:
>>>>> session_id=c0d2c8b3803593b30684e15ff1f57e0e
>>>>> start_timestamp=2015-01-16T09:28:29
>>>>> access_timestamp=2015-01-16T09:28:29
>>>>> expiration_timestamp=2015-01-16T09:48:29
>>>>> [Fri Jan 16 09:28:29.055806 2015] [:error] [pid 14924] ipa: DEBUG:
>>>>> Destroyed connection context.ldap2_140392345753040
>>>>> [Fri Jan 16 09:28:29.056471 2015] [:error] [pid 14924] ipa: DEBUG: Destroyed
>>>>> connection context.ldap2
>>>>>
>>>>> One thing that is also confusing me, is that I am getting this error:
>>>>> [Fri Jan 16 09:28:29.007575 2015] [:error] [pid 14924] ipa: WARNING: GID
>>>>> number 11 of migrated user anyone does not point to a known group.
>>>>
>>>> The migrate-ds command runs a search against the migrated OpenLDAP database
>>>> and tries to find a group with gidNumber 11. When it fails to locate it, it
>>>> reports this error. Do you have all the groups in DN
>>>> "ou=people,ou=agroup,dc=example,dc=com"?
>>>>
>>> Groups are in "ou=groups,ou=agroup,dc=example,dc=com"
>>> I use --base-dn="ou=agroup,dc=example,dc=com" as an option to migrate-ds
>>>>> And it never migrates my groups. The ou=Groups is used in my source
>>>>> openLDAP tree, so I'm not sure why it wouldn't migrate.
>>>>
>>>> If it crashes during user migration, it won't even continue with
>>>> groups. I know this is not a proper fix, but you could make sure the user migration
>>>> part does not find anything (e.g. with --user-objectclass=foo) and use the
>>>> --continue option. Then it will jump directly to group migration.
>>>>
>>> I had actually already tried doing that. I just re-tried using
>>> debug=True, and here's the contents of error_log:
>>> [Fri Jan 16 13:07:42.819342 2015] [:error] [pid 15335] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>>> [Fri Jan 16 13:07:42.819462 2015] [:error] [pid 15335] ipa: DEBUG: WSGI xmlserver_session.__call__:
>>> [Fri Jan 16 13:07:42.819649 2015] [:error] [pid 15335] ipa: DEBUG: found session cookie_id = 7efb4fc24d37b7fe064fa2a4f0af447b
>>> [Fri Jan 16 13:07:42.819926 2015] [:error] [pid 15335] ipa: DEBUG: found session data in cache with id=7efb4fc24d37b7fe064fa2a4f0af447b
>>> [Fri Jan 16 13:07:42.820031 2015] [:error] [pid 15335] ipa: DEBUG: xmlserver_session.__call__: session_id=7efb4fc24d37b7fe064fa2a4f0af447b start_timestamp=2015-01-16T13:06:02 access_timestamp=2015-01-16T13:07:42 expiration_timestamp=2015-01-16T13:26:02
>>> [Fri Jan 16 13:07:42.820113 2015] [:error] [pid 15335] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_15335"
>>> [Fri Jan 16 13:07:42.820724 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00
>>> [Fri Jan 16 13:07:42.821070 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00
>>> [Fri Jan 16 13:07:42.821370 2015] [:error] [pid 15335] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_15335 endtime=1421448244 (01/16/15 16:44:04)
>>> [Fri Jan 16 13:07:42.821480 2015] [:error] [pid 15335] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1421447944 expiration=1421436462.82 (2015-01-16T13:27:42)
>>> [Fri Jan 16 13:07:42.821539 2015] [:error] [pid 15335] ipa: DEBUG: WSGI xmlserver.__call__:
>>> [Fri Jan 16 13:07:42.850018 2015] [:error] [pid 15335] ipa: DEBUG: Created connection context.ldap2
>>> [Fri Jan 16 13:07:42.850117 2015] [:error] [pid 15335] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>>> [Fri Jan 16 13:07:42.851403 2015] [:error] [pid 15335] ipa: DEBUG: raw: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None)
>>> [Fri Jan 16 13:07:42.852159 2015] [:error] [pid 15335] ipa: DEBUG: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=ipapython.dn.DN('uid=me,ou=people,ou=agroup,dc=example,dc=com'), usercontainer=ipapython.dn.DN('ou=people'), groupcontainer=ipapython.dn.DN('ou=groups'), userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=ipapython.dn.DN('ou=agroup,dc=example,dc=com'), compat=False, version=u'2.65', exclude_groups=None, exclude_users=None)
>>> [Fri Jan 16 13:07:42.933433 2015] [:error] [pid 15335] ipa: DEBUG: Created connection context.ldap2_140625322494032
>>> [Fri Jan 16 13:07:42.944655 2015] [:error] [pid 15335] ipa: ERROR: non-public: UnboundLocalError: local variable 'pkey' referenced before assignment
>>> [Fri Jan 16 13:07:42.944666 2015] [:error] [pid 15335] Traceback (most recent call last):
>>> [Fri Jan 16 13:07:42.944668 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
>>> [Fri Jan 16 13:07:42.944670 2015] [:error] [pid 15335]     result = self.Command[name](*args, **options)
>>> [Fri Jan 16 13:07:42.944671 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
>>> [Fri Jan 16 13:07:42.944673 2015] [:error] [pid 15335]     ret = self.run(*args, **options)
>>> [Fri Jan 16 13:07:42.944683 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
>>> [Fri Jan 16 13:07:42.944686 2015] [:error] [pid 15335]     result = self.execute(*args, **options)
>>> [Fri Jan 16 13:07:42.944687 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 894, in execute
>>> [Fri Jan 16 13:07:42.944689 2015] [:error] [pid 15335]     ldap, config, ds_ldap, ds_base_dn, options
>>> [Fri Jan 16 13:07:42.944691 2015] [:error] [pid 15335]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 843, in migrate
>>> [Fri Jan 16 13:07:42.944692 2015] [:error] [pid 15335]     _update_default_group(ldap, pkey, config, context, True)
>>> [Fri Jan 16 13:07:42.944694 2015] [:error] [pid 15335] UnboundLocalError: local variable 'pkey' referenced before assignment
>>> [Fri Jan 16 13:07:42.944888 2015] [:error] [pid 15335] ipa: INFO: admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', u'********', binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', exclude_groups=None, exclude_users=None): UnboundLocalError
>>> [Fri Jan 16 13:07:42.944952 2015] [:error] [pid 15335] ipa: DEBUG: response: InternalError: an internal error has occurred
>>> [Fri Jan 16 13:07:42.945645 2015] [:error] [pid 15335] ipa: DEBUG: Destroyed connection context.ldap2
>>> [Fri Jan 16 13:07:42.945757 2015] [:error] [pid 15335] ipa: DEBUG: Destroyed connection context.ldap2_140625322494032
>>> [Fri Jan 16 13:07:42.945846 2015] [:error] [pid 15335] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_15335"
>>> [Fri Jan 16 13:07:42.946019 2015] [:error] [pid 15335] ipa: DEBUG: store session: session_id=7efb4fc24d37b7fe064fa2a4f0af447b start_timestamp=2015-01-16T13:06:02 access_timestamp=2015-01-16T13:07:42 expiration_timestamp=2015-01-16T13:27:42
>>>
>>>> I am still thinking it would make sense to also check the migrated OpenLDAP
>>>> logs and see if there is anything interesting when the migration breaks.
>>> I've been watching the logs on the OpenLDAP servers, and they just see
>>> the connection close.
>>
>>
>> We would probably need Rob to take a look at this but my gut feeling
>> based on the internal error above is that there is some data
>> inconsistency in one (or more) of your entries that we choke on.
>> For example an entry does not have a proper object class and thus a
>> mandatory attribute we expect is missing.
>
> I'm with Martin. I think we need to see the access log of the server
> being migrated from so we can see the exact queries and results.

+1

>
> The exception being thrown is rather unusual and the only way I can see
> that it could happen is if all the entries were either search references
> or had invalid DN formatting (or a combination of the two).

I think I have a pretty clear understanding of how the pkey exception is thrown:
https://fedorahosted.org/freeipa/ticket/4846

But this one is not related to the main root cause of these migration issues, unfortunately.

>
> Any chance you can provide a small ldif of an entry that is failing?

+1

Additional details in my other reply in this thread.

Martin

From rob.harper at stfc.ac.uk Mon Jan 19 15:54:21 2015
From: rob.harper at stfc.ac.uk (rob.harper at stfc.ac.uk)
Date: Mon, 19 Jan 2015 15:54:21 +0000
Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
Message-ID: 

Hi all,

I have successfully set up a test FreeIPA server and run it for a while, but the time has come to move towards a production service. I am currently running ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't know it, Scientific Linux is basically a rebuild of RedHat, much like CentOS). Yes, I know this is an older FreeIPA, but I am going through the path of least resistance given our site's current standard configuration.

On our site there is a central DNS service and it is unlikely we will be allowed to run our own DNS service (other than as a slave/caching NS).

I have been trying to set up SRV records for the FreeIPA server by providing the autogenerated zone file to our DNS manager, who has incorporated the configuration. When we deployed these changes, I used dig to confirm that SRV queries were giving appropriate responses, which they appear to be.

I then tried setting up a client using ipa-client-install and got an error:

Failed to verify that freeipa01. is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.

The install worked on a client before deploying the SRV records, using manual specification of the server. I disabled iptables on the server to eliminate potential problems there, and got the same result.
If we disable the SRV records, I am able to do the manual set-up again.

So it looks like the problem is at the DNS end of things, so maybe our zone configuration is missing something.

The zone config we currently have in place is as follows (we changed hostnames in the sample file to fqdns for this attempt, but the same symptoms came from bare hostnames)...

; ldap servers
_ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
;
; kerberos realm
_kerberos.my.domain. IN TXT my.domain.
;
; kerberos servers
_kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
;
; ntp server
_ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.

...So that is where I am. I was hoping that someone could give me a pointer or two as to how I might debug this problem and actually get service discovery working.

Many thanks for reading this far!

Rob

From pspacek at redhat.com Mon Jan 19 17:04:25 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 19 Jan 2015 18:04:25 +0100
Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
In-Reply-To: 
References: 
Message-ID: <54BD3919.4070008@redhat.com>

On 19.1.2015 16:54, rob.harper at stfc.ac.uk wrote:
> Hi all,
>
> I have successfully set up a test FreeIPA server and run it for a while, but the time has come to move towards a production service. I am currently running ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't know it, Scientific Linux is basically a rebuild of RedHat, much like CentOS). Yes, I know this is an older FreeIPA, but I am going through the path of least resistance given our site's current standard configuration.
>
> On our site there is a central DNS service and it is unlikely we will be allowed to run our own DNS service (other than as a slave/caching NS).
>
> I have been trying to set up SRV records for the FreeIPA server by providing the autogenerated zone file to our DNS manager, who has incorporated the configuration. When we deployed these changes, I used dig to confirm that SRV queries were giving appropriate responses, which they appear to be.
>
> I then tried setting up a client using ipa-client-install and got an error:
>
> Failed to verify that freeipa01. is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to network or firewall settings.
>
> The install worked on a client before deploying the SRV records, using manual specification of the server. I disabled iptables on the server to eliminate potential problems there, and got the same result. If we disable the SRV records, I am able to do the manual set-up again.
>
> So it looks like the problem is at the DNS end of things, so maybe our zone configuration is missing something.
>
> The zone config we currently have in place is as follows (we changed hostnames in the sample file to fqdns for this attempt, but the same symptoms came from bare hostnames)...
>
> ; ldap servers
> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> ;
> ; kerberos realm
> _kerberos.my.domain. IN TXT my.domain.
> ;
> ; kerberos servers
> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> ;
> ; ntp server
> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
>
>
> ...So that is where I am. I was hoping that someone could give me a pointer or two as to how I might debug this problem and actually get service discovery working.
>
> Many thanks for reading this far!

Interesting. Please provide us with the information listed on
http://www.freeipa.org/page/Troubleshooting#Client_Installation

Additionally, non-obfuscated output from dig could help too.

Also, please keep in mind that:
1) Log obfuscation will make debugging harder for us.
2) Obfuscating DNS names does not bring any real security. Did you read your e-mail headers? DNS domain EXCHMBX01.fed.cclrc.ac.uk is in there ...

Have a nice day!

-- 
Petr^2 Spacek

From sipazzo at yahoo.com Mon Jan 19 18:50:11 2015
From: sipazzo at yahoo.com (sipazzo)
Date: Mon, 19 Jan 2015 18:50:11 +0000 (UTC)
Subject: [Freeipa-users] freeipa managed sudoers on Solaris 10
Message-ID: <759625883.2039340.1421693411249.JavaMail.yahoo@jws100202.mail.ne1.yahoo.com>

I am having trouble finding relevant documentation on using freeipa to manage sudoers for a Solaris client. Has anyone successfully set this up without adding a bunch of non-standard packages? I am running freeipa 3.0.0-42 and any help is appreciated.

From dpal at redhat.com Mon Jan 19 19:01:53 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 19 Jan 2015 14:01:53 -0500
Subject: [Freeipa-users] freeipa managed sudoers on Solaris 10
In-Reply-To: <759625883.2039340.1421693411249.JavaMail.yahoo@jws100202.mail.ne1.yahoo.com>
References: <759625883.2039340.1421693411249.JavaMail.yahoo@jws100202.mail.ne1.yahoo.com>
Message-ID: <54BD54A1.3040808@redhat.com>

On 01/19/2015 01:50 PM, sipazzo wrote:
> I am having trouble finding relevant documentation on using freeipa to
> manage sudoers for a Solaris client. Has anyone successfully set this
> up without adding a bunch of non-standard packages? I am running
> freeipa 3.0.0-42 and any help is appreciated.
>
>
AFAIR Solaris does not carry sudo packages so if you plan to use sudo you would need to get packages from upstream.
Other than that it is not different from using SUDO from a Linux client that does not have SSSD.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From amurty at deloitte.com Mon Jan 19 19:24:56 2015
From: amurty at deloitte.com (Murty, Ajeet (US - Arlington))
Date: Mon, 19 Jan 2015 19:24:56 +0000
Subject: [Freeipa-users] freeipa managed sudoers on Solaris 10
In-Reply-To: <54BD54A1.3040808@redhat.com>
References: <759625883.2039340.1421693411249.JavaMail.yahoo@jws100202.mail.ne1.yahoo.com> <54BD54A1.3040808@redhat.com>
Message-ID: 

We had to use OpenCSW packages.

run this on cmd-line -

pkgadd -d http://get.opencsw.org/now
/opt/csw/bin/pkgutil -y -i CSWbdb4 CSWcommon CSWlibnet CSWosslutils CSWsasl CSWsudo-common CSWsudoldap cswpki gcc4core gcc4g++ gmake libssl_dev openldap_client openldap_dev

optional one pkg at a time install -

/opt/csw/bin/pkgutil -y -i CSWbdb4
/opt/csw/bin/pkgutil -y -i CSWcommon
/opt/csw/bin/pkgutil -y -i CSWlibnet
/opt/csw/bin/pkgutil -y -i CSWosslutils
/opt/csw/bin/pkgutil -y -i CSWsasl
/opt/csw/bin/pkgutil -y -i CSWsudo-common
/opt/csw/bin/pkgutil -y -i CSWsudoldap
/opt/csw/bin/pkgutil -y -i cswpki

Ajeet Murty
Deloitte & Touche LLP
Tel: +1 571 882 5614 | Mobile: +1 704 421 8756
amurty at deloitte.com | www.deloitte.com

From subscribe.becke at gmail.com Wed Jan 14 22:34:37 2015
From: subscribe.becke at gmail.com (Raoul Becke)
Date: Wed, 14 Jan 2015 22:34:37 +0000 (UTC)
Subject: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
References: <22036664.121131.1395927382024.JavaMail.zimbra@chemaxon.com> <5334570B.1040103@redhat.com> <2068400394.73207.1395997013774.JavaMail.zimbra@chemaxon.com> <53355DC9.3050908@redhat.com> <15930145-D35A-4032-9273-8218B6515EDA@jasonwoods.me.uk> <20140328141529.GL21211@redhat.com>
Message-ID: 

Alexander Bokovoy writes:

>
> On Fri, 28 Mar 2014, Jason Woods wrote:
> >Hi
> >(Apologies - resending to the list - I'm so used to the Reply-To already set but it appears not to be here my bad.)
> >
> >> On 28 Mar 2014, at 11:32, Petr Spacek wrote:
> >>
> >> Please let us know if it worked for you or not. I'm curious!
> >
> >I'm pretty curious too.
> >
> >I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I
> >needed to add two patches though to 3.0 to fix 'valid users' group
> >resolution and also performance.
> >They're merged into master and 3.3
> >and will be in RHEL 7.
> >
> >Apart from the patching it was easy to do - just needed ipa-server and
> >ipa-server-adtrust installed and setup and it did all the config for me
> >(the adtrust part sets up samba with ipasam.so for you).
> >
> >Problem is running ipasam.so without the ipa-server locally - is how to
> >get it so the host can see ipaNTHash in the schema to check password.
> >If ipa-server is local the host has access, otherwise it doesn't.
> >
> >So be good to find out what aci or service principal stuff makes that
> >available in an elegant and secure way.
> We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it
> all and maybe creating a simple configuration tool.
>
> Timing is not yet defined.
>

Is there any news on this issue?

I tried the following work-around which unfortunately did not work.

1. On the IPA Server:
]# yum install ipa-server-trust-ad

2. On the IPA Server: Run "ipa-adtrust-install"
]# ipa-adtrust-install

3. On ipa-server: Copy "ipasam.so" to samba server:
]# scp /usr/lib64/samba/pdb/ipasam.so file--s0-v1.becke.ch:/usr/lib64/samba/pdb/

4. On ipa-server: Create the following CIFS service:
]# ipa service-add cifs/file--s0-v1.becke.ch at BECKE.CH

5. On ipa-server: Create keytab for samba server and copy over to samba server
]# ipa-getkeytab -s directory--s0-v1.becke.ch -p cifs/file--s0-v1.becke.ch at BECKE.CH -k /tmp/samba.keytab
]# scp /tmp/samba.keytab root at file--s0-v1.becke.ch:/etc/samba/samba.keytab

6. On samba server:
vi /etc/samba/smb.conf
...
[global]
        workgroup = BECKECH
        server string = Samba Server Version %v
        netbios name = FILES0V1

        log file = /var/log/samba/%m.log
        max log size = 50

        realm = BECKE.CH
        kerberos method = dedicated keytab
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        create krb5 conf = no

        security = user

#       passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-BECKE-CH.socket
        passdb backend = ipasam:ldaps://directory--s0-v1.becke.ch

        ldapsam:trusted=yes
        ldap ssl = off
        ldap suffix = dc=becke,dc=ch
        ldap user suffix = cn=users,cn=accounts
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
...

But all this did not help and I always get:
]# smbclient -L file--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10
...
 NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
...

Doing the same against the IPA Server everything works fine:
# smbclient -L directory--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10

... Maybe there is something wrong in: "cli_init_creds" ... but now after hours of research, debugging and testing I will give up and switch to "tdbsam" which is not optimal but should at least work ...

From mkosek at redhat.com Tue Jan 20 06:56:46 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Jan 2015 07:56:46 +0100
Subject: [Freeipa-users] freeipa managed sudoers on Solaris 10
In-Reply-To: <54BD54A1.3040808@redhat.com>
References: <759625883.2039340.1421693411249.JavaMail.yahoo@jws100202.mail.ne1.yahoo.com> <54BD54A1.3040808@redhat.com>
Message-ID: <54BDFC2E.1020604@redhat.com>

On 01/19/2015 08:01 PM, Dmitri Pal wrote:
> On 01/19/2015 01:50 PM, sipazzo wrote:
>> I am having trouble finding relevant documentation on using freeipa to manage
>> sudoers for a Solaris client. Has anyone successfully set this up without
>> adding a bunch of non-standard packages? I am running freeipa 3.0.0-42 and
>> any help is appreciated.
>> >> > AFAIR Solaris does not carry sudo packages so if you plan to use sudo you would > need to get packages from upstream. > Other than that it is not different from using SUDO from a Linux client that > does not have SSSD. BTW, I see you are using quite old FreeIPA version. If you are running on RHEL/CentOS, I would suggest using RHEL/CentOS 7.0 (IPA 3.3.3) or RHEL/CentOS 7.1 (IPA 4.1) when it is GA. (demo on ipa.demo1.freeipa.org) From abokovoy at redhat.com Tue Jan 20 08:01:43 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 20 Jan 2015 10:01:43 +0200 Subject: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu In-Reply-To: References: <22036664.121131.1395927382024.JavaMail.zimbra@chemaxon.com> <5334570B.1040103@redhat.com> <2068400394.73207.1395997013774.JavaMail.zimbra@chemaxon.com> <53355DC9.3050908@redhat.com> <15930145-D35A-4032-9273-8218B6515EDA@jasonwoods.me.uk> <20140328141529.GL21211@redhat.com> Message-ID: <20150120080143.GA31960@redhat.com> On Wed, 14 Jan 2015, Raoul Becke wrote: >Alexander Bokovoy writes: > >> >> On Fri, 28 Mar 2014, Jason Woods wrote: >> >Hi >> >(Apologies - resending to the list - I'm so used to the Reply-To already >set but it appears not to be here my bad.) >> > >> >> On 28 Mar 2014, at 11:32, Petr Spacek wrote: >> >> >> >> Please let us know if it worked for you or not. I'm curious! >> > >> >I'm pretty curious too. >> > >> >I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I >> >needed to add two patches though to 3.0 to fix 'valid users' group >> >resolution and also performance. They're merged into master and 3.3 >> >and will be in RHEL 7. >> > >> >Apart from the patching it was easy to do - just needed ipa-server and >> >ipa-server-adtrust installed and setup and it did all the config for me >> >(the adtrust part sets up samba with ipasam.so for you). 
>> >
>> >Problem is running ipasam.so without the ipa-server locally - is how to
>> >get it so the host can see ipaNTHash in the schema to check password.
>> >If ipa-server is local the host has access, otherwise it doesn't.
>> >
>> >So be good to find out what aci or service principal stuff makes that
>> >available in an elegant and secure way.
>> We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it
>> all and may be creating a simple configuration tool.
>>
>> Timing is not yet defined.
>>
>
>Is there any news on this issue?
Yes, the solution based on SSSD providing a winbindd-compatible interface is
available in Fedora 21 and RHEL7.1beta.

>I tried the following work-around which unfortunately did not work.
>1. On the IPA Server:
>]# yum install ipa-server-trust-ad
>2. On the IPA Server: Run "ipa-adtrust-install"
>]# ipa-adtrust-install
>3. On ipa-server: Copy "ipasam.so" to samba server:
>]# scp /usr/lib64/samba/pdb/ipasam.so file--s0-v1.becke.ch:/usr/lib64/samba/pdb/
>4. On ipa-server: Create the following CIFS service:
>]# ipa service-add cifs/file--s0-v1.becke.ch at BECKE.CH
you also need to add cifs/file--s0-v1.becke.ch at BECKE.CH to an ACI that
would allow it to read ipaNTHash attribute.

>5. On ipa-server: Create keytab for samba server and copy over to samba server
>]# ipa-getkeytab -s directory--s0-v1.becke.ch -p
>cifs/file--s0-v1.becke.ch at BECKE.CH -k /tmp/samba.keytab
>]# scp /tmp/samba.keytab root at file--s0-v1.becke.ch:/etc/samba/samba.keytab
>
>6. On samba server:
>vi /etc/samba/smb.conf
>...
>[global]
>        workgroup = BECKECH
>        server string = Samba Server Version %v
>        netbios name = FILES0V1
>
>        log file = /var/log/samba/%m.log
>        max log size = 50
>
>        realm = BECKE.CH
>        kerberos method = dedicated keytab
>        dedicated keytab file = FILE:/etc/samba/samba.keytab
>        create krb5 conf = no
>
>        security = user
>
># passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-BECKE-CH.socket
>        passdb backend = ipasam:ldaps://directory--s0-v1.becke.ch
>
>        ldapsam:trusted=yes
>        ldap ssl = off
>        ldap suffix = dc=becke,dc=ch
>        ldap user suffix = cn=users,cn=accounts
>        ldap group suffix = cn=groups,cn=accounts
>        ldap machine suffix = cn=computers,cn=accounts
>...
>
>But all this did not help and I always get:
>]# smbclient -L file--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10
>...
>  NTLMSSP_NEGOTIATE_KEY_EXCH
>SPNEGO login failed: Logon failure
>session setup failed: NT_STATUS_LOGON_FAILURE
>...
>
>Doing the same against the IPA Server everything works fine:
># smbclient -L directory--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10
>
>... Maybe there is something wrong in: "cli_init_creds" ... but now after
>hours of research, debugging and testing I will give up and switch to
>"tdbsam" which is not optimal but should at least work ...
As I said above, your cifs/file-* service is unable to read out password
values from ipaNTHash attribute of a user entry. It has to be added to a
pre-defined group first. That group is then added into a specialized ACI
granting access to the attributes required by Samba.

It could be done through role/privilege/permission process in IPA 4.0+:

0. Add service on host foo.bar:
   # ipa service-add cifs/foo.bar

1. Add permission:
   # ipa permission-add "CIFS server can read user passwords" \
        --attrs={ipaNTHash,ipaNTSecurityIdentifier} \
        --type=user --right={read,search,compare} --bindtype=permission

2. Add privilege:
   # ipa privilege-add-permission 'CIFS server privilege' --permission='CIFS server can read user passwords'

3.
   Add role to bind privilege to specific services:
   # ipa role-add 'CIFS server'
   # ipa role-add-privilege 'CIFS server' --privilege='CIFS server privilege'
   # ipa role-add-member 'CIFS server' --services=cifs/foo.bar

If you have keytab for the service cifs/foo.bar, you can verify that it
indeed can read ipaNTHash:

[root at master ~]# kdestroy -A
[root at master ~]# kinit -kt foobar.keytab cifs/foo.bar
[root at master ~]# ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: cifs/foo.bar at F21.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, f21.test
dn: uid=admin,cn=users,cn=compat,dc=f21,dc=test

# admin, users, accounts, f21.test
dn: uid=admin,cn=users,cn=accounts,dc=f21,dc=test
ipaNTHash::

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

This would work more or less the same in 3.0 but you would need to add
permissions differently because 3.x doesn't have as easy permission
constructing means as 4.0 has.

An approach we chose with SSSD in Fedora 21/RHEL7.1beta is totally
different -- SSSD provides needed information to perform identity
management and authentication via libwinbind replacement library. The only
issue with this approach is that NTLM authentication is not supported, one
has to use Kerberos auth all the time.

-- 
/ Alexander Bokovoy

From rob.harper at stfc.ac.uk  Tue Jan 20 15:20:52 2015
From: rob.harper at stfc.ac.uk (rob.harper at stfc.ac.uk)
Date: Tue, 20 Jan 2015 15:20:52 +0000
Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
In-Reply-To: <54BD3919.4070008@redhat.com>
References: <54BD3919.4070008@redhat.com>
Message-ID: 

Hi Petr,

Thanks for the reply.
I wrote:
> > I have been trying to set up SRV records for the FreeIPA server by
> > providing the autogenerated zone file to our DNS manager, who has
> > incorporated the configuration. When we deployed these changes, I used
> > dig to confirm that SRV queries were giving appropriate responses, which
> > they appear to be.
> >
> > I then tried setting up a client using ipa-client-install and got an error:
> >
> > Failed to verify that freeipa01. is an IPA Server.
> > This may mean that the remote server is not up or is not reachable due to
> > network or firewall settings.
> >
> > The zone config we currently have in place is as follows (we changed
> > hostnames in the sample file to fqdns for this attempt, but the same
> > symptoms came from bare hostnames)...
> >
> > ; ldap servers
> > _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> > ;
> >  ; kerberos realm
> > _kerberos.my.domain. IN TXT my.domain.
> > ;
> > ; kerberos servers
> > _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> > _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> > ;
> > ; ntp server
> > _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.

Petr wrote:
> Interesting. Please provide us with information listed on
> http://www.freeipa.org/page/Troubleshooting#Client_Installation

OK, log file attached.

> Additionally not-obfuscated output from dig could help too.

Transcript of some dig commands attached (script output edited to clear up control characters).

> Also, please keep in mind that:
> 1) Log obfuscation will make debugging harder for us.
> 2) Obfuscating DNS names does not bring any real security.
>
> Did you read your e-mail headers?
> DNS domain EXCHMBX01.fed.cclrc.ac.uk is
> in there ...

Point taken, I won't do that again. :)

And thanks again.

Rob

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipaclient-install.log
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dig_queries
Type: application/octet-stream
Size: 9188 bytes
Desc: dig_queries
URL: 

From dbischof at hrz.uni-kassel.de  Tue Jan 20 15:37:50 2015
From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de)
Date: Tue, 20 Jan 2015 16:37:50 +0100 (CET)
Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
In-Reply-To: 
References: 
Message-ID: 

Rob,

On Mon, 19 Jan 2015, rob.harper at stfc.ac.uk wrote:

> I have successfully set up a test FreeIPA server and run it for a while,
> but the time has come to move towards a production service. I am
> currently running ipa-server version 3.0.0-25 on Scientific Linux 6.4
> (if you don't know it, Scientific Linux is basically a rebuild of
> RedHat, much like CentOS). Yes, I know this is an older FreeIPA, but I
> am going through the path of least resistance given our site's current
> standard configuration.
>
> On our site there is a central DNS service and it is unlikely we will be
> allowed to run our own DNS service (other than as a slave/cacheing NS).
>
> I have been trying to set up SRV records for the FreeIPA server by
> providing the autogenerated zone file to our DNS manager, who has
> incorporated the configuration. When we deployed these changes, I used
> dig to confirm that SRV queries were giving appropriate responses, which
> they appear to be.
>
> I then tried setting up a client using ipa-client-install and got an
> error:
>
> Failed to verify that freeipa01. is an IPA Server. This
> may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
>
> The install worked on a client before deploying the SRV records, using
> manual specification of the server. I disabled iptables on the server
> to eliminate potential problems there, and got the same result. If we
> disable the SRV records, I am able to do the manual set-up again.
>
> So it looks like the problem is at the DNS end of things, so maybe our
> zone configuration is missing something.
>
> The zone config we currently have in place is as follows (we changed
> hostnames in the sample file to fqdns for this attempt, but the same
> symptoms came from bare hostnames)...
>
> ; ldap servers
> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> ;
> ; kerberos realm
> _kerberos.my.domain. IN TXT my.domain.

this looks odd to me, our central DNS TXT record zone entry looks like

---
_kerberos 86400 IN TXT "MY.DOMAIN"
---

where "MY.DOMAIN" is my Kerberos realm (usually the domain name in capital letters).

If you do a

---
dig +short -t TXT _kerberos.my.domain
---

it should answer

---
"MY.DOMAIN"
---

> ;
> ; kerberos servers
> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> ;
> ; ntp server
> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
>
>
> ...So that is where I am. I was hoping that someone could give me a
> pointer or two as to how I might debug this problem and actually get
> service discovery working.

Mit freundlichen Gruessen/With best regards,

--Daniel.
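What follows is an added example written for this page; it is not code from the thread or from FreeIPA. It checks a zone fragment like the one above before it is handed to the DNS manager, reporting the realm TXT problems raised in the replies (a value that is not upper-case or that carries a trailing dot) as well as any of the IPA discovery SRV records that is missing, advertises the wrong port or has an unqualified target. The embedded fragment is a constructed copy of the posted one, with my.domain standing in for the real domain as it does in the post; the set of expected SRV records is the one the IPA-generated zone file contains, and treating _ntp._udp as optional is an assumption of this example.

```python
"""Check the DNS records a FreeIPA client needs for autodiscovery.

Added example for this page, not code from the thread or from FreeIPA.  It
parses the zone fragment handed to an external DNS administrator and reports
the problems the replies point at (realm TXT not upper-case, trailing dot)
plus missing or mis-ported SRV records, before ipa-client-install is run.
"""
from typing import List, Tuple

# SRV owners in the IPA-generated fragment and the port each must carry.
# Assumption: _ntp._udp is optional and is not checked.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}


def parse_zone(text: str, origin: str) -> List[Tuple[str, str, List[str]]]:
    """Minimal BIND-style parser: one record per line, optional TTL and
    class, ';' comments, relative owners qualified with `origin`.
    Returns (owner FQDN without trailing dot, rrtype, rdata tokens)."""
    origin = origin.rstrip(".").lower()
    records = []
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()
        if not toks:
            continue
        owner = toks.pop(0)
        if toks and toks[0].isdigit():        # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() == "IN":  # optional class
            toks.pop(0)
        if not toks:
            continue
        rrtype = toks.pop(0).upper()
        fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
        records.append((fqdn.lower(), rrtype, toks))
    return records


def check_ipa_records(zone_text: str, domain: str) -> List[str]:
    """Return the problems found; an empty list means the fragment looks sane."""
    domain = domain.rstrip(".").lower()
    problems: List[str] = []
    records = parse_zone(zone_text, domain)

    # One IPA server per owner in this fragment; with several servers the
    # dict would have to become a list of rdata per owner.
    srv = {owner: rd for owner, rrtype, rd in records if rrtype == "SRV"}
    for label, port in REQUIRED_SRV.items():
        owner = f"{label}.{domain}"
        rd = srv.get(owner)
        if rd is None:
            problems.append(f"missing SRV record {owner}")
        elif len(rd) != 4:
            problems.append(f"{owner}: malformed SRV rdata {' '.join(rd)}")
        else:
            _prio, _weight, rport, target = rd
            if rport != str(port):
                problems.append(f"{owner}: port {rport}, expected {port}")
            if not target.endswith("."):
                problems.append(f"{owner}: target {target} is not fully qualified")

    txt = [rd for owner, rrtype, rd in records
           if rrtype == "TXT" and owner == f"_kerberos.{domain}"]
    if not txt:
        problems.append(f"missing TXT record _kerberos.{domain}")
    else:
        realm = " ".join(txt[0]).strip('"')
        if realm.endswith("."):
            problems.append(f"_kerberos TXT realm {realm!r} has a trailing dot")
        if realm != realm.upper():
            problems.append(f"_kerberos TXT realm {realm!r} is not upper-case")
    return problems


# Constructed copy of the fragment posted above (my.domain stands in for the
# real domain, as it does in the post).
POSTED_ZONE = """\
; ldap servers
_ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
; kerberos realm
_kerberos.my.domain. IN TXT my.domain.
; kerberos servers
_kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
; ntp server
_ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
"""

# The same fragment with the TXT record written the way the replies suggest.
FIXED_ZONE = POSTED_ZONE.replace('IN TXT my.domain.', 'IN TXT "MY.DOMAIN"')

if __name__ == "__main__":
    for name, zone in (("posted", POSTED_ZONE), ("fixed", FIXED_ZONE)):
        issues = check_ipa_records(zone, "my.domain")
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it on the real fragment (check_ipa_records(open(path).read(), "my.domain")) and fix everything it lists before asking for the zone change; once the change is live, dig +short -t TXT _kerberos.my.domain should return exactly the quoted upper-case realm, which is the value ipa-client-install will take as the Kerberos realm. The parser is deliberately minimal (no $ORIGIN, no multi-line records) and is meant for the handful of lines the generated fragment contains.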
From rob.harper at stfc.ac.uk  Tue Jan 20 15:58:55 2015
From: rob.harper at stfc.ac.uk (rob.harper at stfc.ac.uk)
Date: Tue, 20 Jan 2015 15:58:55 +0000
Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
In-Reply-To: 
References: 
Message-ID: 

Daniel wrote:
> > ; kerberos realm
> > _kerberos.my.domain. IN TXT my.domain.
>
> this looks odd to me, our central DNS TXT record zone entry looks like
>
> ---
> _kerberos 86400 IN TXT "MY.DOMAIN"
> ---
>
> where "MY.DOMAIN" is my Kerberos realm (usually the domain name in
> capital letters).
>
> If you do a
>
> ---
> dig +short -t TXT _kerberos.my.domain
> ---
>
> it should answer
>
> ---
> "MY.DOMAIN"
> ---

Hi Daniel, thanks for the suggestion.

I get:

[root at rhtest02 ~]# dig +short -t TXT _kerberos.gridpp.rl.ac.uk
"gridpp.rl.ac.uk."

So not in uppercase. I will ask to get the TXT record changed.

Unfortunately I can't do it myself, so can't check this instantly, but I will see what happens...

Thanks,
Rob

From mbasti at redhat.com  Tue Jan 20 16:20:05 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 20 Jan 2015 17:20:05 +0100
Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
In-Reply-To: 
References: 
Message-ID: <54BE8035.3030201@redhat.com>

On 20/01/15 16:58, rob.harper at stfc.ac.uk wrote:
> Daniel wrote:
>>> ; kerberos realm
>>> _kerberos.my.domain. IN TXT my.domain.
>> this looks odd to me, our central DNS TXT record zone entry looks like
>>
>> ---
>> _kerberos 86400 IN TXT "MY.DOMAIN"
>> ---
>>
>> where "MY.DOMAIN" is my Kerberos realm (usually the domain name in
>> capital letters).
>>
>> If you do a
>>
>> ---
>> dig +short -t TXT _kerberos.my.domain
>> ---
>>
>> it should answer
>>
>> ---
>> "MY.DOMAIN"
>> ---
> Hi Daniel, thanks for the suggestion.
>
> I get:
>
> [root at rhtest02 ~]# dig +short -t TXT _kerberos.gridpp.rl.ac.uk
> "gridpp.rl.ac.uk."
>
> So not in uppercase. I will ask to get the TXT record changed.
> Unfortunately I can't do it myself, so can't check this instantly, but I will see what happens...
>
> Thanks,
> Rob
>
>
Hello,

remove the trailing dot in TXT record, it could cause problems.

-- 
Martin Basti

From rob.harper at stfc.ac.uk  Tue Jan 20 16:47:32 2015
From: rob.harper at stfc.ac.uk (rob.harper at stfc.ac.uk)
Date: Tue, 20 Jan 2015 16:47:32 +0000
Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
In-Reply-To: <54BE8035.3030201@redhat.com>
References: <54BE8035.3030201@redhat.com>
Message-ID: 

Martin wrote:
> remove the trailing dot in TXT record, it could cause problems.

OK. We'll try that too.

Many thanks for your input.

Rob

From Bill.Quayle at citadel.com  Tue Jan 20 15:49:35 2015
From: Bill.Quayle at citadel.com (Quayle, Bill)
Date: Tue, 20 Jan 2015 15:49:35 +0000
Subject: [Freeipa-users] migrate-ds aborts
In-Reply-To: <54BCC5A4.9070909@redhat.com>
References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> <54B95D7B.3020408@redhat.com> <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com> <54BCC5A4.9070909@redhat.com>
Message-ID: <3B3279E8CC13744EBA253F4A27758F23619326DA@NT-CHEX10MB01.citadelgroup.com>

We are making progress.
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Monday, January 19, 2015 2:52 AM
> To: Quayle, Bill; Ludwig Krispenz
> Cc: 'freeipa-users at redhat.com'
> Subject: Re: [Freeipa-users] migrate-ds aborts
>
> On 01/16/2015 08:21 PM, Quayle, Bill wrote:
> >
> >
> >> -----Original Message-----
> >> From: Martin Kosek [mailto:mkosek at redhat.com]
> >> Sent: Friday, January 16, 2015 12:51 PM
> >> To: Quayle, Bill; Ludwig Krispenz
> >> Cc: 'freeipa-users at redhat.com'
> >> Subject: Re: [Freeipa-users] migrate-ds aborts
> >>
> >> On 01/16/2015 04:48 PM, Quayle, Bill wrote:
> >>> Thanks for looking into this!
> >>>
> >>> I was finally able to import all 11811 user records into IPA, but
> >>> even now,
> >> when I re-run the migrate, I get the same failure.
> >>
> >> How did you do it in the end? Simply by running migrate-ds command
> >> multiple times or did you succeeded with the limits?
> >>
> > I re-ran migrate-ds about 30 times to complete the migration of users.
>
> Hm, this is definitely not how the migrate-ds is supposed work :-/ I wish we
> can find the problem to avoid such difficulties for other users.
>
As this is an evaluation setup, I can tear-down and rebuild to try to capture more data, if you want.

> ...
> >>> One thing that is also confusing me, is that I am getting this error:
> >>> [Fri Jan 16 09:28:29.007575 2015] [:error] [pid 14924] ipa: WARNING:
> >>> GID
> >> number 11 of migrated user anyone does not point to a known group.
> >>
> >> migrate-ds command runs a search against the migrated OpenLDAP
> >> database and tries to find a group with gidNumber 11. When it fails
> >> to locate it, it reports this error. Do you have all the groups in DN
> >> "ou=people,ou=agroup,dc=example,dc=com"?
> >>
> > Groups are in "ou=groups,ou=agroup,dc=example,dc=com"
> > I use --base-dn="ou=agroup,dc=example,dc=com" as an option to
> > migrate-ds
>
> Right, sorry - I see I mistyped the DN.
> Does the container then contain a
> group with gidNumber 11? It would explain the error you were asking about.
>
I also mistyped the dn. We use "group" instead of "groups", which explains a lot.

> >>
> >>> And it never migrates my groups. The ou=Groups is used in my source
> >> openLDAP tree, so I'm not sure why it wouldn't migrate.
>
> Maybe your groups use some scheme that migrate-ds does not recognize as
> group.
> Can you show an example/LDIF of a group stored in ou=Groups?
>
> migrate-ds will search for groups with this default filter BTW:
>
> (&(|(objectClass=groupofuniquenames)(objectClass=groupofnames))(cn=*)
> )
>
We also do not use this objectClass. I've set:
--group-contain="ou=group" --group-objectclass=posixGroup --user-objectclass=foo
And re-run the migrate-ds.

It populated my groups! :-)

> >>
> >> If i crashes during user migration, it won't even continue with
> >> groups. I know this is not a proper fix, but you could make sure the
> >> user migration part does not find anything (e.g. with
> >> --user-objectclass=foo) and using --continue option. Then it will jump
> directly to group migration.
> >>
> > I had actually already tried doing that. I just re-tried using the debug=True,
> and here's the contents of error_log:
>
> Ah. Yes, this revealed one error, although this one just means that neither
> user or group search did not return any errors.
I created a ticket for it: > > https://fedorahosted.org/freeipa/ticket/4846 > > The fix for this will be easy, but it will not fix the actual root cause of the > migration problems you are hitting > > > [Fri Jan 16 13:07:42.819342 2015] [:error] [pid 15335] ipa: DEBUG: WSGI > wsgi_dispatch.__call__: > > [Fri Jan 16 13:07:42.819462 2015] [:error] [pid 15335] ipa: DEBUG: WSGI > xmlserver_session.__call__: > > [Fri Jan 16 13:07:42.819649 2015] [:error] [pid 15335] ipa: DEBUG: > > found session cookie_id = 7efb4fc24d37b7fe064fa2a4f0af447b [Fri Jan 16 > > 13:07:42.819926 2015] [:error] [pid 15335] ipa: DEBUG: found session > > data in cache with id=7efb4fc24d37b7fe064fa2a4f0af447b > > [Fri Jan 16 13:07:42.820031 2015] [:error] [pid 15335] ipa: DEBUG: > > xmlserver_session.__call__: > > session_id=7efb4fc24d37b7fe064fa2a4f0af447b > > start_timestamp=2015-01-16T13:06:02 > > access_timestamp=2015-01-16T13:07:42 > > expiration_timestamp=2015-01-16T13:26:02 > > [Fri Jan 16 13:07:42.820113 2015] [:error] [pid 15335] ipa: DEBUG: storing > ccache data into file "/var/run/ipa_memcached/krbcc_15335" > > [Fri Jan 16 13:07:42.820724 2015] [:error] [pid 15335] ipa: DEBUG: > > get_credential_times: > > principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, > > authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, > > endtime=01/16/15 16:44:04, renew_till=12/31/69 18:00:00 [Fri Jan 16 > 13:07:42.821070 2015] [:error] [pid 15335] ipa: DEBUG: get_credential_times: > principal=HTTP/testserver.example.com at IDMTEST.EXAMPLE.COM, > authtime=01/15/15 16:44:10, starttime=01/15/15 16:44:17, endtime=01/16/15 > 16:44:04, renew_till=12/31/69 18:00:00 [Fri Jan 16 13:07:42.821370 2015] > [:error] [pid 15335] ipa: DEBUG: KRB5_CCache > FILE:/var/run/ipa_memcached/krbcc_15335 endtime=1421448244 (01/16/15 > 16:44:04) [Fri Jan 16 13:07:42.821480 2015] [:error] [pid 15335] ipa: DEBUG: > set_session_expiration_time: duration_type=inactivity_timeout > duration=1200 max_age=1421447944 
expiration=1421436462.82 (2015-01- > 16T13:27:42) [Fri Jan 16 13:07:42.821539 2015] [:error] [pid 15335] ipa: DEBUG: > WSGI xmlserver.__call__: > > [Fri Jan 16 13:07:42.850018 2015] [:error] [pid 15335] ipa: DEBUG: > > Created connection context.ldap2 [Fri Jan 16 13:07:42.850117 2015] [:error] > [pid 15335] ipa: DEBUG: WSGI WSGIExecutioner.__call__: > > [Fri Jan 16 13:07:42.851403 2015] [:error] [pid 15335] ipa: DEBUG: > > raw: migrate_ds(u'ldap://10.x.x.x:389', u'********', > > binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', > > usercontainer=u'ou=people', groupcontainer=u'ou=groups', > > userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', > u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, > groupignoreobjectclass=None, groupignoreattribute=None, > groupoverwritegid=False, schema=u'RFC2307bis', continue=True, > basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65', > exclude_groups=None, exclude_users=None) [Fri Jan 16 13:07:42.852159 > 2015] [:error] [pid 15335] ipa: DEBUG: migrate_ds(u'ldap://10.x.x.x:389', > u'********', > binddn=ipapython.dn.DN('uid=me,ou=people,ou=agroup,dc=example,dc=c > om'), usercontainer=ipapython.dn.DN('ou=people'), > groupcontainer=ipapython.dn.DN('ou=groups'), userobjectclass=(u'foo',), > groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), > userignoreobjectclass=None, userignoreattribute=None, > groupignoreobjectclass=None, groupignoreattribute=None, > groupoverwritegid=False, schema=u'RFC2307bis', continue=True, > basedn=ipapython.dn.DN('ou=agroup,dc=example,dc=com'), compat=False, > version=u'2.65', exclude_groups=None, exclude_users=None) [Fri Jan 16 > 13:07:42.933433 2015] [:error] [pid 15335] ipa: DEBUG: Created connection > context.ldap2_140625322494032 [Fri Jan 16 13:07:42.944655 2015] [:error] [pid > 15335] ipa: ERROR: non-public: UnboundLocalError: local variable 'pkey' > referenced before assignment [Fri Jan 16 13:07:42.944666 2015] [:error] [pid > 15335] 
Traceback (most recent call last): > > [Fri Jan 16 13:07:42.944668 2015] [:error] [pid 15335] File > "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in > wsgi_execute > > [Fri Jan 16 13:07:42.944670 2015] [:error] [pid 15335] result = > self.Command[name](*args, **options) > > [Fri Jan 16 13:07:42.944671 2015] [:error] [pid 15335] File > "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__ > > [Fri Jan 16 13:07:42.944673 2015] [:error] [pid 15335] ret = self.run(*args, > **options) > > [Fri Jan 16 13:07:42.944683 2015] [:error] [pid 15335] File > "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run > > [Fri Jan 16 13:07:42.944686 2015] [:error] [pid 15335] result = > self.execute(*args, **options) > > [Fri Jan 16 13:07:42.944687 2015] [:error] [pid 15335] File > "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 894, in > execute > > [Fri Jan 16 13:07:42.944689 2015] [:error] [pid 15335] ldap, config, ds_ldap, > ds_base_dn, options > > [Fri Jan 16 13:07:42.944691 2015] [:error] [pid 15335] File > "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 843, in > migrate > > [Fri Jan 16 13:07:42.944692 2015] [:error] [pid 15335] > _update_default_group(ldap, pkey, config, context, True) > > [Fri Jan 16 13:07:42.944694 2015] [:error] [pid 15335] > > UnboundLocalError: local variable 'pkey' referenced before assignment > > [Fri Jan 16 13:07:42.944888 2015] [:error] [pid 15335] ipa: INFO: > > admin at IDMTEST.EXAMPLE.COM: migrate_ds(u'ldap://10.x.x.x:389', > > u'********', > binddn=u'uid=me,ou=people,ou=agroup,dc=example,dc=com', > > usercontainer=u'ou=people', groupcontainer=u'ou=groups', > userobjectclass=(u'foo',), groupobjectclass=(u'groupOfUniqueNames', > u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, > groupignoreobjectclass=None, groupignoreattribute=None, > groupoverwritegid=False, schema=u'RFC2307bis', continue=True, > 
> basedn=u'ou=agroup,dc=example,dc=com', compat=False, version=u'2.65',
> exclude_groups=None, exclude_users=None): UnboundLocalError [Fri Jan
> 16 13:07:42.944952 2015] [:error] [pid 15335] ipa: DEBUG: response:
> InternalError: an internal error has occurred [Fri Jan 16 13:07:42.945645 2015]
> [:error] [pid 15335] ipa: DEBUG: Destroyed connection context.ldap2 [Fri Jan
> 16 13:07:42.945757 2015] [:error] [pid 15335] ipa: DEBUG: Destroyed
> connection context.ldap2_140625322494032 [Fri Jan 16 13:07:42.945846 2015]
> [:error] [pid 15335] ipa: DEBUG: reading ccache data from file
> "/var/run/ipa_memcached/krbcc_15335"
> > [Fri Jan 16 13:07:42.946019 2015] [:error] [pid 15335] ipa: DEBUG:
> > store session: session_id=7efb4fc24d37b7fe064fa2a4f0af447b
> > start_timestamp=2015-01-16T13:06:02
> > access_timestamp=2015-01-16T13:07:42
> > expiration_timestamp=2015-01-16T13:27:42
> >
> >> I am still thinking it would make sense to also check the migrated
> >> OpenLDAP logs and see if there is anything interesting when the
> migration breaks.
> >
> > I've been watching the logs on the OpenLDAP servers, and they just see
> the connection close.
>
> access log excerpt may help, if it contains any error logs we could use. I was
> also thinking it would be also useful to know which LDAP search exactly failed
> as it is not clear from the error. If you modify the FreeIPA server this way:
>
> # cp /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py
> /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py.bkp
> # sed -i "s/error = e$/error = e\n import traceback\n
> traceback.print_exc()/" /usr/lib/python2.7/site-
> packages/ipaserver/rpcserver.py
> # service httpd restart
>
> The traceback of where the NetworkError is raised should be added to
> /var/log/httpd/error_log.
>
So we have successfully migrated the users and groups. I can't seem to find any pointers on migrating netgroups and automount maps. Is this done via an LDIF dump and import?

Thanks!
-Bill

________________________________

CONFIDENTIALITY AND SECURITY NOTICE

The contents of this message and any attachments may be confidential and proprietary. If you are not an intended recipient, please inform the sender of the transmission error and delete this message immediately without reading, distributing or copying the contents.

From rcritten at redhat.com  Tue Jan 20 19:24:54 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 Jan 2015 14:24:54 -0500
Subject: [Freeipa-users] migrate-ds aborts
In-Reply-To: <3B3279E8CC13744EBA253F4A27758F23619326DA@NT-CHEX10MB01.citadelgroup.com>
References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> <54B95D7B.3020408@redhat.com> <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com> <54BCC5A4.9070909@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619326DA@NT-CHEX10MB01.citadelgroup.com>
Message-ID: <54BEAB86.6050009@redhat.com>

Quayle, Bill wrote:
> We are making progress.

...

>>
>> The traceback of where the NetworkError is raised should be added to
>> /var/log/httpd/error_log.
>>
> So we have successfully migrated the users and groups. I can't seem to find any pointers on migrating netgroups and automount maps. Is this done via an LDIF dump and import?

You'd be better off writing some simple scripts using the ipa command-line tool for these.

rob

From Steven.Jones at vuw.ac.nz  Tue Jan 20 22:07:44 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 20 Jan 2015 22:07:44 +0000
Subject: [Freeipa-users] IPA with OTP
Message-ID: <1421791628031.56955@vuw.ac.nz>

Hi,

Any docs for RHEL7.1 for his?

regards

Steven
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From dpal at redhat.com  Tue Jan 20 22:18:47 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 20 Jan 2015 17:18:47 -0500
Subject: [Freeipa-users] IPA with OTP
In-Reply-To: <1421791628031.56955@vuw.ac.nz>
References: <1421791628031.56955@vuw.ac.nz>
Message-ID: <54BED447.4030200@redhat.com>

On 01/20/2015 05:07 PM, Steven Jones wrote:
>
> Hi,
>
>
> Any docs for RHEL7.1 for his?
>
>
> regards
>
> Steven
>
>
>
Docs will be based on this: http://www.freeipa.org/page/V3/OTP

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mkosek at redhat.com  Tue Jan 20 22:20:56 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Jan 2015 23:20:56 +0100
Subject: [Freeipa-users] migrate-ds aborts
In-Reply-To: <3B3279E8CC13744EBA253F4A27758F23619326DA@NT-CHEX10MB01.citadelgroup.com>
References: <3B3279E8CC13744EBA253F4A27758F236193099C@NT-CHEX10MB01.citadelgroup.com> <54B8C13B.7030903@redhat.com> <54B8C858.7040109@redhat.com> <54B8CAEB.2090703@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619311FE@NT-CHEX10MB01.citadelgroup.com> <54B95D7B.3020408@redhat.com> <3B3279E8CC13744EBA253F4A27758F2361931384@NT-CHEX10MB01.citadelgroup.com> <54BCC5A4.9070909@redhat.com> <3B3279E8CC13744EBA253F4A27758F23619326DA@NT-CHEX10MB01.citadelgroup.com>
Message-ID: <54BED4C8.80600@redhat.com>

On 01/20/2015 04:49 PM, Quayle, Bill wrote:
...
>> Hm, this is definitely not how the migrate-ds is supposed work :-/ I wish we
>> can find the problem to avoid such difficulties for other users.
>>
> As this is an evaluation setup, I can tear-down and rebuild to try to capture more data, if you want.

That would be great. Finding the reason why the migration ends with NetworkError would be awesome.
So far, my last debugging idea was to see where exactly is the NetworkError thrown:

# cd /usr/lib/python2.7/site-packages/ipaserver/
# rpcserver.py rpcserver.py.orig
# wget http://mkosek.fedorapeople.org/0001-Print-PublicError-traceback-when-in-debug-mode.patch -O /tmp/ipa.patch
# patch -p2 < /tmp/ipa.patch
# service httpd reload

Then when server is put in debug=True mode, /var/log/httpd/error_log should contain traceback for the NetworkError.

Maybe Rob has also other ideas how to find the root cause.

...
>> Right, sorry - I see I mistyped the DN. Does the container then contain a
>> group with gidNumber 11? It would explain the error you were asking about.
>>
> I also mistyped the dn. We use "group" instead of "groups", which explains a lot.
>>>>
>>>>> And it never migrates my groups. The ou=Groups is used in my source
>>>> openLDAP tree, so I'm not sure why it wouldn't migrate.
>>
>> Maybe your groups use some scheme that migrate-ds does not recognize as
>> group.
>> Can you show an example/LDIF of a group stored in ou=Groups?
>>
>> migrate-ds will search for groups with this default filter BTW:
>>
>> (&(|(objectClass=groupofuniquenames)(objectClass=groupofnames))(cn=*)
>> )
>>
> We also do not use this objectClass. I've set:
> --group-contain="ou=group" --group-objectclass=posixGroup --user-objectclass=foo
> And re-run the migrate-ds.
>
> It populated my groups! :-)

Ah, cool! Rob, why is posixGroup missing in the list of possible migrated group objectclass anyway? We only search for groupofuniquenames/groupofnames by default. Adding posixGroup to the default list sounds fine to me.

Martin

From jbaird at follett.com  Tue Jan 20 22:40:13 2015
From: jbaird at follett.com (Baird, Josh)
Date: Tue, 20 Jan 2015 22:40:13 +0000
Subject: [Freeipa-users] Automount and home directory creation
Message-ID: 

Hi,

I'm considering migrating to automounted home directories (via NFS), but would like to avoid having to manually create/provision the home directories on the NFS server.
This [1] blog covers the very topic, but I'm not sure that any progress was ever made.

Does anyone have any ideas or suggestions?

[1] - http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/

Thanks,

Josh

From dpal at redhat.com  Tue Jan 20 23:00:58 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 20 Jan 2015 18:00:58 -0500
Subject: [Freeipa-users] Automount and home directory creation
In-Reply-To: 
References: 
Message-ID: <54BEDE2A.4020408@redhat.com>

On 01/20/2015 05:40 PM, Baird, Josh wrote:
> Hi,
>
> I'm considering migrating to automounted home directories (via NFS), but would like to avoid having to manually create/provision the home directories on the NFS server. This [1] blog covers the very topic, but I'm not sure that any progress was ever made.
>
> Does anyone have any ideas or suggestions?
>
> [1] - http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>
> Thanks,
>
> Josh
>
>
Well... there is not simple solution and there was not much demand so it is sitting on the back burner.

A help would be really appreciated to move this forward.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From Steven.Jones at vuw.ac.nz  Tue Jan 20 23:06:14 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 20 Jan 2015 23:06:14 +0000
Subject: [Freeipa-users] IPA with OTP
In-Reply-To: <54BED447.4030200@redhat.com>
References: <1421791628031.56955@vuw.ac.nz>,<54BED447.4030200@redhat.com>
Message-ID: <1421795138018.20787@vuw.ac.nz>

Hi,

I am getting re-directed to,

http://www.freeipa.org/page/V4/OTP

This is the same thing?

regards

Steven J

________________________________
From: freeipa-users-bounces at redhat.com on behalf of Dmitri Pal
Sent: Wednesday, 21 January 2015 11:18 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA with OTP

On 01/20/2015 05:07 PM, Steven Jones wrote:

Hi,

Any docs for RHEL7.1 for his?
regards Steven Docs will be based on this: http://www.freeipa.org/page/V3/OTP -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Tue Jan 20 23:11:08 2015 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 20 Jan 2015 18:11:08 -0500 Subject: [Freeipa-users] IPA with OTP In-Reply-To: <1421795138018.20787@vuw.ac.nz> References: <1421791628031.56955@vuw.ac.nz>, <54BED447.4030200@redhat.com> <1421795138018.20787@vuw.ac.nz> Message-ID: <54BEE08C.5080303@redhat.com> On 01/20/2015 06:06 PM, Steven Jones wrote: > > Hi, > > > I am getting re-directed to, > > > http://www.freeipa.org/page/V4/OTP > > > This is the same thing? > Yes. The page got renamed some time ago but my browser history keeps the old one. Sorry for confusion. > > regards > > Steven J > > ------------------------------------------------------------------------ > *From:* freeipa-users-bounces at redhat.com > on behalf of Dmitri Pal > > *Sent:* Wednesday, 21 January 2015 11:18 a.m. > *To:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] IPA with OTP > On 01/20/2015 05:07 PM, Steven Jones wrote: >> >> Hi, >> >> >> Any docs for RHEL7.1 for his? >> >> >> regards >> >> Steven >> >> >> >> > Docs will be based on this: http://www.freeipa.org/page/V3/OTP > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
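The migrate-ds exchange at the top of this section turns on a single LDAP filter: by default only groupOfNames/groupOfUniqueNames entries count as groups, so a container full of posixGroup entries is silently skipped until --group-objectclass widens the search. The following is an added example, not FreeIPA or migrate-ds code: a minimal evaluator for the filter syntax that filter uses (&, |, equality, presence), run over constructed group entries shaped like the ou=group container in that thread. The DNs, group names and gidNumbers are made up, and the shape group_filter() produces for --group-objectclass is an assumption of the example.

```python
"""Evaluate migrate-ds style LDAP group filters against constructed entries (added example)."""

# The default group filter quoted in the thread.
DEFAULT_GROUP_FILTER = "(&(|(objectClass=groupofuniquenames)(objectClass=groupofnames))(cn=*))"


def group_filter(objectclasses):
    """Build a filter of the same shape for the given object classes (assumed, not migrate-ds code)."""
    alternatives = "".join(f"(objectClass={oc})" for oc in objectclasses)
    return f"(&(|{alternatives})(cn=*))"


def parse_filter(text):
    """Parse the subset of RFC 4515 used here: (&...), (|...), (attr=value), (attr=*)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|":
            op, children = text[i], []
            i += 1
            while text[i] != ")":
                node, i = parse(i)
                children.append(node)
            return (op, children), i + 1
        end = text.index(")", i)
        attr, value = text[i:end].split("=", 1)
        return ("=", attr.lower(), value), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter; entry maps lower-cased attribute names to value lists."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence filter, e.g. (cn=*)
        return bool(values)
    # objectClass and cn use case-insensitive matching rules in LDAP
    return any(v.lower() == value.lower() for v in values)


def select_groups(entries, filter_text):
    """Return the DNs of the entries the filter would let migrate-ds import."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


# Constructed entries shaped like the poster's ou=group container (names and gidNumbers made up).
ENTRIES = [
    {"dn": "cn=admins,ou=group,dc=example,dc=com",
     "objectclass": ["top", "posixGroup"], "cn": ["admins"], "gidnumber": ["11"]},
    {"dn": "cn=devs,ou=group,dc=example,dc=com",
     "objectclass": ["top", "posixGroup"], "cn": ["devs"], "gidnumber": ["1001"]},
    {"dn": "cn=legacy,ou=group,dc=example,dc=com",
     "objectclass": ["top", "groupOfNames"], "cn": ["legacy"],
     "member": ["uid=bob,ou=people,dc=example,dc=com"]},
]

if __name__ == "__main__":
    print("default filter:   ", select_groups(ENTRIES, DEFAULT_GROUP_FILTER))
    print("posixGroup added: ", select_groups(ENTRIES, group_filter(["posixGroup", "groupOfNames"])))
```

With the default filter only cn=legacy is selected; adding posixGroup to the objectclass list picks up the two POSIX groups as well, which is exactly the difference the --group-objectclass=posixGroup option made in the thread.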
URL: From jbaird at follett.com Wed Jan 21 14:09:45 2015 From: jbaird at follett.com (Baird, Josh) Date: Wed, 21 Jan 2015 14:09:45 +0000 Subject: [Freeipa-users] Automount and home directory creation In-Reply-To: <54BEDE2A.4020408@redhat.com> References: <54BEDE2A.4020408@redhat.com> Message-ID: The RHEL6/7 manuals say this: Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server. I suppose this may be one option that is worth investigating. Thanks, Josh > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Dmitri Pal > Sent: Tuesday, January 20, 2015 6:01 PM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Automount and home directory creation > > On 01/20/2015 05:40 PM, Baird, Josh wrote: > > Hi, > > > > I'm considering migrating to automounted home directories (via NFS), but > would like to avoid having to manually create/provision the home directories > on the NFS server. This [1] blog covers the very topic, but I'm not sure that > any progress was ever made. > > > > Does anyone have any ideas or suggestions? > > > > [1] - > > http://adam.younglogic.com/2011/06/automount-and-home-directory- > creati > > on/ > > > > Thanks, > > > > Josh > > > > > Well... there is not simple solution and there was not much demand so it is > sitting on the back burner. > > A help would be really appreciated to move this forward. > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. 
> > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From notify.sina at gmail.com Thu Jan 22 08:25:33 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Thu, 22 Jan 2015 08:25:33 +0000 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask Message-ID: Hi List I'm at a client who has no support subscriptions, using Red Hat IdM on RHEL 6.3 64-bit servers with ipa-server-3.0.0-37.el6.x86_64 and ipa-client-3.0.0-42.el6.x86_64 . I've been playing around with autocreating user homedirs with the recommended incantations in the ipa-client-install and restarting oddjobd afterwards. I noticed that logging in on the clients as an IPA user creates the user homedir as: [root at node5 ~]# su - sina Creating home directory for sina. -sh-4.1$ I changed permissions on the user folder but it doesnt change anything, I changed the mask in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf to 0077 as advised after doing some googling. But nothing changes. Please does anyone know why this is happening, and what can be done to fix? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Thu Jan 22 09:03:26 2015 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 22 Jan 2015 10:03:26 +0100 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask In-Reply-To: References: Message-ID: <54C0BCDE.2050408@redhat.com> On 22.1.2015 09:25, Sina Owolabi wrote: > Hi List > > I'm at a client who has no support subscriptions, using Red Hat IdM on RHEL > 6.3 64-bit servers with ipa-server-3.0.0-37.el6.x86_64 > and ipa-client-3.0.0-42.el6.x86_64 . > I've been playing around with autocreating user homedirs with the > recommended incantations in the ipa-client-install and restarting oddjobd > afterwards. 
> I noticed that logging in on the clients as an IPA user creates the user > homedir as: > > [root at node5 ~]# su - sina > Creating home directory for sina. > -sh-4.1$ > I changed permissions on the user folder but it doesnt change anything, I > changed the mask in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf > to 0077 as advised after doing some googling. > But nothing changes. I guess that default .bash* files were not copied into the new directory for some reason but I have no idea why. -- Petr^2 Spacek From jhrozek at redhat.com Thu Jan 22 09:12:09 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 22 Jan 2015 10:12:09 +0100 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask In-Reply-To: References: Message-ID: <20150122091209.GR2859@hendrix.lan> On Thu, Jan 22, 2015 at 08:25:33AM +0000, Sina Owolabi wrote: > Hi List > > I'm at a client who has no support subscriptions, using Red Hat IdM on RHEL > 6.3 64-bit servers with ipa-server-3.0.0-37.el6.x86_64 > and ipa-client-3.0.0-42.el6.x86_64 . > I've been playing around with autocreating user homedirs with the > recommended incantations in the ipa-client-install and restarting oddjobd > afterwards. > I noticed that logging in on the clients as an IPA user creates the user > homedir as: Have you verified SSSD outputs the home directory value as you'd like it to? Does "getent passwd sina" print the expected homedir? > > [root at node5 ~]# su - sina One note -- calling su - sina bypasses the PAM stack mostly and doesn't ask for password. This might be OK for a quick test, but sometimes it hides SSSD misconfigurations. > Creating home directory for sina. > -sh-4.1$ > I changed permissions on the user folder but it doesnt change anything, I > changed the mask in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf > to 0077 as advised after doing some googling. > But nothing changes. > > Please does anyone know why this is happening, and what can be done to fix? 
> > Thanks! > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From jhrozek at redhat.com Thu Jan 22 09:22:47 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 22 Jan 2015 10:22:47 +0100 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask In-Reply-To: <20150122091209.GR2859@hendrix.lan> References: <20150122091209.GR2859@hendrix.lan> Message-ID: <20150122092247.GT2859@hendrix.lan> On Thu, Jan 22, 2015 at 10:12:09AM +0100, Jakub Hrozek wrote: > > [root at node5 ~]# su - sina > > One note -- calling su - sina bypasses the PAM stack mostly Sorry, this was really inaccurate. I meant to say "calling su - sina from root". The reason is the pam_rootok.so module in the PAM stack returns success and doesn't query the other modules. If you called "su - sina" from another non-privileged user, you'd be asked for a password. From rob.harper at stfc.ac.uk Thu Jan 22 09:44:42 2015 From: rob.harper at stfc.ac.uk (rob.harper at stfc.ac.uk) Date: Thu, 22 Jan 2015 09:44:42 +0000 Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS In-Reply-To: References: Message-ID: Hi, Many thanks to everyone who offered advice on this. My problem appears to be fixed. My solution was to change the TXT record defining the Kerberos realm to ensure the realm name was in upper case, in quotes, and did not have a trailing period: _kerberos.my.domain. IN TXT "GRIDPP.RL.AC.UK" I'm not sure which of these changes was the critical one (maybe all!), but the upshot is that I can now enrol clients using service discovery. Thanks again for your help. 
Rob > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of rob.harper at stfc.ac.uk > Sent: 19 January 2015 15:54 > To: freeipa-users at redhat.com > Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on > externally managed DNS > > Hi all, > > I have successfully set up a test FreeIPA server and run it for a while, but the > time has come to move towards a production service. I am currently running > ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't know it, > Scientific Linux is basically a rebuild of RedHat, much like CentOS). Yes, I > know this is an older FreeIPA, but I am going through the path of least > resistance given our site's current standard configuration. > > On our site there is a central DNS service and it is unlikely we will be allowed > to run our own DNS service (other than as a slave/cacheing NS). > > I have been trying to set up SRV records for the FreeIPA server by providing > the autogenerated zone file to our DNS manager, who has incorporated the > configuration. When we deployed these changes, I used dig to confirm that > SRV queries were giving appropriate responses, which they appear to be. > > I then tried setting up a client using ipa-client-install and got an error: > > Failed to verify that freeipa01. is an IPA Server. > This may mean that the remote server is not up or is not reachable due to > network or firewall settings. > > The install worked on a client before deploying the SRV records, using > manual specification of the server. I disabled iptables on the server to > eliminate potential problems there, and got the same result. If we disable > the SRV records, I am able to do the manual set-up again. > > So it looks like the problem is at the DNS end of things, so maybe our zone > configuration is missing something. 
> > The zone config we currently have in place is as follows (we changed > hostnames in the sample file to fqdns for this attempt, but the same > symptoms came from bare hostnames)... > > ; ldap servers > _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain. > ; > ; kerberos realm > _kerberos.my.domain. IN TXT my.domain. > ; > ; kerberos servers > _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. > _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. > ; > ; ntp server > _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain. > > > ...So that is where I am. I was hoping that someone could give me a pointer > or two as to how I might debug this problem and actually get service > discovery working. > > Many thanks for reading this far! > > Rob > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From notify.sina at gmail.com Thu Jan 22 10:12:52 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Thu, 22 Jan 2015 10:12:52 +0000 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask References: <20150122091209.GR2859@hendrix.lan> <20150122092247.GT2859@hendrix.lan> Message-ID: Hi And thanks for the replies.. The default bash files are represented in the user's home: [root at node5 ~]# ls -la /home/sina/ total 24 drwx------. 2 sina sina 4096 Jan 22 09:24 . drwxr-xr-x. 8 root root 4096 Jan 22 09:23 .. -rw-------. 1 sina sina 5 Jan 22 09:24 .bash_history -rw-------. 1 sina sina 18 Jan 22 09:23 .bash_logout -rw-------. 1 sina sina 176 Jan 22 09:23 .bash_profile -rw-------. 
1 sina sina 124 Jan 22 09:23 .bashrc And yes, it does ask for a password if I try to login as another non-priviledged user. [root at node5 ~]# su - hofozor -sh-4.1$ su - sina Password: -sh-4.1$ -sh-4.1$ pwd /home/sina On Thu Jan 22 2015 at 10:24:42 AM Jakub Hrozek wrote: > On Thu, Jan 22, 2015 at 10:12:09AM +0100, Jakub Hrozek wrote: > > > [root at node5 ~]# su - sina > > > > One note -- calling su - sina bypasses the PAM stack mostly > > Sorry, this was really inaccurate. I meant to say "calling su - sina > from root". The reason is the pam_rootok.so module in the PAM stack > returns success and doesn't query the other modules. > > If you called "su - sina" from another non-privileged user, you'd be > asked for a password. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Thu Jan 22 10:27:31 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 22 Jan 2015 12:27:31 +0200 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask In-Reply-To: References: <20150122091209.GR2859@hendrix.lan> <20150122092247.GT2859@hendrix.lan> Message-ID: <20150122102731.GT4383@redhat.com> On Thu, 22 Jan 2015, Sina Owolabi wrote: >Hi >And thanks for the replies.. >The default bash files are represented in the user's home: >[root at node5 ~]# ls -la /home/sina/ >total 24 >drwx------. 2 sina sina 4096 Jan 22 09:24 . >drwxr-xr-x. 8 root root 4096 Jan 22 09:23 .. >-rw-------. 1 sina sina 5 Jan 22 09:24 .bash_history >-rw-------. 1 sina sina 18 Jan 22 09:23 .bash_logout >-rw-------. 1 sina sina 176 Jan 22 09:23 .bash_profile >-rw-------. 1 sina sina 124 Jan 22 09:23 .bashrc > >And yes, it does ask for a password if I try to login as another >non-priviledged user. 
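Rob Harper's thread above (the SRV/TXT zone fragment and the TXT record fix) is easy to get wrong when the zone is maintained by another team. Below is an added example, not part of the thread and not ipa-client-install code: it parses a BIND-style fragment built from the records he posted (with the placeholder my.domain and an assumed realm name MY.DOMAIN) and reports the kinds of problem that broke discovery there: a _kerberos TXT record that is unquoted, lower-case, or carries a trailing dot, and SRV records that are missing or point at targets that are not fully qualified. The set of SRV owner names treated as required is an assumption of the example.

```python
"""Check the DNS records IPA client discovery depends on (added example, not ipa-client-install)."""
import re

# Constructed zone fragment: the records from the thread, with the original (broken) TXT line.
BROKEN_ZONE = """\
; ldap servers
_ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
; kerberos realm
_kerberos.my.domain. IN TXT my.domain.
; kerberos servers
_kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
; ntp server
_ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
"""

# The same fragment with the TXT record written the way the thread's fix did:
# upper-case realm, quoted, no trailing dot.  MY.DOMAIN is an assumed realm name.
FIXED_ZONE = BROKEN_ZONE.replace('_kerberos.my.domain. IN TXT my.domain.',
                                 '_kerberos.my.domain. IN TXT "MY.DOMAIN"')

# SRV owner names this check insists on (assumption of the example, not an IPA specification).
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_kpasswd._tcp", "_kpasswd._udp")

# owner [ttl] IN (SRV|TXT) rdata   -- only these two types are inspected; TTL is optional
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+(?P<type>SRV|TXT)\s+(?P<rdata>.+)$")


def parse_zone(text):
    """Return (owner, type, rdata) tuples for SRV/TXT records; ';' comments are dropped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # simplification: a quoted ';' in TXT data would be cut
        m = RR_RE.match(line) if line else None
        if m:
            records.append((m.group("name"), m.group("type"), m.group("rdata").strip()))
    return records


def check_discovery(text, domain, realm):
    """List problems of the kind that broke discovery in the thread; an empty list means OK."""
    problems = []
    records = parse_zone(text)

    txt = [r for n, t, r in records if t == "TXT" and n == f"_kerberos.{domain}."]
    if not txt:
        problems.append("missing _kerberos TXT realm record")
    for rdata in txt:
        if not (len(rdata) >= 2 and rdata.startswith('"') and rdata.endswith('"')):
            problems.append(f"TXT realm not quoted: {rdata}")
        value = rdata.strip('"')
        if value.endswith("."):
            problems.append(f"TXT realm has a trailing dot: {rdata}")
        if value != value.upper():
            problems.append(f"TXT realm is not upper case: {rdata}")
        if value.rstrip(".") != realm:
            problems.append(f"TXT realm {value!r} does not match the IPA realm {realm!r}")

    srv = {n: r for n, t, r in records if t == "SRV"}
    for service in REQUIRED_SRV:
        owner = f"{service}.{domain}."
        if owner not in srv:
            problems.append(f"missing SRV record {owner}")
            continue
        fields = srv[owner].split()          # priority weight port target
        if len(fields) != 4 or not fields[3].endswith("."):
            problems.append(f"SRV {owner}: target must be a fully-qualified name ending in '.'")
    return problems


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_discovery(zone, "my.domain", "MY.DOMAIN") or "OK")
```

Run it over the fragment before handing it to the DNS team: the broken version reports four TXT problems, the fixed one reports none, and rewriting the SRV targets as bare hostnames (freeipa01 instead of freeipa01.my.domain.) is flagged once per required record.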
>[root at node5 ~]# su - hofozor >-sh-4.1$ su - sina >Password: >-sh-4.1$ >-sh-4.1$ pwd >/home/sina I think this is correct behavior for a /bin/sh. What is your user's shell? -- / Alexander Bokovoy From notify.sina at gmail.com Thu Jan 22 10:31:16 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Thu, 22 Jan 2015 10:31:16 +0000 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask References: <20150122091209.GR2859@hendrix.lan> <20150122092247.GT2859@hendrix.lan> <20150122102731.GT4383@redhat.com> Message-ID: Umm... /bin/sh? On Thu Jan 22 2015 at 11:27:36 AM Alexander Bokovoy wrote: > On Thu, 22 Jan 2015, Sina Owolabi wrote: > >Hi > >And thanks for the replies.. > >The default bash files are represented in the user's home: > >[root at node5 ~]# ls -la /home/sina/ > >total 24 > >drwx------. 2 sina sina 4096 Jan 22 09:24 . > >drwxr-xr-x. 8 root root 4096 Jan 22 09:23 .. > >-rw-------. 1 sina sina 5 Jan 22 09:24 .bash_history > >-rw-------. 1 sina sina 18 Jan 22 09:23 .bash_logout > >-rw-------. 1 sina sina 176 Jan 22 09:23 .bash_profile > >-rw-------. 1 sina sina 124 Jan 22 09:23 .bashrc > > > >And yes, it does ask for a password if I try to login as another > >non-priviledged user. > >[root at node5 ~]# su - hofozor > >-sh-4.1$ su - sina > >Password: > >-sh-4.1$ > >-sh-4.1$ pwd > >/home/sina > I think this is correct behavior for a /bin/sh. What is your user's > shell? > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From abokovoy at redhat.com Thu Jan 22 10:36:58 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 22 Jan 2015 12:36:58 +0200 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask In-Reply-To: References: <20150122091209.GR2859@hendrix.lan> <20150122092247.GT2859@hendrix.lan> <20150122102731.GT4383@redhat.com> Message-ID: <20150122103658.GU4383@redhat.com> On Thu, 22 Jan 2015, Sina Owolabi wrote: >Umm... /bin/sh? Yes, POSIX shell. So, what do you get as an output with $ getent passwd sina ? Bash emulates POSIX shell with a specific behavior (you can read bash manual page, chapter INVOCATION, starting with "If bash is invoked with the name sh, it tries to mimic the startup behavior of historical versions of sh as closely as possible". In such case bash doesn't read own profile files and sets PS1 to something close to \s-\v\$ which is what you get in your sessions below: >> >[root at node5 ~]# su - hofozor >> >-sh-4.1$ su - sina >> >Password: >> >-sh-4.1$ >> >-sh-4.1$ pwd >> >/home/sina -- / Alexander Bokovoy From notify.sina at gmail.com Thu Jan 22 10:43:12 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Thu, 22 Jan 2015 10:43:12 +0000 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask References: <20150122091209.GR2859@hendrix.lan> <20150122092247.GT2859@hendrix.lan> <20150122102731.GT4383@redhat.com> <20150122103658.GU4383@redhat.com> Message-ID: Sorry I was misunderstood. The umm.../bin/sh? Was me being sheepish after causing all the ruckus this morning. -sh-4.1$ getent passwd sina sina:*:392100000:392100000:Sina Owolabi:/home/sina:/bin/sh How do I change the default to /bin/bash? On Thu Jan 22 2015 at 11:37:03 AM Alexander Bokovoy wrote: > On Thu, 22 Jan 2015, Sina Owolabi wrote: > >Umm... /bin/sh? > Yes, POSIX shell. So, what do you get as an output with > > $ getent passwd sina > > ? 
> > Bash emulates POSIX shell with a specific behavior (you can read bash > manual page, chapter INVOCATION, starting with "If bash is invoked with > the name sh, it tries to mimic the startup behavior of historical > versions of sh as closely as possible". In such case bash doesn't read > own profile files and sets PS1 to something close to \s-\v\$ which is > what you get in your sessions below: > > >> >[root at node5 ~]# su - hofozor > >> >-sh-4.1$ su - sina > >> >Password: > >> >-sh-4.1$ > >> >-sh-4.1$ pwd > >> >/home/sina > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Thu Jan 22 11:12:30 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 22 Jan 2015 13:12:30 +0200 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask In-Reply-To: References: <20150122091209.GR2859@hendrix.lan> <20150122092247.GT2859@hendrix.lan> <20150122102731.GT4383@redhat.com> <20150122103658.GU4383@redhat.com> Message-ID: <20150122111230.GV4383@redhat.com> On Thu, 22 Jan 2015, Sina Owolabi wrote: >Sorry I was misunderstood. The umm.../bin/sh? Was me being sheepish after >causing all the ruckus this morning. >-sh-4.1$ getent passwd sina >sina:*:392100000:392100000:Sina Owolabi:/home/sina:/bin/sh > >How do I change the default to /bin/bash? If it is an IPA user, do the following: $ kinit sina $ ipa user-mod sina --shell=/bin/bash The default is to have the shell set to /bin/sh because bash isn't available on all platforms by default and OpenSSH will refuse to log in a user whose shell does not exist. /bin/sh is guaranteed to exist in all POSIX-compatible environments. You can change the defaults via $ kinit admin $ ipa config-mod --defaultshell=/bin/bash The defaults will only apply to users that are created after the change.
> >On Thu Jan 22 2015 at 11:37:03 AM Alexander Bokovoy >wrote: > >> On Thu, 22 Jan 2015, Sina Owolabi wrote: >> >Umm... /bin/sh? >> Yes, POSIX shell. So, what do you get as an output with >> >> $ getent passwd sina >> >> ? >> >> Bash emulates POSIX shell with a specific behavior (you can read bash >> manual page, chapter INVOCATION, starting with "If bash is invoked with >> the name sh, it tries to mimic the startup behavior of historical >> versions of sh as closely as possible". In such case bash doesn't read >> own profile files and sets PS1 to something close to \s-\v\$ which is >> what you get in your sessions below: >> >> >> >[root at node5 ~]# su - hofozor >> >> >-sh-4.1$ su - sina >> >> >Password: >> >> >-sh-4.1$ >> >> >-sh-4.1$ pwd >> >> >/home/sina >> >> -- >> / Alexander Bokovoy >> -- / Alexander Bokovoy From notify.sina at gmail.com Thu Jan 22 11:18:39 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Thu, 22 Jan 2015 11:18:39 +0000 Subject: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask References: <20150122091209.GR2859@hendrix.lan> <20150122092247.GT2859@hendrix.lan> <20150122102731.GT4383@redhat.com> <20150122103658.GU4383@redhat.com> <20150122111230.GV4383@redhat.com> Message-ID: Thank you! Everything is bash-ful again. On Thu Jan 22 2015 at 12:12:35 PM Alexander Bokovoy wrote: > On Thu, 22 Jan 2015, Sina Owolabi wrote: > >Sorry I was misunderstood. The umm.../bin/sh? Was me being sheepish after > >causing all the ruckus this morning. > >-sh-4.1$ getent passwd sina > >sina:*:392100000:392100000:Sina Owolabi:/home/sina:/bin/sh > > > >How do I change the default to /bin/bash? > If it is IPA user, do following: > > $ kinit sina > $ ipa user-mod sina --shell=/bin/bash > > The default is to have the shell set to /bin/sh because bash isn't > available on all platforms by default and OpenSSH will refuse to log in > a user which uses non-existing shell. 
/bin/sh is guaranteed to exist in > all POSIX-compatible environments. > > You can change defaults via > > $ kinit admin > $ ipa config-mod --defaultshell=/bin/bash > > The defaults will only apply to users that will be created after the > change. > > > > >On Thu Jan 22 2015 at 11:37:03 AM Alexander Bokovoy > >wrote: > > > >> On Thu, 22 Jan 2015, Sina Owolabi wrote: > >> >Umm... /bin/sh? > >> Yes, POSIX shell. So, what do you get as an output with > >> > >> $ getent passwd sina > >> > >> ? > >> > >> Bash emulates POSIX shell with a specific behavior (you can read bash > >> manual page, chapter INVOCATION, starting with "If bash is invoked with > >> the name sh, it tries to mimic the startup behavior of historical > >> versions of sh as closely as possible". In such case bash doesn't read > >> own profile files and sets PS1 to something close to \s-\v\$ which is > >> what you get in your sessions below: > >> > >> >> >[root at node5 ~]# su - hofozor > >> >> >-sh-4.1$ su - sina > >> >> >Password: > >> >> >-sh-4.1$ > >> >> >-sh-4.1$ pwd > >> >> >/home/sina > >> > >> -- > >> / Alexander Bokovoy > >> > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From firemanxbr at fedoraproject.org Thu Jan 22 12:13:26 2015 From: firemanxbr at fedoraproject.org (Marcelo Barbosa) Date: Thu, 22 Jan 2015 10:13:26 -0200 Subject: [Freeipa-users] My simple examples for FreeIPA API using python Message-ID: Guys, I am sharing my github repository with an example of use of FreeIPA via API, suggestions and tips are welcome: https://github.com/firemanxbr/freeipa-tools Cheers, firemanxbr -------------- next part -------------- An HTML attachment was scrubbed... 
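The -sh-4.1$ thread above ends with two commands (ipa user-mod --shell for one user, ipa config-mod --defaultshell for new ones) and the point that a login shell which is not installed on the client locks the account out of SSH. Here is an added example, not FreeIPA or SSSD code, that audits passwd-format lines such as getent passwd prints: it flags accounts whose shell is /bin/sh (on RHEL that is bash in POSIX mode, hence the \s-\v\$ prompt and no ~/.bashrc), accounts whose shell is not installed at all, and emits the ipa user-mod commands that would fix them. The sample entries and the set of installed shells are constructed; on a real host read /etc/shells or probe the binaries with os.access(), as the last helper does.

```python
"""Audit login shells from passwd(5)-format lines (added example, not FreeIPA code)."""
import os

# Constructed getent-style entries; the first mirrors the thread, the rest are made up.
SAMPLE_PASSWD = """\
sina:*:392100000:392100000:Sina Owolabi:/home/sina:/bin/sh
hofozor:*:392100001:392100001:Test User:/home/hofozor:/bin/bash
svc-deploy:*:392100002:392100002:Deploy Service:/srv/deploy:/usr/bin/zsh
svc-backup:*:392100003:392100003:Backup Service:/srv/backup:/sbin/nologin
"""

# Shells assumed to be installed on the client hosts (constructed for the example).
INSTALLED_SHELLS = {"/bin/sh", "/bin/bash", "/sbin/nologin"}

# Shells that exist on purpose to deny interactive login; not a misconfiguration.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (name, shell) from passwd(5)-format lines; reject malformed ones."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        yield fields[0], fields[6]


def classify(shell, installed=INSTALLED_SHELLS):
    """nologin: deliberate; missing: exec fails so sshd refuses the login;
    posix: bash started as sh (own rc files skipped, \\s-\\v\\$ prompt); ok: anything else."""
    if shell in NOLOGIN_SHELLS:
        return "nologin"
    if shell not in installed:
        return "missing"
    if shell == "/bin/sh":
        return "posix"
    return "ok"


def audit(text, installed=INSTALLED_SHELLS):
    """Map account name -> status for every entry in the text."""
    return {name: classify(shell, installed) for name, shell in parse_passwd(text)}


def fix_commands(text, wanted="/bin/bash", installed=INSTALLED_SHELLS):
    """ipa user-mod commands for the accounts that should get an interactive bash."""
    return [f"ipa user-mod {name} --shell={wanted}"
            for name, status in audit(text, installed).items()
            if status in ("posix", "missing")]


def installed_shells_from_host(path="/etc/shells"):
    """Real-host replacement for INSTALLED_SHELLS: /etc/shells entries whose binary is executable."""
    with open(path) as fh:
        return {entry.strip() for entry in fh
                if entry.strip() and not entry.startswith("#")
                and os.access(entry.strip(), os.X_OK)}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_PASSWD).items():
        print(f"{name:12} {status}")
    print("\n".join(fix_commands(SAMPLE_PASSWD)))
```

Pipe real data in with getent passwd and replace INSTALLED_SHELLS with installed_shells_from_host() on the client being audited; accounts reported as missing are the ones whose owners will get a refused SSH login rather than an odd prompt.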
URL: From pspacek at redhat.com Thu Jan 22 13:55:52 2015 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 22 Jan 2015 14:55:52 +0100 Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS In-Reply-To: References: Message-ID: <54C10168.3000602@redhat.com> On 22.1.2015 10:44, rob.harper at stfc.ac.uk wrote: > Hi, > > Many thanks to everyone who offered advice on this. My problem appears to be fixed. > > My solution was to change the TXT record defining the Kerberos realm to ensure the realm name was in upper case, in quotes, and did not have a trailing period: > _kerberos.my.domain. IN TXT "GRIDPP.RL.AC.UK" > > I'm not sure which of these changes was the critical one (maybe all!), but the upshot is that I can now enrol clients using service discovery. BTW new version of ipa-client-install will give you more specific error message if DNS realm and LDAP realm does not match. Petr^2 Spacek >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- >> bounces at redhat.com] On Behalf Of rob.harper at stfc.ac.uk >> Sent: 19 January 2015 15:54 >> To: freeipa-users at redhat.com >> Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on >> externally managed DNS >> >> Hi all, >> >> I have successfully set up a test FreeIPA server and run it for a while, but the >> time has come to move towards a production service. I am currently running >> ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't know it, >> Scientific Linux is basically a rebuild of RedHat, much like CentOS). Yes, I >> know this is an older FreeIPA, but I am going through the path of least >> resistance given our site's current standard configuration. >> >> On our site there is a central DNS service and it is unlikely we will be allowed >> to run our own DNS service (other than as a slave/cacheing NS). 
>> >> I have been trying to set up SRV records for the FreeIPA server by providing >> the autogenerated zone file to our DNS manager, who has incorporated the >> configuration. When we deployed these changes, I used dig to confirm that >> SRV queries were giving appropriate responses, which they appear to be. >> >> I then tried setting up a client using ipa-client-install and got an error: >> >> Failed to verify that freeipa01. is an IPA Server. >> This may mean that the remote server is not up or is not reachable due to >> network or firewall settings. >> >> The install worked on a client before deploying the SRV records, using >> manual specification of the server. I disabled iptables on the server to >> eliminate potential problems there, and got the same result. If we disable >> the SRV records, I am able to do the manual set-up again. >> >> So it looks like the problem is at the DNS end of things, so maybe our zone >> configuration is missing something. >> >> The zone config we currently have in place is as follows (we changed >> hostnames in the sample file to fqdns for this attempt, but the same >> symptoms came from bare hostnames)... >> >> ; ldap servers >> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain. >> ; >> ; kerberos realm >> _kerberos.my.domain. IN TXT my.domain. >> ; >> ; kerberos servers >> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. >> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. >> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. >> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. >> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. >> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. >> ; >> ; ntp server >> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain. >> >> >> ...So that is where I am. 
I was hoping that someone could give me a pointer >> or two as to how I might debug this problem and actually get service >> discovery working. >> >> Many thanks for reading this far! >> >> Rob From baptiste.agasse at lyra-network.com Thu Jan 22 15:37:47 2015 From: baptiste.agasse at lyra-network.com (Baptiste Agasse) Date: Thu, 22 Jan 2015 16:37:47 +0100 (CET) Subject: [Freeipa-users] RFEs In-Reply-To: <968846.780998.1421936940052.JavaMail.zimbra@lyra-network.com> Message-ID: <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com> Hi, I'm a FreeIPA user for years now and I'm happy with this tool, but I've some 'little' RFEs to suggest to enhance automation and usability: 1) Cross FreeIPA domain trust. Example use case: As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to connect to some hosts in BAR.EXAMPLE.COM FreeIPA. 2) PKI subordinate CA support. Example use case: In the Example.com company, we use certificate authentication for cross-service authentication or user authentication. I want, for example, to allow only a group of source services (or users) to connect to a target service. On the target service, I filter client certificates by providing the subordinate CA as the trusted CA. 3) "autoservice rules": the ability to create rules to automatically create services on the hosts that match the rule, like automember rules for host groups. Example use cases: * When you create a bunch of 'clone' servers that use kerberos for authentication, like kerberized webservers, you don't have to add each to the 'webserversX' group because you can have an automember rule that automatically adds them to the good hostgroup, but you must manually add the 'http' service on each. These "autoservice rules" will be nice to make some HBAC rules work out of the box.
For example the HBAC rule that said "Some user(s)/usergroup(s) are allowed to connect to 'webserversX' hostgroup members on 'http' service" * Puppet/Foreman integration: Use the FreeIPA pki with autosign functionality for puppet agents. When you create an host via foreman proxy, it will create the host in FreeIPA but if you want to use the FreeIPA PKI for puppet, you must manually add puppet service on your host, and then get the certificate. Any comments ? Have a nice day. Regards. Baptiste. From bram.vandoren at ster.kuleuven.be Thu Jan 22 18:26:46 2015 From: bram.vandoren at ster.kuleuven.be (Bram Vandoren) Date: Thu, 22 Jan 2015 19:26:46 +0100 Subject: [Freeipa-users] invalid cn=CACert,cn=ipa,cn=etc entry In-Reply-To: <54B66BAB.9050308@redhat.com> References: <54B53F7B.80006@ster.kuleuven.be> <54B66BAB.9050308@redhat.com> Message-ID: <54C140E6.4010903@ster.kuleuven.be> Hi Martin, On 01/14/2015 02:14 PM, Martin Kosek wrote: > Good investigation! You already found the root cause. You are most possibly > hitting https://bugzilla.redhat.com/show_bug.cgi?id=948928 that is fixed in > ipa-3.0.0-30.el6 or later. this was indeed the problem. I converted the certificate back to binary and everything works fine now. Thanks! Bram From simo at redhat.com Thu Jan 22 21:06:30 2015 From: simo at redhat.com (Simo Sorce) Date: Thu, 22 Jan 2015 16:06:30 -0500 Subject: [Freeipa-users] RFEs In-Reply-To: <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com> References: <968846.780998.1421936940052.JavaMail.zimbra@lyra-network.com> <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com> Message-ID: <20150122160630.64401f1b@willson.usersys.redhat.com> On Thu, 22 Jan 2015 16:37:47 +0100 (CET) Baptiste Agasse wrote: > Hi, Hi Baptiste, thank you for the ideas. I'll address each inline. > I'm a FreeIPA user for years now and i'm happy with this tool, but > I've some 'little' RFEs to suggest to enhance automation and > usability: > > 1) Cross FreeIPA domain trust. 
> Example use case: > As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want > to connect to some hosts in BAR.EXAMPLE.COM FreeIPA. This is something we are planning to do, but it will take some time. > 2) PKI subordinate CA support. > Example use case: > In the Example.com company, we use certificate authentication for > cross services authentication or user authentication. I want, for > example to allow only a group of source services (or users) to > connect to a target service. On the target service, i filter client > certificates by providing the subordinate CA as the trusted CA. I think this is what you are asking: http://www.freeipa.org/page/V4/Security_domains Does it meet your expectations ? > 3) "autoservice rules", Ability to create rules to automatically > create services on the host that match the rule, like automember > rules for host groups. Example use cases: > * When you create a bunch of 'clone' servers that use kerberos for > authentication like kerberized webservers, you don't have to add each > to 'webserversX' group because you can have an automember rule that > automaticaly add them to the good hostgroup, but you must manually > add 'http' service on each. This "autoservice rules" will be nice to > make some HBAC rules work out of the box. For example the HBAC rule > that said "Some user(s)/usergroup(s) are allowed to connect to > 'webserversX' hostgroup members on 'http' service" > * Puppet/Foreman integration: Use the FreeIPA pki with autosign > functionality for puppet agents. When you create an host via foreman > proxy, it will create the host in FreeIPA but if you want to use the > FreeIPA PKI for puppet, you must manually add puppet service on your > host, and then get the certificate. This is something that has come up once before but I do not think we have a ticket, it would be nice if you could open a RFE ticket with this text. > Any comments ? Good ideas, Thank you. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Jan 22 21:21:01 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 Jan 2015 16:21:01 -0500 Subject: [Freeipa-users] RFEs In-Reply-To: <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com> References: <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com> Message-ID: <54C169BD.2030004@redhat.com> Baptiste Agasse wrote: > Hi, > > I'm a FreeIPA user for years now and i'm happy with this tool, but I've some 'little' RFEs to suggest to enhance automation and usability: > > 1) Cross FreeIPA domain trust. > Example use case: > As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want to connect to some hosts in BAR.EXAMPLE.COM FreeIPA. This is on the radar though I couldn't find an open ticket on it. It isn't something for the very near-term though AFAIK. At least part of this is captured in https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA -> Kerberos trusts today. > 2) PKI subordinate CA support. > Example use case: > In the Example.com company, we use certificate authentication for cross services authentication or user authentication. I want, for example to allow only a group of source services (or users) to connect to a target service. On the target service, i filter client certificates by providing the subordinate CA as the trusted CA. A developer is looking into something like this on the dogtag side, http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs > 3) "autoservice rules", Ability to create rules to automatically create services on the host that match the rule, like automember rules for host groups. Example use cases: > * When you create a bunch of 'clone' servers that use kerberos for authentication like kerberized webservers, you don't have to add each to 'webserversX' group because you can have an automember rule that automaticaly add them to the good hostgroup, but you must manually add 'http' service on each. 
This "autoservice rules" will be nice to make some HBAC rules work out of the box. For example the HBAC rule that said "Some user(s)/usergroup(s) are allowed to connect to 'webserversX' hostgroup members on 'http' service" > * Puppet/Foreman integration: Use the FreeIPA pki with autosign functionality for puppet agents. When you create an host via foreman proxy, it will create the host in FreeIPA but if you want to use the FreeIPA PKI for puppet, you must manually add puppet service on your host, and then get the certificate. An interesting idea. I filed https://fedorahosted.org/freeipa/ticket/4862 to track it. > Any comments ? Thanks for the suggestions! rob > > Have a nice day. > > Regards. > > Baptiste. > From Steven.Jones at vuw.ac.nz Thu Jan 22 22:46:09 2015 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 22 Jan 2015 22:46:09 +0000 Subject: [Freeipa-users] RFEs In-Reply-To: <54C169BD.2030004@redhat.com> References: <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com>, <54C169BD.2030004@redhat.com> Message-ID: <1421966736496.30383@vuw.ac.nz> Hi, "> As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want to connect to some hosts in BAR.EXAMPLE.COM FreeIPA. This is on the radar though I couldn't find an open ticket on it. It isn't something for the very near-term though AFAIK." I will open a ticket via support as it is being asked for with us as well. Also multiple trusts is possible? ie other IPA domains and AD at the same time? 
regards Steven From ftweedal at redhat.com Fri Jan 23 02:23:00 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 23 Jan 2015 12:23:00 +1000 Subject: [Freeipa-users] RFEs In-Reply-To: <54C169BD.2030004@redhat.com> References: <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com> <54C169BD.2030004@redhat.com> Message-ID: <20150123022300.GR5536@dhcp-40-8.bne.redhat.com> On Thu, Jan 22, 2015 at 04:21:01PM -0500, Rob Crittenden wrote: > Baptiste Agasse wrote: > > Hi, > > > > I'm a FreeIPA user for years now and i'm happy with this tool, but I've some 'little' RFEs to suggest to enhance automation and usability: > > > > 1) Cross FreeIPA domain trust. > > Example use case: > > As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want to connect to some hosts in BAR.EXAMPLE.COM FreeIPA. > > This is on the radar though I couldn't find an open ticket on it. It > isn't something for the very near-term though AFAIK. > > At least part of this is captured in > https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA -> > Kerberos trusts today. > > > 2) PKI subordinate CA support. > > Example use case: > > In the Example.com company, we use certificate authentication for cross services authentication or user authentication. I want, for example to allow only a group of source services (or users) to connect to a target service. On the target service, i filter client certificates by providing the subordinate CA as the trusted CA. > > A developer is looking into something like this on the dogtag side, > http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs > This work in Dogtag is the groundwork to have this capability in FreeIPA. The design document for the FreeIPA sub-CA support (a work in progress) is http://www.freeipa.org/page/V4/Security_domains. Cheers, Fraser > > 3) "autoservice rules", Ability to create rules to automatically create services on the host that match the rule, like automember rules for host groups. 
Example use cases: > > * When you create a bunch of 'clone' servers that use kerberos for authentication like kerberized webservers, you don't have to add each to 'webserversX' group because you can have an automember rule that automaticaly add them to the good hostgroup, but you must manually add 'http' service on each. This "autoservice rules" will be nice to make some HBAC rules work out of the box. For example the HBAC rule that said "Some user(s)/usergroup(s) are allowed to connect to 'webserversX' hostgroup members on 'http' service" > > * Puppet/Foreman integration: Use the FreeIPA pki with autosign functionality for puppet agents. When you create an host via foreman proxy, it will create the host in FreeIPA but if you want to use the FreeIPA PKI for puppet, you must manually add puppet service on your host, and then get the certificate. > > An interesting idea. I filed > https://fedorahosted.org/freeipa/ticket/4862 to track it. > > > Any comments ? > > Thanks for the suggestions! > > rob > > > > > Have a nice day. > > > > Regards. > > > > Baptiste. > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From dpal at redhat.com Fri Jan 23 15:13:09 2015 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 23 Jan 2015 10:13:09 -0500 Subject: [Freeipa-users] My simple examples for FreeIPA API using python In-Reply-To: References: Message-ID: <54C26505.9010907@redhat.com> On 01/22/2015 07:13 AM, Marcelo Barbosa wrote: > Guys, > > I am sharing my github repository with an example of use of FreeIPA > via API, suggestions and tips are welcome: > > https://github.com/firemanxbr/freeipa-tools > > Cheers, > > firemanxbr > > This looks like a good start. I would leave to real gurus to make an assessment but procedurally it would make sense to create a wiki page in freeipa.org with list of the examples available and pointers to them. 
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From baptiste.agasse at lyra-network.com Fri Jan 23 15:26:26 2015
From: baptiste.agasse at lyra-network.com (Baptiste Agasse)
Date: Fri, 23 Jan 2015 16:26:26 +0100 (CET)
Subject: [Freeipa-users] RFEs
In-Reply-To: <20150123022300.GR5536@dhcp-40-8.bne.redhat.com>
References: <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com> <54C169BD.2030004@redhat.com> <20150123022300.GR5536@dhcp-40-8.bne.redhat.com>
Message-ID: <1763705087.1037880.1422026786185.JavaMail.zimbra@lyra-network.com>

Hi,

> > > 1) Cross FreeIPA domain trust.
> > > Example use case:
> > > As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to
> > > connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
> >
> > This is on the radar though I couldn't find an open ticket on it. It
> > isn't something for the very near-term though AFAIK.
> >
> > At least part of this is captured in
> > https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA ->
> > Kerberos trusts today.

Thank you, I missed this one when I searched for issues related to these RFEs before sending a mail to the list.

> >
> > > 2) PKI subordinate CA support.
> > > Example use case:
> > > In the Example.com company, we use certificate authentication for cross
> > > services authentication or user authentication. I want, for example, to
> > > allow only a group of source services (or users) to connect to a target
> > > service. On the target service, I filter client certificates by
> > > providing the subordinate CA as the trusted CA.
> >
> > A developer is looking into something like this on the dogtag side,
> > http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
> >
> This work in Dogtag is the groundwork to have this capability in
> FreeIPA. The design document for the FreeIPA sub-CA support (a work
> in progress) is http://www.freeipa.org/page/V4/Security_domains.

Yes, this describes what we want to achieve: have a sub-CA per functionality/use case.

On this point, one comment. Hosts in FreeIPA can have an X.509 certificate for the host principal; you don't have to create any service on the host to request this certificate. If the security domains land in FreeIPA, it would be nice to have 'some' default security domains, like one that signs host certificates by default, and why not another that signs user certificates by default.

>
> Cheers,
> Fraser
>
> > > 3) "autoservice rules", Ability to create rules to automatically create
> > > services on the host that match the rule, like automember rules for host
> > > groups. Example use cases:
> > > * When you create a bunch of 'clone' servers that use kerberos for
> > > authentication like kerberized webservers, you don't have to add each
> > > to 'webserversX' group because you can have an automember rule that
> > > automatically adds them to the good hostgroup, but you must manually add
> > > 'http' service on each. This "autoservice rules" will be nice to make
> > > some HBAC rules work out of the box. For example the HBAC rule that
> > > said "Some user(s)/usergroup(s) are allowed to connect to
> > > 'webserversX' hostgroup members on 'http' service"
> > > * Puppet/Foreman integration: Use the FreeIPA pki with autosign
> > > functionality for puppet agents. When you create a host via foreman
> > > proxy, it will create the host in FreeIPA but if you want to use the
> > > FreeIPA PKI for puppet, you must manually add puppet service on your
> > > host, and then get the certificate.
> >
> > An interesting idea. I filed
> > https://fedorahosted.org/freeipa/ticket/4862 to track it.

Thank you, I didn't have a Fedora account but I created one to follow this.

Have a nice day.

Regards.

Baptiste.
From nagemnna at gmail.com Fri Jan 23 20:58:59 2015
From: nagemnna at gmail.com (Megan .)
Date: Fri, 23 Jan 2015 15:58:59 -0500
Subject: [Freeipa-users] Decrypt integrity check failed on client
Message-ID:

Good Day!

I installed a new IPA server (same name as the old one) on a new server. I added a single user for testing. I have a client that was previously a client on the old IPA server; I ran ipa-client-install --uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp, and rebooted. I then updated /etc/hosts to point to the new IPA server, and ran ipa-client-install --no-ntp. The install went fine. Now when I try to log in to the client using my new test user, it doesn't work. I get the errors below. I am able to log in to the new directory server with my new user, was prompted to change my password, and was able to log back in just fine.

Any help is appreciated. Thanks.

Client:
[root at test3-vm ~]# uname -a
Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root at test3-vm ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root at test3-vm ~]# rpm -qa | grep ipa-client
ipa-client-3.0.0-42.el6.centos.x86_64

Server:
[root at dir1 ~]# uname -a
Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root at dir1 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root at dir1 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64

From client:
[root at test3-vm sssd]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
   1 01/23/15 14:27:06 host/test3-vm.mydomain.com at MYDOMAIN.COM
[root at test3-vm sssd]

This works fine:

[root at test3-vm sssd]# kinit tester1
Password for tester1 at MYDOMAIN.COM:
[root at test3-vm sssd]#

[root at test3-vm sssd]# tail -200 krb5_child.log
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer] (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab: [/etc/krb5.keytab]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/test3-vm.mydomain.com at MYDOMAIN.COM]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error] (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data] (0x0200): Received error code 1432158218
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer] (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab: [/etc/krb5.keytab]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/test3-vm.mydomain.com at MYDOMAIN.COM]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [map_krb5_error] (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_send_data] (0x0200): Received error code 1432158218

[root at test3-vm sssd]# cat /etc/sssd/sssd.conf
# Do not edit Managed by Spacewalk
[domain/MYDOMAIN.COM]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = MYDOMAIN.COM
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = test3-vm.MYDOMAIN.COM
chpass_provider = ipa
ipa_server = _srv_, dir1.MYDOMAIN.COM
dns_discovery_domain = MYDOMAIN.COM

sudo_provider = ldap
ldap_uri = ldap://dir1.MYDOMAIN.COM
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test3-vm.MYDOMAIN.COM
ldap_sasl_realm = MYDOMAIN.COM
krb5_server = dir1.MYDOMAIN.COM
debug_level = 5

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
debug_level = 5

domains = MYDOMAIN.COM
[nss]

[pam]

[sudo]
debug_level = 5

[autofs]

[ssh]

[pac]

From sipazzo at yahoo.com Fri Jan 23 23:11:07 2015
From: sipazzo at yahoo.com (sipazzo)
Date: Fri, 23 Jan 2015 23:11:07 +0000 (UTC)
Subject: [Freeipa-users] freeipa managed sudoers on Solaris 10
In-Reply-To:
References:
Message-ID: <985116207.263886.1422054667815.JavaMail.yahoo@mail.yahoo.com>

Thank you all for your input. I am still unable to get this working but I am going to ask one of our Solaris admins to take a look at the config as I am no Solaris expert.
We do have sudo packages installed:
libintl-3.4.0-sol10-x86-local.pkg
libiconv-1.14-sol10-x86-local.pkg
libgcc-3.4.6-sol10-x86-local.pkg
sudo-1.8.5p2-sol10-x86-local.pkg

and I modified the ldapclient init to include:
NS_LDAP_SERVICE_SEARCH_DESC=sudoers:cn=sysaccounts,cn=etc,dc=example,dc=com

And added this line to nsswitch.conf:
sudoers: files ldap

I set the NIS domainname as suggested here: http://www.freeipa.org/page/ConfiguringUnixClients#Client_Configuration_Files
- echo "example.com" > /etc/defaultdomain
- domainname `cat /etc/defaultdomain`

/etc/ldap.conf does not exist so I tried adding that as well following this: http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html

And when none of these worked I did follow Ajeet's instructions for using the opencsw packages but to no avail. I saw several posts about changing pam.conf but any time I followed those suggestions freeipa shell logins did not work. I do understand we are on an old version of IPA but can't change all our servers to run rhel7 at this time.

On Monday, January 19, 2015 11:42 AM, "freeipa-users-request at redhat.com" wrote:

Today's Topics:

  1. Re: Having trouble running FreeIPA with SRV records on externally managed DNS (Petr Spacek)
  2. freeipa managed sudoers on Solaris 10 (sipazzo)
  3. Re: freeipa managed sudoers on Solaris 10 (Dmitri Pal)
  4. Re: freeipa managed sudoers on Solaris 10 (Murty, Ajeet (US - Arlington))

----------------------------------------------------------------------

Message: 1
Date: Mon, 19 Jan 2015 18:04:25 +0100
From: Petr Spacek
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
Message-ID: <54BD3919.4070008 at redhat.com>
Content-Type: text/plain; charset=windows-1252

On 19.1.2015 16:54, rob.harper at stfc.ac.uk wrote:
> Hi all,
>
> I have successfully set up a test FreeIPA server and run it for a while, but the time has come to move towards a production service. I am currently running ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't know it, Scientific Linux is basically a rebuild of RedHat, much like CentOS). Yes, I know this is an older FreeIPA, but I am going through the path of least resistance given our site's current standard configuration.
>
> On our site there is a central DNS service and it is unlikely we will be allowed to run our own DNS service (other than as a slave/caching NS).
>
> I have been trying to set up SRV records for the FreeIPA server by providing the autogenerated zone file to our DNS manager, who has incorporated the configuration. When we deployed these changes, I used dig to confirm that SRV queries were giving appropriate responses, which they appear to be.
>
> I then tried setting up a client using ipa-client-install and got an error:
>
> Failed to verify that freeipa01. is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to network or firewall settings.
>
> The install worked on a client before deploying the SRV records, using manual specification of the server. I disabled iptables on the server to eliminate potential problems there, and got the same result. If we disable the SRV records, I am able to do the manual set-up again.
>
> So it looks like the problem is at the DNS end of things, so maybe our zone configuration is missing something.
>
> The zone config we currently have in place is as follows (we changed hostnames in the sample file to fqdns for this attempt, but the same symptoms came from bare hostnames)...
>
> ; ldap servers
> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> ;
> ; kerberos realm
> _kerberos.my.domain. IN TXT my.domain.
> ;
> ; kerberos servers
> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> ;
> ; ntp server
> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
>
>
> ...So that is where I am. I was hoping that someone could give me a pointer or two as to how I might debug this problem and actually get service discovery working.
>
> Many thanks for reading this far!

Interesting. Please provide us with information listed on
http://www.freeipa.org/page/Troubleshooting#Client_Installation

Additionally, non-obfuscated output from dig could help too.

Also, please keep in mind that:
1) Log obfuscation will make debugging harder for us.
2) Obfuscating DNS names does not bring any real security. Did you read your e-mail headers? DNS domain EXCHMBX01.fed.cclrc.ac.uk is in there ...

Have a nice day!

--
Petr^2 Spacek

------------------------------

Message: 2
Date: Mon, 19 Jan 2015 18:50:11 +0000 (UTC)
From: sipazzo
To: "freeipa-users at redhat.com"
Subject: [Freeipa-users] freeipa managed sudoers on Solaris 10
Message-ID: <759625883.2039340.1421693411249.JavaMail.yahoo at jws100202.mail.ne1.yahoo.com>
Content-Type: text/plain; charset="utf-8"

I am having trouble finding relevant documentation on using freeipa to manage sudoers for a Solaris client. Has anyone successfully set this up without adding a bunch of non-standard packages? I am running freeipa 3.0.0-42 and any help is appreciated.

------------------------------

Message: 3
Date: Mon, 19 Jan 2015 14:01:53 -0500
From: Dmitri Pal
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] freeipa managed sudoers on Solaris 10
Message-ID: <54BD54A1.3040808 at redhat.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

On 01/19/2015 01:50 PM, sipazzo wrote:
> I am having trouble finding relevant documentation on using freeipa to
> manage sudoers for a Solaris client. Has anyone successfully set this
> up without adding a bunch of non-standard packages? I am running
> freeipa 3.0.0-42 and any help is appreciated.
>
>

AFAIR Solaris does not carry sudo packages so if you plan to use sudo you would need to get packages from upstream. Other than that it is not different from using SUDO from a Linux client that does not have SSSD.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

------------------------------

Message: 4
Date: Mon, 19 Jan 2015 19:24:56 +0000
From: "Murty, Ajeet (US - Arlington)"
To: "dpal at redhat.com", "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] freeipa managed sudoers on Solaris 10
Message-ID:
Content-Type: text/plain; charset="us-ascii"

We had to use OpenCSW packages.

run this on cmd-line -
      pkgadd -d http://get.opencsw.org/now
      /opt/csw/bin/pkgutil -y -i CSWbdb4 CSWcommon CSWlibnet CSWosslutils CSWsasl CSWsudo-common CSWsudoldap cswpki gcc4core gcc4g++ gmake libssl_dev openldap_client openldap_dev

optional one pkg at a time install -
      /opt/csw/bin/pkgutil -y -i CSWbdb4
      /opt/csw/bin/pkgutil -y -i CSWcommon
      /opt/csw/bin/pkgutil -y -i CSWlibnet
      /opt/csw/bin/pkgutil -y -i CSWosslutils
      /opt/csw/bin/pkgutil -y -i CSWsasl
      /opt/csw/bin/pkgutil -y -i CSWsudo-common
      /opt/csw/bin/pkgutil -y -i CSWsudoldap
      /opt/csw/bin/pkgutil -y -i cswpki

Ajeet Murty
Deloitte & Touche LLP
Tel: +1 571 882 5614 | Mobile: +1 704 421 8756
amurty at deloitte.com | www.deloitte.com

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, January 19, 2015 2:02 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] freeipa managed sudoers on Solaris 10

On 01/19/2015 01:50 PM, sipazzo wrote:
I am having trouble finding relevant documentation on using freeipa to manage sudoers for a Solaris client. Has anyone successfully set this up without adding a bunch of non-standard packages? I am running freeipa 3.0.0-42 and any help is appreciated.

AFAIR Solaris does not carry sudo packages so if you plan to use sudo you would need to get packages from upstream. Other than that it is not different from using SUDO from a Linux client that does not have SSSD.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

------------------------------

End of Freeipa-users Digest, Vol 78, Issue 74
*********************************************
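For the keytab listing in Megan's "Decrypt integrity check failed" report above, an added example (not code from the FreeIPA project or from any poster in this thread): it parses `klist -kt` output, flags entries left over at an older KVNO than the newest one for that principal, and plans the `ktutil` commands that drop them into a fresh keytab file. Both listings in the block are constructed sample input; the second one, with the extra KVNO 1 entries, is invented to show the stale-key case, and the assumption that `klist -kt` and `ktutil list` number entries in the same file order is marked in the code.

```python
"""Check a Kerberos keytab listing for stale keys left over from a re-enrolment.

Added example for the "Decrypt integrity check failed" thread; not FreeIPA
project code. Parses `klist -kt` text and plans ktutil commands that remove
every entry whose KVNO is older than the newest KVNO for that principal.
"""
import re
import subprocess
from collections import defaultdict

# One entry line of `klist -kt` (or `klist -kte`, which appends "(enctype)"):
#    1 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<princ>\S+)"
    r"(?:\s+\((?P<etype>[^)]+)\))?\s*$"
)

# Constructed sample mirroring the listing quoted in the report (all KVNO 1).
PAGE_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM
   1 01/23/15 14:27:06 host/test3-vm.mydomain.com@MYDOMAIN.COM
"""

# Constructed (invented) sample: the old server's KVNO 1 keys survived next to
# the KVNO 2 keys written by the new enrolment.
STALE_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/02/14 09:10:11 host/test3-vm.mydomain.com@MYDOMAIN.COM
   1 11/02/14 09:10:11 host/test3-vm.mydomain.com@MYDOMAIN.COM
   2 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM
   2 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM
"""


def parse_klist(text):
    """Return keytab entries as dicts in file order. "slot" is the 1-based
    position; it is ASSUMED to match the number `ktutil list` shows."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"slot": len(entries) + 1,
                            "kvno": int(m.group("kvno")),
                            "principal": m.group("princ"),
                            "enctype": m.group("etype")})
    return entries


def stale_entries(entries):
    """Entries whose KVNO is lower than the newest KVNO for their principal.

    Several entries at the SAME KVNO are normal (one per encryption type, shown
    by `klist -kte`). Entries at an OLDER KVNO come from a previous enrolment;
    the KDC no longer knows those keys, and validating a TGT against one of
    them fails with "Decrypt integrity check failed".
    """
    newest = defaultdict(int)
    for e in entries:
        newest[e["principal"]] = max(newest[e["principal"]], e["kvno"])
    return [e for e in entries if e["kvno"] < newest[e["principal"]]]


def ktutil_plan(entries, keytab="/etc/krb5.keytab", out="/etc/krb5.keytab.new"):
    """ktutil command script that removes the stale entries.

    Slots are deleted highest-first because ktutil renumbers the remaining
    entries after each `delent`. The result goes to a NEW file: `wkt` appends
    to an existing keytab, so the original is never rewritten in place here.
    """
    stale = stale_entries(entries)
    if not stale:
        return []
    cmds = ["rkt %s" % keytab]
    cmds += ["delent %d" % e["slot"]
             for e in sorted(stale, key=lambda e: -e["slot"])]
    cmds += ["wkt %s" % out, "quit"]
    return cmds


def check_keytab(keytab="/etc/krb5.keytab"):
    """Inspect a real keytab (needs read access, normally root)."""
    text = subprocess.check_output(["klist", "-kt", keytab]).decode()
    entries = parse_klist(text)
    return entries, ktutil_plan(entries, keytab)


if __name__ == "__main__":
    for name, sample in (("page listing", PAGE_SAMPLE),
                         ("stale listing", STALE_SAMPLE)):
        entries = parse_klist(sample)
        print("%s: %d entries, %d stale" %
              (name, len(entries), len(stale_entries(entries))))
        for cmd in ktutil_plan(entries):
            print("  ktutil> " + cmd)
```

Run the printed commands inside `ktutil`, check the new file with `klist -kte`, and only then swap it in for /etc/krb5.keytab.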
From dpal at redhat.com Fri Jan 23 23:40:00 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 23 Jan 2015 18:40:00 -0500
Subject: [Freeipa-users] Decrypt integrity check failed on client
In-Reply-To:
References:
Message-ID: <54C2DBD0.5020900@redhat.com>

On 01/23/2015 03:58 PM, Megan . wrote:
> Good Day!
>
> I installed a new IPA server (same name as the old one) on a new
> server. I added a single user for testing. I have a client that was
> previously a client on the old IPA server, I ran ipa-client-install
> --uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp,
> and rebooted. I then updated /etc/hosts to point to the new IPA
> server, and ran ipa-client-install --no-ntp. The install went fine.
> Now when I try to log in to the client using my new test user, it
> doesn't work. I get the errors below. I am able to log in to the new
> directory server with my new user, was prompted to change my password,
> and was able to log back in just fine.
>
> Any help is appreciated. Thanks.
> > Client: > [root at test3-vm ~]# uname -a > Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov > 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux > [root at test3-vm ~]# cat /etc/redhat-release > CentOS release 6.6 (Final) > [root at test3-vm ~]# rpm -qa | grep ipa-client > ipa-client-3.0.0-42.el6.centos.x86_64 > > Server: > [root at dir1 ~]# uname -a > Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 > 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux > [root at dir1 ~]# cat /etc/redhat-release > CentOS release 6.6 (Final) > [root at dir1 ~]# rpm -qa | grep ipa-server > ipa-server-selinux-3.0.0-42.el6.centos.x86_64 > ipa-server-3.0.0-42.el6.centos.x86_64 > > > > >From client: > [root at test3-vm sssd]# klist -kt /etc/krb5.keytab > Keytab name: FILE:/etc/krb5.keytab > KVNO Timestamp Principal > ---- ----------------- -------------------------------------------------------- > 1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM > 1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM > 1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM > 1 01/23/15 14:27:06 host/test3-vm.mydomain.com at MYDOMAIN.COM > [root at test3-vm sssd] > > > This works fine: > > [root at test3-vm sssd]# kinit tester1 > Password for tester1 at MYDOMAIN.COM: > [root at test3-vm sssd]# > > > [root at test3-vm sssd]# tail -200 krb5_child.log > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer] > (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise > principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM] > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer] > (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab: > [/etc/krb5.keytab] > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] > [set_lifetime_options] (0x0100): Cannot read > [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. 
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > environment. > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to > [true] > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast] > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to > [host/test3-vm.mydomain.com at MYDOMAIN.COM] > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] > [check_fast_ccache] (0x0200): FAST TGT is still valid. > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] > [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity > check failed] > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error] > (0x0020): 1043: [-1765328353][Decrypt integrity check failed] > (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data] > (0x0200): Received error code 1432158218 > (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer] > (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise > principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM] > (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer] > (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab: > [/etc/krb5.keytab] > (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] > [set_lifetime_options] (0x0100): Cannot read > [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. > (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > environment. 
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/test3-vm.mydomain.com at MYDOMAIN.COM]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
> [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
> [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
> check failed]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [map_krb5_error]
> (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_send_data]
> (0x0200): Received error code 1432158218
>
>
>
>
>
> [root at test3-vm sssd]# cat /etc/sssd/sssd.conf
> # Do not edit Managed by Spacewalk
> [domain/MYDOMAIN.COM]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = MYDOMAIN.COM
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = test3-vm.MYDOMAIN.COM
> chpass_provider = ipa
> ipa_server = _srv_, dir1.MYDOMAIN.COM
> dns_discovery_domain = MYDOMAIN.COM
>
> sudo_provider = ldap
> ldap_uri = ldap://dir1.MYDOMAIN.COM
> ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/test3-vm.MYDOMAIN.COM
> ldap_sasl_realm = MYDOMAIN.COM
> krb5_server = dir1.MYDOMAIN.COM
> debug_level = 5
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> debug_level = 5
>
> domains = MYDOMAIN.COM
> [nss]
>
> [pam]
>
> [sudo]
> debug_level = 5
>
> [autofs]
>
> [ssh]
>
> [pac]
>

It seems that you have several keys in the keytab for the same principal. AFAIR (vaguely) kinit and SSSD try keys in a different order, something like: one uses the last key in the list and another uses the first. There was even a ticket I think.

Try removing all the keys and leaving only one - the latest.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From nagemnna at gmail.com Sun Jan 25 00:11:34 2015
From: nagemnna at gmail.com (Megan .)
Date: Sat, 24 Jan 2015 19:11:34 -0500
Subject: [Freeipa-users] Decrypt integrity check failed on client
In-Reply-To: <54C2DBD0.5020900@redhat.com>
References: <54C2DBD0.5020900@redhat.com>
Message-ID:

Thank you, that worked.

On Fri, Jan 23, 2015 at 6:40 PM, Dmitri Pal wrote:
> On 01/23/2015 03:58 PM, Megan . wrote:
>>
>> Good Day!
>>
>> I installed a new IPA server (same name as the old one) on a new
>> server. I added a single user for testing. I have a client that was
>> previously a client on the old IPA server, I ran ipa-client-install
>> --uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp,
>> and rebooted. I then updated /etc/hosts to point to the new IPA
>> server, and ran ipa-client-install --no-ntp. The install went fine.
>> Now when I try to log in to the client using my new test user, it
>> doesn't work. I get the errors below. I am able to log in to the new
>> directory server with my new user, was prompted to change my password,
>> and was able to log back in just fine.
>>
>> Any help is appreciated. Thanks.
>> >> Client: >> [root at test3-vm ~]# uname -a >> Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov >> 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux >> [root at test3-vm ~]# cat /etc/redhat-release >> CentOS release 6.6 (Final) >> [root at test3-vm ~]# rpm -qa | grep ipa-client >> ipa-client-3.0.0-42.el6.centos.x86_64 >> >> Server: >> [root at dir1 ~]# uname -a >> Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 >> 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux >> [root at dir1 ~]# cat /etc/redhat-release >> CentOS release 6.6 (Final) >> [root at dir1 ~]# rpm -qa | grep ipa-server >> ipa-server-selinux-3.0.0-42.el6.centos.x86_64 >> ipa-server-3.0.0-42.el6.centos.x86_64 >> >> >> >> >From client: >> [root at test3-vm sssd]# klist -kt /etc/krb5.keytab >> Keytab name: FILE:/etc/krb5.keytab >> KVNO Timestamp Principal >> ---- ----------------- >> -------------------------------------------------------- >> 1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM >> 1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM >> 1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM >> 1 01/23/15 14:27:06 host/test3-vm.mydomain.com at MYDOMAIN.COM >> [root at test3-vm sssd] >> >> >> This works fine: >> >> [root at test3-vm sssd]# kinit tester1 >> Password for tester1 at MYDOMAIN.COM: >> [root at test3-vm sssd]# >> >> >> [root at test3-vm sssd]# tail -200 krb5_child.log >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer] >> (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise >> principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM] >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer] >> (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab: >> [/etc/krb5.keytab] >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] >> [set_lifetime_options] (0x0100): Cannot read >> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. 
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] >> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from >> environment. >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] >> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to >> [true] >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast] >> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to >> [host/test3-vm.mydomain.com at MYDOMAIN.COM] >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] >> [check_fast_ccache] (0x0200): FAST TGT is still valid. >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] >> [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity >> check failed] >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error] >> (0x0020): 1043: [-1765328353][Decrypt integrity check failed] >> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data] >> (0x0200): Received error code 1432158218 >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer] >> (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise >> principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM] >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer] >> (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab: >> [/etc/krb5.keytab] >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] >> [set_lifetime_options] (0x0100): Cannot read >> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] >> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from >> environment. 
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] >> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to >> [true] >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_setup_fast] >> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to >> [host/test3-vm.mydomain.com at MYDOMAIN.COM] >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] >> [check_fast_ccache] (0x0200): FAST TGT is still valid. >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] >> [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity >> check failed] >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [map_krb5_error] >> (0x0020): 1043: [-1765328353][Decrypt integrity check failed] >> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_send_data] >> (0x0200): Received error code 1432158218 >> >> >> >> >> >> [root at test3-vm sssd]# cat /etc/sssd/sssd.conf >> # Do not edit Managed by Spacewalk >> [domain/MYDOMAIN.COM] >> >> cache_credentials = True >> krb5_store_password_if_offline = True >> ipa_domain = MYDOMAIN.COM >> id_provider = ipa >> auth_provider = ipa >> access_provider = ipa >> ldap_tls_cacert = /etc/ipa/ca.crt >> ipa_hostname = test3-vm.MYDOMAIN.COM >> chpass_provider = ipa >> ipa_server = _srv_, dir1.MYDOMAIN.COM >> dns_discovery_domain = MYDOMAIN.COM >> >> sudo_provider = ldap >> ldap_uri = ldap://dir1.MYDOMAIN.COM >> ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com >> ldap_sasl_mech = GSSAPI >> ldap_sasl_authid = host/test3-vm.MYDOMAIN.COM >> ldap_sasl_realm = MYDOMAIN.COM >> krb5_server = dir1.MYDOMAIN.COM >> debug_level = 5 >> >> [sssd] >> services = nss, pam, ssh, sudo >> config_file_version = 2 >> debug_level = 5 >> >> domains = MYDOMAIN.COM >> [nss] >> >> [pam] >> >> [sudo] >> debug_level = 5 >> >> [autofs] >> >> [ssh] >> >> [pac] >> > > > I seems that you have several keys in the keytab for the same principal. 
> AFAIR (vaguely) kinit and SSSD try keys in different order, something like:
> one uses last key in the list and another uses first.
> There was even a ticket I think.
>
> Try removing all the keys and leaving only one - latest.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

From firemanxbr at fedoraproject.org Mon Jan 26 19:21:43 2015
From: firemanxbr at fedoraproject.org (Marcelo Barbosa)
Date: Mon, 26 Jan 2015 17:21:43 -0200
Subject: [Freeipa-users] My simple examples for FreeIPA API using python
In-Reply-To: <54C26505.9010907@redhat.com>
References: <54C26505.9010907@redhat.com>
Message-ID:

Thank you Dmitri, I am available to help if you have access to Wiki I could write a draft for developers, today only have this link on the API:

https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt

Cheers,

firemanxbr

On Fri, Jan 23, 2015 at 1:13 PM, Dmitri Pal wrote:
> On 01/22/2015 07:13 AM, Marcelo Barbosa wrote:
> > Guys,
> > I am sharing my github repository with an example of use of FreeIPA
> via API, suggestions and tips are welcome:
> > https://github.com/firemanxbr/freeipa-tools
> > Cheers,
> > firemanxbr
> >
> This looks like a good start.
> I would leave to real gurus to make an assessment but procedurally it
> would make sense to create a wiki page in freeipa.org with list of the
> examples available and pointers to them.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
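For the "Decrypt integrity check failed" thread above (four keytab entries for host/test3-vm at one kvno, kinit working, SSSD failing), an added example that is not code from the thread, SSSD or FreeIPA: it parses klist -kte output and krb5_child.log lines, names the krb5 error code, and flags keytab entries that repeat a principal/kvno/enctype or carry several kvnos. Both inputs are constructed samples; only the principal name, error code and log format are taken from the thread.

```python
"""Audit a FreeIPA client's keytab listing and krb5_child.log for the
failure in the thread. Added example, not code from the thread, SSSD or
FreeIPA. With validate [true], krb5_child decrypts a ticket for the host
principal using the key in /etc/krb5.keytab; a keytab key that no longer
matches the KDC's fails there with KRB5KRB_AP_ERR_BAD_INTEGRITY, while a
plain kinit, which validates nothing, still succeeds.
"""
import re
from collections import defaultdict

# MIT Kerberos error table base; the offsets are the protocol error codes.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERROR_NAMES = {
    KRB5_ERROR_TABLE_BASE + 31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    KRB5_ERROR_TABLE_BASE + 44: "KRB5KRB_AP_ERR_BADKEYVER",
    KRB5_ERROR_TABLE_BASE + 45: "KRB5KRB_AP_ERR_NOKEY",
}
# One `klist -kt` line: kvno, timestamp, principal and, with -e, the enctype.
KLIST_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+"
    r"(?P<princ>\S+)(?:\s+\((?P<etype>[^)]+)\))?\s*$")
# krb5_child logs failures as '...: [<code>][<message>]' at the line end.
LOG_ERROR = re.compile(r"\[(-?\d+)\]\[([^\]]+)\]\s*$")


def krb5_error_name(code):
    return KRB5_ERROR_NAMES.get(code, f"unknown krb5 error {code}")


def parse_klist(text):
    """(kvno, principal, enctype or None) for every key in a klist listing."""
    keys = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys.append((int(m["kvno"]), m["princ"], m["etype"]))
    return keys


def audit_keytab(keys):
    """Findings as strings; empty means nothing suspicious. Several entries
    per principal with one kvno and distinct enctypes are normal; the same
    (principal, kvno, enctype) twice, or several kvnos, is what enrolling on
    top of an old keytab leaves behind."""
    by_princ = defaultdict(list)
    for kvno, princ, etype in keys:
        by_princ[princ].append((kvno, etype))
    findings = []
    for princ, entries in by_princ.items():
        kvnos = sorted({k for k, _ in entries})
        if len(kvnos) > 1:
            findings.append(f"{princ}: kvnos {kvnos} present; only the newest "
                            "can match the KDC")
        counts = defaultdict(int)
        for k, e in entries:
            counts[(k, e)] += 1
        for (k, e), n in counts.items():
            if n > 1 and e is None:
                findings.append(f"{princ}: kvno {k} listed {n} times; rerun "
                                "klist -kte to tell enctypes apart from stale keys")
            elif n > 1:
                findings.append(f"{princ}: kvno {k} {e} listed {n} times; the "
                                "entries may hold different key material")
    return findings


def krb5_codes_in_log(text):
    """Each krb5 error code seen in krb5_child.log, mapped to (name, message)."""
    seen = {}
    for line in text.splitlines():
        m = LOG_ERROR.search(line)
        if m:
            seen[int(m.group(1))] = m.group(2)
    return {code: (krb5_error_name(code), msg) for code, msg in seen.items()}


# Constructed `klist -kte` sample: two keys from an earlier enrolment (Nov
# 2014) survive under the same kvno as the four written on 01/23/15.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/04/14 09:12:40 host/test3-vm.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   1 11/04/14 09:12:40 host/test3-vm.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com@MYDOMAIN.COM (des3-cbc-sha1)
   1 01/23/15 14:27:06 host/test3-vm.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
"""
# Constructed lines in the krb5_child.log format quoted in the thread.
SAMPLE_LOG = """\
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error] (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data] (0x0200): Received error code 1432158218
"""

if __name__ == "__main__":
    print(krb5_codes_in_log(SAMPLE_LOG))
    print(*audit_keytab(parse_klist(SAMPLE_KLIST)), sep="\n")
```

Several entries per principal at one kvno are normal when they are different enctypes, which is why -e matters: the thread's klist -kt listing cannot tell that case from leftover keys.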
From ftweedal at redhat.com Mon Jan 26 22:01:25 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 27 Jan 2015 08:01:25 +1000
Subject: [Freeipa-users] RFEs
In-Reply-To: <1763705087.1037880.1422026786185.JavaMail.zimbra@lyra-network.com>
References: <1156687611.805599.1421941067430.JavaMail.zimbra@lyra-network.com> <54C169BD.2030004@redhat.com> <20150123022300.GR5536@dhcp-40-8.bne.redhat.com> <1763705087.1037880.1422026786185.JavaMail.zimbra@lyra-network.com>
Message-ID: <20150126220125.GW5536@dhcp-40-8.bne.redhat.com>

On Fri, Jan 23, 2015 at 04:26:26PM +0100, Baptiste Agasse wrote:
> Hi,
>
> > > > 1) Cross FreeIPA domain trust.
> > > > Example use case:
> > > > As an user, i'm part of the FOO.EXAMPLE.COM FreeIPA domain and i want to
> > > > connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
> > >
> > > This is on the radar though I couldn't find an open ticket on it. It
> > > isn't something for the very near-term though AFAIK.
> > >
> > > At least part of this is captured in
> > > https://fedorahosted.org/freeipa/ticket/4791 which prevents IPA ->
> > > Kerberos trusts today.
>
> Thank you, i missed this one when i searched issues related to these RFEs before send a mail on the list.
>
> > >
> > > > 2) PKI subordinate CA support.
> > > > Example use case:
> > > > In the Example.com company, we use certificate authentication for cross
> > > > services authentication or user authentication. I want, for example to
> > > > allow only a group of source services (or users) to connect to a target
> > > > service. On the target service, i filter client certificates by
> > > > providing the subordinate CA as the trusted CA.
> > >
> > > A developer is looking into something like this on the dogtag side,
> > > http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
> > >
> > This work in Dogtag is the groundwork to have this capability in
> > FreeIPA.
The design document for the FreeIPA sub-CA support (a work > > in progress) is http://www.freeipa.org/page/V4/Security_domains. > > Yes, this describe that we want to achieve: have a sub-ca by functionality/usecase. > > On this point, one comment. Hosts in FreeIPA can have an x.509 > certificate for the host principal, you don't have to create any > service on the host to request this certificate. If the security > domains land in FreeIPA, it would be nice to have 'some' defaults > security domains, like one that sign hosts certificates by > default, and why not another that sign user certificates by > default. > That's definitely worth considering. I'll add this suggestion to the design proposal. Fraser > > > > Cheers, > > Fraser > > > > > > 3) "autoservice rules", Ability to create rules to automatically create > > > > services on the host that match the rule, like automember rules for host > > > > groups. Example use cases: > > > > * When you create a bunch of 'clone' servers that use kerberos for > > > > authentication like kerberized webservers, you don't have to add each > > > > to 'webserversX' group because you can have an automember rule that > > > > automaticaly add them to the good hostgroup, but you must manually add > > > > 'http' service on each. This "autoservice rules" will be nice to make > > > > some HBAC rules work out of the box. For example the HBAC rule that > > > > said "Some user(s)/usergroup(s) are allowed to connect to > > > > 'webserversX' hostgroup members on 'http' service" > > > > * Puppet/Foreman integration: Use the FreeIPA pki with autosign > > > > functionality for puppet agents. When you create an host via foreman > > > > proxy, it will create the host in FreeIPA but if you want to use the > > > > FreeIPA PKI for puppet, you must manually add puppet service on your > > > > host, and then get the certificate. > > > > > > An interesting idea. I filed > > > https://fedorahosted.org/freeipa/ticket/4862 to track it. 
>
> Thank you, i didn't have an fedora account but i created one to follow this.
>
> Have a nice day.
>
> Regards.
>
> Baptiste.

From ckollar at xanadu.ie Tue Jan 27 16:33:23 2015
From: ckollar at xanadu.ie (Csaba Kollar)
Date: Tue, 27 Jan 2015 16:33:23 +0000
Subject: [Freeipa-users] replication question
Message-ID: <3808A6BC-476E-41B3-8015-2BBB8D4B695C@xanadu.ie>

Hi there,

I've installed ipa-server-3.0.0-42.el6.centos.x86_64 on CentOS 6.6 servers. Configured first as a master. Configured second as a replica. Everything went smooth, no errors. If I create a user on the master, it automatically shows up on the replica. BUT If I create a user on the replica, I cannot see on the master the created user. (or if i delete a user on replica which was created on master, it stays on the masters)

I've tried to force-sync the master without luck:

[root at centosm ~]# ipa-replica-manage force-sync --from centosr.macp.sh
ipa: INFO: Setting agreement cn=meTocentosm.macp.sh,cn=replica,cn=dc\=macp\,dc\=sh,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTocentosm.macp.sh,cn=replica,cn=dc\=macp\,dc\=sh,cn=mapping tree,cn=config

Example:

[root at centosr ~]# ipa user-add
First name: test
Last name: test
User login [ttest]:
------------------
Added user "ttest"
------------------
  User login: ttest
  First name: test
  Last name: test
  Full name: test test
  Display name: test test
  Initials: tt
  Home directory: /home/ttest
  GECOS field: test test
  Login shell: /bin/sh
  Kerberos principal: ttest at MACP.SH
  Email address: ttest at macp.sh
  UID: 1213900501
  GID: 1213900501
  Password: False
  Kerberos keys available: False

[root at centosm ~]# ipa user-show ttest
ipa: ERROR: ttest: user not found

I've checked replication statuses:

Master:

[root at centosm ~]# ldapsearch -x -h centosm.macp.sh -D "cn=directory manager" -w xxxxxx1 -b cn=config '(objectclass=nsds5replicationagreement)'
# extended LDIF
#
# LDAPv3
# base with scope
subtree # filter: (objectclass=nsds5replicationagreement) # requesting: ALL # # meTocentosr.macp.sh, replica, dc\3Dmacp\2Cdc\3Dsh, mapping tree, config dn: cn=meTocentosr.macp.sh,cn=replica,cn=dc\3Dmacp\2Cdc\3Dsh,cn=mapping tree,c n=config cn: meTocentosr.macp.sh objectClass: nsds5replicationagreement objectClass: top nsDS5ReplicaTransportInfo: LDAP description: me to centosr.macp.sh nsDS5ReplicaRoot: dc=macp,dc=sh nsDS5ReplicaHost: centosr.macp.sh nsds5replicaTimeout: 120 nsDS5ReplicaPort: 389 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount nsDS5ReplicaBindMethod: SASL/GSSAPI nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts uccessfulauth krblastfailedauth krbloginfailedcount nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150127162748Z nsds5replicaLastUpdateEnd: 20150127162751Z nsds5replicaChangesSentSinceStartup:: NDoxMzkxLzMg nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd ate succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 20150127145831Z nsds5replicaLastInitEnd: 20150127145834Z nsds5replicaLastInitStatus: 0 Total update succeeded # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Slave: [root at centosr ~]# ldapsearch -x -h centosr.macp.sh -D "cn=directory manager" -w almafa12 -b cn=config '(objectclass=nsds5replicationagreement)' # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=nsds5replicationagreement) # requesting: ALL # # meTocentosm.macp.sh, replica, dc\3Dmacp\2Cdc\3Dsh, mapping tree, config dn: cn=meTocentosm.macp.sh,cn=replica,cn=dc\3Dmacp\2Cdc\3Dsh,cn=mapping tree,c n=config cn: meTocentosm.macp.sh objectClass: nsds5replicationagreement objectClass: top nsDS5ReplicaTransportInfo: LDAP description: me to centosm.macp.sh nsDS5ReplicaRoot: dc=macp,dc=sh nsDS5ReplicaHost: centosm.macp.sh nsds5replicaTimeout: 
120 nsDS5ReplicaPort: 389 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount nsDS5ReplicaBindMethod: SASL/GSSAPI nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts uccessfulauth krblastfailedauth krbloginfailedcount nsds50ruv: {replicageneration} 54c7a797000000040000 nsds50ruv: {replica 4 ldap://centosm.macp.sh:389} nsds50ruv: {replica 3 ldap://centosr.macp.sh:389} 54c7a79b000000030000 54c7a7a 1000400030000 nsruvReplicaLastModified: {replica 4 ldap://centosm.macp.sh:389} 00000000 nsruvReplicaLastModified: {replica 3 ldap://centosr.macp.sh:389} 00000000 nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in ternalModifyTimestamp nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150127162747Z nsds5replicaLastUpdateEnd: 20150127162747Z nsds5replicaChangesSentSinceStartup: nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd ate started nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 0 nsds5replicaLastInitEnd: 0 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root at centosm ~]# ipa-replica-manage list centosm.macp.sh: master centosr.macp.sh: master [root at centosm ~]# ipa-replica-manage -v list centosr.macp.sh centosm.macp.sh: replica last init status: None last init ended: None last update status: 0 Replica acquired successfully: Incremental update started last update ended: 2015-01-27 16:29:00+00:00 [root at centosm ~]# [root at centosr ~]# ipa-replica-manage list centosm.macp.sh: master centosr.macp.sh: master [root at centosr ~]# ipa-replica-manage list -v centosm.macp.sh centosr.macp.sh: replica last init status: 0 Total update succeeded last init ended: 2015-01-27 14:58:34+00:00 last update status: 0 Replica acquired successfully: Incremental update started last update ended: None [root at centosr ~]# Probably I?m missing something 
really obvious, so if anyone can tell me what, I would be really grateful :).

Kind regards,
Csaba Kollar

--
***** Email confidentiality notice *****
Xanadu Consultancy Limited is a limited company registered in Ireland with registered number 500416 and VAT registered number IE 9793319P. Our registered office is at Floor 2, River House, Blackpool Retail & Business Park, Cork, Ireland. We have a branch office registered in England and Wales with company number FC030315, whose address is at Unit 710 Highgate Studios, 53-79 Highgate Road, London, NW5 1TL. This message is intended solely for the add ressee and may contain confidential information. If you have received this message in error, please send it back to us, and immediately and permanently delete it. Do not use, copy or disclose the information contained in this message or in any attachment. Xanadu Consultancy Limited cannot accept liability for any statements made which are clearly the sender's own and not expressly made on behalf of Xanadu Consultancy Limited.

From dbischof at hrz.uni-kassel.de Tue Jan 27 17:44:28 2015
From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de)
Date: Tue, 27 Jan 2015 18:44:28 +0100 (CET)
Subject: [Freeipa-users] replication question
In-Reply-To: <3808A6BC-476E-41B3-8015-2BBB8D4B695C@xanadu.ie>
References: <3808A6BC-476E-41B3-8015-2BBB8D4B695C@xanadu.ie>
Message-ID:

Hi,

On Tue, 27 Jan 2015, Csaba Kollar wrote:

> I've installed ipa-server-3.0.0-42.el6.centos.x86_64 on CentOS 6.6
> servers. Configured first as a master. Configured second as a replica.
> Everything went smooth, no errors. If I create a user on the master, it
> automatically shows up on the replica. BUT If I create a user on the
> replica, I cannot see on the master the created user.
> (or if i delete a
> user on replica which was created on master, it stays on the masters)
>
> I've tried to force-sync the master without luck:
>
> [root at centosm ~]# ipa-replica-manage force-sync --from centosr.macp.sh
> [...]

sounds like the problem I had recently, please check

https://fedorahosted.org/freeipa/ticket/4807

for details.

Mit freundlichen Gruessen/With best regards,

--Daniel.

From CWhite at skytouchtechnology.com Tue Jan 27 20:49:36 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Tue, 27 Jan 2015 20:49:36 +0000
Subject: [Freeipa-users] Sign certificates with subjectAltName
Message-ID:

$ rpm -q ipa-server
ipa-server-3.0.0-42.el6.x86_64

I tend to revert to openssl as I have some familiarity with it.

ipa service-add HTTP/p1nxut01.stt.local

excellent except we wanted human friendly certificates/SSL

So I created a one-off openssl.cnf file with subjectAltName configured and generated csr and key files...
grep subjectAltName openssl.cnf
subjectAltName="nexus.stt.local"
openssl req -new -config /etc/ssl/openssl.cnf -out p1nxut01.csr -keyout p1nxut01.key

and then passed them on to IPA for signing...
ipa cert-request p1nxut01.csr --principal host/p1nxut01.stt.local at STT.LOCAL
and it was reported serial #44

so I retrieved the certificate...
ipa cert-show 44 --out=/etc/ssl/p1nxut01.stt.local.crt

openssl x509 -in p1nxut01.stt.local.crt -noout -text

but no subjectAltNames are listed :-(

can someone hit me with a cluestick?

Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology
4225 E. Windrose Dr.
Phoenix, AZ 85032
From abokovoy at redhat.com Tue Jan 27 21:09:10 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 27 Jan 2015 23:09:10 +0200
Subject: [Freeipa-users] Sign certificates with subjectAltName
In-Reply-To:
References:
Message-ID: <20150127210910.GE6592@redhat.com>

On Tue, 27 Jan 2015, Craig White wrote:
>$ rpm -q ipa-server
>ipa-server-3.0.0-42.el6.x86_64
>
>I tend to revert to openssl as I have some familiarity with it.
>
>ipa service-add HTTP/p1nxut01.stt.local
>
>excellent except we wanted human friendly certificates/SSL
>
>So I created a one-off openssl.cnf file with subjectAltName configured and generated csr and key files...
>grep subjectAltName openssl.cnf
>subjectAltName="nexus.stt.local"
>openssl req -new -config /etc/ssl/openssl.cnf -out p1nxut01.csr -keyout p1nxut01.key
>
>and then passed them on to IPA for signing...
>ipa cert-request p1nxut01.csr --principal host/p1nxut01.stt.local at STT.LOCAL
>and it was reported serial #44
>
>so I retrieved the certificate...
>ipa cert-show 44 --out=/etc/ssl/p1nxut01.stt.local.crt
>
>openssl x509 -in p1nxut01.stt.local.crt -noout -text
>
>but no subjectAltNames are listed :-(
>
>can someone hit me with a cluestick?

Yes, this is not supported in 3.0.0.
We implemented support for it in 4.1, see https://bugzilla.redhat.com/show_bug.cgi?id=1112605 -- / Alexander Bokovoy From CWhite at skytouchtechnology.com Tue Jan 27 21:20:32 2015 From: CWhite at skytouchtechnology.com (Craig White) Date: Tue, 27 Jan 2015 21:20:32 +0000 Subject: [Freeipa-users] Sign certificates with subjectAltName In-Reply-To: <20150127210910.GE6592@redhat.com> References: <20150127210910.GE6592@redhat.com> Message-ID: -----Original Message----- From: Alexander Bokovoy [mailto:abokovoy at redhat.com] Sent: Tuesday, January 27, 2015 2:09 PM To: Craig White Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Sign certificates with subjectAltName On Tue, 27 Jan 2015, Craig White wrote: >$ rpm -q ipa-server >ipa-server-3.0.0-42.el6.x86_64 > >I tend to revert to openssl as I have some familiarity with it. > >ipa service-add HTTP/p1nxut01.stt.local > >excellent except we wanted human friendly certificates/SSL > >So I created a one-off openssl.cnf file with subjectAltName configured and generated csr and key files... >grep subjectAltName openssl.cnf >subjectAltName="nexus.stt.local" >openssl req -new -config /etc/ssl/openssl.cnf -out p1nxut01.csr -keyout p1nxut01.key > >and then passed them on to IPA for signing... >ipa cert-request p1nxut01.csr --principal host/p1nxut01.stt.local at STT.LOCAL >and it was reported serial #44 > >so I retrieved the certificate... >ipa cert-show 44 --out=/etc/ssl/p1nxut01.stt.local.crt > >openssl x509 -in p1nxut01.stt.local.crt -noout -text > >but no subjectAltNames are listed :-( > >can someone hit me with a cluestick? Yes, this is not supported in 3.0.0. We implemented support for it in 4.1, see https://bugzilla.redhat.com/show_bug.cgi?id=1112605 ---- Thanks Alexander - not the cluestick I was hoping for but obviously definitive. 
From rmj at ast.cam.ac.uk Tue Jan 27 22:03:37 2015 From: rmj at ast.cam.ac.uk (Roderick Johnstone) Date: Tue, 27 Jan 2015 22:03:37 +0000 Subject: [Freeipa-users] netgroups not working for exports in freeipa Message-ID: <54C80B39.1000406@ast.cam.ac.uk> Hi I'm migrating from a legacy NIS setup to ipa. I have a number of NIS netgroups (of hosts) that are being used to export (non-kerberos) nfs shares to which I would like to migrate to ipa. I've create a new netgroup in ipa (for testing) and added some hosts to it (using ipa netgroup-add and ipa netgroup-add-member). I'm hoping that when exporting an nfs share using the @netgroup syntax in /etc/exports that the netgroup will be looked up in ipa and the share will be exported to the hosts in the netgroup. /etc/nsswitch.conf has a line: netgroup: files nis sss /etc/exports has a line: /var/tmp/testexport @rmjnetgroup1(ro) I haven't, so far, been able to mount the exported share on a client so I'm wondering if this setup would be expected to work? What is confusing to me is that the section in the Redhat 6 Identity Management guide on netgroups also has information on running the NIS listener plugin so I'm wondering if perhaps this only works when running the nis listener. I'm trying to avoid that. I'd welcome any clarification on how to do non-kerberised nfs exports to groups of hosts. Thanks. Roderick Johnstone From ckollar at xanadu.ie Wed Jan 28 10:37:17 2015 From: ckollar at xanadu.ie (Csaba Kollar) Date: Wed, 28 Jan 2015 10:37:17 +0000 Subject: [Freeipa-users] replication question In-Reply-To: References: <3808A6BC-476E-41B3-8015-2BBB8D4B695C@xanadu.ie> Message-ID: <5DA4011C-317F-4B06-BF42-A0F351C1476B@xanadu.ie> Hi Danel, thanks a million! Raising the nsslapd-sasl-max-buffer-size to 2 megs from 65k did the trick!! 
Kind regards,
Csaba Kollar

> On 27 Jan 2015, at 17:44, dbischof at hrz.uni-kassel.de wrote:
>
> Hi,
>
> On Tue, 27 Jan 2015, Csaba Kollar wrote:
>
>> I've installed ipa-server-3.0.0-42.el6.centos.x86_64 on CentOS 6.6 servers. Configured first as a master. Configured second as a replica. Everything went smooth, no errors. If I create a user on the master, it automatically shows up on the replica. BUT If I create a user on the replica, I cannot see on the master the created user. (or if i delete a user on replica which was created on master, it stays on the masters)
>>
>> I've tried to force-sync the master without luck:
>>
>> [root at centosm ~]# ipa-replica-manage force-sync --from centosr.macp.sh
>> [...]
>
> sounds like the problem I had recently, please check
>
> https://fedorahosted.org/freeipa/ticket/4807
>
> for details.
>
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

From jhrozek at redhat.com Wed Jan 28 10:57:55 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 28 Jan 2015 11:57:55 +0100
Subject: [Freeipa-users] netgroups not working for exports in freeipa
In-Reply-To: <54C80B39.1000406@ast.cam.ac.uk>
References: <54C80B39.1000406@ast.cam.ac.uk>
Message-ID: <20150128105755.GQ11150@hendrix.brq.redhat.com>

On Tue, Jan 27, 2015 at 10:03:37PM +0000, Roderick Johnstone wrote:
> Hi
>
> I'm migrating from a legacy NIS setup to ipa. I have a number of NIS
> netgroups (of hosts) that are being used to export (non-kerberos) nfs shares
> to which I would like to migrate to ipa.
>
> I've create a new netgroup in ipa (for testing) and added some hosts to it
> (using ipa netgroup-add and ipa netgroup-add-member). I'm hoping that when
> exporting an nfs share using the @netgroup syntax in /etc/exports that the
> netgroup will be looked up in ipa and the share will be exported to the
> hosts in the netgroup.
>
> /etc/nsswitch.conf has a line:
> netgroup: files nis sss
>
> /etc/exports has a line:
> /var/tmp/testexport @rmjnetgroup1(ro)
>
> I haven't, so far, been able to mount the exported share on a client so I'm
> wondering if this setup would be expected to work?
>
> What is confusing to me is that the section in the Redhat 6 Identity
> Management guide on netgroups also has information on running the NIS
> listener plugin so I'm wondering if perhaps this only works when running the
> nis listener. I'm trying to avoid that.
>
> I'd welcome any clarification on how to do non-kerberised nfs exports to
> groups of hosts.

Does getent netgroup rmjnetgroup1 show the hosts you'd expect?
From rmj at ast.cam.ac.uk Wed Jan 28 13:57:28 2015
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Wed, 28 Jan 2015 13:57:28 +0000
Subject: [Freeipa-users] netgroups not working for exports in freeipa
In-Reply-To: <20150128105755.GQ11150@hendrix.brq.redhat.com>
References: <54C80B39.1000406@ast.cam.ac.uk> <20150128105755.GQ11150@hendrix.brq.redhat.com>
Message-ID: <54C8EAC8.8030800@ast.cam.ac.uk>

On 28/01/15 10:57, Jakub Hrozek wrote:
> On Tue, Jan 27, 2015 at 10:03:37PM +0000, Roderick Johnstone wrote:
>> Hi
>>
>> I'm migrating from a legacy NIS setup to ipa. I have a number of NIS
>> netgroups (of hosts) that are being used to export (non-kerberos) nfs shares
>> to which I would like to migrate to ipa.
>>
>> I've created a new netgroup in ipa (for testing) and added some hosts to it
>> (using ipa netgroup-add and ipa netgroup-add-member). I'm hoping that when
>> exporting an nfs share using the @netgroup syntax in /etc/exports that the
>> netgroup will be looked up in ipa and the share will be exported to the
>> hosts in the netgroup.
>>
>> /etc/nsswitch.conf has a line:
>> netgroup: files nis sss
>>
>> /etc/exports has a line:
>> /var/tmp/testexport @rmjnetgroup1(ro)
>>
>> I haven't, so far, been able to mount the exported share on a client so I'm
>> wondering if this setup would be expected to work?
>>
>> What is confusing to me is that the section in the Redhat 6 Identity
>> Management guide on netgroups also has information on running the NIS
>> listener plugin so I'm wondering if perhaps this only works when running the
>> nis listener. I'm trying to avoid that.
>>
>> I'd welcome any clarification on how to do non-kerberised nfs exports to
>> groups of hosts.
>
> Does getent netgroup rmjnetgroup1 show the hosts you'd expect?
>

Indeed it does.

The individual triples listed for the netgroup contain entries like:
(host,-,domain)
where host is a fully qualified hostname which is dns resolvable.

(For info, if I do ypcat on one of my NIS netgroups I get a triple like this:
(host,,)
where host is the fully qualified host name, and nothing in the domain field.)

I've actually tried two netgroups with different domains set. The first one (rmjnetgroup) I made without specifying the --nisdomain option to ipa netgroup-add, and domain in the output above shows as my dns domain (which is a lower case version of my kerberos realm).

I couldn't mount nfs shares when exporting to @rmjnetgroup. I checked that I could mount the shares when I exported explicitly to the fully qualified host name, and that worked ok.

So, thinking that the problem was with the domain name, I made a new netgroup (rmjnetgroup1) with the option --nisdomain=xxx where xxx is the proper name for our nis domain as shown with the domainname command.

I couldn't mount nfs shares when exporting to @rmjnetgroup1 either.

Roderick

From subscribe.becke at gmail.com Tue Jan 27 17:25:14 2015
From: subscribe.becke at gmail.com (Raoul Becke)
Date: Tue, 27 Jan 2015 17:25:14 +0000 (UTC)
Subject: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
References: <22036664.121131.1395927382024.JavaMail.zimbra@chemaxon.com> <5334570B.1040103@redhat.com> <2068400394.73207.1395997013774.JavaMail.zimbra@chemaxon.com> <53355DC9.3050908@redhat.com> <15930145-D35A-4032-9273-8218B6515EDA@jasonwoods.me.uk> <20140328141529.GL21211@redhat.com> <20150120080143.GA31960@redhat.com>
Message-ID:

Alexander Bokovoy writes:
>
> On Wed, 14 Jan 2015, Raoul Becke wrote:
> >Alexander Bokovoy ...> writes:
> >

Thank you very much for these detailed instructions. It seems not to be too complicated and I'm thinking of giving it a 2nd try - the only thing that worries me a bit is:

> This would work more or less the same in 3.0 but you would need to add
> permissions differently because 3.x doesn't have as easy permission
> constructing means as 4.0 has.
>

Is there a document that describes how to do this in:
Name : ipa-server
Arch : x86_64
Version : 3.3.3

Or a document that describes the differences, then I can take it from there.

From Steven.Auerbach at flbog.edu Thu Jan 29 13:43:21 2015
From: Steven.Auerbach at flbog.edu (Auerbach, Steven)
Date: Thu, 29 Jan 2015 13:43:21 +0000
Subject: [Freeipa-users] IPA-Server v3.0 Replication Broken
Message-ID:

We have a pair of IPA Servers for our network. Our servers are Oracle Linux 6 x86_64 with the ipa-server.3.0.X packages [up to date as distributed by Oracle Linux].

Recently we noticed that the master (IPA01) is replicating fine to the designated replicant. But changes that are made on the replicant do not get back to the master.

This is true when ipa-clients register (if the registration script grabs the replicant for registration then the host enrollment and DNS will not make it back to the master).
This is true when users make a password change. If the password process grabs the master then replication to the replicant is fine, but if the change process grabs the replicant it will not make it back to the master. Then the user login is broken.
This is true when, in the IPA Admin Web Interface, we delete a host entry or DNS record. If done on the master the change replicates to the replicant. If the change is made on the replicant it does not make it to the master.

We have not found anything in the documentation that helps us understand where to proceed or what to do to diagnose the replication problem. We have tried removing the replicant from the IPA server configuration and powering off the box, creating a new server and reconstructing a new replica on that new server. The problem persists. We suspect the issue lies in some configuration somewhere on the master, but know not where to go next.

Anyone have a similar experience and overcome it? We will take any advice we can get!

With appreciation and respect;

Steven Auerbach
Systems Administrator
State University System of Florida
Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
www.flbog.edu

From dkupka at redhat.com Thu Jan 29 13:55:00 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 29 Jan 2015 14:55:00 +0100
Subject: [Freeipa-users] IPA-Server v3.0 Replication Broken
In-Reply-To:
References:
Message-ID: <54CA3BB4.6000101@redhat.com>

On 01/29/2015 02:43 PM, Auerbach, Steven wrote:
> We have a pair of IPA Servers for our network. Our servers are Oracle Linux 6 x86_64 with the ipa-server.3.0.X packages [up to date as distributed by Oracle Linux].
>
> Recently we noticed that the master (IPA01) is replicating fine to the designated replicant. But changes that are made on the replicant do not get back to the master.
>
> This is true when ipa-clients register (if the registration script grabs the replicant for registration then the host enrollment and DNS will not make it back to the master).
> This is true when users make a password change. If the password process grabs the master then replication to the replicant is fine, but if the change process grabs the replicant it will not make it back to the master. Then the user login is broken.
> This is true when, in the IPA Admin Web Interface, we delete a host entry or DNS record. If done on the master the change replicates to the replicant. If the change is made on the replicant it does not make it to the master.
>
> We have not found anything in the documentation that helps us understand where to proceed or what to do to diagnose the replication problem.
> We have tried removing the replicant from the IPA server configuration and powering off the box, creating a new server and reconstructing a new replica on that new server. The problem persists. We suspect the issue lies in some configuration somewhere on the master, but know not where to go next.
>
> Anyone have a similar experience and overcome it? We will take any advice we can get!
>
> With appreciation and respect;
>
> Steven Auerbach
> Systems Administrator
> State University System of Florida
> Board of Governors
> 325 West Gaines Street
> Tallahassee, Florida 32399
> (850) 245-9592 | Fax (850) 245-0419
> www.flbog.edu
>

Hi, this looks similar to:
https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html
and
https://fedorahosted.org/freeipa/ticket/4807

Did you try to raise the nsslapd-sasl-max-buffer-size?

--
David Kupka

From abokovoy at redhat.com Thu Jan 29 14:47:48 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 29 Jan 2015 16:47:48 +0200
Subject: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
In-Reply-To:
References: <22036664.121131.1395927382024.JavaMail.zimbra@chemaxon.com> <5334570B.1040103@redhat.com> <2068400394.73207.1395997013774.JavaMail.zimbra@chemaxon.com> <53355DC9.3050908@redhat.com> <15930145-D35A-4032-9273-8218B6515EDA@jasonwoods.me.uk> <20140328141529.GL21211@redhat.com> <20150120080143.GA31960@redhat.com>
Message-ID: <20150129144748.GN6592@redhat.com>

On Tue, 27 Jan 2015, Raoul Becke wrote:
>Alexander Bokovoy writes:
>
>>
>> On Wed, 14 Jan 2015, Raoul Becke wrote:
>> >Alexander Bokovoy ...> writes:
>> >
>
>Thank you very much for these detailed instructions. It seems not to be too
>complicated and I'm thinking of giving it a 2nd try - the only thing that worries me
>a bit is:
>
>> This would work more or less the same in 3.0 but you would need to add
>> permissions differently because 3.x doesn't have as easy permission
>> constructing means as 4.0 has.
>>
>
>Is there a document that describes how to do this in:
>Name : ipa-server
>Arch : x86_64
>Version : 3.3.3
>
>Or a document that describes the differences, then I can take it from there.

I think the difference would be in the unavailability of the 'ipa privilege-add-permission' command. You still need to create the privilege and the role, but then create the ACI manually referencing the privilege.

# ipa privilege-add 'CIFS server privilege'
---------------------------------------
Added privilege "CIFS server privilege"
---------------------------------------
  Privilege name: CIFS server privilege

# ipa role-add 'CIFS server'
------------------------
Added role "CIFS server"
------------------------
  Role name: CIFS server

# ipa role-add-privilege 'CIFS server' --privilege='CIFS server privilege'
  Role name: CIFS server
  Privileges: CIFS server privilege
----------------------------
Number of privileges added 1
----------------------------

And add an ACI based on the privilege group DN:

# cat 89-cifs-privilege-aci.update
dn: $SUFFIX
add:aci: '(targetattr = "ipaNTHash || ipaNTSecurityIdentifier")(version 3.0; acl "CIFS server privilege permission"; allow (read,search,compare) groupdn="ldap:///cn=CIFS server privilege,cn=privileges,cn=pbac,$SUFFIX";)'

# ipa-ldap-updater -l ./89-cifs-privilege-aci.update
Parsing update file './89-cifs-privilege-aci.update'
Updating existing entry: dc=f21,dc=test
Done
The ipa-ldap-updater command was successful

The add:aci line in the .update file should be that long.

Note that changing the ACI, as opposed to using the permission CLI in FreeIPA 4.x, is not really recommended. You need to understand what you are doing and that wrong operations may cause slowness or even total malfunctioning of the LDAP server.

--
/ Alexander Bokovoy

From dan.ouellet at goisc.com Thu Jan 29 14:49:14 2015
From: dan.ouellet at goisc.com (Dan Ouellet)
Date: Thu, 29 Jan 2015 14:49:14 +0000
Subject: [Freeipa-users] IPA-Server v3.0 Replication Broken
In-Reply-To: <54CA3BB4.6000101@redhat.com>
References: <54CA3BB4.6000101@redhat.com>
Message-ID:

Thank you for your reply. An "ldapsearch" revealed that the buffer is set to 64k on both the master and the replica. I will increase the size to 2M and test to see if this resolves the problem.

Best regards,
Dan

-----Original Message-----
From: David Kupka [mailto:dkupka at redhat.com]
Sent: Thursday, January 29, 2015 8:55 AM
To: Auerbach, Steven; IPA User Maillist (freeipa-users at redhat.com)
Cc: Dan Ouellet
Subject: Re: [Freeipa-users] IPA-Server v3.0 Replication Broken

On 01/29/2015 02:43 PM, Auerbach, Steven wrote:
> We have a pair of IPA Servers for our network. Our servers are Oracle Linux 6 x86_64 with the ipa-server.3.0.X packages [up to date as distributed by Oracle Linux].
>
> Recently we noticed that the master (IPA01) is replicating fine to the designated replicant. But changes that are made on the replicant do not get back to the master.
>
> This is true when ipa-clients register (if the registration script grabs the replicant for registration then the host enrollment and DNS will not make it back to the master).
> This is true when users make a password change. If the password process grabs the master then replication to the replicant is fine, but if the change process grabs the replicant it will not make it back to the master. Then the user login is broken.
> This is true when, in the IPA Admin Web Interface, we delete a host entry or DNS record. If done on the master the change replicates to the replicant. If the change is made on the replicant it does not make it to the master.
>
> We have not found anything in the documentation that helps us understand where to proceed or what to do to diagnose the replication problem. We have tried removing the replicant from the IPA server configuration and powering off the box, creating a new server and reconstructing a new replica on that new server. The problem persists. We suspect the issue lies in some configuration somewhere on the master, but know not where to go next.
>
> Anyone have a similar experience and overcome it? We will take any advice we can get!
>
> With appreciation and respect;
>
> Steven Auerbach
> Systems Administrator
> State University System of Florida
> Board of Governors
> 325 West Gaines Street
> Tallahassee, Florida 32399
> (850) 245-9592 | Fax (850) 245-0419
> www.flbog.edu
>

Hi, this looks similar to:
https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html
and
https://fedorahosted.org/freeipa/ticket/4807

Did you try to raise the nsslapd-sasl-max-buffer-size?

--
David Kupka

From dan.ouellet at goisc.com Thu Jan 29 15:49:48 2015
From: dan.ouellet at goisc.com (Dan Ouellet)
Date: Thu, 29 Jan 2015 15:49:48 +0000
Subject: [Freeipa-users] IPA-Server v3.0 Replication Broken
In-Reply-To: <54CA3BB4.6000101@redhat.com>
References: <54CA3BB4.6000101@redhat.com>
Message-ID:

Hi,

Thank you once again for your reply. Increasing the nsslapd-sasl-max-buffer-size to 2M on both servers and restarting the IPA services seems to have resolved the issue.

Best regards,
Dan

-----Original Message-----
From: David Kupka [mailto:dkupka at redhat.com]
Sent: Thursday, January 29, 2015 8:55 AM
To: Auerbach, Steven; IPA User Maillist (freeipa-users at redhat.com)
Cc: Dan Ouellet
Subject: Re: [Freeipa-users] IPA-Server v3.0 Replication Broken

On 01/29/2015 02:43 PM, Auerbach, Steven wrote:
> We have a pair of IPA Servers for our network. Our servers are Oracle Linux 6 x86_64 with the ipa-server.3.0.X packages [up to date as distributed by Oracle Linux].
>
> Recently we noticed that the master (IPA01) is replicating fine to the designated replicant. But changes that are made on the replicant do not get back to the master.
>
> This is true when ipa-clients register (if the registration script grabs the replicant for registration then the host enrollment and DNS will not make it back to the master).
> This is true when users make a password change. If the password process grabs the master then replication to the replicant is fine, but if the change process grabs the replicant it will not make it back to the master. Then the user login is broken.
> This is true when, in the IPA Admin Web Interface, we delete a host entry or DNS record. If done on the master the change replicates to the replicant. If the change is made on the replicant it does not make it to the master.
>
> We have not found anything in the documentation that helps us understand where to proceed or what to do to diagnose the replication problem. We have tried removing the replicant from the IPA server configuration and powering off the box, creating a new server and reconstructing a new replica on that new server. The problem persists. We suspect the issue lies in some configuration somewhere on the master, but know not where to go next.
>
> Anyone have a similar experience and overcome it? We will take any advice we can get!
>
> With appreciation and respect;
>
> Steven Auerbach
> Systems Administrator
> State University System of Florida
> Board of Governors
> 325 West Gaines Street
> Tallahassee, Florida 32399
> (850) 245-9592 | Fax (850) 245-0419
> www.flbog.edu
>

Hi, this looks similar to:
https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html
and
https://fedorahosted.org/freeipa/ticket/4807

Did you try to raise the nsslapd-sasl-max-buffer-size?
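Dan resolved the one-way replication by raising nsslapd-sasl-max-buffer-size to 2M on both servers. The script below is an added check for that setting, not code from the thread, FreeIPA or 389-ds: it parses the ldapsearch output captured on each server (the per-server outputs and hostnames are constructed) and emits the ldapmodify LDIF for any server still below the target.

```python
"""Audit nsslapd-sasl-max-buffer-size across replication peers and produce the
ldapmodify LDIF that raises it.

Added example, not code from the thread, FreeIPA or 389-ds. It parses what
`ldapsearch -LLL -b cn=config -s base nsslapd-sasl-max-buffer-size` prints on
each server; the per-server outputs and hostnames below are constructed.
"""
import re

ATTR = "nsslapd-sasl-max-buffer-size"
TARGET = "2M"          # the value that resolved the replication problem in the thread

# Constructed ldapsearch output per server: 64k on one, 2M on another, unset on a third.
SAMPLE_OUTPUT = {
    "ipa01.example.test": "dn: cn=config\nnsslapd-sasl-max-buffer-size: 65536\n\n",
    "ipa02.example.test": "dn: cn=config\nnsslapd-sasl-max-buffer-size: 2097152\n\n",
    "ipa03.example.test": "dn: cn=config\n\n",
}

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def human_to_bytes(text):
    """'2M' -> 2097152, '64k' -> 65536, '65536' -> 65536."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)[bB]?\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_buffer_size(ldif_text):
    """Configured size in bytes, or None when the attribute was not returned."""
    for line in unfold_ldif(ldif_text):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == ATTR:
            return int(value.strip())
    return None


def audit(outputs, target=TARGET):
    """Map server -> 'ok', 'too-small' or 'unset' relative to the target size."""
    wanted = human_to_bytes(target)
    report = {}
    for server, text in outputs.items():
        size = parse_buffer_size(text)
        if size is None:
            report[server] = "unset"      # server default applies; not asserted here
        elif size < wanted:
            report[server] = "too-small"
        else:
            report[server] = "ok"
    return report


def modify_ldif(target=TARGET):
    """LDIF to feed `ldapmodify -D 'cn=Directory Manager' -W` on every flagged
    server; the thread restarted the IPA services afterwards."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"replace: {ATTR}\n"
        f"{ATTR}: {human_to_bytes(target)}\n"
    )


if __name__ == "__main__":
    report = audit(SAMPLE_OUTPUT)
    for server in sorted(report):
        print(f"{server}: {report[server]}")
    if any(state != "ok" for state in report.values()):
        print(modify_ldif())
```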
--
David Kupka

From jhrozek at redhat.com Thu Jan 29 17:32:43 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 29 Jan 2015 18:32:43 +0100
Subject: [Freeipa-users] netgroups not working for exports in freeipa
In-Reply-To: <54C8EAC8.8030800@ast.cam.ac.uk>
References: <54C80B39.1000406@ast.cam.ac.uk> <20150128105755.GQ11150@hendrix.brq.redhat.com> <54C8EAC8.8030800@ast.cam.ac.uk>
Message-ID: <20150129173243.GC20632@hendrix.lan>

On Wed, Jan 28, 2015 at 01:57:28PM +0000, Roderick Johnstone wrote:
> On 28/01/15 10:57, Jakub Hrozek wrote:
> >On Tue, Jan 27, 2015 at 10:03:37PM +0000, Roderick Johnstone wrote:
> >>Hi
> >>
> >>I'm migrating from a legacy NIS setup to ipa. I have a number of NIS
> >>netgroups (of hosts) that are being used to export (non-kerberos) nfs shares
> >>to which I would like to migrate to ipa.
> >>
> >>I've created a new netgroup in ipa (for testing) and added some hosts to it
> >>(using ipa netgroup-add and ipa netgroup-add-member). I'm hoping that when
> >>exporting an nfs share using the @netgroup syntax in /etc/exports that the
> >>netgroup will be looked up in ipa and the share will be exported to the
> >>hosts in the netgroup.
> >>
> >>/etc/nsswitch.conf has a line:
> >>netgroup: files nis sss
> >>
> >>/etc/exports has a line:
> >>/var/tmp/testexport @rmjnetgroup1(ro)
> >>
> >>I haven't, so far, been able to mount the exported share on a client so I'm
> >>wondering if this setup would be expected to work?
> >>
> >>What is confusing to me is that the section in the Redhat 6 Identity
> >>Management guide on netgroups also has information on running the NIS
> >>listener plugin so I'm wondering if perhaps this only works when running the
> >>nis listener. I'm trying to avoid that.
> >>
> >>I'd welcome any clarification on how to do non-kerberised nfs exports to
> >>groups of hosts.
> >
> >Does getent netgroup rmjnetgroup1 show the hosts you'd expect?
> >
>
> Indeed it does.
>
> The individual triples listed for the netgroup contain entries like:
> (host,-,domain)
> where host is a fully qualified hostname which is dns resolvable.
>
> (For info, if I do ypcat on one of my NIS netgroups I get a triple like this:
> (host,,)
> where host is the fully qualified host name, and nothing in the domain
> field.)
>
> I've actually tried two netgroups with different domains set. The first one
> (rmjnetgroup) I made without specifying the --nisdomain option to ipa
> netgroup-add, and domain in the output above shows as my dns domain (which is
> a lower case version of my kerberos realm).
>
> I couldn't mount nfs shares when exporting to @rmjnetgroup. I checked that I
> could mount the shares when I exported explicitly to the fully qualified
> host name, and that worked ok.
>
> So, thinking that the problem was with the domain name, I made a new netgroup
> (rmjnetgroup1) with the option --nisdomain=xxx where xxx is the proper name
> for our nis domain as shown with the domainname command.
>
> I couldn't mount nfs shares when exporting to @rmjnetgroup1 either.
>
> Roderick

Thank you for your reply; then we know SSSD's netgroup handling is correct. To be honest, we're getting a bit out of my comfort zone into the NFS area.

Maybe Roland (CC) knows how to debug the issue further?
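The thread establishes that getent returns the expected triples but the export still fails, and Roderick's experiments vary the domain field. The script below is an added example, not code from the thread, SSSD or nfs-utils: it parses getent netgroup output and replays an innetgr(3)-style lookup, on the assumption (to be verified against the nfs-utils version in use) that rpc.mountd queries with the client's reverse-resolved hostname and NULL user and domain, which is why the domain field does not enter into a host-only match. Netgroup lines and hostnames are constructed.

```python
"""Replay the netgroup lookup an NFS server makes for an '@netgroup' export.

Added example, not code from the thread, SSSD or nfs-utils. It parses the
triples printed by `getent netgroup NAME` and applies innetgr(3) semantics:
an empty triple field is a wildcard, and a query field given as None (NULL)
matches anything. Assumption: rpc.mountd calls innetgr() with the client's
reverse-resolved hostname and NULL user and domain, first with the full
name and then with the domain part stripped. Hostnames are constructed.
"""
import re

# One triple: (host,user,domain); each field may be empty.
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")

# Constructed `getent netgroup` output. rmjnetgroup1 mirrors the IPA netgroup
# from the thread (domain field filled in, '-' in the user field); nisgroup
# mirrors the ypcat output (empty user and domain fields).
GETENT_OUTPUT = {
    "rmjnetgroup1": "rmjnetgroup1 (nfsclient1.example.test,-,example.test) "
                    "(nfsclient2.example.test,-,example.test)",
    "nisgroup": "nisgroup (nfsclient1.example.test,,) (nfsclient3.example.test,,)",
}


def parse_getent_netgroup(line):
    """Return (name, [(host, user, domain), ...]); empty fields become None."""
    name, _, rest = line.strip().partition(" ")
    triples = [tuple(f or None for f in fields) for fields in TRIPLE_RE.findall(rest)]
    return name, triples


def _field_matches(triple_value, query, fold_case):
    # A wildcard in the triple, or no constraint in the query, always matches.
    if triple_value is None or query is None:
        return True
    return triple_value.lower() == query.lower() if fold_case else triple_value == query


def innetgr(triples, host=None, user=None, domain=None):
    """True if any triple matches; host and domain compare case-insensitively."""
    return any(
        _field_matches(h, host, True)
        and _field_matches(u, user, False)
        and _field_matches(d, domain, True)
        for h, u, d in triples
    )


def export_allows(netgroup_line, client_fqdn):
    """Would '/path @netgroup(ro)' admit a client that reverse-resolves to client_fqdn?"""
    _, triples = parse_getent_netgroup(netgroup_line)
    if innetgr(triples, host=client_fqdn):
        return True
    short = client_fqdn.split(".", 1)[0]          # retry with the domain stripped
    return short != client_fqdn and innetgr(triples, host=short)


def explain(netgroup_line, client_fqdn):
    """One line saying whether the mount would be allowed and, if not, why."""
    name, triples = parse_getent_netgroup(netgroup_line)
    if not triples:
        return f"{name}: getent returned no triples; check nsswitch.conf and sssd"
    if export_allows(netgroup_line, client_fqdn):
        return f"{name}: {client_fqdn} is admitted"
    members = sorted(h for h, _, _ in triples if h)
    return (f"{name}: {client_fqdn} is not a host member of {members}; "
            "confirm the client's reverse DNS yields exactly one of those names")


if __name__ == "__main__":
    for group, line in GETENT_OUTPUT.items():
        for client in ("nfsclient1.example.test", "nfsclient2.example.test"):
            print(explain(line, client))
```

Compare the output of getent on the NFS server with the name the server obtains for the client's address: a mismatch there, not the domain field, is what this model flags.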
From rmj at ast.cam.ac.uk Thu Jan 29 21:43:08 2015
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Thu, 29 Jan 2015 21:43:08 +0000
Subject: [Freeipa-users] netgroups not working for exports in freeipa
In-Reply-To: <20150129173243.GC20632@hendrix.lan>
References: <54C80B39.1000406@ast.cam.ac.uk> <20150128105755.GQ11150@hendrix.brq.redhat.com> <54C8EAC8.8030800@ast.cam.ac.uk> <20150129173243.GC20632@hendrix.lan>
Message-ID: <54CAA96C.1080001@ast.cam.ac.uk>

On 29/01/2015 17:32, Jakub Hrozek wrote:
> On Wed, Jan 28, 2015 at 01:57:28PM +0000, Roderick Johnstone wrote:
>> On 28/01/15 10:57, Jakub Hrozek wrote:
>>> On Tue, Jan 27, 2015 at 10:03:37PM +0000, Roderick Johnstone wrote:
>>>> Hi
>>>>
>>>> I'm migrating from a legacy NIS setup to ipa. I have a number of NIS
>>>> netgroups (of hosts) that are being used to export (non-kerberos) nfs shares
>>>> to which I would like to migrate to ipa.
>>>>
>>>> I've created a new netgroup in ipa (for testing) and added some hosts to it
>>>> (using ipa netgroup-add and ipa netgroup-add-member). I'm hoping that when
>>>> exporting an nfs share using the @netgroup syntax in /etc/exports that the
>>>> netgroup will be looked up in ipa and the share will be exported to the
>>>> hosts in the netgroup.
>>>>
>>>> /etc/nsswitch.conf has a line:
>>>> netgroup: files nis sss
>>>>
>>>> /etc/exports has a line:
>>>> /var/tmp/testexport @rmjnetgroup1(ro)
>>>>
>>>> I haven't, so far, been able to mount the exported share on a client so I'm
>>>> wondering if this setup would be expected to work?
>>>>
>>>> What is confusing to me is that the section in the Redhat 6 Identity
>>>> Management guide on netgroups also has information on running the NIS
>>>> listener plugin so I'm wondering if perhaps this only works when running the
>>>> nis listener. I'm trying to avoid that.
>>>>
>>>> I'd welcome any clarification on how to do non-kerberised nfs exports to
>>>> groups of hosts.
>>>
>>> Does getent netgroup rmjnetgroup1 show the hosts you'd expect?
>>>
>>
>> Indeed it does.
>>
>> The individual triples listed for the netgroup contain entries like:
>> (host,-,domain)
>> where host is a fully qualified hostname which is dns resolvable.
>>
>> (For info, if I do ypcat on one of my NIS netgroups I get a triple like this:
>> (host,,)
>> where host is the fully qualified host name, and nothing in the domain
>> field.)
>>
>> I've actually tried two netgroups with different domains set. The first one
>> (rmjnetgroup) I made without specifying the --nisdomain option to ipa
>> netgroup-add, and domain in the output above shows as my dns domain (which is
>> a lower case version of my kerberos realm).
>>
>> I couldn't mount nfs shares when exporting to @rmjnetgroup. I checked that I
>> could mount the shares when I exported explicitly to the fully qualified
>> host name, and that worked ok.
>>
>> So, thinking that the problem was with the domain name, I made a new netgroup
>> (rmjnetgroup1) with the option --nisdomain=xxx where xxx is the proper name
>> for our nis domain as shown with the domainname command.
>>
>> I couldn't mount nfs shares when exporting to @rmjnetgroup1 either.
>>
>> Roderick
>
> Thank you for your reply; then we know SSSD's netgroup handling is
> correct. To be honest, we're getting a bit out of my comfort zone into
> the NFS area.
>
> Maybe Roland (CC) knows how to debug the issue further?
>

Thanks for your interest Jakub.

From api at psychopig.com Thu Jan 29 21:39:35 2015
From: api at psychopig.com (Hugh)
Date: Thu, 29 Jan 2015 15:39:35 -0600
Subject: [Freeipa-users] AD/IPA login compatibility
Message-ID:

All,

I've been trying to get our new AD environment and our existing IPA environment all happy, but am having little luck. To start, our info and a few questions:

IPA servers running CentOS 6.5 and ipa-server-3.0.0-42
Windows DC servers running Windows Server 2012

Anonymized domain info:
IPA NetBIOS domain: IPA
IPA DNS domain: domain.com
WIN NetBIOS domain: AD
WIN DNS domain: win.domain.com

AD environment using itself for DNS, IPA environment using external DNS (Cobbler/Bind). The appropriate _tcp, _ldap, etc. DNS entries have been created in the domain.com domain in Bind. I have set up users in IPA and AD with the same username and added a name mapping in AD to username at DOMAIN.COM.

1) Is it possible to log into a workstation that's been joined to a domain with IPA credentials?

2) If so, what are the minimum requirements for that? Do I need to run FreeIPA 3.3 on CentOS 7? FreeIPA 4 on Fedora? Something else?

3) Is there any way to log into the domain workstation with the NetBIOS domain and username and have it authenticate against the IPA environment? As in AD\username instead of username at DOMAIN.COM? If only the latter will work, will users be able to map drives and access other AD resources without being prompted for username/pass?

4) For initial setup of users, do the passwords for the AD and IPA accounts need to be the same? Will a password change in the Windows environment change the IPA password?

Any other hints, etc. for how to get this all working would be appreciated. I've gone through the FreeIPA AD Trust page(s) and various other sources, but am unclear on how things should work and whether or not I'm doing something wrong. Our old Windows 2003 domain is authenticating fine against MIT Kerberos, so I'm rather surprised how difficult this is proving to be.

Many thanks in advance,

Hugh
From dpal at redhat.com Thu Jan 29 22:26:29 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 29 Jan 2015 17:26:29 -0500
Subject: [Freeipa-users] AD/IPA login compatibility
In-Reply-To:
References:
Message-ID: <54CAB395.6040704@redhat.com>

On 01/29/2015 04:39 PM, Hugh wrote:
>
> All,
>
> I've been trying to get our new AD environment and our existing IPA
> environment all happy, but am having little luck. To start, our info
> and a few questions:
>
> IPA servers running CentOS 6.5 and ipa-server-3.0.0-42
> Windows DC servers running Windows Server 2012
>
> Anonymized domain info:
> IPA NetBIOS domain: IPA
> IPA DNS domain: domain.com
> WIN NetBIOS domain: AD
> WIN DNS domain: win.domain.com
>
> AD environment using itself for DNS, IPA environment using external
> DNS (Cobbler/Bind). The appropriate _tcp, _ldap, etc. DNS entries have
> been created in the domain.com domain in Bind. I
> have set up users in IPA and AD with the same username and added a
> name mapping in AD to username at DOMAIN.COM.
>
>

How are the domains connected? Do you use trust or sync?

> 1) Is it possible to log into a workstation that's been joined to a
> domain with IPA credentials?
>

You mean: can a user from the IPA domain access a Windows workstation joined to the AD domain? No, it is not implemented. It will require Global Catalog support in IPA.

> 2) If so, what are the minimum requirements for that? Do I need to run
> FreeIPA 3.3 on CentOS 7? FreeIPA 4 on Fedora? Something else?
>
> 3) Is there any way to log into the domain workstation with the
> NetBIOS domain and username and have it authenticate against the IPA
> environment? As in AD\username instead of username at DOMAIN.COM?
> If only the latter will work, will users
> be able to map drives and access other AD resources without being
> prompted for username/pass?

You seem to be looking for the full mutual trust capability. It is not there yet. Help is welcome!

>
> 4) For initial setup of users, do the passwords for the AD and IPA
> accounts need to be the same? Will a password change in the Windows
> environment change the IPA password?

If you use sync then users and passwords are synced. If you use trust, users stay where they are created (in AD or in IPA) and the client is redirected to the AD or IPA domain the user is created in.

>
> Any other hints, etc. for how to get this all working would be
> appreciated. I've gone through the FreeIPA AD Trust page(s) and
> various other sources, but am unclear on how things should work and
> whether or not I'm doing something wrong. Our old Windows 2003 domain
> is authenticating fine against MIT Kerberos, so I'm rather surprised
> how difficult this is proving to be.

If you just want to use IPA for Windows, for now you have to use the same Kerberos setup on Windows workstations as you have in the old domain. The main point of IPA is to serve Linux clients, not to replace AD. The AD can be replaced with Samba 4 and we are working on making it support trusts with IPA.

>
> Many thanks in advance,
>
> Hugh
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From Steven.Jones at vuw.ac.nz Thu Jan 29 23:19:53 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Jan 2015 23:19:53 +0000
Subject: [Freeipa-users] 2012r2 AD and RHEL 7.1 IPA compatibility
In-Reply-To: <54CAB395.6040704@redhat.com>
References: <54CAB395.6040704@redhat.com>
Message-ID: <1422573475135.3911@vuw.ac.nz>

Where is this at? i.e. is the above a supported configuration?

So will passsync and winsync work OK?

Will trusts?

Will they work together?

So ideally I'd like to use winsync and passsync to provision users from AD to IPA. Then in specific low security situations use trusts to grant access. So for low security instances, e.g. a user on a Windows or Linux desktop can login with one password.
However for high level security I want to have permissions only granted/grantable in IPA. So an admin to say the HR database server cannot login with a trust from IPA they have to be in a user group setup in IPA only. regards Steven -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Thu Jan 29 23:29:54 2015 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 29 Jan 2015 18:29:54 -0500 Subject: [Freeipa-users] 2012r2 AD and RHEL 7.1 IPA compatibility In-Reply-To: <1422573475135.3911@vuw.ac.nz> References: , <54CAB395.6040704@redhat.com> <1422573475135.3911@vuw.ac.nz> Message-ID: <54CAC272.2090507@redhat.com> On 01/29/2015 06:19 PM, Steven Jones wrote: > > Where is this at? ie is the above a supported configuration? > Supported. > > So will passync and winsync work OK? > Yes > > Will trusts? > Yes > > Will they work together? > Only during migration. There is a migration strategy. http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust > So ideally I'd like to use winsync and passsync to provision users > from AD to IPA. Then in specific low security situations use trusts to > grant access. So for low security instances eg a user on a windows > or linux desktop can login with one password. > I am not sure I follow. With trust you have a single user entry in AD and even if a Linux system is connected to IPA the user logging into it will authenticate against AD but it will be IPA that will define whether this user can access this system. It will be defined via HBAC rules. So whether you use trust or sync the access control is orthogonal and depends on which system the host is joined to. I guess you need to take a look at how IPA can define HBAC rules for users from AD in trust case. You add an AD group as a member of the IPA group and then apply HBAC policy to that IPA group. > > However for high level security I want to have permissions only > granted/grantable in IPA. 
So an admin to say the HR database server
> cannot login with a trust from IPA they have to be in a user group
> setup in IPA only.
>
>
> regards
> Steven
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From Less at imagine-sw.com Fri Jan 30 05:48:18 2015
From: Less at imagine-sw.com (Les Stott)
Date: Fri, 30 Jan 2015 05:48:18 +0000
Subject: [Freeipa-users] CA Replication Installation Failing
In-Reply-To: <4ED173A868981548967B4FCA270722262804A449@AACMBXP04.exchserver.com>
References: <4ED173A868981548967B4FCA270722262803F3C5@AACMBXP04.exchserver.com> <4ED173A868981548967B4FCA2707222628048DF6@AACMBXP04.exchserver.com>, <54867F51.1030603@redhat.com> <4ED173A868981548967B4FCA2707222628049113@AACMBXP04.exchserver.com> <1418148291.27499.20.camel@aleeredhat.laptop> <4ED173A868981548967B4FCA270722262804A449@AACMBXP04.exchserver.com>
Message-ID: <4ED173A868981548967B4FCA27072226280A6EA9@AACMBXP04.exchserver.com>

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Les Stott
> Sent: Wednesday, 10 December 2014 6:22 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>
> > -----Original Message-----
> > From: Ade Lee [mailto:alee at redhat.com]
> > Sent: Wednesday, 10 December 2014 5:05 AM
> > To: Les Stott
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> > On Tue, 2014-12-09 at 07:48 +0000, Les Stott wrote:
> > > ______________________________________________________________________
> > > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > To: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > > Does anyone have any ideas on the below errors when trying to add
> > > > CA replication to an existing replica?
> > > >
> > > > People who might be able to help are on PTO right now.
> > > >
> > > > Is your installation older than 2 years?
> > >
> > > No, December 2013 was when it was originally built.
> > >
> > > > Did you generate a new replica package or use the original one?
> > >
> > > I used the original replica file for serverb, based on instructions
> > > I came across. I can try regenerating the replica file.
> > >
> > > Interestingly, now that you mention it, servera had to be restored a
> > > couple of months back. Perhaps this is an issue and regenerating the
> > > replica file for serverb will be required.
> > >
> > > I will try this.
> > >
> > I think that this is a safe bet to be the problem.
> >
> > The error in the log snippet you posted says:
> >
> > The pkcs12 file is not correct.
> >
> > This indicates that the clone CA was unable to decode the pkcs12 file
> > in the replica. Perhaps the certs changed -- or the DM password changed?
> >
> > Ade
>
> I regenerated the replica file and retried the CA replica setup, but it failed at
> the same point with the same error.
>
> I am thinking that the next step is to uninstall the ipa replica to cleanup,
> remove all traces and re-add as a replica on serverb.
>
> I wonder if the cert that its having an issue with is the one on serverB under
> /etc/ipa/ca.crt which is from Dec 2013.
>
> I will try that in a couple of days as I have to schedule this work in as its in
> production.
>
> Regards,
>
> Les
>
> > > > Maybe the problem is that the cert that is in that package already
> > > > expired?
> > >
> > > original replica file was created on Dec 16 2013. Cert is not set to
> > > expire until 2015-12-17.
> > >
> > > > Just a thought...
> > > >
> > > > The simplest workaround IMO would be to prepare Server C, install it
> > > > with CA and then decommission replica B.
> > > > Do not forget to clean replication agreements on master.
> > > >
> > > > But that would be work around, would not solve this specific
> > > > problem, it will kill it.
> > >
> > > I actually do have serverc and serverd. I planned to have CA
> > > replication on at least 2 other servers, but held off on trying on
> > > serverc due to issues with serverb.
> > >
> > > I'll report back what I find after regenerating the replica file and
> > > re-trying to set up CA replication.
>

After a bit of a hiatus I have revisited this issue and I still have it.

Just to re-iterate the problem...

Trying to set up a CA replica on an already installed replica fails in rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xxxxxx -w xxxxxx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing....

"CRITICAL failed to configure ca instance"

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

It doesn't matter if I run it interactively or unattended.

I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.

The /var/log/ipareplica-ca-install.log shows the following error about White Spaces:

#############################################
Attempting to connect to: mymaster.mydomain.com:9445
Connected.
Posting Query = https:// mymaster.mydomain.com:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Fmymaster.mydomain.com%3A443&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Fri, 30 Jan 2015 05:05:04 GMT
RESPONSE HEADER: Connection: close
admin/console/config/securitydomainpanel.vm 443 mymaster.mydomain.com CA /sbin/service pki-cad <security_domain_instance_name> https:// myhost.mydomain.com:9445 80 org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.

The /var/log/pki-ca/debug also shows....

[30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase pingCS: started
[30/Jan/2015:00:05:04][http-9445-1]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[30/Jan/2015:00:05:04][http-9445-1]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase getCertChainUsingSecureAdminPort start
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[30/Jan/2015:00:05:05][http-9445-1]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.

When I compare those logs to the logs from the server I installed a ca-replica on successfully, the above is the point where the logs differ and it must be the source of the error.

In the log of the server that was successful it shows what should have happened...

[25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . .
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: started
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase pingCS: state=1
[25/Nov/2014:00:09:54][http-9445-2]: SecurityDomainPanel: pingAdminCS returns: 1
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: status=0
[25/Nov/2014:00:09:54][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort: certchain=

I have tried rolling back pki rpms to 9.0.3-32 but this hasn't helped.

Note, also, I am trying this on new servers, not the same ones used in December.

I have searched high and low on google to try and find a resolution for the White Space issue but haven't found anything that worked.

This seems like a bug to me.

Can anyone help with this please?

Thanks in advance,

Regards,

Les

From genadipost at gmail.com Sat Jan 31 18:37:38 2015
From: genadipost at gmail.com (Genadi Postrilko)
Date: Sat, 31 Jan 2015 20:37:38 +0200
Subject: [Freeipa-users] sssd compatibility with older RHEL 6 minor releases.
Message-ID:

Hello all.

The environment I'm currently working to migrate under IPA identity management contains mostly RHEL 6.2 servers.
I'm planning to use Active Directory Cross Forest Trust for Identities, IPA as sudo provider, and all the other goodies that IPA provides.
If I want to enjoy all the new features (at least most of them), I know that clients have to be sssd version > 1.9.
And if I want IPA to be auto configured as sudo provider it has to be sssd > 1.11.
When reading the mailing list I noticed that sssd 1.11 is mentioned as a feature of rhel 6.6.
What I would like to understand is what could go wrong if I install sssd 1.11 on rhel 6.2 servers. And what are your general recommendations for older RHEL 6 (minor) releases?

Thanks in advance,
Genadi.