From prashant at apigee.com Wed Jul 1 01:12:03 2015 
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 1 Jul 2015 06:42:03 +0530
Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module
In-Reply-To: <1435659270.7621.37.camel@willson.usersys.redhat.com>
References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com> <20150630070919.GN6442@hendrix.redhat.com> <20150630072213.GB31810@p.redhat.com> <20150630073155.GQ6442@hendrix.redhat.com> <20150630080639.GC31810@p.redhat.com> <1435659270.7621.37.camel@willson.usersys.redhat.com>
Message-ID:

Hi Simo,

Thanks for the reply. Could you please elaborate or point me to some documentation on how to set this up.

What I want to be able to achieve is that a user should login with a 2FA once a day and all subsequent logins are allowed thru public key only.

Regards.
--Prashant

On 30 June 2015 at 15:44, Simo Sorce wrote:

> On Tue, 2015-06-30 at 10:06 +0200, Sumit Bose wrote:
> > On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
> > > On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> > > > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > > > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I was able to set this up in a Fedora instance with SSSD and it works as
> > > > > > expected. SSHD first uses the public key and then prompts for password
> > > > > > which is of course password+OTP.
> > > > > >
> > > > > > However, having a user enter the password+OTP every time he logs in during
> > > > > > the day is kind of inconvenient. Is it possible to make sure the user has
> > > > > > to login once and the credentials are cached for say 12/24 hours. I know
> > > > > > this is possible just using the password. Question is, is this possible
> > > > > > using password+OTP?
> > > > > >
> > > > > We have an SSSD feature under review now that would help you:
> > > > > https://fedorahosted.org/sssd/ticket/1807
> > > > >
> > > > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We
> > > > > should!
> > > >
> > > > hm, I agree we should, but I guess we should test that cached
> > > > authentication does _not_ work with 2FA/OTP. Because it is expected that
> > > > the OTP token only works once, so that e.g. it can be used in an
> > > > insecure environment to set up a secure tunnel.
> > > >
> > > Sure, the second factor must not be reused :-) but couldn't we use the
> > > cached auth to support cases like this where the second factor is to be
> > > used only once per some time and use only the first factor in the
> > > meantime?
> >
> > I'm a bit reluctant here. If the two factors are intercepted in an
> > insecure environment the attacker will still have a valid password which
> > can be used for some time. Additionally, iirc cached authentication is
> > not aware of the service used. If e.g. OTP was used to just get a
> > response from some unprotected and unprivileged service the intercepted
> > password can be used to log in with ssh as well. So I guess we need a
> > careful discussion here.
>
> The solution for these environments already exists and it is called
> GSSAPI. You can obtain a ticket with 2FA and then use your TGT for 10 or
> more hours. There is no need to invent broken ways to skip two factor
> auth when we already have a way to make this easy *and* secure.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From Alexander.Frolushkin at megafon.ru Wed Jul 1 03:51:13 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 1 Jul 2015 03:51:13 +0000
Subject: [Freeipa-users] Unfamiliar message and crashes
In-Reply-To: <5592C271.7000304@redhat.com>
References: <5592C271.7000304@redhat.com>
Message-ID: <423acceae1e046c4877da020d992e4bc@sib-ums03.Megafon.ru>

Thank you for the reply.

# rpm -q 389-ds-base ipa-server slapi-nis
389-ds-base-1.3.3.1-16.el7_1.x86_64
ipa-server-4.1.0-18.el7_1.3.x86_64
slapi-nis-0.54-3.el7_1.x86_64

Okay, we will try to get it if it happens again

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Tuesday, June 30, 2015 10:23 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unfamiliar message and crashes

On 06/29/2015 10:08 PM, Alexander Frolushkin wrote:
Hello.
What does message
NSMMReplicationPlugin - agmt="cn=cloneAgreement1-host1.domain.com-pki-tomcat" (host2:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
mean?
A lot of these messages appeared in error dirsrv log yesterday, and several crashes
ns-slapd[31026]: segfault at 25 ip 00007f7aa499c800 sp 00007f7a4b7e14f0 error 4 in libslapd.so.0.0.0[7f7aa4948000+11c000]
also noticed?
Any thoughts, what to do?

Please provide the versions you are using:
# rpm -q 389-ds-base ipa-server slapi-nis

Debugging crashes: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
in addition:
# debuginfo-install ipa-server slapi-nis

We need to see some stack traces

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
(c)20mf50

From Markus.Moj at mc.ingenico.com Wed Jul 1 05:54:31 2015
From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com)
Date: Wed, 1 Jul 2015 05:54:31 +0000
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References: <20150628132501.GB19902@redhat.com>
Message-ID:

Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our Jira and see how it works out.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA, including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the one that works for us.

Key points:

a) Integration Style: "Internal Directory with LDAP Authentication" --> only those users that attempt to login are replicated, useful if your JIRA users are a subset of your FreeIPA users.

b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA Support.

c) bind = via user / password --> we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all important mail attribute was not replicated.

d) as the password of the bind user is stored in plaintext in the jira db, make sure this is a limited user (member of the default ipa-users group is sufficient). e.g. don't use the Directory Manager user!

e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute

Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function).

mysql> select attribute_name, attribute_value from cwd_directory_attribute where directory_id = 10001;
+--------------------------------------------+---------------------------------------------------------------------+
| attribute_name                             | attribute_value                                                     |
+--------------------------------------------+---------------------------------------------------------------------+
| autoAddGroups                              | jira-users                                                          |
| crowd.delegated.directory.auto.create.user | true                                                                |
| crowd.delegated.directory.auto.update.user | true                                                                |
| crowd.delegated.directory.importGroups     | false                                                               |
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP                           |
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com                                    |
| ldap.external.id                           | uid                                                                 |
| ldap.group.description                     | description                                                         |
| ldap.group.dn                              |                                                                     |
| ldap.group.filter                          | (objectclass=groupOfUniqueNames)                                    |
| ldap.group.name                            | cn                                                                  |
| ldap.group.objectclass                     | groupOfUniqueNames                                                  |
| ldap.group.usernames                       | uniqueMember                                                        |
| ldap.nestedgroups.disabled                 | true                                                                |
| ldap.pagedresults                          | false                                                               |
| ldap.pagedresults.size                     | 1000                                                                |
| ldap.password                              | xxxxxxxxx                                                           |
| ldap.referral                              | false                                                               |
| ldap.url                                   | ldap://xxx-ldap.my.silly.example.com:389                            |
| ldap.user.displayname                      | displayName                                                         |
| ldap.user.dn                               | cn=accounts                                                         |
| ldap.user.email                            | mail                                                                |
| ldap.user.filter                           | (objectclass=inetorgperson)                                         |
| ldap.user.firstname                        | givenName                                                           |
| ldap.user.group                            | memberOf                                                            |
| ldap.user.lastname                         | sn                                                                  |
| ldap.user.objectclass                      | inetorgperson                                                       |
| ldap.user.username                         | uid                                                                 |
| ldap.user.username.rdn                     | cn                                                                  |
| ldap.userdn                                | uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com      |
| ldap.usermembership.use                    | false                                                               |
| ldap.usermembership.use.for.groups         | false                                                               |
+--------------------------------------------+---------------------------------------------------------------------+

@Martin K

In an earlier thread on FreeIPA / JIRA integration you asked for contributions to a "How to Article". I think the solution above could be the basis of such an article.

Cheers

Chris

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Alexander Bokovoy , Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 29.06.2015 11:27
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

Hi all

I am fighting this exact problem too.

We had setup Jira, integrated to FreeIPA with the option "Internal Directory with LDAP Authentication", using anonymous bind. This integration path means that when a FreeIPA user attempts to logon to Jira with his FreeIPA Credentials, his user is replicated from FreeIPA to the Jira user directory.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

While this allows FreeIPA users to successfully log in to Jira, the user was replicated without email, which renders Jira as useful as a chocolate teapot.

Alexander's reply prompted me to "go back to basics". So I fired up Apache Directory Studio, and the command line to do some ldapsearches, to see what was returned. This should then guide me how to configure the JIRA / FreeIPA integration.

Query 1: Anonymous bind, filter is uid = bilbo

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=bilbo)
# requesting: ALL
#

# bilbo, users, compat, my.ch.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
gidNumber: 1175800010
gecos: bilbo bagins
uidNumber: 1175800010
loginShell: /bin/sh
homeDirectory: /home/bilbo
uid: bilbo

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

This returns 2 replies, inc one from the compat tree, as suggested by Alexander. Note however, neither reply has the mail attribute!

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid = bilbo (This is probably close to the JiRA query, which includes inetorgperson)

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This now returns 1 record, from users, accounts, but still no mail attribute

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Ah! me thinks - what about a search with user and password? Does this get us something different?

Query 3: same as query 2, but no longer anonymous:

[root at xxx-ldap ~]# ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
mail: lamb at ch.example.com
krbPrincipalName: bilbo at my.silly.example.COM
givenName: bilbo
sn: bagins
ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872
uidNumber: 1175800010
gidNumber: 1175800010
krbPasswordExpiration: 20150831183039Z
krbLastPwdChange: 20150602183039Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

That is much more like it: Performing the query with an ldap user and password gives me many more attributes, including the desired mail attribute.

Next I will configure JIRA to bind to FreeIPA with a FreeIPA user (non-anonymous bind), and report back ...

(unless there is a way to configure which attributes are available to anonymous binds ...)

Cheers

Chris

From: Alexander Bokovoy
To: Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 28.06.2015 15:26
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote:
>Hi @all,
>
>
>
>I am new to freeIPA operating and are facing an issue with mail object
>in freeIPA. We are running Jira from Atlassian and are trying to
>authenticate against freeIPA. The authentication process is running but
>mail object is not provided by freeIPA to Jira to inform users about
>new events / trackers or whatsoever. If a test object is displayed with
>ldapsearch mail attribute is available and set but is not useable by
>Jira.
>
>How is it possible to inherit mail accounts in Jira to be able to
>authenticate and use FreeIPA as IDM for Jira as well as for Linux
>systems.

This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your basedn when configuring Jira. If that's the case, then Jira gets results from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if compat tree is enabled.

In the compat tree you have RFC2307 schema which doesn't include mail attribute and slapi-nis always answers first over LDAP queries that apply to cn=compat,$SUFFIX so you are ending up with two LDAP entries returned for each individual IPA user, one from the compat tree without mail attribute, another one is the original entry from cn=users,cn=accounts,$SUFFIX.

Jira most likely expects a single entry response and if it gets more, only evaluates the first entry -- the one that is returned by the compat tree and which doesn't have mail attribute.

You can solve this issue by bounding your query to cn=accounts,$SUFFIX to only return primary IPA user/group entries.

--
/ Alexander Bokovoy

From christopher.lamb at ch.ibm.com Wed Jul 1 07:30:38 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Wed, 1 Jul 2015 09:30:38 +0200
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References: <20150628132501.GB19902@redhat.com>
Message-ID:

Hi Markus

It is a pleasure. It was serendipity that we were working on the same problem at the same time. Your thread prompted me to take a different look at the question and find a viable solution. Let us know if it works for you.

What intrigues me is: with my solution we had to change from an anonymous bind to a simple bind via user / pw to get one extra attribute: mail.

This raises the question: Is there some way to configure IPA to determine which user attributes are returned to anonymous binds?

Cheers

Chris

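The duplicate-entry behaviour discussed in this thread (a search from the suffix returns one entry from cn=compat and one from cn=users,cn=accounts, and a client that reads only the first hit sees no mail) can be checked offline against saved ldapsearch output. The following is an added example, not part of any message in this thread; the LDIF sample and its mail value are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the ldapsearch output quoted in the thread:
# the same uid is answered once from cn=compat and once from cn=accounts.
# The mail value is made up for this example.
SUFFIX = "dc=my,dc=silly,dc=example,dc=com"
SAMPLE_LDIF = """\
# bilbo, users, compat
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
uid: bilbo

# bilbo, users, accounts
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,
 dc=example,dc=com
cn: bilbo bagins
objectClass: inetorgperson
objectClass: posixaccount
uid: bilbo
mail: bilbo@example.com
"""


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records into a list of dicts.

    Handles comments, blank-line record separators and folded lines
    (a continuation line starts with one space). Base64 ('attr:: ...')
    values are not decoded by this sketch.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def dn_components(dn):
    """Split a DN into lower-cased RDN strings (split on unescaped commas)."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]


def is_under(dn, base):
    """True if dn lies in the subtree rooted at base (RDN-wise suffix match)."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[-len(b):] == b


def uid_hits(entries, uid):
    """All entries whose uid attribute matches, in the order the server sent them."""
    return [e for e in entries
            if uid.lower() in (v.lower() for v in e.get("uid", []))]


def resolve_user(entries, uid, user_base):
    """Return the single entry for uid below user_base; refuse ambiguous results."""
    hits = [e for e in uid_hits(entries, uid) if is_under(e["dn"][0], user_base)]
    if len(hits) != 1:
        raise LookupError(
            f"expected exactly one entry for uid={uid} under {user_base}, got {len(hits)}")
    return hits[0]


def audit(entries, uid, suffix=SUFFIX):
    """Summarise what a first-hit client sees versus the cn=accounts entry."""
    hits = uid_hits(entries, uid)
    primary = resolve_user(entries, uid, "cn=accounts," + suffix)
    return {
        "entries_for_uid": len(hits),
        "from_compat": sum(is_under(e["dn"][0], "cn=compat," + suffix) for e in hits),
        "first_hit_has_mail": bool(hits) and "mail" in hits[0],
        "primary_dn": primary["dn"][0],
        "primary_mail": primary.get("mail", []),
    }


if __name__ == "__main__":
    for key, value in audit(parse_ldif(SAMPLE_LDIF), "bilbo").items():
        print(f"{key}: {value}")
```

Run against real output, an empty `primary_mail` on the cn=accounts entry points at the bind used for the search rather than at the base DN, which is the difference between Query 2 and Query 3 above.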
From: To: Christopher Lamb/Switzerland/IBM at IBMCH, , Cc: Date: 01.07.2015 07:54 Subject: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool Hi Christopher, thanks very much for your help, I appreciate it. I will reconfigure our Jira and see how it works out. -----Urspr?ngliche Nachricht----- Von: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com] Gesendet: Montag, 29. Juni 2015 16:08 An: Alexander Bokovoy; Moj, Markus; Martin Kosek Cc: freeipa-users at redhat.com Betreff: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool Hi As of a few minutes ago, we can now replicate FreeIPA users to JIRA, including the vital mail attribute! Note there are probably other solutions that work as well, but this is the one that works for us. Key points: a) Integration Style: "Internal Directory with LDAP Authentication" --> only those users that attempt to login are replicated, useful if your JIRA users are a subset of your FreeIPA users. b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA Support. c) bind = via user / password --> we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all important mail attribute was not replicated. d) as the password of the bind user is stored in plaintext in the jira db, make sure this is a limited user (member of the default ipa-users group is sufficient). e.g. don't use the Directory Manager user! e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function. 
mysql> select attribute_name, attribute_value from mysql> cwd_directory_attribute where directory_id = 10001; +--------------------------------------------+---------------------------------------------------------------------+ | attribute_name | attribute_value | +--------------------------------------------+---------------------------------------------------------------------+ | autoAddGroups | jira-users | | crowd.delegated.directory.auto.create.user | true | | crowd.delegated.directory.auto.update.user | true | | crowd.delegated.directory.importGroups | false | | crowd.delegated.directory.type | com.atlassian.crowd.directory.GenericLDAP | | ldap.basedn | dc=my,dc=silly,dc=example,dc=com | | ldap.external.id | uid | | ldap.group.description | description | | ldap.group.dn | | | ldap.group.filter | (objectclass=groupOfUniqueNames) | | ldap.group.name | cn | | ldap.group.objectclass | groupOfUniqueNames | | ldap.group.usernames | uniqueMember | | ldap.nestedgroups.disabled | true | | ldap.pagedresults | false | | ldap.pagedresults.size | 1000 | | ldap.password | xxxxxxxxx | | ldap.referral | false | | ldap.url | ldap://xxx-ldap.my.silly.example.com:389 | | ldap.user.displayname | displayName | | ldap.user.dn | cn=accounts | | ldap.user.email | mail | | ldap.user.filter | (objectclass=inetorgperson) | | ldap.user.firstname | givenName | | ldap.user.group | memberOf | | ldap.user.lastname | sn | | ldap.user.objectclass | inetorgperson | | ldap.user.username | uid | | ldap.user.username.rdn | cn | | ldap.userdn | uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com | | ldap.usermembership.use | false | | ldap.usermembership.use.for.groups | false | +--------------------------------------------+---------------------------------------------------------------------+ @Martin K In an earlier thread on FreeIPA / JIRA integration you asked for contributions to a "How to Article". I think the solution above could be the basis of such an article. Cheers Chris 
From: Christopher Lamb/Switzerland/IBM at IBMCH To: Alexander Bokovoy , Markus.Moj at mc.ingenico.com Cc: freeipa-users at redhat.com Date: 29.06.2015 11:27 Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool Sent by: freeipa-users-bounces at redhat.com Hi all I am fighting this exact problem too. We had setup Jira, integrated to FreeIPA with the option "Internal Directory with LDAP Authentication", using anonymous bind. This integration path means that when a FreeIPA user attempts to logon to Jira with his FreeIPA Credentials, his user is replicated from FreeIPA to the Jira user directory. https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal +Directory+with+LDAP+Authentication While this allows FreeIPA users to successfully log in to Jira, the user was replicated without email, which renders Jira as useful as a chocolate teepot. Alexanders's reply prompted me to "go back to basics". So I fired up Apache Directory Studio, and the command line to do some ldapsearchs, to see what was returned. This should then guide me how to configure the JIRA / FreeIPA integration. 
Query 1: Anonymous bind, filter is uid = bilbo [root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)" # extended LDIF # # LDAPv3 # base with scope subtree # filter: (uid=bilbo) # requesting: ALL # # bilbo, users, compat, my.ch.example.com dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com cn: bilbo bagins objectClass: posixAccount objectClass: top gidNumber: 1175800010 gecos: bilbo bagins uidNumber: 1175800010 loginShell: /bin/sh homeDirectory: /home/bilbo uid: bilbo # bilbo, users, accounts, my.ch.example.com dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com displayName: bilbo bagins cn: bilbo bagins objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: sambaSAMAccount objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry loginShell: /bin/sh initials: bb gecos: bilbo bagins homeDirectory: /home/bilbo uid: bilbo givenName: bilbo sn: bagins uidNumber: 1175800010 gidNumber: 1175800010 # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 This returns 2 replies, inc one from the compat tree, as suggested by Alexander. Note however, neither reply has the mail attribute! 
////////////////////////////////////////////////////////////////////////////////////////////////////////////// Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid = bilbo (This is probably close to the JiRA query, which includes inetorgperson) [root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))" # extended LDIF # # LDAPv3 # base with scope subtree # filter: (&(objectClass=inetorgperson)(uid=bilbo)) # requesting: ALL # # bilbo, users, accounts, my.ch.example.com dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com displayName: bilbo bagins cn: bilbo bagins objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: sambaSAMAccount objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry loginShell: /bin/sh initials: bb gecos: bilbo bagins homeDirectory: /home/bilbo uid: bilbo givenName: bilbo sn: bagins uidNumber: 1175800010 gidNumber: 1175800010 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 This now returns 1 record, from users, accounts, but still no mail attribute ////////////////////////////////////////////////////////////////////////////////////////////////////////////// Ah! me thinks - what about a search with user and password? Does this get us something different? 
Query 3: same as query 2, but no longer anonymous: [root at xxx-ldap ~]# ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))" Enter LDAP Password: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (&(objectClass=inetorgperson)(uid=bilbo)) # requesting: ALL # # bilbo, users, accounts, my.ch.example.com dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com displayName: bilbo bagins cn: bilbo bagins objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: sambaSAMAccount objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry loginShell: /bin/sh initials: bb gecos: bilbo bagins homeDirectory: /home/bilbo uid: bilbo mail: lamb at ch.example.com krbPrincipalName: bilbo at my.silly.example.COM givenName: bilbo sn: bagins ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872 uidNumber: 1175800010 gidNumber: 1175800010 krbPasswordExpiration: 20150831183039Z krbLastPwdChange: 20150602183039Z memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 That is much more like it: Performing the query with an ldap user and password gives me many more attributes, including the desired mail attribute. Next I will configure JIRA to bind to FreeIPA with a FreeIPA user (non- anonymous bind), and report back ... (unless there is a way to configure which attributes are available to anonymous binds ...) Cheers Chris 
From: Alexander Bokovoy To: Markus.Moj at mc.ingenico.com Cc: freeipa-users at redhat.com Date: 28.06.2015 15:26 Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool Sent by: freeipa-users-bounces at redhat.com On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote: >Hi @all, > > > >I am new to freeIPA operating and are facing an issue with mail object >in freeIPA. We are running Jira from Atlassian and are trying to >authenticate against freeIPA. The authentication process is running but >mail object is not provided by freeIPA to Jira to inform users about >new events / trackers or whatsoever. If a test object is displayed with >ldapsearch mail attribute is available and set but is not useable by >Jira. > >How is it possibilt to inherit mail accounts in Jira to be able to >authenticate and use FreeIPA as IDM for Jira as well as for Liunx >systems. This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your basedn when configuring Jira. If that's the case, then Jira gets results from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if compat tree is enabled. In the compat tree you have RFC2307 schema which doesn't include mail attribute and slapi-nis always answers first over LDAP queries that apply to cn=compat,$SUFFIX so you are ending up with two LDAP entries returned for each individual IPA users, one from the compat tree without mail attribute, another one is the original entry from cn=users,cn=accounts,$SUFFIX. Jira most likely expects a single entry response and if gets more, only evaluates the first entry -- the one that is returned by the compat tree and which doesn't have mail attribute. You can solve this issue by bounding your query to cn=accounts,$SUFFIX to only return primary IPA user/group entries. 
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Wed Jul 1 08:12:54 2015
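The duplicate-entry behaviour described in the "FreeIPA mail object" message above, as an added example that is not part of the original thread: it parses LDIF, emulates a subtree search from a given base DN, and reports what a client that evaluates only the first returned entry would see for `mail`. The compat-tree entry, the mail value and all function names are constructed for illustration; the search emulation filters on `uid` only, which is an assumption about the client's query.

```python
import base64

SUFFIX = "dc=my,dc=silly,dc=example,dc=com"

# Constructed sample, ordered as the thread describes: the compat-tree entry
# (RFC2307 attributes only) is answered first, the cn=accounts entry second.
SAMPLE_LDIF = """\
# constructed sample
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
objectClass: posixAccount
objectClass: top
uid: bilbo
cn: bilbo bagins
uidNumber: 1175800010
gidNumber: 1175800010
homeDirectory: /home/bilbo
loginShell: /bin/sh

dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,
 dc=example,dc=com
objectClass: inetorgperson
objectClass: posixaccount
uid: bilbo
cn: bilbo bagins
mail: bilbo@example.com
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] in the order entries appear."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold an LDIF continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def normalize_dn(dn):
    # Simplification: ignores escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))


def subtree_search(entries, base_dn, uid):
    """Entries at or below base_dn whose uid matches, in server order."""
    base = normalize_dn(base_dn)
    hits = []
    for dn, attrs in entries:
        ndn = normalize_dn(dn)
        if (ndn == base or ndn.endswith("," + base)) and uid in attrs.get("uid", []):
            hits.append((dn, attrs))
    return hits


def report(entries, base_dn, uid):
    hits = subtree_search(entries, base_dn, uid)
    compat = sum(1 for dn, _ in hits if ",cn=compat," in normalize_dn(dn))
    # A consumer that expects one entry reads only hits[0].
    mail = hits[0][1].get("mail", [None])[0] if hits else None
    return {"base": base_dn, "entries": len(hits),
            "from_compat": compat, "mail_seen": mail}


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for base in (SUFFIX, "cn=accounts," + SUFFIX):
        print(report(parsed, base, "bilbo"))
```

Feeding it real `ldapsearch` output for the same filter shows whether a chosen base DN returns more than one entry per user before the application is pointed at it.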
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 1 Jul 2015 10:12:54 +0200
Subject: [Freeipa-users] username case sensitivity
In-Reply-To: <8e31355c8387479e87d0f3db5bb4fe8a@TCCCORPEXCH02.TCC.local>
References: <9cfa2752940f4897b3cad87232ab8952@TCCCORPEXCH02.TCC.local>
 <20150515194431.GA1242@mail.corp.redhat.com>
 <20150517212321.GA15861@hendrix.redhat.com>
 <002b3de875284413aef030b385c9c0c0@TCCCORPEXCH02.TCC.local>
 <20150518080708.GE15861@hendrix.redhat.com>
 <277c549fbecf47fcac21b35bc146506f@TCCCORPEXCH02.TCC.local>
 <558DF895.5010807@redhat.com>
 <20150629081733.GA6442@hendrix.redhat.com>
 <8e31355c8387479e87d0f3db5bb4fe8a@TCCCORPEXCH02.TCC.local>
Message-ID: <20150701081254.GG6442@hendrix.redhat.com>

On Tue, Jun 30, 2015 at 08:16:05PM +0000, Andy Thompson wrote:
> > > >>>>
> > > >>>>On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> > > >>>>>On (15/05/15 17:27), Andy Thompson wrote:
> > > >>>>>>Is there a way to enforce case sensitivity for trusted AD users?
> > > >>>>>>I am
> > > >>>>>trying to use username for ssh chroots and I can authenticate
> > > >>>>>with any case combination of but if ssh is set to
> > > >>>>>match on then the chroot is not enforced and the user
> > > >>>>>is dropped to their usual home directory. I found a
> > > >>>>>case_sensitive option for sssd but it
> > > >>>>does not
> > > >>>>>seem to have any effect. Running RHEL6.6 clients.
> > > >>>>>IPA domain is by default case sensitive.
> > > >>>>>So You will not change anything if you put "case_sensitive = true"
> > > >>>>>into domain section of sssd.conf.
> > > >>>>>
> > > >>>>>But SSSD will create subdomains for each AD domain. It is
> > > >>>>>different id_provider therefore different default values are used
> > > >>>>>for subdomains and for AD provider it is case *insensitive* by
> > default.
> > > >>>>>
> > > >>>>>Currently there's no way how to change it for subdomains (AD
> > > >>>>>trusted
> > > >>>>>domains)
> > > >>>>>
> > > >>>>What are you using for the SSH matching? The way the case
> > > >>>>insensitiveness is implemented in SSSD is that all usernames are
> > > >>>>forcibly lowercased on output, so as long as SSH uses the standard
> > > >>>>NSS calls, you should be good with using the lowercase usernames..
> > > >>>>
> > > >>>They were initially all in lower case and working when I tested
> > > >>>and finalized
> > > >>the setup. I passed the credentials off and they used mixed case
> > > >>and the match stopped working.
> > > >>
> > > >>What is "they" ? I guess not SSSD but grabbing the data directly from
> > LDAP?
> > > >The match clauses in the sshd config were set to use lower case names. It
> > is using sssd, just a regular ipa client installation. If I logged in using
> > USERName instead of username, the match clause did not work.
> > > >
> > > >-andy
> > > >
> > > Do we have any follow up on this thread? Have we closed the loop and
> > > filed a ticket.
> > > I had a couple of complaints of the similar matter during Red Hat Summit.
> > > It seems that this is one of the emerging issues for the trust environments.
> >
> > I wonder if it's still an issue with 1.12.x and the Kerberos plugin Sumit wrote.
> > Do we have a way to track these requests?
> >
> > Andy, if you have some test machines, could you give 6.7 a try?
> >
>
> The usernames from AD are still not case sensitive on 6.7 so a
>
> Match User Testuser
>
> Stanza in the ssh config is not matched if they login as
>
> testuser
>
> but does match if they login with
>
> Testuser

Thanks for the reply. Then I guess sshd doesn't canonicalize the username with getpwnam(). But I admit I don't know exactly what sshd does, so I hope other developers would chime in here..

From sbose at redhat.com Wed Jul 1 11:15:55 2015
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 1 Jul 2015 13:15:55 +0200
Subject: [Freeipa-users] username case sensitivity
In-Reply-To: <20150701081254.GG6442@hendrix.redhat.com>
References: <9cfa2752940f4897b3cad87232ab8952@TCCCORPEXCH02.TCC.local>
 <20150515194431.GA1242@mail.corp.redhat.com>
 <20150517212321.GA15861@hendrix.redhat.com>
 <002b3de875284413aef030b385c9c0c0@TCCCORPEXCH02.TCC.local>
 <20150518080708.GE15861@hendrix.redhat.com>
 <277c549fbecf47fcac21b35bc146506f@TCCCORPEXCH02.TCC.local>
 <558DF895.5010807@redhat.com>
 <20150629081733.GA6442@hendrix.redhat.com>
 <8e31355c8387479e87d0f3db5bb4fe8a@TCCCORPEXCH02.TCC.local>
 <20150701081254.GG6442@hendrix.redhat.com>
Message-ID: <20150701111555.GD9417@p.redhat.com>

On Wed, Jul 01, 2015 at 10:12:54AM +0200, Jakub Hrozek wrote:
> On Tue, Jun 30, 2015 at 08:16:05PM +0000, Andy Thompson wrote:
> > > > >>>>
> > > > >>>>On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> > > > >>>>>On (15/05/15 17:27), Andy Thompson wrote:
> > > > >>>>>>Is there a way to enforce case sensitivity for trusted AD users?
> > > > >>>>>>I am
> > > > >>>>>trying to use username for ssh chroots and I can authenticate
> > > > >>>>>with any case combination of but if ssh is set to
> > > > >>>>>match on then the chroot is not enforced and the user
> > > > >>>>>is dropped to their usual home directory. I found a
> > > > >>>>>case_sensitive option for sssd but it
> > > > >>>>does not
> > > > >>>>>seem to have any effect. Running RHEL6.6 clients.
> > > > >>>>>IPA domain is by default case sensitive.
> > > > >>>>>So You will not change anything if you put "case_sensitive = true"
> > > > >>>>>into domain section of sssd.conf.
> > > > >>>>>
> > > > >>>>>But SSSD will create subdomains for each AD domain. It is
> > > > >>>>>different id_provider therefore different default values are used
> > > > >>>>>for subdomains and for AD provider it is case *insensitive* by
> > > default.
> > > > >>>>>
> > > > >>>>>Currently there's no way how to change it for subdomains (AD
> > > > >>>>>trusted
> > > > >>>>>domains)
> > > > >>>>>
> > > > >>>>What are you using for the SSH matching? The way the case
> > > > >>>>insensitiveness is implemented in SSSD is that all usernames are
> > > > >>>>forcibly lowercased on output, so as long as SSH uses the standard
> > > > >>>>NSS calls, you should be good with using the lowercase usernames..
> > > > >>>>
> > > > >>>They were initially all in lower case and working when I tested
> > > > >>>and finalized
> > > > >>the setup. I passed the credentials off and they used mixed case
> > > > >>and the match stopped working.
> > > > >>
> > > > >>What is "they" ? I guess not SSSD but grabbing the data directly from
> > > LDAP?
> > > > >The match clauses in the sshd config were set to use lower case names. It
> > > is using sssd, just a regular ipa client installation. If I logged in using
> > > USERName instead of username, the match clause did not work.
> > > > >
> > > > >-andy
> > > > >
> > > > Do we have any follow up on this thread? Have we closed the loop and
> > > > filed a ticket.
> > > > I had a couple of complaints of the similar matter during Red Hat Summit.
> > > > It seems that this is one of the emerging issues for the trust environments.
> > >
> > > I wonder if it's still an issue with 1.12.x and the Kerberos plugin Sumit wrote.
> > > Do we have a way to track these requests?
> > >
> > > Andy, if you have some test machines, could you give 6.7 a try?
> > >
> >
> > The usernames from AD are still not case sensitive on 6.7 so a
> >
> > Match User Testuser
> >
> > Stanza in the ssh config is not matched if they login as
> >
> > testuser
> >
> > but does match if they login with
> >
> > Testuser
>
> Thanks for the reply. Then I guess sshd doesn't canonicalize the
> username with getpwnam(). But I admit I don't know exactly what sshd
> does, so I hope other developers would chime in here..

iirc sshd does call getpwnam() with the name given at the login prompt to determine if the user exists at all and its home-directory, shell, UID and GID which is needed later on. But it does not expect that the name gets canonicalized and continues to use the name given at the login prompt.

I wonder if it would be possible to use group names in the Match clause in your setup? Since sshd must call getgroups() and getgrgid() to get this information here the lower-case group name returned by SSSD should work.

bye,
Sumit

>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From Andy.Thompson at e-tcc.com Wed Jul 1 13:19:43 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 1 Jul 2015 13:19:43 +0000
Subject: [Freeipa-users] username case sensitivity
In-Reply-To: <20150701111555.GD9417@p.redhat.com>
References: <9cfa2752940f4897b3cad87232ab8952@TCCCORPEXCH02.TCC.local>
 <20150515194431.GA1242@mail.corp.redhat.com>
 <20150517212321.GA15861@hendrix.redhat.com>
 <002b3de875284413aef030b385c9c0c0@TCCCORPEXCH02.TCC.local>
 <20150518080708.GE15861@hendrix.redhat.com>
 <277c549fbecf47fcac21b35bc146506f@TCCCORPEXCH02.TCC.local>
 <558DF895.5010807@redhat.com>
 <20150629081733.GA6442@hendrix.redhat.com>
 <8e31355c8387479e87d0f3db5bb4fe8a@TCCCORPEXCH02.TCC.local>
 <20150701081254.GG6442@hendrix.redhat.com>
 <20150701111555.GD9417@p.redhat.com>
Message-ID:

> On Wed, Jul 01, 2015 at 10:12:54AM +0200, Jakub Hrozek wrote:
> > On Tue, Jun 30, 2015 at 08:16:05PM +0000, Andy Thompson wrote:
> > > > > >>>>
> > > > > >>>>On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik
> wrote:
> > > > > >>>>>On (15/05/15 17:27), Andy Thompson wrote:
> > > > > >>>>>>Is there a way to enforce case sensitivity for trusted AD
> users?
> > > > > >>>>>>I am
> > > > > >>>>>trying to use username for ssh chroots and I can
> > > > > >>>>>authenticate with any case combination of but
> > > > > >>>>>if ssh is set to match on then the chroot is not
> > > > > >>>>>enforced and the user is dropped to their usual home
> > > > > >>>>>directory. I found a case_sensitive option for sssd but it
> > > > > >>>>does not
> > > > > >>>>>seem to have any effect. Running RHEL6.6 clients.
> > > > > >>>>>IPA domain is by default case sensitive.
> > > > > >>>>>So You will not change anything if you put "case_sensitive =
> true"
> > > > > >>>>>into domain section of sssd.conf.
> > > > > >>>>>
> > > > > >>>>>But SSSD will create subdomains for each AD domain. It is
> > > > > >>>>>different id_provider therefore different default values
> > > > > >>>>>are used for subdomains and for AD provider it is case
> > > > > >>>>>*insensitive* by
> > > > default.
> > > > > >>>>>
> > > > > >>>>>Currently there's no way how to change it for subdomains
> > > > > >>>>>(AD trusted
> > > > > >>>>>domains)
> > > > > >>>>>
> > > > > >>>>What are you using for the SSH matching? The way the case
> > > > > >>>>insensitiveness is implemented in SSSD is that all usernames
> > > > > >>>>are forcibly lowercased on output, so as long as SSH uses
> > > > > >>>>the standard NSS calls, you should be good with using the
> lowercase usernames..
> > > > > >>>>
> > > > > >>>They were initially all in lower case and working when I
> > > > > >>>tested and finalized
> > > > > >>the setup. I passed the credentials off and they used mixed
> > > > > >>case and the match stopped working.
> > > > > >>
> > > > > >>What is "they" ? I guess not SSSD but grabbing the data
> > > > > >>directly from
> > > > LDAP?
> > > > > >The match clauses in the sshd config were set to use lower case
> > > > > >names. It
> > > > is using sssd, just a regular ipa client installation. If I
> > > > logged in using USERName instead of username, the match clause did
> not work.
> > > > > >
> > > > > >-andy
> > > > > >
> > > > > Do we have any follow up on this thread? Have we closed the loop
> > > > > and filed a ticket.
> > > > > I had a couple of complaints of the similar matter during Red Hat Summit.
> > > > > It seems that this is one of the emerging issues for the trust
> environments.
> > > >
> > > > I wonder if it's still an issue with 1.12.x and the Kerberos plugin Sumit
> wrote.
> > > > Do we have a way to track these requests?
> > > >
> > > > Andy, if you have some test machines, could you give 6.7 a try?
> > > >
> > >
> > > The usernames from AD are still not case sensitive on 6.7 so a
> > >
> > > Match User Testuser
> > >
> > > Stanza in the ssh config is not matched if they login as
> > >
> > > testuser
> > >
> > > but does match if they login with
> > >
> > > Testuser
> >
> > Thanks for the reply. Then I guess sshd doesn't canonicalize the
> > username with getpwnam(). But I admit I don't know exactly what sshd
> > does, so I hope other developers would chime in here..
>
> iirc sshd does call getpwnam() with the name given at the login prompt to
> determine if the user exists at all and its home-directory, shell, UID and GID
> which is needed later on. But it does not expect that the name gets
> canonicalized and continues to use the name given at the login prompt.
>
> I wonder if it would be possible to use group names in the Match clause in
> your setup? Since sshd must call getgroups() and getgrgid() to get this
> information here the lower-case group name returned by SSSD should work.
>

Yes since the groups are retrievable with the new sssd without requiring the user to login any longer, that will work in my use case now. The only reason I ran into the case issue was that I can't use groups on 1.11.x since groups aren't available until a first login.

-andy

From paw at 4gotten.me Wed Jul 1 13:37:44 2015
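The Match behaviour discussed in the "username case sensitivity" thread above, as an added example that is not part of the original messages: an audit that finds `Match User` blocks carrying restrictions and models, under the thread's description (sshd compares the name typed at login case-sensitively, while group names come back lower-cased from SSSD), which typed spellings each block covers. The sample config, the group name `sftponly`, the restriction list and the simplified pattern matching are assumptions.

```python
import fnmatch

# Directives whose absence matters if a Match block silently fails to apply.
RESTRICTIONS = {"chrootdirectory", "forcecommand", "allowtcpforwarding",
                "x11forwarding", "permittty"}

# Constructed sample: the same restriction keyed once on a user name and
# once on a group name.
SAMPLE_CONFIG = """\
# constructed sample
Subsystem sftp internal-sftp

Match User Testuser
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp

Match Group sftponly
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
"""


def parse_match_blocks(text):
    """Return Match blocks with their criteria and the directives they set."""
    blocks, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        keyword = words[0].lower()
        if keyword == "match":
            criteria, args, i = {}, words[1:], 0
            while i < len(args):
                name = args[i].lower()
                if name == "all":             # "Match all" takes no pattern
                    i += 1
                    continue
                criteria[name] = args[i + 1].split(",") if i + 1 < len(args) else []
                i += 2
            current = {"line": lineno, "criteria": criteria, "directives": []}
            blocks.append(current)
        elif current is not None:
            current["directives"].append(keyword)
    return blocks


def pattern_list_matches(patterns, value):
    """Case-sensitive pattern list: '*' and '?' wildcards, '!' negates.
    Simplification: fnmatch also honours [..] sets, which sshd does not."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(value, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(value, pattern):
            matched = True
    return matched


def block_applies(block, typed_name, nss_groups):
    """Model of the thread's description: User is tested against the name as
    typed; Group against names returned by NSS. Other criteria are ignored."""
    crit = block["criteria"]
    if "user" in crit and not pattern_list_matches(crit["user"], typed_name):
        return False
    if "group" in crit and not any(
            pattern_list_matches(crit["group"], g) for g in nss_groups):
        return False
    return True


def audit(text):
    """Match blocks that hang a restriction on a User criterion."""
    findings = []
    for block in parse_match_blocks(text):
        hit = sorted(set(block["directives"]) & RESTRICTIONS)
        if "user" in block["criteria"] and hit:
            findings.append({"line": block["line"],
                             "users": block["criteria"]["user"],
                             "restrictions": hit})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("review:", finding)
    groups = ["sftponly"]                     # lower-cased, as SSSD returns it
    for block in parse_match_blocks(SAMPLE_CONFIG):
        for typed in ("Testuser", "testuser", "TESTUSER"):
            print(block["line"], typed, block_applies(block, typed, groups))
```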
From: paw at 4gotten.me (David Fox)
Date: Wed, 01 Jul 2015 14:37:44 +0100
Subject: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error
Message-ID: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me>

I am encountering issues trying to integrate FreeIPA with AD, on *nix prompt I get "internal server error" and within I receive the following message in httpd_errorlog.

s4_tevent: Destroying timer event 0x7fdde03e1c80 "tevent_req_timedout" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde04fb990 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde04fb990 s4_tevent: Destroying timer event 0x7fdde03d2da0 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde04fabe0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde04fabe0 s4_tevent: Destroying timer event 0x7fdde00e0fa0 "dcerpc_connect_timeout_handler" lsa_OpenPolicy2: struct lsa_OpenPolicy2 in: struct lsa_OpenPolicy2 system_name : * system_name : '' attr : * attr: struct lsa_ObjectAttribute len : 0x00000000 (0) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : * sec_qos: struct lsa_QosInfo len : 0x00000000 (0) impersonation_level : 0x0000 (0) context_mode : 0x00 (0) effective_only : 0x00 (0) access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 0: LSA_POLICY_NOTIFICATION rpc request data: [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0020] 00 00 00 00 00 00 00 00 04 00 02 00 00 00 00 00 ........ ........ [0030] 00 00 00 00 00 00 00 02 ........ 
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde03f1490 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde03f6740 smb_signing_md5: sequence number 8 smb_signing_sign_pdu: sent SMB signature of [0000] 0E 0D 12 02 06 74 B7 D5 .....t.. s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60 smb_signing_md5: sequence number 9 smb_signing_check_pdu: seq 9: got good SMB signature of [0000] DD 05 A9 E5 80 34 B6 8D .....4.. s4_tevent: Destroying timer event 0x7fdde03f6740 "tevent_req_timedout" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde04fbe00 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde04fbe00 s4_tevent: Destroying timer event 0x7fdde03f1490 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde0275e20 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde0275e20 lsa_OpenPolicy2: struct lsa_OpenPolicy2 out: struct lsa_OpenPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6 result : NT_STATUS_OK rpc reply data: [0000] 00 00 00 00 0D F5 93 05 C4 B3 0A 4B B3 D7 F5 02 ........ ...K.... [0010] DA 1E A0 E6 00 00 00 00 ........ 
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 in: struct lsa_QueryInfoPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6 level : LSA_POLICY_INFO_DNS (12) rpc request data: [0000] 00 00 00 00 0D F5 93 05 C4 B3 0A 4B B3 D7 F5 02 ........ ...K.... [0010] DA 1E A0 E6 0C 00 ...... s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde040bb30 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde0416090 smb_signing_md5: sequence number 10 smb_signing_sign_pdu: sent SMB signature of [0000] 9E DF 1C E9 AA 22 79 E4 ....."y. 
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60 smb_signing_md5: sequence number 11 smb_signing_check_pdu: seq 11: got good SMB signature of [0000] 41 6F A0 71 3B 0F C9 36 Ao.q;..6 s4_tevent: Destroying timer event 0x7fdde0416090 "tevent_req_timedout" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde04fbe00 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde04fbe00 s4_tevent: Destroying timer event 0x7fdde040bb30 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde0275e20 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde0275e20 lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 out: struct lsa_QueryInfoPolicy2 info : * info : * info : union lsa_PolicyInformation(case 12) dns: struct lsa_DnsDomainInfo name: struct lsa_StringLarge length : 0x0010 (16) size : 0x0012 (18) string : * string : '*redacted*' dns_domain: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : '*redacted*k' dns_forest: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : '*redacted*' domain_guid : ac57e335-f22b-483b-9504-d6ebfbee1d94 sid : * sid : S-1-5-21-2821962302-3963220949-2539344233 result : NT_STATUS_OK rpc reply data: [0000] 00 00 02 00 0C 00 00 00 10 00 12 00 04 00 02 00 ........ ........ [0010] 12 00 14 00 08 00 02 00 12 00 14 00 0C 00 02 00 ........ ........ [0020] 35 E3 57 AC 2B F2 3B 48 95 04 D6 EB FB EE 1D 94 5.W.+.;H ........ [0030] 10 00 02 00 09 00 00 00 00 00 00 00 08 00 00 00 ........ ........ [0040] 48 00 53 00 41 00 47 00 52 00 4F 00 55 00 50 00 . [0050] 0A 00 00 00 00 00 00 00 09 00 00 00 68 00 73 00 ........ ....h... [0060] 61 00 2E 00 63 00 6F 00 2E 00 75 00 6B 00 00 00 a...c.o. ..u.k... [0070] 0A 00 00 00 00 00 00 00 09 00 00 00 68 00 73 00 ........ ....h... 
[0080] 61 00 2E 00 63 00 6F 00 2E 00 75 00 6B 00 00 00 a...c.o. ..u.k... [0090] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [00A0] 3E BA 33 A8 D5 F3 39 EC 69 51 5B 97 00 00 00 00 >.3...9. iQ[..... lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 in: struct lsa_QueryInfoPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6 level : LSA_POLICY_INFO_ROLE (6) rpc request data: [0000] 00 00 00 00 0D F5 93 05 C4 B3 0A 4B B3 D7 F5 02 ........ ...K.... [0010] DA 1E A0 E6 06 00 ...... s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde043f610 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde0445b20 smb_signing_md5: sequence number 12 smb_signing_sign_pdu: sent SMB signature of [0000] 76 0D 68 E2 C8 D4 98 19 v.h..... s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60 smb_signing_md5: sequence number 13 smb_signing_check_pdu: seq 13: got good SMB signature of [0000] 17 FD 16 79 CC 2E F2 C6 ...y.... 
s4_tevent: Destroying timer event 0x7fdde0445b20 "tevent_req_timedout" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde04fc140 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde04fc140 s4_tevent: Destroying timer event 0x7fdde043f610 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde04fb500 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde04fb500 lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 out: struct lsa_QueryInfoPolicy2 info : * info : * info : union lsa_PolicyInformation(case 6) role: struct lsa_ServerRole role : LSA_ROLE_PRIMARY (3) result : NT_STATUS_OK rpc reply data: [0000] 00 00 02 00 06 00 00 00 03 00 00 00 00 00 00 00 ........ ........ lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName in: struct lsa_QueryTrustedDomainInfoByName handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6 trusted_domain : * trusted_domain: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'ipa.*redacted*' level : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8) rpc request data: [0000] 00 00 00 00 0D F5 93 05 C4 B3 0A 4B B3 D7 F5 02 ........ ...K.... [0010] DA 1E A0 E6 1A 00 1A 00 00 00 02 00 0D 00 00 00 ........ ........ [0020] 00 00 00 00 0D 00 00 00 69 00 70 00 61 00 2E 00 ........ i.p.a... [0030] 68 00 73 00 61 00 2E 00 63 00 6F 00 2E 00 75 00 a... c.o...u. [0040] 6B 00 08 00 k... 
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde00ef550 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=92, this_data=92, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde00ee2f0 smb_signing_md5: sequence number 14 smb_signing_sign_pdu: sent SMB signature of [0000] B0 93 27 43 EE 4A 37 94 ..'C.J7. s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60 smb_signing_md5: sequence number 15 smb_signing_check_pdu: seq 15: got good SMB signature of [0000] 8F F4 5B 5F 27 39 4C 42 ..[_'9LB s4_tevent: Destroying timer event 0x7fdde00ee2f0 "tevent_req_timedout" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde050c440 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde050c440 s4_tevent: Destroying timer event 0x7fdde00ef550 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde05110e0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde05110e0 lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName out: struct lsa_QueryTrustedDomainInfoByName info : * info : * info : union lsa_TrustedDomainInfo(case 8) full_info: struct lsa_TrustDomainInfoFullInfo info_ex: struct lsa_TrustDomainInfoInfoEx domain_name: struct lsa_StringLarge length : 0x001a (26) size : 0x001c (28) string : * string : 'ipa.*redacted*' netbios_name: struct lsa_StringLarge length : 0x001a (26) size : 0x001c (28) string : * string : 'ipa.*redacted*' sid : NULL trust_direction : 0x00000003 (3) 1: 
LSA_TRUST_DIRECTION_INBOUND 1: LSA_TRUST_DIRECTION_OUTBOUND trust_type : LSA_TRUST_TYPE_MIT (3) trust_attributes : 0x00000000 (0) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION posix_offset: struct lsa_TrustDomainInfoPosixOffset posix_offset : 0x00000000 (0) auth_info: struct lsa_TrustDomainInfoAuthInfo incoming_count : 0x00000000 (0) incoming_current_auth_info: NULL incoming_previous_auth_info: NULL outgoing_count : 0x00000000 (0) outgoing_current_auth_info: NULL outgoing_previous_auth_info: NULL result : NT_STATUS_OK rpc reply data: [0000] 00 00 02 00 08 00 00 00 1A 00 1C 00 04 00 02 00 ........ ........ [0010] 1A 00 1C 00 08 00 02 00 00 00 00 00 03 00 00 00 ........ ........ [0020] 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0040] 00 00 00 00 0E 00 00 00 00 00 00 00 0D 00 00 00 ........ ........ [0050] 69 00 70 00 61 00 2E 00 68 00 73 00 61 00 2E 00 i.p.a... h... [0060] 63 00 6F 00 2E 00 75 00 6B 00 00 00 0E 00 00 00 c.o...u. k....... [0070] 00 00 00 00 0D 00 00 00 69 00 70 00 61 00 2E 00 ........ i.p.a... [0080] 68 00 73 00 61 00 2E 00 63 00 6F 00 2E 00 75 00 ... c.o...u. [0090] 6B 00 00 00 00 00 00 00 k....... 
[Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most recent call last):
[Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
[Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063] result = self.Command[name](*args, **options)
[Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
[Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063] ret = self.run(*args, **options)
[Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
[Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063] return self.execute(*args, **options)
[Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute
[Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063] result = self.execute_ad(full_join, *keys, **options)
[Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad
[Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063] self.realm_passwd
[Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in join_ad_full_credentials
[Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063] self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
[Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in establish_trust
[Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063] self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
[Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO: [jsonserver_session] admin at IPA.*redacted*: trust_add(u'*redacted*', trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): TypeError

These are whole logs with "log level = 100" set in smb.conf.empty. Log files were emptied before the above command was run. If there is any other information required please let me know.

Software versions:
Fedora 22: 4.1.4
Fedora 22: 4.2 Alpha 1

Oracle Linux 7.1 64bit: without DNS
ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3

CentOS 7.1 64bit: With DNS
ipa-server.x86_64 - 4.1.0-18-el7.centos.3
ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3

Regards,
David

From abokovoy at redhat.com Wed Jul 1 18:34:48 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 1 Jul 2015 21:34:48 +0300
Subject: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error
In-Reply-To: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me>
References: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me>
Message-ID: <20150701183448.GA11876@redhat.com>

On Wed, 01 Jul 2015, David Fox wrote:
>I am encountering issues trying to integrate FreeIPA with AD, on *nix
>prompt I get "internal server error" and within I receive the following
>message in httpd_errorlog.
>[0070] 00 00 00 00 0D 00 00 00 69 00 70 00 61 00 2E 00 ........
>i.p.a...
>[0080] 68 00 73 00 61 00 2E 00 63 00 6F 00 2E 00 75 00 ... c.o...u.
>[0090] 6B 00 00 00 00 00 00 00 k.......
>[Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR:
>non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected
>type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
>[Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most
>recent call last):
>[Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063] File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348,
>in wsgi_execute
>[Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063] result =
>self.Command[name](*args, **options)
>[Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063] File
>"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in
>__call__
>[Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063] ret =
>self.run(*args, **options)
>[Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063] File
>"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in
>run
>[Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063] return
>self.execute(*args, **options)
>[Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063] File
>"/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474,
>in execute
>[Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063] result =
>self.execute_ad(full_join, *keys, **options)
>[Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063] File
>"/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709,
>in execute_ad
>[Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063]
>self.realm_passwd
>[Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063] File
>"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in
>join_ad_full_credentials
>[Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063]
>self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
>[Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063] File
>"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in
>establish_trust
>[Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063]
>self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
>[Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError:
>default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid'
>for 'py_dom_sid' of type 'NoneType'
>[Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO:
>[jsonserver_session] admin at IPA.*redacted*: trust_add(u'*redacted*',
>trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********',
>all=False, raw=False, version=u'2.112'): TypeError
>
>
>These are whole logs with "log level = 100" set in smb.conf.empty. Log
>files were emptied before the above command was run. If there is any
>other information required please let me know.
>
>Software versions:
>Fedora 22: 4.1.4
>Fedora 22: 4.2 Alpha 1
>
>Oracle Linux 7.1 64bit: without DNS
>ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
>ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
>
>CentOS 7.1 64bit: With DNS
>ipa-server.x86_64 - 4.1.0-18-el7.centos.3
>ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3

It is unclear from your report what exact distro is causing this issue for you. Is this with Fedora 22 (e.g. Samba 4.2)?

--
/ Alexander Bokovoy

From aebruno2 at buffalo.edu Wed Jul 1 21:34:24 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 1 Jul 2015 17:34:24 -0400
Subject: [Freeipa-users] ipa replica failure
In-Reply-To: <20150625214023.GC2764@dead.ccr.buffalo.edu>
References: <20150619182240.GA8365@dead.ccr.buffalo.edu> <55846622.2080401@redhat.com> <55846B1A.90605@redhat.com> <20150619195738.GB8858@dead.ccr.buffalo.edu> <55881593.7070601@redhat.com> <20150622164527.GD18728@dead.ccr.buffalo.edu> <55883C7D.7070605@redhat.com> <20150625214023.GC2764@dead.ccr.buffalo.edu>
Message-ID: <20150701213424.GD29793@dead.ccr.buffalo.edu>

On Thu, Jun 25, 2015 at 05:40:23PM -0400, Andrew E. Bruno wrote:
> On Mon, Jun 22, 2015 at 12:49:01PM -0400, Rob Crittenden wrote:
> > >>
> > >>You aren't seeing a replication agreement. You're seeing the Replication
> > >>Update Vector (RUV).
> > >>
> > >>See http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html
> > >>
> > >>You need to do something like:
> > >>
> > >># ldapmodify -D "cn=directory manager" -W -a
> > >>dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
> > >>objectclass: extensibleObject
> > >>replica-base-dn: o=ipaca
> > >>replica-id: 97
> > >>cn: clean 97
> > >>
> > >
> > >Great, thanks for the clarification.
> > >
> > >Curious what's the difference between running the ldapmodify above and
> > >ipa-replica-manage clean-ruv?
> > >
> >
> > Nothing, for the IPA data. This is a remnant from a CA replication
> > agreement and it was an oversight not to add similar RUV management options
> > to the ipa-careplica-manage tool.
> >
>
> I'm still seeing some inconsistencies. Forgive me if I'm mis-interpreting any
> of this output (still learning the ropes with FreeIPA here)..
>
> Just trying to wrap my head around the RUVs. Trying to follow the docs here:
> http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html
>
> And after running the ldapsearch command to check for "obsolete masters"
> I'm not seeing the replica ID for the old replica we deleted (rep2):
>
>
> $ ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replica
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> objectClass: nsds5replica
> objectClass: top
> objectClass: extensibleobject
> nsDS5ReplicaType: 3
> nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
> nsds5ReplicaLegacyConsumer: off
> nsDS5ReplicaId: 4
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFA
>  LO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep3 at CCR.BUFFA
>  LO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
> nsState:: BAAAAAAAAABIa4xVAAAAAAAAAAAAAAAAJAAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: a0957886-df9c11e4-a351aa45-2e06257b
> nsds5ReplicaChangeCount: 1687559
> nsds5replicareapactive: 0
>
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsDS5Replica
> objectClass: extensibleobject
> nsDS5ReplicaRoot: o=ipaca
> nsDS5ReplicaType: 3
> nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-rep2
>  falo.edu-pki-tomcat,ou=csusers,cn=config
> nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-rep3
>  falo.edu-pki-tomcat,ou=csusers,cn=config
> cn: replica
> nsDS5ReplicaId: 96
> nsDS5Flags: 1
> nsState:: YAAAAAAAAAAPa4xVAAAAAAkAAAAAAAAACgAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: c458be8e-df9c11e4-a351aa45-2e06257b
> nsds5ReplicaChangeCount: 9480
> nsds5replicareapactive: 0
>
>
> I see:
>
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config)
> nsds5replicaid: 4
>
> and
>
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nsDS5ReplicaId: 96
>
>
> In the above output I only see the old replica showing up under:
>
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFA...
>
> According to the docs I need the nsds5replicaid for use in the CLEANALLRUV
> task?
>
> I also checked the RUV tombstone entry as per the docs:
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b dc=ccr,dc=buffalo,dc=edu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> objectClass: nsds5replica
> objectClass: top
> objectClass: extensibleobject
> nsDS5ReplicaType: 3
> nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
> nsds5ReplicaLegacyConsumer: off
> nsDS5ReplicaId: 4
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFA
>  LO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep3 at CCR.BUFFA
>  LO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
> nsState:: BAAAAAAAAADycYxVAAAAAAAAAAAAAAAAJAAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: a0957886-df9c11e4-a351aa45-2e06257b
> nsds50ruv: {replicageneration} 5527f711000000040000
> nsds50ruv: {replica 4 ldap://rep1:389} 5527f771000000040
>  000 558c7228000200040000
> nsds50ruv: {replica 5 ldap://rep3:389} 5537c773000000050
>  000 5582c7f6000600050000
> nsds5agmtmaxcsn: dc=ccr,dc=buffalo,dc=edu;meTorep3;rep3;389;5;558c572b000a00040000
> nsruvReplicaLastModified: {replica 4 ldap://rep1:389} 55
>  8c7204
> nsruvReplicaLastModified: {replica 5 ldap://rep3:389} 00
>  000000
> nsds5ReplicaChangeCount: 1689129
> nsds5replicareapactive: 0
>
> And only see nsds50ruv attributes for rep1, and rep3. However, still seeing
> rep2 in the nsDS5ReplicaBindDN.
>
> If I'm parsing this output correctly, it appears RUVs for rep2 are already
> cleaned? If so, how come the nsDS5ReplicaBindDN still exists?
>
> Also, why is there a nsds50ruv attribute for rep2 listed when I run this query
> (but not the others above):
>
>
> $ ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement
>
> dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=o\
>  3Dipaca,cn=mapping tree,cn=config
>
> nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061
>  0000 556f462b000400610000
>
>
>
> I'm likely missing something here..any help is greatly appreciated.
>

Just wanted to follow up .. I was able to successfully remove the RUV for rep2.

I had the wrong base dn in my ldapsearch. I verified the nsds50ruv ID by running this command:

$ ldapsearch -xLLL -D "cn=directory manager" -W -b o=ipaca '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

Then ran the cleanallruv command (thanks Rob):

# ldapmodify -D "cn=directory manager" -W -a
dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 97
cn: clean 97

That worked and cleaned the RUV. All seems well now. Thanks again for all the help.

--Andrew

From rcritten at redhat.com Thu Jul 2 01:33:34 2015
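Added example, not part of the original thread and not FreeIPA or 389 Directory Server code: the RUV check described in the message above, scripted in Python. It unfolds the ldapsearch LDIF, lists the nsds50ruv elements, and writes the CLEANALLRUV task from the thread for any replica whose host is no longer a master. The sample LDIF (apart from the replica 97 values quoted in the thread) and the CURRENT_MASTERS set are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: RUV tombstone output for o=ipaca in the shape shown in the
# thread. Replica 97 (rep2) uses the values quoted there; the replica 96 CSNs and
# the replicageneration value are made up. Long values are folded as in the thread.
SAMPLE_LDIF = r"""dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsDS5ReplicaId: 96
nsds50ruv: {replicageneration} 5527f760000000600000
nsds50ruv: {replica 96 ldap://rep1:389} 5527f76a000000600
 000 558c7228000200600000
nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061
 0000 556f462b000400610000
"""

# Assumption: hosts the operator knows are still masters (rep2 was deleted).
CURRENT_MASTERS = {"rep1", "rep3"}

RUV_RE = re.compile(
    r"^nsds50ruv:\s*\{replica\s+(\d+)\s+(ldaps?://[^}\s]+)\}"
    r"(?:\s+([0-9a-f]{20})\s+([0-9a-f]{20}))?\s*$",
    re.IGNORECASE,
)


def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_csn(csn):
    """Split a 20-hex-digit CSN: timestamp(8) seqnum(4) replica id(4) subseq(4)."""
    return {
        "time": int(csn[0:8], 16),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(ldif_text):
    """Return one dict per {replica N url} element; {replicageneration} is skipped."""
    entries = []
    for line in unfold(ldif_text):
        m = RUV_RE.match(line)
        if not m:
            continue
        rid = int(m.group(1))
        min_csn, max_csn = m.group(3), m.group(4)  # both None if no CSNs listed
        csns = [c for c in (min_csn, max_csn) if c]
        entries.append({
            "rid": rid,
            "host": urlparse(m.group(2)).hostname,
            "min_csn": min_csn,
            "max_csn": max_csn,
            # Epoch seconds of the newest change recorded for this replica.
            "last_change": parse_csn(max_csn)["time"] if max_csn else None,
            # The replica id embedded in each CSN should equal the element's id.
            "csn_rid_ok": all(parse_csn(c)["rid"] == rid for c in csns),
        })
    return entries


def stale_replicas(entries, current_masters):
    """RUV elements whose host is not in the operator-supplied master list."""
    known = {h.lower() for h in current_masters}
    return [e for e in entries if e["host"] not in known]


def cleanallruv_task(base_dn, rid):
    """LDIF for the CLEANALLRUV task, in the form used in the thread."""
    return (
        f"dn: cn=clean {rid}, cn=cleanallruv, cn=tasks, cn=config\n"
        "objectclass: extensibleObject\n"
        f"replica-base-dn: {base_dn}\n"
        f"replica-id: {rid}\n"
        f"cn: clean {rid}\n"
    )


if __name__ == "__main__":
    for e in stale_replicas(parse_ruv(SAMPLE_LDIF), CURRENT_MASTERS):
        print(f"# stale RUV element: replica {e['rid']} on {e['host']}")
        print(cleanallruv_task("o=ipaca", e["rid"]))
```

Run the tombstone search against every replicated suffix (o=ipaca as well as the domain suffix): in the thread, replica 97 only showed up once the search base was o=ipaca.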
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Jul 2015 21:33:34 -0400
Subject: [Freeipa-users] 3rd party certificate for WebUI only
In-Reply-To:
References:
Message-ID: <559494EE.20609@redhat.com>

Stephen Ingram wrote:
> I set up IPA using the internal CA. I'd like to continue using this CA,
> however, I'd also like to allow authorized external browser users (who
> haven't imported our CA) to access the WebUI without receiving a
> warning. Is it possible to add a 3rd party certificate and CA such that
> it is only used for the WebUI using the instructions at
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>
> Steve
>

In a word: yes.

I'd recommend making a backup of /etc/httpd/alias and /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if necessary, easier.

rob

From prashant at apigee.com Thu Jul 2 04:16:50 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 2 Jul 2015 09:46:50 +0530
Subject: [Freeipa-users] 3rd party certificate for WebUI only
In-Reply-To: <559494EE.20609@redhat.com>
References: <559494EE.20609@redhat.com>
Message-ID:

I had the exact same requirement. Since we're on AWS, I ended up putting an ELB in front of each of my IPA servers with a commercial cert for web UI. The communication between ELB and the IPA server is using the IPA CA cert.

On 2 July 2015 at 07:03, Rob Crittenden wrote:

> Stephen Ingram wrote:
>
>> I set up IPA using the internal CA. I'd like to continue using this CA,
>> however, I'd also like to allow authorized external browser users (who
>> haven't imported our CA) to access the WebUI without receiving a
>> warning. Is it possible to add a 3rd party certificate and CA such that
>> it is only used for the WebUI using the instructions at
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>
>> Steve
>>
> In a word: yes.
>
> I'd recommend making a backup of /etc/httpd/alias and
> /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if
> necessary, easier.
>
> rob

From prasun.gera at gmail.com Thu Jul 2 06:20:29 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Wed, 1 Jul 2015 23:20:29 -0700
Subject: [Freeipa-users] 3rd party certificate for WebUI only
In-Reply-To:
References: <559494EE.20609@redhat.com>
Message-ID:

How smooth is the renewal process? If the webui cert expires, does it
affect the core ipa functionality in any way? Also, when ipa does its own
auto-renewal, does it leave the webui alone if set up this way?

On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat wrote:

> I had the exact same requirement. Since we're on AWS, I ended up putting an
> ELB in front of each of my IPA servers with a commercial cert for web UI.
> The communication between ELB and the IPA server is using the IPA CA cert.
>
> On 2 July 2015 at 07:03, Rob Crittenden wrote:
>
>> Stephen Ingram wrote:
>>
>>> I setup IPA using the internal CA. I'd like to continue using this CA,
>>> however, I'd also like to allow authorized external browser users (who
>>> haven't imported our CA) to access the WebUI without receiving a
>>> warning. Is it possible to add a 3rd party certificate and CA such that
>>> it is only used for the WebUI using the instructions at
>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>>
>>> Steve
>>>
>>
>> In a word: yes.
>>
>> I'd recommend making a backup of /etc/httpd/alias and
>> /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if
>> necessary, easier.
>>
>> rob

From prashant at apigee.com Thu Jul 2 06:27:00 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 2 Jul 2015 11:57:00 +0530
Subject: [Freeipa-users] 3rd party certificate for WebUI only
In-Reply-To:
References: <559494EE.20609@redhat.com>
Message-ID:

Since the commercial cert is outside IPA, renewing that cert would not
impact IPA at all.

On 2 July 2015 at 11:50, Prasun Gera wrote:

> How smooth is the renewal process? If the webui cert expires, does it
> affect the core ipa functionality in any way? Also, when ipa does its own
> auto-renewal, does it leave the webui alone if set up this way?
>
> On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat wrote:
>
>> I had the exact same requirement. Since we're on AWS, I ended up putting
>> an ELB in front of each of my IPA servers with a commercial cert for web UI.
>> The communication between ELB and the IPA server is using the IPA CA cert.
>>
>> On 2 July 2015 at 07:03, Rob Crittenden wrote:
>>
>>> Stephen Ingram wrote:
>>>
>>>> I setup IPA using the internal CA. I'd like to continue using this CA,
>>>> however, I'd also like to allow authorized external browser users (who
>>>> haven't imported our CA) to access the WebUI without receiving a
>>>> warning. Is it possible to add a 3rd party certificate and CA such that
>>>> it is only used for the WebUI using the instructions at
>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>>>
>>>> Steve
>>>>
>>>
>>> In a word: yes.
>>>
>>> I'd recommend making a backup of /etc/httpd/alias and
>>> /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if
>>> necessary, easier.
>>>
>>> rob

From tbordaz at redhat.com Thu Jul 2 09:04:00 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 02 Jul 2015 11:04:00 +0200
Subject: [Freeipa-users] dirsrv access logs flooded from single connection id
In-Reply-To: <20150629163425.GA827@dead.ccr.buffalo.edu>
References: <20150629161355.GA28575@dead.ccr.buffalo.edu> <55917264.8020902@redhat.com> <20150629163425.GA827@dead.ccr.buffalo.edu>
Message-ID: <5594FE80.1020608@redhat.com>

On 06/29/2015 06:34 PM, Andrew E. Bruno wrote:
> On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote:
>> On 06/29/2015 10:13 AM, Andrew E. Bruno wrote:
>>> Our dirsrv access logs on our freeipa master server are getting flooded
>>> with this:
>>>
>>> [29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH
>>> base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0
>>> filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword
>>> gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid"
>>>
>>> [29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0
>>> tag=101 nentries=0 etime=0 notes=P
>>>
>>> All from the same conn=215758. Logs get rotated every minute.
>>>
>>> logconv.pl is showing
>>>
>>> Searches: 265803 (3322.54/sec) (199352.25/min)
>>>
>>>
>>> How can I figure out which ip address this query is coming from? Is
>>> there a way to fetch the ip using the connection id? conn=215758?
>> grep "conn=215758 fd=" /var/log/dirsrv/slapd-INST/access*
>>
>> Unfortunately, if it has been rotated away, you won't be able to get the
>> information from the access log.
>>
> No luck .. looks like it has been rotated away. Any other thoughts?
>
> Is it correct to assume this is all coming from a single host? My
> thinking is that if I can kill the query coming from the host that it
> would solve the problem.
>

Hi,

This is looking like bug https://fedorahosted.org/389/ticket/48192.
Because an LDAP client (likely SSSD ?) keeps sending page results requests
although 0 entries are returned.
A condition for this is that the search has been abandoned but it is
difficult to verify this as the log file has rotated.

This is fixed in 6.7 and 7.1.z

thanks
thierry

From paw at 4gotten.me Thu Jul 2 09:30:18 2015
From: paw at 4gotten.me (David Fox)
Date: Thu, 02 Jul 2015 10:30:18 +0100
Subject: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error
In-Reply-To: <20150701183448.GA11876@redhat.com>
References: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me> <20150701183448.GA11876@redhat.com>
Message-ID: <22443cd4c4bcfb7fa7dc97b45e8bb075@4gotten.me>

On 2015-07-01 19:34, Alexander Bokovoy wrote:
> On Wed, 01 Jul 2015, David Fox wrote:
>> I am encountering issues trying to integrate FreeIPA with AD, on *nix
>> prompt I get "internal server error" and within I receive the following
>> message in httpd_errorlog.
>> [0070] 00 00 00 00 0D 00 00 00 69 00 70 00 61 00 2E 00 ........ i.p.a...
>> [0080] 68 00 73 00 61 00 2E 00 63 00 6F 00 2E 00 75 00 ... c.o...u.
>> [0090] 6B 00 00 00 00 00 00 00 k.......
>> [Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
>> [Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most recent call last):
>> [Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
>> [Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063] result = self.Command[name](*args, **options)
>> [Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
>> [Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063] ret = self.run(*args, **options)
>> [Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
>> [Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063] return self.execute(*args, **options)
>> [Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute
>> [Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063] result = self.execute_ad(full_join, *keys, **options)
>> [Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad
>> [Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063] self.realm_passwd
>> [Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in join_ad_full_credentials
>> [Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063] self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
>> [Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in establish_trust
>> [Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063] self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
>> [Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
>> [Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO: [jsonserver_session] admin at IPA.*redacted*: trust_add(u'*redacted*', trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): TypeError
>>
>>
>> These are whole logs with "log level = 100" set in smb.conf.empty. Log
>> files were emptied before the above command was run. If there is any
>> other information required please let me know.
>>
>> Software versions:
>> Fedora 22: 4.1.4
>> Fedora 22: 4.2 Alpha 1
>>
>> Oracle Linux 7.1 64bit: without DNS
>> ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
>> ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
>>
>> CentOS 7.1 64bit: With DNS
>> ipa-server.x86_64 - 4.1.0-18-el7.centos.3
>> ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3
> It is unclear from your report what exact distro causing this issue for
> you. Is this with Fedora 22 (e.g. Samba 4.2)?

This error isn't limited to just one distro. I've tried three different
distros which all throw the same error as above.

CentOS 7.1
Samba - 4.1.12
Python 2.7.5
FreeIPA - 4.1.0

Oracle Linux 7.1
Samba - 4.1.12
Python 2.7.5
FreeIPA - 4.1.0

Fedora 22
Samba - 4.2.2
Python - 2.7.10
FreeIPA - 4.2.0

Regards,
David

From abokovoy at redhat.com Thu Jul 2 09:51:36 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 2 Jul 2015 12:51:36 +0300
Subject: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error
In-Reply-To: <22443cd4c4bcfb7fa7dc97b45e8bb075@4gotten.me>
References: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me> <20150701183448.GA11876@redhat.com> <22443cd4c4bcfb7fa7dc97b45e8bb075@4gotten.me>
Message-ID: <20150702095136.GJ11876@redhat.com>

On Thu, 02 Jul 2015, David Fox wrote:
>>>self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
>>>[Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
>>>[Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO: [jsonserver_session] admin at IPA.*redacted*: trust_add(u'*redacted*', trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): TypeError
>>>
>>>
>>>These are whole logs with "log level = 100" set in smb.conf.empty.
>>>Log files were emptied before the above command was run. If there
>>>is any other information required please let me know.
>>>
>>>Software versions:
>>>Fedora 22: 4.1.4
>>>Fedora 22: 4.2 Alpha 1
>>>
>>>Oracle Linux 7.1 64bit: without DNS
>>>ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
>>>ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
>>>
>>>CentOS 7.1 64bit: With DNS
>>>ipa-server.x86_64 - 4.1.0-18-el7.centos.3
>>>ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3
>>It is unclear from your report what exact distro causing this issue for
>>you. Is this with Fedora 22 (e.g. Samba 4.2)?
>
>This error isn't limited to just one distro. I've tried three
>different distros which all throw the same error as above.

Then it means Samba - Windows interoperability issue.

I need:
- network trace between IPA server and your AD DC for all relevant ports
- unredacted error_log like above
- Samba logs with log level 100 (net conf setparm global 'log level' 100)

Send them to me privately.

--
/ Alexander Bokovoy

From sbose at redhat.com Thu Jul 2 11:47:49 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 2 Jul 2015 13:47:49 +0200
Subject: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error
In-Reply-To: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me>
References: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me>
Message-ID: <20150702114749.GF9417@p.redhat.com>

On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote:
> I am encountering issues trying to integrate FreeIPA with AD, on *nix prompt
> I get "internal server error" and within I receive the following message in
> httpd_errorlog.
>

It looks like we ask AD if it already has a trust to a domain called
'ipa.*redacted*' and ....

> rpc reply data:
> [0000] 00 00 02 00 06 00 00 00 03 00 00 00 00 00 00 00 ........ ........
> lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
>     in: struct lsa_QueryTrustedDomainInfoByName
>         handle : *
>             handle: struct policy_handle
>                 handle_type : 0x00000000 (0)
>                 uuid : 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6
>         trusted_domain : *
>             trusted_domain: struct lsa_String
>                 length : 0x001a (26)
>                 size : 0x001a (26)
>                 string : *
>                     string : 'ipa.*redacted*'
>         level : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
> s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde00ef550
> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
> num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=92, this_data=92, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
> s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde00ee2f0
> smb_signing_md5: sequence number 14
> smb_signing_sign_pdu: sent SMB signature of
> [0000] B0 93 27 43 EE 4A 37 94 ..'C.J7.
> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60
> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
> s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60
> smb_signing_md5: sequence number 15
> smb_signing_check_pdu: seq 15: got good SMB signature of
> [0000] 8F F4 5B 5F 27 39 4C 42 ..[_'9LB
> s4_tevent: Destroying timer event 0x7fdde00ee2f0 "tevent_req_timedout"
> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde050c440
> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde050c440
> s4_tevent: Destroying timer event 0x7fdde00ef550 "dcerpc_timeout_handler"
> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde05110e0
> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde05110e0
> lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
>     out: struct lsa_QueryTrustedDomainInfoByName
>         info : *
>             info : *
>                 info : union lsa_TrustedDomainInfo(case 8)
>                 full_info: struct lsa_TrustDomainInfoFullInfo
>                     info_ex: struct lsa_TrustDomainInfoInfoEx
>                         domain_name: struct lsa_StringLarge
>                             length : 0x001a (26)
>                             size : 0x001c (28)
>                             string : *
>                                 string : 'ipa.*redacted*'
>                         netbios_name: struct lsa_StringLarge
>                             length : 0x001a (26)
>                             size : 0x001c (28)
>                             string : *
>                                 string : 'ipa.*redacted*'
>                         sid : NULL
>                         trust_direction : 0x00000003 (3)
>                             1: LSA_TRUST_DIRECTION_INBOUND
>                             1: LSA_TRUST_DIRECTION_OUTBOUND
>                         trust_type : LSA_TRUST_TYPE_MIT

and knows this domain already because a trust to the Kerberos realm was
already created. If possible please remove the Kerberos trust from the
AD side and try again. Please note that you cannot have trust to two
realms which share the same realm name.

HTH

bye,
Sumit

> (3)
>                         trust_attributes : 0x00000000 (0)
>                             0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
>                             0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
>                             0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
>                             0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
>                             0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
>                             0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
>                             0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
>                             0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
>                     posix_offset: struct lsa_TrustDomainInfoPosixOffset
>                         posix_offset : 0x00000000 (0)
>                     auth_info: struct lsa_TrustDomainInfoAuthInfo
>                         incoming_count : 0x00000000 (0)
>                         incoming_current_auth_info: NULL
>                         incoming_previous_auth_info: NULL
>                         outgoing_count : 0x00000000 (0)
>                         outgoing_current_auth_info: NULL
>                         outgoing_previous_auth_info: NULL
>         result : NT_STATUS_OK
> [Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
> [Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most recent call last):
> [Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
> [Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063] result = self.Command[name](*args, **options)
> [Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> [Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063] ret = self.run(*args, **options)
> [Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
> [Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063] return self.execute(*args, **options)
> [Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute
> [Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063] result = self.execute_ad(full_join, *keys, **options)
> [Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad
> [Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063] self.realm_passwd
> [Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in join_ad_full_credentials
> [Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063] self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
> [Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in establish_trust
> [Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063] self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
> [Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
> [Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO: [jsonserver_session] admin at IPA.*redacted*: trust_add(u'*redacted*', trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): TypeError
>
>
> These are whole logs with "log level = 100" set in smb.conf.empty. Log files
> were emptied before the above command was run. If there is any other
> information required please let me know.
>
> Software versions:
> Fedora 22: 4.1.4
> Fedora 22: 4.2 Alpha 1
>
> Oracle Linux 7.1 64bit: without DNS
> ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
> ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
>
> CentOS 7.1 64bit: With DNS
> ipa-server.x86_64 - 4.1.0-18-el7.centos.3
> ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3
>
>
> Regards,
> David

From aebruno2 at buffalo.edu Thu Jul 2 14:14:14 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Thu, 2 Jul 2015 10:14:14 -0400
Subject: [Freeipa-users] dirsrv access logs flooded from single connection id
In-Reply-To: <5594FE80.1020608@redhat.com>
References: <20150629161355.GA28575@dead.ccr.buffalo.edu> <55917264.8020902@redhat.com> <20150629163425.GA827@dead.ccr.buffalo.edu> <5594FE80.1020608@redhat.com>
Message-ID: <20150702141414.GA15968@dead.ccr.buffalo.edu>

On Thu, Jul 02, 2015 at 11:04:00AM +0200, thierry bordaz wrote:
> On 06/29/2015 06:34 PM, Andrew E. Bruno wrote:
> >On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote:
> >>On 06/29/2015 10:13 AM, Andrew E. Bruno wrote:
> >>>Our dirsrv access logs on our freeipa master server are getting flooded
> >>>with this:
> >>>
> >>>[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH
> >>>base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0
> >>>filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword
> >>>gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid"
> >>>
> >>>[29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0
> >>>tag=101 nentries=0 etime=0 notes=P
> >>>
> >>>All from the same conn=215758. Logs get rotated every minute.
> >>>
> >>>logconv.pl is showing
> >>>
> >>>Searches: 265803 (3322.54/sec) (199352.25/min)
> >>>
> >>>
> >>>How can I figure out which ip address this query is coming from? Is
> >>>there a way to fetch the ip using the connection id? conn=215758?
> >>grep "conn=215758 fd=" /var/log/dirsrv/slapd-INST/access*
> >>
> >>Unfortunately, if it has been rotated away, you won't be able to get the
> >>information from the access log.
> >>
> >No luck .. looks like it has been rotated away. Any other thoughts?
> >
> >Is it correct to assume this is all coming from a single host? My
> >thinking is that if I can kill the query coming from the host that it
> >would solve the problem.
> >
> Hi,
>
> This is looking like bug https://fedorahosted.org/389/ticket/48192.
> Because an LDAP client (likely SSSD ?) keeps sending page results requests
> although 0 entries are returned.
> A condition for this is that the search has been abandoned but it is
> difficult to verify this as the log file has rotated.
>
> This is fixed in 6.7 and 7.1.z
>

Thanks Thierry. We get bit by this sporadically every few days.
Load/network traffic from ns-slapd spikes up on one of our FreeIPA
servers. Access logs getting hammered from a single host. We then log in
to the host in question and see the "sssd_be" process consuming higher
than avg cpu load (20%). netstat shows two connections to the FreeIPA
server:

tcp 0 456 sssd_be
tcp 0 0 sssd_be

Simply restarting sssd on the host always fixes the problem. We tried
backtracing the sssd_be process when it's in this state but didn't see
any obvious clues:

(gdb) bt
#0 0x00000036b5ee8ed3 in __epoll_wait_nocancel () at ../sysdeps/unix/syscall-template.S:82
#1 0x00000036bae08d9c in epoll_event_loop (ev=, location=) at ../tevent_epoll.c:650
#2 epoll_event_loop_once (ev=, location=) at ../tevent_epoll.c:931
#3 0x00000036bae072e6 in std_event_loop_once (ev=0xd86590, location=0x36be23d4f5 "src/util/server.c:602") at ../tevent_standard.c:112
#4 0x00000036bae0349d in _tevent_loop_once (ev=0xd86590, location=0x36be23d4f5 "src/util/server.c:602") at ../tevent.c:530
#5 0x00000036bae0351b in tevent_common_loop_wait (ev=0xd86590, location=0x36be23d4f5 "src/util/server.c:602") at ../tevent.c:634
#6 0x00000036bae07256 in std_event_loop_wait (ev=0xd86590, location=0x36be23d4f5 "src/util/server.c:602") at ../tevent_standard.c:138
#7 0x00000036be22b963 in server_loop (main_ctx=0xd87900) at src/util/server.c:602
#8 0x000000000040a286 in main (argc=4, argv=) at src/providers/data_provider_be.c:2856

Could this also be an issue with sssd? Is it normal for the sssd process
to keep sending page results requests like this? So far this behavior
has only happened on centos 6.6 clients running sssd-1.11.6-30.

Would setting a low connection timeout on the dirsrv help to alleviate
this problem until the patches from #48192 make it into mainstream
centos 7.1 updates?

Many thanks!

--Andrew

From tbordaz at redhat.com Thu Jul 2 14:37:34 2015
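The access-log pattern discussed in this thread (one connection issuing searches whose results all come back with nentries=0 and notes=P) can be picked out mechanically, together with the client address when the "connection from" record is still in the log. The Python sketch below is an added example, not code from any poster or from the 389-ds project; the sample log is constructed in the format quoted above, the addresses are documentation placeholders, and the threshold is an assumption to tune.

```python
import re
from collections import defaultdict

# Constructed sample in the access-log format quoted in the thread. conn=215758
# mirrors the posted lines; its "connection from" record is missing, as it was
# after rotation. All other values (addresses, base DN, op numbers) are made up.
SAMPLE_LOG = """\
[29/Jun/2015:11:58:01 -0400] conn=215700 fd=88 slot=88 connection from 192.0.2.10 to 192.0.2.1
[29/Jun/2015:11:58:01 -0400] conn=215700 op=1 SRCH base="cn=u2,cn=groups,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:11:58:01 -0400] conn=215700 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH base="cn=u2,cn=groups,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326785 SRCH base="cn=u2,cn=groups,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326785 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326786 SRCH base="cn=u2,cn=groups,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326786 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[29/Jun/2015:12:03:00 -0400] conn=215760 fd=91 slot=91 connection from 192.0.2.23 to 192.0.2.1
[29/Jun/2015:12:03:01 -0400] conn=215760 op=4 SRCH base="cn=u2,cn=groups,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:12:03:07 -0400] conn=215760 op=5 ABANDON targetop=4 msgid=6 nentries=0 etime=0
[29/Jun/2015:12:03:07 -0400] conn=215760 op=6 SRCH base="cn=u2,cn=groups,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:12:03:07 -0400] conn=215760 op=6 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[29/Jun/2015:12:03:07 -0400] conn=215760 op=7 SRCH base="cn=u2,cn=groups,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:12:03:07 -0400] conn=215760 op=7 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
"""

LINE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONNECT = re.compile(r"^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to \S+")
OP = re.compile(r"^op=-?\d+ (?P<kind>[A-Z]+)\b(?P<args>.*)$")
NENTRIES = re.compile(r"\bnentries=(\d+)")
NOTES = re.compile(r"\bnotes=([A-Z,]+)")


def analyze(lines, min_empty_paged=1000):
    """Return connections with at least min_empty_paged empty paged results.

    Each finding carries the connection id, the client address (None when the
    "connection from" record is no longer in the supplied lines), and counts
    of SRCH, empty paged RESULT and ABANDON operations on that connection.
    The default threshold is an assumption, not a value from the thread.
    """
    clients = {}
    stats = defaultdict(lambda: {"srch": 0, "empty_paged": 0, "abandon": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")
        c = CONNECT.match(rest)
        if c:
            clients[conn] = c.group("src")
            continue
        o = OP.match(rest)
        if not o:
            continue  # e.g. "op=3 fd=88 closed - U1"
        kind, args = o.group("kind"), o.group("args")
        s = stats[conn]
        if kind == "SRCH":
            s["srch"] += 1
        elif kind == "ABANDON":
            s["abandon"] += 1
        elif kind == "RESULT":
            n, notes = NENTRIES.search(args), NOTES.search(args)
            paged = notes is not None and "P" in notes.group(1).split(",")
            if paged and n is not None and int(n.group(1)) == 0:
                s["empty_paged"] += 1
    findings = [
        {"conn": conn, "client": clients.get(conn), **s}
        for conn, s in stats.items()
        if s["empty_paged"] >= min_empty_paged
    ]
    return sorted(findings, key=lambda f: f["empty_paged"], reverse=True)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines(), min_empty_paged=2):
        client = f["client"] or "unknown (connection record rotated out)"
        print("conn=%d client=%s srch=%d empty_paged=%d abandon=%d"
              % (f["conn"], client, f["srch"], f["empty_paged"], f["abandon"]))
```

With logs rotating every minute, run it across all retained access files at once; a finding whose client is None means the "connection from" record for that connection is no longer in any of them.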
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 02 Jul 2015 16:37:34 +0200
Subject: [Freeipa-users] dirsrv access logs flooded from single connection id
In-Reply-To: <20150702141414.GA15968@dead.ccr.buffalo.edu>
References: <20150629161355.GA28575@dead.ccr.buffalo.edu> <55917264.8020902@redhat.com> <20150629163425.GA827@dead.ccr.buffalo.edu> <5594FE80.1020608@redhat.com> <20150702141414.GA15968@dead.ccr.buffalo.edu>
Message-ID: <55954CAE.6020808@redhat.com>

On 07/02/2015 04:14 PM, Andrew E. Bruno wrote:
> On Thu, Jul 02, 2015 at 11:04:00AM +0200, thierry bordaz wrote:
>> On 06/29/2015 06:34 PM, Andrew E. Bruno wrote:
>>> On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote:
>>>> On 06/29/2015 10:13 AM, Andrew E. Bruno wrote:
>>>>> Our dirsrv access logs on our freeipa master server are getting flooded
>>>>> with this:
>>>>>
>>>>> [29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH
>>>>> base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0
>>>>> filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword
>>>>> gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid"
>>>>>
>>>>> [29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0
>>>>> tag=101 nentries=0 etime=0 notes=P
>>>>>
>>>>> All from the same conn=215758. Logs get rotated every minute.
>>>>>
>>>>> logconv.pl is showing
>>>>>
>>>>> Searches: 265803 (3322.54/sec) (199352.25/min)
>>>>>
>>>>>
>>>>> How can I figure out which ip address this query is coming from? Is
>>>>> there a way to fetch the ip using the connection id? conn=215758?
>>>> grep "conn=215758 fd=" /var/log/dirsrv/slapd-INST/access*
>>>>
>>>> Unfortunately, if it has been rotated away, you won't be able to get the
>>>> information from the access log.
>>>>
>>> No luck .. looks like it has been rotated away. Any other thoughts?
>>>
>>> Is it correct to assume this is all coming from a single host? My
>>> thinking is that if I can kill the query coming from the host that it
>>> would solve the problem.
>>>
>> Hi,
>>
>> This is looking like bug https://fedorahosted.org/389/ticket/48192.
>> Because an LDAP client (likely SSSD ?) keeps sending page results requests
>> although 0 entries are returned.
>> A condition for this is that the search has been abandoned but it is
>> difficult to verify this as the log file has rotated.
>>
>> This is fixed in 6.7 and 7.1.z
>>
> Thanks Thierry. We get bit by this sporadically every few days.
> Load/network traffic from ns-slapd spikes up on one of our FreeIPA
> servers. Access logs getting hammered from a single host. We then login
> to the host in question and see the "sssd_be" process consuming higher
> than avg cpu load (20%). netstat shows two connections to the FreeIPA
> server:
>
> tcp 0 456 sssd_be
> tcp 0 0 sssd_be
>
>
> Simply restarting sssd on the host always fixes the problem.

That is a good way to recover, as it closes the connection SSSD->DS and
then SSSD will send new requests.
The problem occurs because DS can sometimes be too slow to respond and
then SSSD issues an ABANDON triggered by an exception. DS was expecting
that after the ABANDON the current page result search was dropped by
SSSD and SSSD will stop by itself using the cookie. Unfortunately SSSD
keeps using the cookie and then starts this infinite loop.
With the patch, DS is sending on ABANDON an end of result cookie.

> We tried
> backtracing the sssd_be process when it's in this state but didn't see
> any obvious clues:
>
> (gdb) bt
> #0 0x00000036b5ee8ed3 in __epoll_wait_nocancel () at ../sysdeps/unix/syscall-template.S:82
> #1 0x00000036bae08d9c in epoll_event_loop (ev=, location=) at ../tevent_epoll.c:650
> #2 epoll_event_loop_once (ev=, location=) at ../tevent_epoll.c:931
> #3 0x00000036bae072e6 in std_event_loop_once (ev=0xd86590, location=0x36be23d4f5 "src/util/server.c:602") at ../tevent_standard.c:112
> #4 0x00000036bae0349d in _tevent_loop_once (ev=0xd86590, location=0x36be23d4f5 "src/util/server.c:602") at ../tevent.c:530
> #5 0x00000036bae0351b in tevent_common_loop_wait (ev=0xd86590, location=0x36be23d4f5 "src/util/server.c:602") at ../tevent.c:634
> #6 0x00000036bae07256 in std_event_loop_wait (ev=0xd86590, location=0x36be23d4f5 "src/util/server.c:602") at ../tevent_standard.c:138
> #7 0x00000036be22b963 in server_loop (main_ctx=0xd87900) at src/util/server.c:602
> #8 0x000000000040a286 in main (argc=4, argv=) at src/providers/data_provider_be.c:2856
>
>
> Could this also be an issue with sssd? Is it normal for the sssd process
> to keep sending page results requests like this? So far this behavior
> has only happened on centos 6.6 clients running sssd-1.11.6-30.
>
> Would setting a low connection timeout on the dirsrv help to alleviate
> this problem until the patches from #48192 make it into mainstream
> centos 7.1 updates?

I do not see a workaround on DS side. The connection timeout will not
help as the connection is very active.
On SSSD side, I do not know exactly. I believe it can be configured to
not use page result (ldap_disable_paging ?) or could it be tuned to avoid
ABANDON (with higher timeout).

>
> Many thanks!
>
> --Andrew

From janellenicole80 at gmail.com Thu Jul 2 16:41:10 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 02 Jul 2015 09:41:10 -0700
Subject: [Freeipa-users] blank user screen? (web UI)
In-Reply-To: <558EA682.5020708@redhat.com>
References: <5585D506.5080109@gmail.com> <55865B25.5090607@gmail.com> <5587FC75.5080907@redhat.com> <5588189D.5040300@gmail.com> <5588370B.2030209@redhat.com> <55883A48.2070104@gmail.com> <558841B5.3020605@redhat.com> <558EA682.5020708@redhat.com>
Message-ID: <559569A6.4040006@gmail.com>

On 6/27/15 6:34 AM, Dmitri Pal wrote:
> On 06/22/2015 01:11 PM, Petr Vobornik wrote:
>> On 06/22/2015 06:39 PM, Janelle wrote:
>>> On 6/22/15 9:25 AM, Petr Vobornik wrote:
>>>> On 06/22/2015 04:15 PM, Janelle wrote:
>>>>> On 6/22/15 5:15 AM, Petr Vobornik wrote:
>>>>>> On 06/21/2015 08:35 AM, Janelle wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Sure. Just login as a normal user to the WEB UI. screen is blank:
>>>>>>>
>>>>>>> Of course, if you click on Actions - you will see those and you can click on
>>>>>>> them, but you can't do anything else. This is a vanilla server install, nothing
>>>>>>> fancy. Oh and there is no error message at all. Any browser = same results.
>>>>>>>
>>>>>>> Tried clearing cache, history, web data.. Everything. Many of my users report
>>>>>>> the same thing. This is 7.1 with IPA 4.1.7
>>>>>>>
>>>>>>> Now the funny part - login as "admin" and everything works fine. But I certainly
>>>>>>> can't have everyone logging in as admin. :-)
>>>>>>>
>>>>>>> ~Janelle
>>>>>>
>>>>>> Do you see any error in browser console?
>>>>>>
>>>>>> Does this happen also to a user which doesn't have any RBAC role
>>>>>> assigned(either directly or indirectly)?
>>>>> AHA -- perhaps a clue:
>>>>>
>>>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>>>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>>>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>>>>
>>>>> ~J
>>>>
>>>> These errors are expected. First two happens when user is not yet
>>>> authenticated. Third line is just about file for jquery debugging
>>>> which is not shipped with ipa.
>>>>
>>>> Could you inspect other json request? Mainly the 3 which are executed
>>>> on navigating to user details page (or after clicking on "refresh"
>>>> button on the page). Does the first result of first request (of the
>>>> three) contain user data as in
>>>>
>>>>
>>>> I'm unable to reproduce the issue with
>>>> ipa-server-4.1.0-18.el7_1.3.x86_64.
>>>>
>>>> Do these users have some special permissions/roles/rights?
>>> The user I did the same from is a User Administrator, however, all the
>>> other users are NOT. And if you watch closely, all the details do flash
>>> the screen, but then disappear. Refresh does nothing. The one thing -
>>> it works flawlessly for "admin" account.
>>>
>>> versions (I believe in the newest -- perhaps a bad idea)
>>>
>>> freeipa-client-4.1.4-1.el7.centos.x86_64
>>> freeipa-server-4.1.4-1.el7.centos.x86_64
>>> freeipa-python-4.1.4-1.el7.centos.x86_64
>>>
>>>
>>> on a user screen after login - :
>>>
>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>>
>>> ~Janelle
>>
>> If I understand it correctly, you get bunch of 401 Unauthorized
>> errors after successful auth? This should not happen. I have seen
>> something similar when clients were couple minutes in a future than
>> the ipa server (assuming forms based auth is used, otherwise it would
>> fail on obtaining TGT) because session expires immediately if clients
>> are more than 20 mins ahead. Or when krb ticket TTL was less than 5
>> minutes.
>>
>> Are there any "200 Success" requests to "ipa/session/json" or
>> ipa/session/login_password in the network tab as shown on image:
>> https://pvoborni.fedorapeople.org/images/user_response_data.png after
>> successful login?
>
>
> Was this resolved or we need to file a ticket to track some bug?
>

Just checking back in if anyone was ever able to replicate this or find
anything else for me to look for?
The Web UI is still useless for my users. :-(

~J

From sbingram at gmail.com Fri Jul 3 06:10:46 2015
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 2 Jul 2015 23:10:46 -0700
Subject: [Freeipa-users] 3rd party certificate for WebUI only
In-Reply-To:
References: <559494EE.20609@redhat.com>
Message-ID:

On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat wrote:

> I had the exact same requirement. Since we're on AWS, I ended up putting a
> ELB in front of each of my IPA servers with a commercial cert for web UI.
> The communication between ELB and the IPA server is using the IPA CA cert.
>
> On 2 July 2015 at 07:03, Rob Crittenden wrote:
>
>> Stephen Ingram wrote:
>>
>>> I setup IPA using the internal CA. I'd like to continue using this CA,
>>> however, I'd also like to allow authorized external browser users (who
>>> haven't imported our CA) to access the WebUI without receiving a
>>> warning. Is it possible to add a 3rd party certificate and CA such that
>>> it is only used for the WebUI using the instructions at
>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>>
>>> Steve
>>>
>> In a word: yes.
>>
>> I'd recommend making a backup of /etc/httpd/alias and
>> /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if
>> necessary, easier.
>>
>

Just a follow-up to this. I did end up adding the cert to the WebUI only. However, I was too scared to use the ipa-server-certinstall command, especially since I'm on 3.0 still, and really wasn't too sure what it was going to do. Instead, like Rob suggested (and this certainly was necessary) I backed up /etc/httpd/alias before I started. I then proceeded to do a cert request from the same NSS db that contains the IPA certs. I then inserted the signed cert using the certutil tool. I also inserted the CA cert from the 3rd party that actually signed the cert. Then a quick edit to nss.conf to change the governing certificate, a restart and I was good to go. No problems so far.
I think the tools like sssd and ipa-client use the directory server and the kerberos db more than they would use the web service, so hopefully no problems down the line. Hope this is of some help to others who might want to do this.

Steve

From tbordaz at redhat.com Fri Jul 3 09:45:02 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 03 Jul 2015 11:45:02 +0200
Subject: [Freeipa-users] changing the default for changelog trimmimg
In-Reply-To: <55929F86.6010907@redhat.com>
References: <55929F86.6010907@redhat.com>
Message-ID: <5596599E.90606@redhat.com>

On 06/30/2015 03:54 PM, Ludwig Krispenz wrote:
> Hi,
>
> 389-ds allows to configure the max size of the replication changelog
> either by setting a maximum record number or a maximum age of changes.
> freeIPA does not use this setting. In the context of ticket
> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to
> change the default to
> enable changelog trimming.
>
> Does anyone already use changelog trimming or is there a scenario
> where you rely on all changes being available ?
>
> Thanks for your feedback,
> Ludwig
>

Hello,

I think it is reasonable to set nsds5ReplicaPurgeDelay and nsslapd-changelogmaxage to similar value.

When a replica (master or consumer) is down for some time and is restarted, both attributes express the ability to get the replica in sync with the rest of the topology.
It can work (and likely will) if nsds5ReplicaPurgeDelay

From christoph.kaminski at biotronik.com Fri Jul 3 10:24:31 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 3 Jul 2015 12:24:31 +0200
Subject: [Freeipa-users] samba vs ipa without kerberos
Message-ID:

Hi

it is possible (without extra patch/schema extension) to use samba shares without kerberos? Possibly is there something like a auth proxy for it? I mean the user authenticates with a password and the proxy checks it securely against ipa...
any howtos/docs/ideas?

(have ipa 4.1 and samba 4.1.12 here)

Greetz
Christoph Kaminski

From christopher.lamb at ch.ibm.com Fri Jul 3 11:30:15 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Fri, 3 Jul 2015 13:30:15 +0200
Subject: [Freeipa-users] samba vs ipa without kerberos
In-Reply-To:
References:
Message-ID:

Hi Christoph

have you seen this earlier thread?
https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html

I guess as that solution adds some custom fields it would break your requirement "no schema extensions", but meet the requirement "user authenticates with password".

Kind regards

Chris

From: Christoph Kaminski
To: FreeIPA
Date: 03.07.2015 12:26
Subject: [Freeipa-users] samba vs ipa without kerberos
Sent by: freeipa-users-bounces at redhat.com

Hi

it is possible (without extra patch/schema extension) to use samba shares without kerberos? Possibly is there something like a auth proxy for it? I mean the user authenticates with a password and the proxy checks it securely against ipa...
any howtos/docs/ideas?

(have ipa 4.1 and samba 4.1.12 here)

Greetz
Christoph Kaminski

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From pspacek at redhat.com Fri Jul 3 12:03:22 2015
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 03 Jul 2015 14:03:22 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg In-Reply-To: <5596599E.90606@redhat.com> References: <55929F86.6010907@redhat.com> <5596599E.90606@redhat.com> Message-ID: <55967A0A.5070605@redhat.com> On 3.7.2015 11:45, thierry bordaz wrote: > On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: >> Hi, >> >> 389-ds allows to configure the max size of the replication changelog either >> by setting a maximum record number or a maximum age of changes. >> freeIPA does not use this setting. In the context of ticket >> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change the >> default to >> enable changelog trimming. >> >> Does anyone already use changlog trimming or is there a scenario where you >> rely on all changes being available ? >> >> Thanks for your feedback, >> Ludwig >> > Hello, > > I think it is reasonable to set nsds5ReplicaPurgeDelay and > nsslapd-changelogmaxage to similar value. > > When a replica (master or consumer) is down for some time and is > restarted, both attribute express the ability to get the replica in > sync with the rest of the topology. > It can work (and likely will) if > nsds5ReplicaPurgeDelay corner cases that can lead to problem (like entries that diverge). > > Currently purgedelay=7days (default) and changelogmaxage is infinite > and changing purgedelay=infinite impacts the size of the entries. I wonder if these values could/should be controlled by topology plugin. Does it make sense to have different values on different replicas? -- Petr^2 Spacek From lkrispen at redhat.com Fri Jul 3 12:16:28 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 03 Jul 2015 14:16:28 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg In-Reply-To: <55967A0A.5070605@redhat.com> References: <55929F86.6010907@redhat.com> <5596599E.90606@redhat.com> <55967A0A.5070605@redhat.com> Message-ID: <55967D1C.7020309@redhat.com> On 07/03/2015 02:03 PM, Petr Spacek wrote: > On 3.7.2015 11:45, thierry bordaz wrote: >> On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: >>> Hi, >>> >>> 389-ds allows to configure the max size of the replication changelog either >>> by setting a maximum record number or a maximum age of changes. >>> freeIPA does not use this setting. In the context of ticket >>> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change the >>> default to >>> enable changelog trimming. >>> >>> Does anyone already use changlog trimming or is there a scenario where you >>> rely on all changes being available ? >>> >>> Thanks for your feedback, >>> Ludwig >>> >> Hello, >> >> I think it is reasonable to set nsds5ReplicaPurgeDelay and >> nsslapd-changelogmaxage to similar value. >> >> When a replica (master or consumer) is down for some time and is >> restarted, both attribute express the ability to get the replica in >> sync with the rest of the topology. >> It can work (and likely will) if >> nsds5ReplicaPurgeDelay> corner cases that can lead to problem (like entries that diverge). >> >> Currently purgedelay=7days (default) and changelogmaxage is infinite >> and changing purgedelay=infinite impacts the size of the entries. > I wonder if these values could/should be controlled by topology plugin. Does > it make sense to have different values on different replicas? no, and it would be possible, but would be an extension of the scope of the topo plugin, so far we only manage agreements between replicas and not replicas themselves. > From tbordaz at redhat.com Fri Jul 3 12:21:30 2015 
From: tbordaz at redhat.com (thierry bordaz) Date: Fri, 03 Jul 2015 14:21:30 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg In-Reply-To: <55967A0A.5070605@redhat.com> References: <55929F86.6010907@redhat.com> <5596599E.90606@redhat.com> <55967A0A.5070605@redhat.com> Message-ID: <55967E4A.60507@redhat.com> On 07/03/2015 02:03 PM, Petr Spacek wrote: > On 3.7.2015 11:45, thierry bordaz wrote: >> On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: >>> Hi, >>> >>> 389-ds allows to configure the max size of the replication changelog either >>> by setting a maximum record number or a maximum age of changes. >>> freeIPA does not use this setting. In the context of ticket >>> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change the >>> default to >>> enable changelog trimming. >>> >>> Does anyone already use changlog trimming or is there a scenario where you >>> rely on all changes being available ? >>> >>> Thanks for your feedback, >>> Ludwig >>> >> Hello, >> >> I think it is reasonable to set nsds5ReplicaPurgeDelay and >> nsslapd-changelogmaxage to similar value. >> >> When a replica (master or consumer) is down for some time and is >> restarted, both attribute express the ability to get the replica in >> sync with the rest of the topology. >> It can work (and likely will) if >> nsds5ReplicaPurgeDelay> corner cases that can lead to problem (like entries that diverge). >> >> Currently purgedelay=7days (default) and changelogmaxage is infinite >> and changing purgedelay=infinite impacts the size of the entries. > I wonder if these values could/should be controlled by topology plugin. Does > it make sense to have different values on different replicas? > Purgedelay can be different on each replica but it makes sense that the value is the same on all replicas. It is used to remove too old csn and so how far in the past the replication can decide which value is more recent than an other one. 
With different values of purge delay, a replica can decide to keep one value and an other replica can decide the opposite.
Currently purgedelay is identical on all replicas (default value).

From pspacek at redhat.com Fri Jul 3 12:28:41 2015
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 03 Jul 2015 14:28:41 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg In-Reply-To: <55967E4A.60507@redhat.com> References: <55929F86.6010907@redhat.com> <5596599E.90606@redhat.com> <55967A0A.5070605@redhat.com> <55967E4A.60507@redhat.com> Message-ID: <55967FF9.5030309@redhat.com> On 3.7.2015 14:21, thierry bordaz wrote: > On 07/03/2015 02:03 PM, Petr Spacek wrote: >> On 3.7.2015 11:45, thierry bordaz wrote: >>> On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: >>>> Hi, >>>> >>>> 389-ds allows to configure the max size of the replication changelog either >>>> by setting a maximum record number or a maximum age of changes. >>>> freeIPA does not use this setting. In the context of ticket >>>> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change the >>>> default to >>>> enable changelog trimming. >>>> >>>> Does anyone already use changlog trimming or is there a scenario where you >>>> rely on all changes being available ? >>>> >>>> Thanks for your feedback, >>>> Ludwig >>>> >>> Hello, >>> >>> I think it is reasonable to set nsds5ReplicaPurgeDelay and >>> nsslapd-changelogmaxage to similar value. >>> >>> When a replica (master or consumer) is down for some time and is >>> restarted, both attribute express the ability to get the replica in >>> sync with the rest of the topology. >>> It can work (and likely will) if >>> nsds5ReplicaPurgeDelay>> corner cases that can lead to problem (like entries that diverge). >>> >>> Currently purgedelay=7days (default) and changelogmaxage is infinite >>> and changing purgedelay=infinite impacts the size of the entries. >> I wonder if these values could/should be controlled by topology plugin. Does >> it make sense to have different values on different replicas? >> > Purgedelay can be different on each replica but it makes sense that the value > is the same on all replicas. 
It is used to remove too old csn and so how far
> in the past the replication can decide which value is more recent than an
> other one. With different values of purge delay, a replica can decide to keep
> one value and an other replica can decide the opposite.
> Currently purgedelay is identical on all replicas (default value).

I understand that technically it is possible so the question is more like
'does it even make sense'? Do we want to support it?

--
Petr^2 Spacek

From christoph.kaminski at biotronik.com Fri Jul 3 12:32:17 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 3 Jul 2015 14:32:17 +0200
Subject: [Freeipa-users] samba vs ipa without kerberos
In-Reply-To:
Message-ID:

I know this howto already, that's the reason why I've written without schema extensions

Greetz
Christoph Kaminski

> On 03.07.2015 at 13:30, Christopher Lamb wrote:
>
> Hi Christoph
>
> have you seen this earlier thread?
> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>
> I guess as that solution adds some custom fields it would break your
> requirement "no schema extensions", but meet the requirement "user
> authenticates with password".
>
> Kind regards
>
> Chris
>
>
> From: Christoph Kaminski
> To: FreeIPA
> Date: 03.07.2015 12:26
> Subject: [Freeipa-users] samba vs ipa without kerberos
> Sent by: freeipa-users-bounces at redhat.com
>
>
> Hi
>
> it is possible (without extra patch/schema extension) to use samba shares
> without kerberos? Possibly is there something like a auth proxy for it? I
> mean the user authenticates with a password and the proxy checks it securely
> against ipa...
> any howtos/docs/ideas?
>
> (have ipa 4.1 and samba 4.1.12 here)
>
> Greetz
> Christoph Kaminski
>

From tbordaz at redhat.com Fri Jul 3 12:41:04 2015
From: tbordaz at redhat.com (thierry bordaz) Date: Fri, 03 Jul 2015 14:41:04 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg In-Reply-To: <55967FF9.5030309@redhat.com> References: <55929F86.6010907@redhat.com> <5596599E.90606@redhat.com> <55967A0A.5070605@redhat.com> <55967E4A.60507@redhat.com> <55967FF9.5030309@redhat.com> Message-ID: <559682E0.3030404@redhat.com> On 07/03/2015 02:28 PM, Petr Spacek wrote: > On 3.7.2015 14:21, thierry bordaz wrote: >> On 07/03/2015 02:03 PM, Petr Spacek wrote: >>> On 3.7.2015 11:45, thierry bordaz wrote: >>>> On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: >>>>> Hi, >>>>> >>>>> 389-ds allows to configure the max size of the replication changelog either >>>>> by setting a maximum record number or a maximum age of changes. >>>>> freeIPA does not use this setting. In the context of ticket >>>>> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change the >>>>> default to >>>>> enable changelog trimming. >>>>> >>>>> Does anyone already use changlog trimming or is there a scenario where you >>>>> rely on all changes being available ? >>>>> >>>>> Thanks for your feedback, >>>>> Ludwig >>>>> >>>> Hello, >>>> >>>> I think it is reasonable to set nsds5ReplicaPurgeDelay and >>>> nsslapd-changelogmaxage to similar value. >>>> >>>> When a replica (master or consumer) is down for some time and is >>>> restarted, both attribute express the ability to get the replica in >>>> sync with the rest of the topology. >>>> It can work (and likely will) if >>>> nsds5ReplicaPurgeDelay>>> corner cases that can lead to problem (like entries that diverge). >>>> >>>> Currently purgedelay=7days (default) and changelogmaxage is infinite >>>> and changing purgedelay=infinite impacts the size of the entries. >>> I wonder if these values could/should be controlled by topology plugin. Does >>> it make sense to have different values on different replicas? 
>>>
>> Purgedelay can be different on each replica but it makes sense that the value
>> is the same on all replicas. It is used to remove too old csn and so how far
>> in the past the replication can decide which value is more recent than an
>> other one. With different values of purge delay, a replica can decide to keep
>> one value and an other replica can decide the opposite.
>> Currently purgedelay is identical on all replicas (default value).
> I understand that technically it is possible so the question is more like
> 'does it even make sense'? Do we want to support it?
>

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.0/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicaPurgeDelay.html

    ...

    When setting this attribute, ensure that the purge delay is longer
    than the longest replication cycle in the replication policy to
    preserve enough information to resolve replication conflicts and to
    prevent the copies of data stored in different servers from diverging.

The longest replication cycle is identical for all replicas, so it is a recommendation to use the same value.
I admit it could be more clearly stated.

If one decides to go with different values and complains about entries that diverge, support will likely lead him to this page.

From pspacek at redhat.com Fri Jul 3 12:43:52 2015
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 03 Jul 2015 14:43:52 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg In-Reply-To: <559682E0.3030404@redhat.com> References: <55929F86.6010907@redhat.com> <5596599E.90606@redhat.com> <55967A0A.5070605@redhat.com> <55967E4A.60507@redhat.com> <55967FF9.5030309@redhat.com> <559682E0.3030404@redhat.com> Message-ID: <55968388.9080004@redhat.com> On 3.7.2015 14:41, thierry bordaz wrote: > On 07/03/2015 02:28 PM, Petr Spacek wrote: >> On 3.7.2015 14:21, thierry bordaz wrote: >>> On 07/03/2015 02:03 PM, Petr Spacek wrote: >>>> On 3.7.2015 11:45, thierry bordaz wrote: >>>>> On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: >>>>>> Hi, >>>>>> >>>>>> 389-ds allows to configure the max size of the replication changelog either >>>>>> by setting a maximum record number or a maximum age of changes. >>>>>> freeIPA does not use this setting. In the context of ticket >>>>>> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change >>>>>> the >>>>>> default to >>>>>> enable changelog trimming. >>>>>> >>>>>> Does anyone already use changlog trimming or is there a scenario where you >>>>>> rely on all changes being available ? >>>>>> >>>>>> Thanks for your feedback, >>>>>> Ludwig >>>>>> >>>>> Hello, >>>>> >>>>> I think it is reasonable to set nsds5ReplicaPurgeDelay and >>>>> nsslapd-changelogmaxage to similar value. >>>>> >>>>> When a replica (master or consumer) is down for some time and is >>>>> restarted, both attribute express the ability to get the replica in >>>>> sync with the rest of the topology. >>>>> It can work (and likely will) if >>>>> nsds5ReplicaPurgeDelay>>>> corner cases that can lead to problem (like entries that diverge). >>>>> >>>>> Currently purgedelay=7days (default) and changelogmaxage is infinite >>>>> and changing purgedelay=infinite impacts the size of the entries. >>>> I wonder if these values could/should be controlled by topology plugin. 
Does >>>> it make sense to have different values on different replicas? >>>> >>> Purgedelay can be different on each replica but it makes sense that the value >>> is the same on all replicas. It is used to remove too old csn and so how far >>> in the past the replication can decide which value is more recent than an >>> other one. With different values of purge delay, a replica can decide to keep >>> one value and an other replica can decide the opposite. >>> Currently purgedelay is identical on all replicas (default value). >> I understand that technically it is possible so the question is more like >> 'does it even make sense'? Do we want to support it? >> > https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.0/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicaPurgeDelay.html > > > ... > > When setting this attribute, ensure that the purge delay is longer > than the longest replication cycle in the replication policy to > preserve enough information to resolve replication conflicts and to > prevent the copies of data stored in different servers from diverging. > > The longest replication cycle is identical for all replicas, so it is a > recommendation to use the same value. > I admit it could be more clearly stated. > > If one decides to go with different values and complains about entries that > diverge, support will likely lead him to this page. So .... moving forward, should we enforce one topology-wide value in topology plugin? Is there a legitimate use-case for using different values? -- Petr^2 Spacek From lkrispen at redhat.com Fri Jul 3 12:45:12 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 03 Jul 2015 14:45:12 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg In-Reply-To: <55967FF9.5030309@redhat.com> References: <55929F86.6010907@redhat.com> <5596599E.90606@redhat.com> <55967A0A.5070605@redhat.com> <55967E4A.60507@redhat.com> <55967FF9.5030309@redhat.com> Message-ID: <559683D8.5040607@redhat.com> On 07/03/2015 02:28 PM, Petr Spacek wrote: > On 3.7.2015 14:21, thierry bordaz wrote: >> On 07/03/2015 02:03 PM, Petr Spacek wrote: >>> On 3.7.2015 11:45, thierry bordaz wrote: >>>> On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: >>>>> Hi, >>>>> >>>>> 389-ds allows to configure the max size of the replication changelog either >>>>> by setting a maximum record number or a maximum age of changes. >>>>> freeIPA does not use this setting. In the context of ticket >>>>> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change the >>>>> default to >>>>> enable changelog trimming. >>>>> >>>>> Does anyone already use changlog trimming or is there a scenario where you >>>>> rely on all changes being available ? >>>>> >>>>> Thanks for your feedback, >>>>> Ludwig >>>>> >>>> Hello, >>>> >>>> I think it is reasonable to set nsds5ReplicaPurgeDelay and >>>> nsslapd-changelogmaxage to similar value. >>>> >>>> When a replica (master or consumer) is down for some time and is >>>> restarted, both attribute express the ability to get the replica in >>>> sync with the rest of the topology. >>>> It can work (and likely will) if >>>> nsds5ReplicaPurgeDelay>>> corner cases that can lead to problem (like entries that diverge). >>>> >>>> Currently purgedelay=7days (default) and changelogmaxage is infinite >>>> and changing purgedelay=infinite impacts the size of the entries. >>> I wonder if these values could/should be controlled by topology plugin. Does >>> it make sense to have different values on different replicas? 
>>>
>> Purgedelay can be different on each replica but it makes sense that the value
>> is the same on all replicas. It is used to remove too old csn and so how far
>> in the past the replication can decide which value is more recent than an
>> other one. With different values of purge delay, a replica can decide to keep
>> one value and an other replica can decide the opposite.
>> Currently purgedelay is identical on all replicas (default value).
> I understand that technically it is possible so the question is more like
> 'does it even make sense'?
no, it doesn't make sense. At least I can't imagine a scenario, where it does
> Do we want to support it?
what exactly do you mean by this, you always can as a last method edit the dse.ldif, even if you can catch all online mods by a plugin like the topo plugin.
do we offer an easy way to configure and modify it, I think: no
does one lose support if changing the default, no
>

From pspacek at redhat.com Fri Jul 3 13:00:13 2015
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 03 Jul 2015 15:00:13 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg In-Reply-To: <559683D8.5040607@redhat.com> References: <55929F86.6010907@redhat.com> <5596599E.90606@redhat.com> <55967A0A.5070605@redhat.com> <55967E4A.60507@redhat.com> <55967FF9.5030309@redhat.com> <559683D8.5040607@redhat.com> Message-ID: <5596875D.4080306@redhat.com> On 3.7.2015 14:45, Ludwig Krispenz wrote: > > On 07/03/2015 02:28 PM, Petr Spacek wrote: >> On 3.7.2015 14:21, thierry bordaz wrote: >>> On 07/03/2015 02:03 PM, Petr Spacek wrote: >>>> On 3.7.2015 11:45, thierry bordaz wrote: >>>>> On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: >>>>>> Hi, >>>>>> >>>>>> 389-ds allows to configure the max size of the replication changelog either >>>>>> by setting a maximum record number or a maximum age of changes. >>>>>> freeIPA does not use this setting. In the context of ticket >>>>>> https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change >>>>>> the >>>>>> default to >>>>>> enable changelog trimming. >>>>>> >>>>>> Does anyone already use changlog trimming or is there a scenario where you >>>>>> rely on all changes being available ? >>>>>> >>>>>> Thanks for your feedback, >>>>>> Ludwig >>>>>> >>>>> Hello, >>>>> >>>>> I think it is reasonable to set nsds5ReplicaPurgeDelay and >>>>> nsslapd-changelogmaxage to similar value. >>>>> >>>>> When a replica (master or consumer) is down for some time and is >>>>> restarted, both attribute express the ability to get the replica in >>>>> sync with the rest of the topology. >>>>> It can work (and likely will) if >>>>> nsds5ReplicaPurgeDelay>>>> corner cases that can lead to problem (like entries that diverge). >>>>> >>>>> Currently purgedelay=7days (default) and changelogmaxage is infinite >>>>> and changing purgedelay=infinite impacts the size of the entries. >>>> I wonder if these values could/should be controlled by topology plugin. 
Does >>>> it make sense to have different values on different replicas? >>>> >>> Purgedelay can be different on each replica but it makes sense that the value >>> is the same on all replicas. It is used to remove too old csn and so how far >>> in the past the replication can decide which value is more recent than an >>> other one. With different values of purge delay, a replica can decide to keep >>> one value and an other replica can decide the opposite. >>> Currently purgedelay is identical on all replicas (default value). >> I understand that technically it is possible so the question is more like >> 'does it even make sense'? > no, it doesn't make sense. At least I can't imagine a scenario, where it does >> Do we want to support it? > what exactly do you mean by this, you always can as a last method edit the > dse.ldif, even if you can catch all online mods by a plugin like the topo plugin. > do we offer an easy way to configure and modify it, I think: no > does one loose support if changing the default, no I'm asking if we as FreeIPA project are willing to support such configuration or not. It is our decision - and we can make statements about supportability and add technical measures to prevent *accidental* changes. -- Petr^2 Spacek From paw at 4gotten.me Fri Jul 3 14:30:38 2015 
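
Added example, not part of the thread and not FreeIPA or 389-ds code: a Python check of the point made in the changelog-trimming thread above, that nsds5ReplicaPurgeDelay should be identical on all replicas and similar to nsslapd-changelogmaxage. The dse.ldif excerpts and hostnames are constructed; the entry layout (cn=replica, cn=changelog5), the reading of 0 as "no limit" and the 25% tolerance for "similar" are assumptions.

```python
import base64
import re

DEFAULT_PURGE_DELAY = 7 * 86400  # the thread: "purgedelay=7days (default)"
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed dse.ldif excerpts (hostnames, suffix and values are made up).
# Assumed layout: purge delay on the cn=replica entry, max age on cn=changelog5.
SAMPLE_DSE = {
    "ipa1.example.test": r"""
dn: cn=changelog5,cn=config
nsslapd-changelogmaxage: 7d

dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,
 cn=config
nsds5ReplicaPurgeDelay: 604800
""",
    "ipa2.example.test": r"""
dn: cn=changelog5,cn=config
nsslapd-changelogdir: /var/lib/dirsrv/slapd-EXAMPLE-TEST/cldb

dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsds5ReplicaId: 4
""",
    "ipa3.example.test": r"""
dn: cn=changelog5,cn=config
nsslapd-changelogmaxage: 30d

dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsds5ReplicaPurgeDelay: 86400
""",
}


def parse_ldif(text):
    """Return a list of entries; each maps lowercased attribute -> list of values."""
    logical = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous one.
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:
        if not line.strip():              # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def parse_age(value):
    """Convert '7d', '2w' or '604800' to seconds; None means no age limit."""
    match = re.fullmatch(r"(\d+)\s*([smhdw]?)", value.strip().lower())
    if not match:
        raise ValueError(f"unrecognised age value: {value!r}")
    seconds = int(match.group(1)) * UNITS[match.group(2) or "s"]
    return seconds or None                # assumption: 0 means "keep forever"


def retention_settings(dse_text):
    """Return (purge_delay_seconds, changelog_max_age_seconds) for one replica."""
    purge, max_age = DEFAULT_PURGE_DELAY, None  # thread: max age is infinite by default
    for entry in parse_ldif(dse_text):
        dn = entry.get("dn", [""])[0].lower()
        if dn.startswith("cn=replica,") and "nsds5replicapurgedelay" in entry:
            purge = parse_age(entry["nsds5replicapurgedelay"][0])
        elif dn.startswith("cn=changelog5,") and "nsslapd-changelogmaxage" in entry:
            max_age = parse_age(entry["nsslapd-changelogmaxage"][0])
    return purge, max_age


def audit(replicas, tolerance=0.25):
    """Return (code, detail) findings for a {hostname: dse.ldif text} mapping."""
    settings = {host: retention_settings(text) for host, text in replicas.items()}
    findings = []
    if len({purge for purge, _ in settings.values()}) > 1:
        detail = ", ".join(f"{h}={p}" for h, (p, _) in sorted(settings.items()))
        findings.append(("PURGE_DELAY_MISMATCH", detail))
    for host, (purge, max_age) in sorted(settings.items()):
        if max_age is None:
            findings.append(("CHANGELOG_NOT_TRIMMED", host))
        elif purge is None or abs(max_age - purge) > tolerance * purge:
            findings.append(("AGE_VS_PURGE_DIFFER",
                             f"{host}: maxage={max_age}s purge={purge}s"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_DSE):
        print(f"{code}: {detail}")
```
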
From: paw at 4gotten.me (David Fox) Date: Fri, 03 Jul 2015 15:30:38 +0100 Subject: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error In-Reply-To: <20150702114749.GF9417@p.redhat.com> References: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me> <20150702114749.GF9417@p.redhat.com> Message-ID: On 2015-07-02 12:47, Sumit Bose wrote: > On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote: >> I am encountering issues trying to integrate FreeIPA with AD, on *nix >> promp >> I get "internal server rror" and within I receive the following >> message in >> httpd_errorlog. >> > > It looks like we as AD if it already has a trust to a domain called > 'ipa.*redacted*' and .... > >> rpc reply data: >> [0000] 00 00 02 00 06 00 00 00 03 00 00 00 00 00 00 00 ........ >> ........ >> lsa_QueryTrustedDomainInfoByName: struct >> lsa_QueryTrustedDomainInfoByName >> in: struct lsa_QueryTrustedDomainInfoByName >> handle : * >> handle: struct policy_handle >> handle_type : 0x00000000 (0) >> uuid : >> 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6 >> trusted_domain : * >> trusted_domain: struct lsa_String >> length : 0x001a (26) >> size : 0x001a (26) >> string : * >> string : 'ipa.*redacted*' >> level : >> LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8) >> rpc request data: >> [0000] 00 00 00 00 0D F5 93 05 C4 B3 0A 4B B3 D7 F5 02 ........ >> ...K.... >> [0010] DA 1E A0 E6 1A 00 1A 00 00 00 02 00 0D 00 00 00 ........ >> ........ >> [0020] 00 00 00 00 0D 00 00 00 69 00 70 00 61 00 2E 00 ........ >> i.p.a... >> [0030] 68 00 73 00 61 00 2E 00 63 00 6F 00 2E 00 75 00 a... >> c.o...u. >> [0040] 6B 00 08 00 k... 
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": >> 0x7fdde0230710 >> s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde00ef550 >> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 >> s4_tevent: Schedule immediate event "dcerpc_io_trigger": >> 0x7fdde0230710 >> num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, >> data_total=92, this_data=92, max_data=4280, param_offset=84, >> param_pad=2, >> param_disp=0, data_offset=84, data_pad=0, data_disp=0 >> s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde00ee2f0 >> smb_signing_md5: sequence number 14 >> smb_signing_sign_pdu: sent SMB signature of >> [0000] B0 93 27 43 EE 4A 37 94 ..'C.J7. >> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": >> 0x7fdde00f5a60 >> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710 >> s4_tevent: Run immediate event "tevent_queue_immediate_trigger": >> 0x7fdde00f5a60 >> smb_signing_md5: sequence number 15 >> smb_signing_check_pdu: seq 15: got good SMB signature of >> [0000] 8F F4 5B 5F 27 39 4C 42 ..[_'9LB >> s4_tevent: Destroying timer event 0x7fdde00ee2f0 "tevent_req_timedout" >> s4_tevent: Schedule immediate event "tevent_req_trigger": >> 0x7fdde050c440 >> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde050c440 >> s4_tevent: Destroying timer event 0x7fdde00ef550 >> "dcerpc_timeout_handler" >> s4_tevent: Schedule immediate event "tevent_req_trigger": >> 0x7fdde05110e0 >> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde05110e0 >> lsa_QueryTrustedDomainInfoByName: struct >> lsa_QueryTrustedDomainInfoByName >> out: struct lsa_QueryTrustedDomainInfoByName >> info : * >> info : * >> info : union >> lsa_TrustedDomainInfo(case 8) >> full_info: struct lsa_TrustDomainInfoFullInfo >> info_ex: struct lsa_TrustDomainInfoInfoEx >> domain_name: struct lsa_StringLarge >> length : 0x001a (26) >> size : 0x001c (28) >> string : * >> string : >> 'ipa.*redacted*' >> netbios_name: struct 
lsa_StringLarge >> length : 0x001a (26) >> size : 0x001c (28) >> string : * >> string : >> 'ipa.*redacted*' >> sid : NULL >> trust_direction : 0x00000003 (3) >> 1: LSA_TRUST_DIRECTION_INBOUND >> 1: LSA_TRUST_DIRECTION_OUTBOUND >> trust_type : >> LSA_TRUST_TYPE_MIT > > > and knows this domain already because a trust to the Kerberos realm was > already created. > > If possible please remove the Kerberos trust from the AD side and try > again. > > Please note that you cannot have trust to two realms which share the > same realm name. > > HTH > > bye, > Sumit > >> (3) >> trust_attributes : 0x00000000 (0) >> 0: >> LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE >> 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY >> 0: >> LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN >> 0: >> LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE >> 0: >> LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION >> 0: >> LSA_TRUST_ATTRIBUTE_WITHIN_FOREST >> 0: >> LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL >> 0: >> LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION >> posix_offset: struct >> lsa_TrustDomainInfoPosixOffset >> posix_offset : 0x00000000 (0) >> auth_info: struct lsa_TrustDomainInfoAuthInfo >> incoming_count : 0x00000000 (0) >> incoming_current_auth_info: NULL >> incoming_previous_auth_info: NULL >> outgoing_count : 0x00000000 (0) >> outgoing_current_auth_info: NULL >> outgoing_previous_auth_info: NULL >> result : NT_STATUS_OK >> rpc reply data: >> [0000] 00 00 02 00 08 00 00 00 1A 00 1C 00 04 00 02 00 ........ >> ........ >> [0010] 1A 00 1C 00 08 00 02 00 00 00 00 00 03 00 00 00 ........ >> ........ >> [0020] 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ >> ........ >> [0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ >> ........ >> [0040] 00 00 00 00 0E 00 00 00 00 00 00 00 0D 00 00 00 ........ >> ........ >> [0050] 69 00 70 00 61 00 2E 00 68 00 73 00 61 00 2E 00 i.p.a... >> h... >> [0060] 63 00 6F 00 2E 00 75 00 6B 00 00 00 0E 00 00 00 c.o...u. >> k....... >> [0070] 00 00 00 00 0D 00 00 00 69 00 70 00 61 00 2E 00 ........ 
>> i.p.a... >> [0080] 68 00 73 00 61 00 2E 00 63 00 6F 00 2E 00 75 00 ... >> c.o...u. >> [0090] 6B 00 00 00 00 00 00 00 k....... >> [Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR: >> non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected >> type >> 'security.dom_sid' for 'py_dom_sid' of type 'NoneType' >> [Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most >> recent >> call last): >> [Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063] File >> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, >> in >> wsgi_execute >> [Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063] result = >> self.Command[name](*args, **options) >> [Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063] File >> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in >> __call__ >> [Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063] ret = >> self.run(*args, **options) >> [Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063] File >> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in >> run >> [Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063] return >> self.execute(*args, **options) >> [Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063] File >> "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, >> in >> execute >> [Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063] result = >> self.execute_ad(full_join, *keys, **options) >> [Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063] File >> "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, >> in >> execute_ad >> [Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063] >> self.realm_passwd >> [Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063] File >> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in >> join_ad_full_credentials >> [Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063] >> self.remote_domain.establish_trust(self.local_domain, trustdom_pass) >> [Tue Jun 30 13:17:01.369325 
2015] [:error] [pid 1063] File >> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in >> establish_trust >> [Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063] >> self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid) >> [Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError: >> default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' >> for >> 'py_dom_sid' of type 'NoneType' >> [Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO: >> [jsonserver_session] admin at IPA.*redacted*: trust_add(u'*redacted*', >> trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********', >> all=False, raw=False, version=u'2.112'): TypeError >> >> >> These are whole logs with "log level = 100" set in smb.conf.empty. Log >> files >> were emptied before the above command was ran. If there is any other >> information required please let me know. >> >> Software versions: >> Fedora 22: 4.1.4 >> Fedora 22: 4.2 Alpha 1 >> >> Oracle Linux 7.1 64bit: without DNS >> ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3 >> ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3 >> >> CentOS 7.1 64bit: With DNS >> ipa-server.x86_64 - 4.1.0-18-el7.centos.3 >> ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3 >> >> >> Regards, >> David >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project Thank you, removed this from AD and tried the command again and this time validated. Cheers, David From sbose at redhat.com Fri Jul 3 15:14:08 2015 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 3 Jul 2015 17:14:08 +0200 Subject: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error In-Reply-To: References: <702098cf7c6ae6f3a17c41267b8ec684@4gotten.me> <20150702114749.GF9417@p.redhat.com> Message-ID: <20150703151408.GB16655@p.redhat.com> On Fri, Jul 03, 2015 at 03:30:38PM +0100, David Fox wrote: > Thank you, removed this from AD and tried the command again and this time > validated. Thank you for the feedback, glad I could help. Thanks for finding and reopening https://fedorahosted.org/freeipa/ticket/4999. I've added a comment about the reason of this issue. 
bye, Sumit > > Cheers, > David From l at avc.su Fri Jul 3 15:29:02 2015 
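The condition diagnosed in the thread above (AD already holds a trust entry for the same name, of type LSA_TRUST_TYPE_MIT and with sid NULL, so the delete-by-SID call in the traceback receives None) can be read straight out of the Samba debug output. The following is an added example, not part of the original messages and not FreeIPA or Samba code: it parses a dump in the layout quoted in the thread and flags that case. The sample dump is constructed, the domain name is a placeholder, and the names parse_replies and diagnose are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TARGET = "lsa_QueryTrustedDomainInfoByName"
STRUCT = re.compile(r"^\s*(\w+): struct (\w+)\s*$")   # "name: struct type"
FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")      # "name   : value"

# Constructed sample in the layout of the dump quoted in the thread.
# 'ipa.example.test' is a placeholder, not a value from the thread.
MIT_REPLY = """\
     lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
        in: struct lsa_QueryTrustedDomainInfoByName
            trusted_domain           : *
                trusted_domain: struct lsa_String
                    string                   : *
                        string                   : 'ipa.example.test'
     lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
        out: struct lsa_QueryTrustedDomainInfoByName
            info                     : *
                    info                     : union lsa_TrustedDomainInfo(case 8)
                    full_info: struct lsa_TrustDomainInfoFullInfo
                        info_ex: struct lsa_TrustDomainInfoInfoEx
                            domain_name: struct lsa_StringLarge
                                string                   : *
                                    string                   : 'ipa.example.test'
                            netbios_name: struct lsa_StringLarge
                                string                   : *
                                    string                   : 'ipa.example.test'
                            sid                      : NULL
                            trust_direction          : 0x00000003 (3)
                                   1: LSA_TRUST_DIRECTION_INBOUND
                                   1: LSA_TRUST_DIRECTION_OUTBOUND
                            trust_type               : LSA_TRUST_TYPE_MIT (3)
        result                   : NT_STATUS_OK
"""


@dataclass
class TrustReply:
    domain_name: Optional[str] = None
    sid: Optional[str] = None         # stays None when the dump shows "sid : NULL"
    trust_type: Optional[str] = None
    direction: int = 0                # bit 0 = inbound, bit 1 = outbound
    status: Optional[str] = None


def parse_replies(log_text: str) -> List[TrustReply]:
    """Collect one TrustReply per 'out:' block of the TARGET call."""
    replies: List[TrustReply] = []
    current: Optional[TrustReply] = None
    sub = ""
    for line in log_text.splitlines():
        m = STRUCT.match(line)
        if m:
            name, typ = m.groups()
            if name == typ:                       # header of a new RPC call dump
                current = None
            elif typ == TARGET and name == "out":
                current = TrustReply()
                replies.append(current)
            else:
                sub = name                        # e.g. domain_name, netbios_name
            continue
        m = FIELD.match(line)
        if not m or current is None:
            continue
        key, value = m.groups()
        if not value or value == "*":             # wrapped line or pointer marker
            continue
        if key == "string" and sub == "domain_name":
            current.domain_name = value.strip("'")
        elif key == "sid":
            current.sid = None if value == "NULL" else value
        elif key == "trust_direction":
            current.direction = int(value.split()[0], 16)
        elif key == "trust_type":
            current.trust_type = value.split()[0]
        elif key == "result":
            current.status = value
    return replies


def diagnose(reply: TrustReply) -> Tuple[bool, str]:
    """Return (blocks_trust_add, explanation) for one parsed reply."""
    if reply.status != "NT_STATUS_OK":
        return False, "AD returned no existing trust entry under this name"
    if reply.sid is None:
        return True, (
            f"AD already holds a {reply.trust_type} trust named "
            f"{reply.domain_name!r} (direction 0x{reply.direction:x}) with no SID; "
            "the delete-by-SID call in the traceback receives None. "
            "Remove that realm trust on the AD side and retry."
        )
    return False, f"existing {reply.trust_type} trust has SID {reply.sid}"


if __name__ == "__main__":
    for r in parse_replies(MIT_REPLY):
        blocked, why = diagnose(r)
        print("BLOCKING" if blocked else "ok", "-", why)
```

Feed it the httpd error_log captured with the raised Samba log level; timestamps, hex dump rows and s4_tevent lines are ignored by the parser.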
From: l at avc.su (l at avc.su) Date: Fri, 03 Jul 2015 18:29:02 +0300 Subject: [Freeipa-users] sssd and ipa+ad trust, ssh login errors Message-ID:

Hello.
I've encountered an issue with ssh login to freeipa clients in trusted environment.
getent/id commands working as expected, but password/publickey auth for user from ipa or AD domain does not work (gssapi works, by the way)
Seems like sss_ssh_authorizedkeys not working properly in this case.

$ getent passwd admin
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash
$ getent passwd admin at cloud
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash
$ getent passwd Administrator at zone.local
administrator at zone.local:*:1742600500:1742600500:Administrator:/home/zone.local/administrator:/bin/bash

Establishing connection:

$ ssh -l admin at CLOUD 192.168.13.103 -i key.openssh
Received disconnect from 192.168.13.103: 2: Too many authentication failures for admin at CLOUD

Here's the log of connection:

/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Disconnecting: Too many authentication failures for admin at CLOUD [preauth]

Trying to get the public key manually:

$ /usr/bin/sss_ssh_authorizedkeys admin at CLOUD
ssh-rsa AAAAB3NzaC~~
$ /usr/bin/sss_ssh_authorizedkeys admin
Error looking up public keys

Trying to connect with password auth:

$ ssh -l admin at CLOUD 192.168.13.103
admin at CLOUD@192.168.13.103's password:
X11 forwarding request failed on channel 0
Connection to 192.168.13.103 closed by remote host.
Connection to 192.168.13.103 closed.

/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin at CLOUD
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin at CLOUD
Accepted password for admin at CLOUD from 192.168.13.106 port 63054 ssh2
pam_unix(sshd:session): session opened for user admin at CLOUD by (uid=0)
fatal: login_init_entry: Cannot find user "admin"
pam_unix(sshd:session): session closed for user admin at CLOUD
fatal: login_init_entry: Cannot find user "admin"
fatal: mm_request_send: write: Broken pipe
Connection closed by 192.168.13.106 [preauth]

Auth succeeded, but login failed.

Versions:
Centos 7.1.1503
sssd 1.12.2
freeipa 4.1.0

From nathan at nathanpeters.com Fri Jul 3 15:45:47 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Fri, 3 Jul 2015 08:45:47 -0700 Subject: [Freeipa-users] What is the recommended way to create an Administrator account through the web ui? Message-ID: <454d916d1ea0b41221963e400c882316.squirrel@webmail.nathanpeters.com> I have been trying to create accounts in FreeIPA that have the same level of permission as the built-in administrator account. Basically, I want to do the equivalent of what you can do in Active Directory by adding someone to the Domain Administrators group. We need this because it is not an acceptable security model in our enterprise to share the built-in admin password between many administrators. What is the proper way to do this? I notice that the built-in roles are DNS Administrator, IT Security Specialist, IT Specialist, Security Architect, User Administrator, and helpdesk. If I give a user all 6 of these roles will they have the equivalent level of permissions as the admin user or are there things they still won't be able to do ? From simo at redhat.com Fri Jul 3 16:14:33 2015 
From: simo at redhat.com (Simo Sorce) Date: Fri, 03 Jul 2015 12:14:33 -0400 Subject: [Freeipa-users] samba vs ipa without kerberos In-Reply-To: References: Message-ID: <1435940073.7030.8.camel@willson.usersys.redhat.com> On Fri, 2015-07-03 at 12:24 +0200, Christoph Kaminski wrote: > Hi > > it is possible (without extra patch/schema extension) to use samba shares > without kerberos? Possibly is there something like a auth proxy for it? I > mean the user authenticates with a password and the proxy checks it > securely against ipa... > any howtos/docs/ideas? You misunderstand how SMB authentication works. You have only 2 options: NTLM or Kerberos, neither sends the password in the clear to samba, so there is no proxy you can build, they are both MITM resistant protocols. Simo. > (have ipa 4.1 and samba 4.1.12 here) > > Greetz > Christoph Kaminski > -- Simo Sorce * Red Hat, Inc * New York
From l at avc.su Fri Jul 3 16:52:12 2015
From: l at avc.su (l at avc.su) Date: Fri, 03 Jul 2015 19:52:12 +0300 Subject: [Freeipa-users] sssd and ipa+ad trust, ssh login errors In-Reply-To: References: Message-ID: OK, seems like I've found the cause. /etc/sssd/sssd.conf default_domain_suffix = zone.local If I comment this out, I can login using password or publickey with ipa user and using password with AD user, but I need to specify the domain component. Found this thread: https://www.redhat.com/archives/freeipa-users/2015-February/msg00371.html And this bug: https://fedorahosted.org/sssd/ticket/2569 Since it's fixed, it should appear in sssd 1.13 release? l at avc.su wrote 2015-07-03 18:29: > Hello. > I've encountered an issue with ssh login to freeipa clients in trusted > environment. > getent/id commands working as expected, but password/publickey auth > for user from ipa or AD domain does not work (gssapi works, by the > way) > Seems like sss_ssh_authorizedkeys not working properly in this case. From esdras.laroque at gmail.com Fri Jul 3 17:54:29 2015
From: esdras.laroque at gmail.com (Esdras La-Roque) Date: Fri, 3 Jul 2015 14:54:29 -0300 Subject: [Freeipa-users] FreeIPA and Rsyslog Message-ID: Hi guys, is it possible utilize freeipa certificate, issued for a machine, integrated in Rsyslog for redirection remotely logs? If yes. Anybody has a documentation about it? I try this, but rsyslog's service was crashed. Curiously, with another certificate, issued out of freeipa, works perfectly. -- *Esdras La-Roque* LPI-1 | Linux Professional Institute - Level 1 MCITP | Microsoft Virtualization Administrator NCLA | Novell Certified Linux Administrator DCTS | Data Center Technical Specialist From sbose at redhat.com Fri Jul 3 18:00:51 2015
From: sbose at redhat.com (Sumit Bose) Date: Fri, 3 Jul 2015 20:00:51 +0200 Subject: [Freeipa-users] sssd and ipa+ad trust, ssh login errors In-Reply-To: References: Message-ID: <20150703180051.GC16655@p.redhat.com> On Fri, Jul 03, 2015 at 07:52:12PM +0300, l at avc.su wrote: > OK, seems like I've found the cause. > > /etc/sssd/sssd.conf > default_domain_suffix = zone.local > > If I comment this out, I can login using password or publickey with ipa user > and using password with AD user, but I need to specify the domain component. > Found this thread: > https://www.redhat.com/archives/freeipa-users/2015-February/msg00371.html > And this bug: https://fedorahosted.org/sssd/ticket/2569 > > Since it's fixed, it should appear in sssd 1.13 release? yes, it is already in the alpha https://fedorahosted.org/released/sssd/sssd-1.13.0alpha.tar.gz . bye, Sumit > > l at avc.su wrote 2015-07-03 18:29: > >Hello. > >I've encountered an issue with ssh login to freeipa clients in trusted > >environment. > >getent/id commands working as expected, but password/publickey auth > >for user from ipa or AD domain does not work (gssapi works, by the > >way) > >Seems like sss_ssh_authorizedkeys not working properly in this case. From natxo.asenjo at gmail.com Fri Jul 3 20:02:46 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Fri, 3 Jul 2015 22:02:46 +0200 Subject: [Freeipa-users] FreeIPA and Rsyslog In-Reply-To: References: Message-ID: On Fri, Jul 3, 2015 at 7:54 PM, Esdras La-Roque wrote: > Hi guys, > > is it possible utilize freeipa certificate, issued for a machine, > integrated in Rsyslog for redirection remotely logs? > not with rsyslog, but with logstash and the logstash forwarder. I tried with rsyslog and it worked following the rsyslog documentation on tls/ssl. -- natxo From yamakasi.014 at gmail.com Sat Jul 4 23:08:38 2015
From: yamakasi.014 at gmail.com (Matt .) Date: Sun, 5 Jul 2015 01:08:38 +0200 Subject: [Freeipa-users] Userpassword randomly not working anymore. Message-ID:

Hi Guys,

I created a bug where no response is on yet for a week, so I thought to ask the mailinglist if someone has seen this behaviour.

https://bugzilla.redhat.com/show_bug.cgi?id=1236322

Description of problem: The password of a user is randomly "not working" anymore and needs a reset of the password. The user is added as passSyncManagersDNs entry and when this user sets a password for another user the expire is set to 2035, it does the same for itself.

Version-Release number of selected component (if applicable): 4.1

How reproducible: Add a user to passSyncManagersDNs like described here: https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/pass-sync.html

Steps to Reproduce:
1. Add user to passSyncManagersDNs
2. Reset this user his password, login and set the same password again so it stays the same until 2035
3. Wait for some days and try to login as this user the password is expired or damaged but still says in the GUI it expires in 2035

Actual results: The password expires it gets corrupted or so ?

Expected results: It should not expire until 2035!

I hope someone has a clue here as I can't get anything logged about it.

Thanks, Matt

From tde3000 at gmail.com Sun Jul 5 06:38:26 2015
From: tde3000 at gmail.com (John Stein) Date: Sun, 05 Jul 2015 06:38:26 +0000 Subject: [Freeipa-users] reverse lookup dns records in trust setup In-Reply-To: <55914D1F.4050704@redhat.com> References: <55914D1F.4050704@redhat.com> Message-ID: Hi, I ran these commands in the IdM server
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client. However this setup does not work. From the IdM and linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing? Thank you very much, John On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek wrote: > On 29.6.2015 13:57, John Stein wrote: > > Hi, > > > > I have an AD and IdM server. > > AD domain - john.com > > IdM domain - linux.john.com > > > > each spans multiple network segments, with some segments having both > linux > > and windows machines. > > > > the IdM is configured to forward DNS requests to AD (forward first), and > > the AD is configured to forward requests in the linux.john.com domain to > > the IdM. > > > > However, I'm having a problem regarding reverse lookup zones. Where > should > > they be so they can be accessed from both linux and windows machines? > > From DNS's point of view it does not matter, pick one side (AD or IPA) to > host > the reverse zone and configure delegation or forwarding on the other side. > That is all you need if you are willing to update records manually. > > > If I put them in IdM, how will the AD know which requests to forward to > the > > IdM? > > Either properly configure delegation (if you have control over the parent > zone) or add forwarder (only if you do not have control over parent zone - > usual caveats for forwarding apply). > > > It seems to me that I need to somehow register them at the AD, so the A > > record is in the IdM server and the PTR is in the AD. Is it possible to > do > > it automatically, > > "host/" principals from IPA Kerberos realm are generally not allowed to get > tickets for AD realm so automatic update from IPA to AD is not possible. > > It might work the other way around (I did not test this): > - Configure reverse zone in IPA > - Configure delegation/forwarding in AD so all clients can properly resolve > the reverse zone > - Allow all clients to update their PTR records. Update policy like this > might > work: > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE > krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;' > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1 > > I would like to hear from you if this works in your environment or not. > > Thank you! > > -- > Petr^2 Spacek From Markus.Moj at mc.ingenico.com Mon Jul 6 06:00:18 2015
From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com) Date: Mon, 6 Jul 2015 06:00:18 +0000 Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool In-Reply-To: References: <20150628132501.GB19902@redhat.com> Message-ID: Hi Chris, thanks for your help. Now we are able to login and have our mails delivered. Do you maybe know which configuration objects needs to be used in Jira to be able to use the FreeIPA groups? We have configured all necessary Jira Groups in FreeIPA but it doesn?t work as it should. -----Urspr?ngliche Nachricht----- Von: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com] Gesendet: Mittwoch, 1. Juli 2015 09:31 An: Moj, Markus; abokovoy at redhat.com; mkosek at redhat.com Cc: freeipa-users at redhat.com Betreff: Re: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool Hi Markus It is a pleasure. It was serendipity that we were working on the same problem at the same time. Your thread prompted me to take a different look at the question and find a viable solution. Let us know if it works for you. What intrigues me is: with my solution we had to change from an anonymous bind to a simple bind via user / pw to get one extra attribute: mail. This raises the question: Is there some way to configure IPA to determine which user attributes are returned to anonymous binds? Cheers Chris 
From:
To: Christopher Lamb/Switzerland/IBM at IBMCH, ,
Cc:
Date: 01.07.2015 07:54
Subject: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our Jira and see how it works out.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA, including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the one that works for us.

Key points:

a) Integration Style: "Internal Directory with LDAP Authentication" --> only those users that attempt to login are replicated, useful if your JIRA users are a subset of your FreeIPA users.
b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA Support.
c) bind = via user / password --> we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all important mail attribute was not replicated.
d) as the password of the bind user is stored in plaintext in the jira db, make sure this is a limited user (member of the default ipa-users group is sufficient). e.g. don't use the Directory Manager user!
e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute

Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function).

mysql> select attribute_name, attribute_value from
mysql> cwd_directory_attribute where directory_id = 10001;
+--------------------------------------------+----------------------------------------------------------------+
| attribute_name                             | attribute_value                                                |
+--------------------------------------------+----------------------------------------------------------------+
| autoAddGroups                              | jira-users                                                     |
| crowd.delegated.directory.auto.create.user | true                                                           |
| crowd.delegated.directory.auto.update.user | true                                                           |
| crowd.delegated.directory.importGroups     | false                                                          |
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP                      |
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com                               |
| ldap.external.id                           | uid                                                            |
| ldap.group.description                     | description                                                    |
| ldap.group.dn                              |                                                                |
| ldap.group.filter                          | (objectclass=groupOfUniqueNames)                               |
| ldap.group.name                            | cn                                                             |
| ldap.group.objectclass                     | groupOfUniqueNames                                             |
| ldap.group.usernames                       | uniqueMember                                                   |
| ldap.nestedgroups.disabled                 | true                                                           |
| ldap.pagedresults                          | false                                                          |
| ldap.pagedresults.size                     | 1000                                                           |
| ldap.password                              | xxxxxxxxx                                                      |
| ldap.referral                              | false                                                          |
| ldap.url                                   | ldap://xxx-ldap.my.silly.example.com:389                       |
| ldap.user.displayname                      | displayName                                                    |
| ldap.user.dn                               | cn=accounts                                                    |
| ldap.user.email                            | mail                                                           |
| ldap.user.filter                           | (objectclass=inetorgperson)                                    |
| ldap.user.firstname                        | givenName                                                      |
| ldap.user.group                            | memberOf                                                       |
| ldap.user.lastname                         | sn                                                             |
| ldap.user.objectclass                      | inetorgperson                                                  |
| ldap.user.username                         | uid                                                            |
| ldap.user.username.rdn                     | cn                                                             |
| ldap.userdn                                | uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com |
| ldap.usermembership.use                    | false                                                          |
| ldap.usermembership.use.for.groups         | false                                                          |
+--------------------------------------------+----------------------------------------------------------------+

@Martin K In an earlier thread on FreeIPA / JIRA integration you asked for contributions to a "How to Article". I think the solution above could be the basis of such an article.

Cheers

Chris

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Alexander Bokovoy, Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 29.06.2015 11:27
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

Hi all

I am fighting this exact problem too.

We had setup Jira, integrated to FreeIPA with the option "Internal Directory with LDAP Authentication", using anonymous bind. This integration path means that when a FreeIPA user attempts to logon to Jira with his FreeIPA Credentials, his user is replicated from FreeIPA to the Jira user directory.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

While this allows FreeIPA users to successfully log in to Jira, the user was replicated without email, which renders Jira as useful as a chocolate teapot.

Alexander's reply prompted me to "go back to basics". So I fired up Apache Directory Studio, and the command line to do some ldapsearches, to see what was returned. This should then guide me how to configure the JIRA / FreeIPA integration.

Query 1: Anonymous bind, filter is uid = bilbo

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=bilbo)
# requesting: ALL
#

# bilbo, users, compat, my.ch.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
gidNumber: 1175800010
gecos: bilbo bagins
uidNumber: 1175800010
loginShell: /bin/sh
homeDirectory: /home/bilbo
uid: bilbo

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

This returns 2 replies, inc one from the compat tree, as suggested by Alexander. Note however, neither reply has the mail attribute!

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid = bilbo (This is probably close to the JIRA query, which includes inetorgperson)

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This now returns 1 record, from users, accounts, but still no mail attribute

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Ah! me thinks - what about a search with user and password? Does this get us something different?

Query 3: same as query 2, but no longer anonymous:

[root at xxx-ldap ~]# ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
mail: lamb at ch.example.com
krbPrincipalName: bilbo at my.silly.example.COM
givenName: bilbo
sn: bagins
ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872
uidNumber: 1175800010
gidNumber: 1175800010
krbPasswordExpiration: 20150831183039Z
krbLastPwdChange: 20150602183039Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

That is much more like it: Performing the query with an ldap user and password gives me many more attributes, including the desired mail attribute.

Next I will configure JIRA to bind to FreeIPA with a FreeIPA user (non-anonymous bind), and report back ...

(unless there is a way to configure which attributes are available to anonymous binds ...)

Cheers

Chris

From: Alexander Bokovoy
To: Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 28.06.2015 15:26
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote:
>Hi @all,
>
>
>
>I am new to freeIPA operating and are facing an issue with mail object
>in freeIPA. We are running Jira from Atlassian and are trying to
>authenticate against freeIPA. The authentication process is running but
>mail object is not provided by freeIPA to Jira to inform users about
>new events / trackers or whatsoever. If a test object is displayed with
>ldapsearch mail attribute is available and set but is not useable by
>Jira.
>
>How is it possible to inherit mail accounts in Jira to be able to
>authenticate and use FreeIPA as IDM for Jira as well as for Linux
>systems.

This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your basedn when configuring Jira. If that's the case, then Jira gets results from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if compat tree is enabled.

In the compat tree you have RFC2307 schema which doesn't include mail attribute and slapi-nis always answers first over LDAP queries that apply to cn=compat,$SUFFIX so you are ending up with two LDAP entries returned for each individual IPA users, one from the compat tree without mail attribute, another one is the original entry from cn=users,cn=accounts,$SUFFIX.

Jira most likely expects a single entry response and if gets more, only evaluates the first entry -- the one that is returned by the compat tree and which doesn't have mail attribute.

You can solve this issue by bounding your query to cn=accounts,$SUFFIX to only return primary IPA user/group entries.

--
/ Alexander Bokovoy

From christopher.lamb at ch.ibm.com Mon Jul 6 08:50:32 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 6 Jul 2015 10:50:32 +0200
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References: <20150628132501.GB19902@redhat.com>
Message-ID:

Hi Markus

The short answer is no.

The longer answer is:

We replicated only users, and manage groups within JIRA. The delegated LDAP approach ("Connecting to an Internal Directory with LDAP Authentication") allows you to either synchronise groups and group membership from FreeIPA to Jira, or to automatically add FreeIPA users to Jira groups.

We chose the second approach: All users are automatically added to the jira-users and jira-developers groups on first log in. This suits our purposes, as basically all our Jira users should have the same rights, other than admins.

Note also that the delegated LDAP approach does not allow you to configure the LDAP properties JIRA accesses groups and membership, but the full synchronised approach does.

On our first attempt to integrate FreeIPA and JIRA we tried to replicate both users and group, but only succeeded in replicating users, not the groups (or to be precise, group-membership). A bit of googling showed that others had problems with the groups bit.

My initial guess is that, just like the mail attribute, very likely the compat tree is getting in the way of group membership.

Using Apache Directory Studio to see how group membership is modelled in the compat and accounts trees I see the following.

cn=compat, cn=groups, cn=admins, memberUid --> set of users belonging to the group admins

cn=compat, cn=users, uid=bilbo No attribute showing which groups this user belongs to.

cn=accounts, cn=groups, cn=ipausers, member --> set of users belonging to the group ipausers

cn=accounts, cn=users, uid=bilbo, memberOf --> list of groups user bilbo is a member of

Here are some ldapsearch queries to simulate what JIRA might be doing to retrieve group membership

- reply from accounts tree only
ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=groupofnames)(cn=admins))" member

- reply from both compat tree and accounts tree. (reply from compat tree is empty, reply from accounts tree has values)
ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(cn=admins)" member

- reply from compat tree only
ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(cn=admins)" memberUid

Chris

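The two lookups discussed in this thread (the user entry that arrives without mail, and memberUid versus member/memberOf for groups), as an added example that is not part of the original messages and is not FreeIPA or Jira code: a small Python parser for ldapsearch LDIF that compares what a client keeping only the first returned entry sees with the base DN at the suffix versus at cn=accounts. The LDIF is constructed sample data modelled on the replies quoted in the thread, the function names are this example's own, and the first-entry behaviour is the assumption made about Jira in Alexander's reply.

```python
import base64
from collections import defaultdict

SUFFIX = "dc=my,dc=silly,dc=example,dc=com"

# Constructed sample (not captured output): an authenticated subtree search from
# the suffix, compat entries first. "\n " is LDIF line folding of a long value.
SAMPLE_LDIF = """\
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
objectClass: posixAccount
cn: bilbo bagins
uid: bilbo

dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: inetorgperson
uid: bilbo
mail: bilbo@my.silly.example.com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=co\n m

dn: cn=admins,cn=groups,cn=compat,dc=my,dc=silly,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: admin

dn: cn=admins,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: groupofnames
cn: admins
member: uid=admin,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Parse ldapsearch-style LDIF into [(dn, {attr_lowercase: [values]})]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]             # unfold a continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, None
    for line in lines + [""]:                # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        elif dn is not None:                 # skips "search:" / "result:" trailers
            attrs[name.lower()].append(value)
    return entries

def tree_of(dn, suffix=SUFFIX):
    """Return 'compat', 'accounts' or 'other' (plain suffix match, no DN escaping)."""
    for tree in ("compat", "accounts"):
        if dn.lower().endswith(",cn=%s,%s" % (tree, suffix.lower())):
            return tree
    return "other"

def search(entries, base, attr, value):
    """Subtree search: entries at or under base whose attr contains value."""
    base, attr, value = base.lower(), attr.lower(), value.lower()
    return [(dn, attrs) for dn, attrs in entries
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and value in (v.lower() for v in attrs.get(attr, []))]

def first_entry_view(hits, wanted):
    """Model a client that evaluates only the first entry of a reply."""
    if not hits:
        return None
    dn, attrs = hits[0]
    view = {a: attrs.get(a.lower(), []) for a in wanted}
    view["tree"] = tree_of(dn)
    return view

def compare_bases(entries, attr, value, wanted):
    """First-entry view with base = suffix and with base = cn=accounts,suffix."""
    return {base: first_entry_view(search(entries, base, attr, value), wanted)
            for base in (SUFFIX, "cn=accounts," + SUFFIX)}

if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for attr, value, wanted in (("uid", "bilbo", ["mail", "memberOf"]),
                                ("cn", "admins", ["member", "memberUid"])):
        print("(%s=%s)" % (attr, value))
        for base, seen in compare_bases(parsed, attr, value, wanted).items():
            print("  base %s\n    -> %s" % (base, seen))
```

Feeding it the output of a real `ldapsearch` run against your own suffix shows which tree answers first for each filter before you change the directory configuration in Jira.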
From abokovoy at redhat.com Mon Jul 6 09:18:05 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jul 2015 12:18:05 +0300
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References: <20150628132501.GB19902@redhat.com>
Message-ID: <20150706091805.GO11876@redhat.com>

On Mon, 06 Jul 2015, Christopher Lamb wrote:
>Hi Markus
>
>The short answer is no.
>
>The longer answer is:
>
>We replicated only users, and manage groups within JIRA. The delegated LDAP
>approach ("Connecting to an Internal Directory with LDAP Authentication")
>allows you to either synchronise groups and group membership from FreeIPA
>to Jira, or to automatically add FreeIPA users to Jira groups.
>
>We chose the second approach: All users are automatically added to the
>jira-users and jira-developers groups on first log in. This suits our
>purposes, as basically all our Jira users should have the same rights,
>other than admins.
>
>Note also that the delegated LDAP approach does not allow you to configure
>the LDAP properties JIRA accesses groups and membership, but the full
>synchronised approach does.
>
>On our first attempt to integrate FreeIPA and JIRA we tried to replicate
>both users and group, but only succeeded in replicating users, not the
>groups (or to be precise, group-membership). A bit of googling showed that
>others had problems with the groups bit.
>
>My initial guess is that, just like the mail attribute, very likely the
>compat tree is getting in the way of group membership.

compat tree presents group membership information using RFC 2307, this is, after all, a *compatibility* tree and RFC 2307 what legacy clients use.

>Using Apache Directory Studio to see how group membership is modelled in
>the compat and accounts trees I see the following.
>
>cn=compat, cn=groups, cn=admins, memberUid --> set of users belonging to
>the group admins
>
>cn=compat, cn=users, uid=bilbo No attribute showing which groups this user
>belongs to.

memberUid is what RFC 2307 wants.

>cn=accounts, cn=groups, cn=ipausers, member --> set of users belonging to
>the group ipausers
>
>cn=accounts, cn=users, uid=bilbo, memberOf --> list of groups user bilbo is
>a member of

member and memberOf are what RFC 4519 wants.

>Here are some ldapsearch queries to simulate what JIRA might be doing to
>retrieve group membership
>
>- reply from accounts tree only
>ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=groupofnames)(cn=admins))" member
>
>- reply from both compat tree and accounts tree. (reply from compat tree is
>empty, reply from accounts tree has values)
>ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(cn=admins)" member
>
>- reply from compat tree only
>ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(cn=admins)" memberUid

You configure JIRA to always ask for memberUid, but then you wouldn't get mail attribute from the compat tree as it is not part of RFC 2307 payload.

You can try setting up a separate compat tree which provides member/memberOf (e.g. RFC 4519) based output for both IPA and AD users but currently there is internal assumption to expect memberUid when parsing requests for group memberships of AD users -- after all the plugin was expected to handle RFC 2307 only.

It would probably make sense to add ability to return RFC 4519 compatible output over some subtree with slapi-nis plugin and then hook together AD-related details there as well, querying them from SSSD over infopipe interface -- at least I've seen enough requests for such specialized tree to consider a combined 'modern' RFC 4519 subtree. If this sounds useful for you, feel free to file a ticket for that.

If you have subscription with Red Hat, it would probably be good to file a request via normal support channel too so that demand is actually measurable.

--
/ Alexander Bokovoy

From barrykfl at gmail.com Mon Jul 6 12:01:04 2015
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Mon, 6 Jul 2015 20:01:04 +0800
Subject: [Freeipa-users] error after change cert
Message-ID:

hi:

I changed cert already but seem it still keep history of GoDaddy any help.??

www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
[06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

From barrykfl at gmail.com Mon Jul 6 12:49:15 2015
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Mon, 6 Jul 2015 20:49:15 +0800
Subject: [Freeipa-users] error after change cert
In-Reply-To:
References:
Message-ID:

the cert already in httpd / ldap side. but it prompt error

[06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
[06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

*.wisers.com - COMODO CA Limited                             u,u,u
COMODO RSA Domain Validation Secure Server CA                CT,C,C
COMODO RSA Certification Authority                           CT,C,C

2015-07-06 20:01 GMT+08:00 :

> hi:
>
> i changed cert already but seems it still keep history of godaddy any help.??
>
> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

From rcritten at redhat.com Mon Jul 6 13:39:06 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jul 2015 09:39:06 -0400
Subject: [Freeipa-users] error after change cert
In-Reply-To:
References:
Message-ID: <559A84FA.2020106@redhat.com>

barrykfl at gmail.com wrote:
> the cert already in httpd / ldap side. but it prompt error
>
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>
> *.wisers.com - COMODO CA Limited                             u,u,u
> COMODO RSA Domain Validation Secure Server CA                CT,C,C
> COMODO RSA Certification Authority                           CT,C,C

Taking a wild guess here due to limited information, but check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.

rob

>
>
> 2015-07-06 20:01 GMT+08:00 :
>
> hi:
>
> i changed cert already but seems it still keep history of godaddy any help.??
>
> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

From barrykfl at gmail.com Mon Jul 6 13:45:01 2015
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Mon, 6 Jul 2015 21:45:01 +0800
Subject: [Freeipa-users] error after change cert
In-Reply-To: <559A84FA.2020106@redhat.com>
References: <559A84FA.2020106@redhat.com>
Message-ID:

Do u meant this :

i already add the cert to nss and even \etc\ipa\ ca.cert replaced

[root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA                CT,C,C
IPA CA                                                       CT,C,C
COMODO RSA Certification Authority                           CT,C,C

2015-07-06 21:39 GMT+08:00 Rob Crittenden :

> barrykfl at gmail.com wrote:
>
>> the cert already in httpd / ldap side. but it prompt error
>>
>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>
>> *.wisers.com - COMODO CA Limited                             u,u,u
>> COMODO RSA Domain Validation Secure Server CA                CT,C,C
>> COMODO RSA Certification Authority                           CT,C,C
>>
>
> Taking a wild guess here due to limited information, but check the value
> of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS
> nickname of the server certificate to use.
>
> rob
>
>
>>
>> 2015-07-06 20:01 GMT+08:00 :
>>
>> hi:
>>
>> i changed cert already but seems it still keep history of godaddy any help.??
>>
>> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

From abokovoy at redhat.com Mon Jul 6 13:46:32 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jul 2015 16:46:32 +0300
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <5591184E.3000908@aixigo.de>
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <5591184E.3000908@aixigo.de>
Message-ID: <20150706134632.GQ11876@redhat.com>

On Mon, 29 Jun 2015, Harald Dunkel wrote:
>Hi Simo,
>
>On 06/25/15 17:47, Simo Sorce wrote:
>>
>> Harald,
>> the reason I (and others) started this project many years ago is that
>> trying to set up all components myself was boring and highly error
>> prone, and you would always end up with a bag of parts that had a lot of
>> mismatches, and some functionality was always missing or poor or
>> incomplete, due to the imperfect integration.
>>
>> Yes, the whole project is complex, but not because we like complexity,
>> it is complex because the problem space is complex and we are bound to
>> use existing protocols, which sometimes add in complexity, and we want
>> to offer useful features to admins, so they can think about managing
>> stuff and not about the plumbing all the time.
>>
>
>Sorry to say, but this part is not in yet. ipa-client-install is
>included in RedHat/Fedora/Centos. On Debian it is improving (meaning
>I have to backport it from Testing to Jessie and Wheezy and hope), but
>for my other Unixes (Solaris, AIX, Suse, all designed more than 5
>years ago) I have to do the plumbing on my own. It's a lot of work, but
>I can live with that.

One way to improve support for other operating systems is by contributing. I'd certainly look forward to patches coming to support these other clients.

>Missing client support is not the problem. The problem is that I do
>have a working environment (using NIS). NIS is deeply integrated
>everywhere for +20 years. I understand that NIS is not safe to use,
>but it is rock solid and *extremely* easy to manage and repair. If
>something goes wrong, then I can edit a file, run make -C /var/yp
>and it's done.
>
>If something goes wrong with freeipa, then in the best case I have to
>find the bad component and fix it, as for NIS. Worst case is that
>2 or more components "disagree somehow". There would be several
>options to solve this:
>
>a) use low level component tools to manipulate their data, hoping to
>   not make incompatible changes breaking things in other components
>   of freeipa
>b) ask for help on the mailing list, which might imply a downtime of
>   several hours and then option a)
>
>Both options don't appear very attractive to me.

Do you have specific problems with slapi-nis support for NIS services? Do you mind filing bugs with details? https://fedorahosted.org/slapi-nis/ is where you should file those bugs.

>> The best option is to study the individual components and how they are
>> integrated,
>
>That's the point: It is not sufficient to study the individual components.
>You have to know how they work together. For example, you have to know
>the constructs you should avoid in component A to make sure that you
>don't break other components of Freeipa.

This is not really different for other complex environments. What we are trying with FreeIPA is to get defaults right for the majority of cases where people who don't know all details need to start quick and efficient, including security aspects.

--
/ Alexander Bokovoy

From kliu at alumni.warwick.ac.uk Mon Jul 6 13:47:37 2015
From: kliu at alumni.warwick.ac.uk (Barry)
Date: Mon, 6 Jul 2015 21:47:37 +0800
Subject: [Freeipa-users] error after change cert
In-Reply-To:
References: <559A84FA.2020106@redhat.com>
Message-ID:

any command make it refresh ? it seems still getting old godaddy history?

2015-07-06 21:45 GMT+08:00 :

> Do u meant this :
>
> i already add the cert to nss and even \etc\ipa\ ca.cert replaced
>
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA                CT,C,C
> IPA CA                                                       CT,C,C
> COMODO RSA Certification Authority                           CT,C,C
>
>
> 2015-07-06 21:39 GMT+08:00 Rob Crittenden :
>
>> barrykfl at gmail.com wrote:
>>
>>> the cert already in httpd / ldap side. but it prompt error
>>>
>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>>
>>> *.wisers.com - COMODO CA Limited                             u,u,u
>>> COMODO RSA Domain Validation Secure Server CA                CT,C,C
>>> COMODO RSA Certification Authority                           CT,C,C
>>>
>>
>> Taking a wild guess here due to limited information, but check the value
>> of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS
>> nickname of the server certificate to use.
>>
>> rob
>>
>>
>>>
>>> 2015-07-06 20:01 GMT+08:00 :
>>>
>>> hi:
>>>
>>> i changed cert already but seems it still keep history of godaddy any help.??
>>>
>>> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

From abokovoy at redhat.com Mon Jul 6 13:51:50 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jul 2015 16:51:50 +0300
Subject: [Freeipa-users] CentOS 7 with IPA 4.1
In-Reply-To:
References:
Message-ID: <20150706135150.GR11876@redhat.com>

On Tue, 30 Jun 2015, Steve Justice wrote:
>All, I am testing an IDM/IPA setup for our RHEL environment.
>
>My current setup.
>
>Windows
>
>sjlab.local - domain one
>mylab.local - domain two
>
>sjlab and mylab are two separate AD domains; sjlab is the primary domain
>IDM will be integrated with. sjlab has a one way (outgoing) Forest type
>transitive trust with mylab.
>
>
>Linux
>idm.sjlab.local - IDM domain
>
>
>
>I have the trust between IDM and sjlab working.
>
>
>when I perform an ipa trust-show on sjlab.local I see that it is connected
>with a trust direction of Two-way trust and type of Active Directory
>domain.
>
>I can authenticate with users from sjlab.local to a server on the idm
>domain. That all appears to be working ok.
>
>What I cannot do however is authenticate with users from the mylab.local
>domain.

You wouldn't be able to do so because there is no transitivity for forest trusts in Active Directory, see below for explanation.

>
>When I perform an ipa trust-fetch-domains for sjlab.local it states that no
>new domains can be found.
>
>I know the documentation refers to this trust as a transitive trust within
>the forest. I have a forest level trust between sjlab and mylab, however
>I realize they are not in the same forest. Does that mean that this type
>of setup will not work, or is there something I am missing?

You are missing the fact that forest trusts in Active Directory are not transitive. If you have forests A, B, and C, and A trusts B, B trusts C, there is no way in Active Directory for A to trust C other than explicitly establishing forest trust with it.

This is true for Active Directory to Active Directory forest trusts.

What FreeIPA documentation tells you is that for domains belonging to an Active Directory forest, the forest trust between FreeIPA and the Active Directory forest root domain allows FreeIPA to transitively trust those other domains in the same forest. E.g. if A is an AD forest, its forest root domain is A. If there are other domains in the same forest, they trust A and by extension the FreeIPA domain will be able to trust all of them (barring cases where trust is one-way and doesn't allow to reach FreeIPA via forest root domain A).

--
/ Alexander Bokovoy

From barrykfl at gmail.com Mon Jul 6 14:05:29 2015
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Mon, 6 Jul 2015 22:05:29 +0800
Subject: [Freeipa-users] error after change cert
In-Reply-To:
References: <559A84FA.2020106@redhat.com>
Message-ID:

any command make it refresh ? it seems still getting old godaddy history?

2015-07-06 21:45 GMT+08:00 :

> Do u meant this :
>
> i already add the cert to nss and even \etc\ipa\ ca.cert replaced
>
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA                CT,C,C
> IPA CA                                                       CT,C,C
> COMODO RSA Certification Authority                           CT,C,C
>
>
> 2015-07-06 21:39 GMT+08:00 Rob Crittenden :
>
>> barrykfl at gmail.com wrote:
>>
>>> the cert already in httpd / ldap side. but it prompt error
>>>
>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>>
>>> *.wisers.com - COMODO CA Limited                             u,u,u
>>> COMODO RSA Domain Validation Secure Server CA                CT,C,C
>>> COMODO RSA Certification Authority                           CT,C,C
>>>
>>
>> Taking a wild guess here due to limited information, but check the value
>> of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS
>> nickname of the server certificate to use.
>>
>> rob
>>
>>
>>>
>>> 2015-07-06 20:01 GMT+08:00 :
>>>
>>> hi:
>>>
>>> i changed cert already but seems it still keep history of godaddy any help.??
>>>
>>> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

From yamakasi.014 at gmail.com Mon Jul 6 14:56:32 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 6 Jul 2015 16:56:32 +0200
Subject: [Freeipa-users] IPA replica without CA, how to become CA
Message-ID:

Hi All,

I'm cleaning up and playing around with some old dev setups and reviewing these tests.

This is a replica setup but the replica is no CA. Now I'm testing out how to manage cluster when I remove the ipa1 (CA) and create a new replica with CA from the ipa2.

IPA2 should become CA and out of that I can setup a replica again. What is my best approach to test this ?

Cheers,

Matt

From barrykfl at gmail.com Mon Jul 6 15:16:16 2015
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Mon, 6 Jul 2015 23:16:16 +0800
Subject: [Freeipa-users] what error log i should check
Message-ID:

server 1

ipa-replica-manage list
Segmentation fault (core dumped)

server 2
ipa-replica-manage list
Can't contact LDAP server

but it seem still sync as i add new ac then server 2 have

i delete server2 's name server 1 still delete.

From rcritten at redhat.com Mon Jul 6 15:44:40 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jul 2015 11:44:40 -0400
Subject: [Freeipa-users] error after change cert
In-Reply-To:
References: <559A84FA.2020106@redhat.com>
Message-ID: <559AA268.7060709@redhat.com>

barrykfl at gmail.com wrote:
> Do u meant this :
>
> i already add the cert to nss and even \etc\ipa\ ca.cert replaced
>
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA                CT,C,C
> IPA CA                                                       CT,C,C
> COMODO RSA Certification Authority                           CT,C,C

This has no relationship to the error you're seeing. This database is not used by either Apache or 389-ds.

NSS uses nicknames to reference a given certificate. This nickname needs to exist in its database. I'm guessing that you changed the database, and therefore the nickname in the database, without also updating the server configuration with this new nickname.

rob

>
>
> 2015-07-06 21:39 GMT+08:00 Rob Crittenden :
>
> barrykfl at gmail.com wrote:
>
> the cert already in httpd / ldap side. but it prompt error
>
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>
> *.wisers.com - COMODO CA Limited                             u,u,u
> COMODO RSA Domain Validation Secure Server CA                CT,C,C
> COMODO RSA Certification Authority                           CT,C,C
>
>
> Taking a wild guess here due to limited information, but check the
> value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This
> is the NSS nickname of the server certificate to use.
>
> rob
>
>
>
> 2015-07-06 20:01 GMT+08:00 :
>
> hi:
>
> i changed cert already but seems it still keep history of godaddy any help.??
>
> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

From rcritten at redhat.com Mon Jul 6 15:52:57 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jul 2015 11:52:57 -0400
Subject: [Freeipa-users] error after change cert
In-Reply-To:
References: <559A84FA.2020106@redhat.com> <559AA268.7060709@redhat.com>
Message-ID: <559AA459.8050200@redhat.com>

barrykfl at gmail.com wrote:
> Where can i check the config of nss?
>
> I modified the nssdb and imported cert successfully.
>
> should i change any ldif?

I already told you in my initial reply:

Check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.

rob

>
> Many thks
>
> 2015-07-06 11:44, "Rob Crittenden" wrote:
>
> barrykfl at gmail.com wrote:
>
> Do u meant this :
>
> i already add the cert to nss and even \etc\ipa\ ca.cert replaced
>
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA                CT,C,C
> IPA CA                                                       CT,C,C
> COMODO RSA Certification Authority                           CT,C,C
>
>
> This has no relationship to the error you're seeing. This database
> is not used by either Apache or 389-ds.
>
> NSS uses nicknames to reference a given certificate. This nickname
> needs to exist in its database. I'm guessing that you changed the
> database, and therefore the nickname in the database, without also
> updating the server configuration with this new nickname.
>
> rob
>
>
>
> 2015-07-06 21:39 GMT+08:00 Rob Crittenden :
>
> barrykfl at gmail.com wrote:
>
> the cert already in httpd / ldap side. but it prompt error
>
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>
> *.wisers.com - COMODO CA Limited                             u,u,u
> COMODO RSA Domain Validation Secure Server CA                CT,C,C
> COMODO RSA Certification Authority                           CT,C,C
>
>
> Taking a wild guess here due to limited information, but check the
> value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This
> is the NSS nickname of the server certificate to use.
>
> rob
>
>
>
> 2015-07-06 20:01 GMT+08:00 :
>
> hi:
>
> i changed cert already but seems it still keep history of godaddy any help.??
>
> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

From rcritten at redhat.com Mon Jul 6 15:54:00 2015
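The check described in the "error after change cert" replies above, as an added example that is not part of the thread and not FreeIPA or 389-ds code: it reads nsSSLPersonalitySSL from an LDIF export of cn=RSA,cn=encryption,cn=config, parses a `certutil -L` listing of the directory server's own NSS database (not /etc/pki/nssdb), and reports whether the configured nickname exists there. The function names are hypothetical and every sample value (nicknames, LDIF entry, log line) is constructed.

```python
"""Check that the configured 389-ds server-cert nickname exists in its NSS database."""
import base64
import re

# --- Constructed sample inputs (hypothetical nicknames, not from a real server) ---
# LDIF export of the encryption entry; the long value is folded the LDIF way
# (a continuation line starts with exactly one space).
SAMPLE_RSA_ENTRY = """\
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLToken: internal (software)
nsSSLActivation: on
nsSSLPersonalitySSL: *.old.example - Old CA
 , Inc.
"""

# `certutil -L` listing of the instance database after the new cert was imported.
SAMPLE_CERTUTIL_L = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

*.new.example - New CA Limited                               u,u,u
New CA Domain Validation Secure Server CA                    CT,C,C
New CA Certification Authority                               CT,C,C
"""

# Error-log line in the same shape as the ones quoted in the thread.
SAMPLE_ERROR_LOG = (
    "[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: "
    "Can't find certificate (*.old.example - Old CA, Inc.) for family "
    "cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - "
    "security library: bad database.)\n"
)

# A listing row is "<nickname><2+ spaces><ssl>,<smime>,<jar> trust flags".
ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
MISSING = re.compile(r"Can't find certificate \((?P<nick>.+)\) for family cn=")


def unfold_ldif(text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def configured_nickname(ldif_text):
    """Return the nsSSLPersonalitySSL value, decoding a base64 ('::') value."""
    for line in unfold_ldif(ldif_text):
        m = re.match(r"nsSSLPersonalitySSL(::?)\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(2).strip()
            if m.group(1) == "::":
                value = base64.b64decode(value).decode("utf-8")
            return value
    return None


def parse_certutil_listing(text):
    """Map nickname -> trust string from `certutil -L` output, skipping headers."""
    return {m["nick"]: m["trust"] for m in map(ROW.match, text.splitlines()) if m}


def nicknames_not_found(error_log):
    """Nicknames the server reported it could not find at SSL initialization."""
    return [m["nick"] for m in MISSING.finditer(error_log)]


def diagnose(ldif_text, listing_text):
    """Return (status, nicknames): ok, not-configured, nickname-missing, no-private-key."""
    nickname = configured_nickname(ldif_text)
    if nickname is None:
        return ("not-configured", [])
    certs = parse_certutil_listing(listing_text)
    # certutil shows 'u' in the SSL column for a cert whose private key is in the DB.
    with_key = [n for n, t in certs.items() if "u" in t.split(",")[0]]
    if nickname not in certs:
        return ("nickname-missing", with_key)  # candidates to configure instead
    if nickname not in with_key:
        return ("no-private-key", [nickname])
    return ("ok", [nickname])


if __name__ == "__main__":
    print("log says missing:", nicknames_not_found(SAMPLE_ERROR_LOG))
    print("configured      :", configured_nickname(SAMPLE_RSA_ENTRY))
    print("diagnosis       :", diagnose(SAMPLE_RSA_ENTRY, SAMPLE_CERTUTIL_L))
```

A "nickname-missing" result with one candidate is the situation guessed at in the replies: the database content changed but the server configuration still names the old certificate.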
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jul 2015 11:54:00 -0400
Subject: [Freeipa-users] what error log i should check
In-Reply-To:
References:
Message-ID: <559AA498.8030106@redhat.com>

barrykfl at gmail.com wrote:
> server 1
>
> ipa-replica-manage list
> Segmentation fault (core dumped)
>
> server 2
> ipa-replica-manage list
> Can't contact LDAP server
>
>
> but it seem still sync as i add new ac then server 2 have
>
> i delete server2 's name server 1 still delete.

I'd start with the seg fault. Check dmesg and/or /var/log/messages to see what is dropping core and debug from there.

The can't contact LDAP server may be another representation of the same problem.

rob

From rcritten at redhat.com Mon Jul 6 15:54:59 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jul 2015 11:54:59 -0400
Subject: [Freeipa-users] IPA replica without CA, how to become CA
In-Reply-To:
References:
Message-ID: <559AA4D3.8000700@redhat.com>

Matt . wrote:
> Hi All,
>
> I'm cleaning up and playing around with some old dev setups and
> reviewing these tests.
>
> This is a replica setup but the replica is no CA. Now I'm testing out
> how to manage cluster when I remove the ipa1 (CA) and create a new
> replica with CA from the ipa2.
>
> IPA2 should become CA and out of that I can setup a replica again.
> What is my best approach to test this ?

Hard to say given I have no insight into your topology, but to add a CA post-install use ipa-ca-install

rob

From Scott.Haiden at gd-ms.com Mon Jul 6 15:53:51 2015
From: Scott.Haiden at gd-ms.com (Haiden, Scott B.)
Date: Mon, 6 Jul 2015 15:53:51 +0000
Subject: [Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server
Message-ID:

Hello,

I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a FreeIPA server running on it. I am trying to get a TGT from it, from my Windows 7 Enterprise machine. I am able to easily interact with it from other Linux hosts, but I am not having any luck from the windows one.

I have installed MIT Kerberos Tools for windows on the windows computer. I also copied over the /etc/krb5.conf file from a Linux host that is able to contact it. It contains the following:

[libdefaults]
  default_realm = ABC
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  PCS = {
    kdc = ldap.abc:88
    master_kdc = ldap.abc:88
    admin_server = ldap.abc:749
    default_domain = abc
    pkinit_anchors = FILE:H:\Kerberos\ca.crt
  }

[domain_realm]
  .abc = ABC
  abc = ABC

(Note that in the real file, I don't use "ABC" as the realm or domain but the real value is something else).

I also copied over the ca.crt file and saved it to my windows machine, and pointed the config file to it.

If I set the KRB5_CONFIG environment variable in a command prompt and run `kinit username@ABC` (replacing username and ABC with my real username and the real realm, obviously) I get only this inscrutable and undescriptive error:

kinit: Invalid argument while getting initial credentials

I am wondering if it's a resolution issue brought on by proxying or something related: To get to ldap.abc, I have to go through a proxy. Web browsers are able to successfully navigate to it at https://ldap.abc but nslookup ldap.abc fails.

Is this something that's even possible to do? Any pointers on where I should go to look for documentation would be appreciated.

Thanks,
--Scott

From rmeggins at redhat.com Mon Jul 6 15:56:07 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 06 Jul 2015 09:56:07 -0600
Subject: [Freeipa-users] what error log i should check
In-Reply-To: <559AA498.8030106@redhat.com>
References: <559AA498.8030106@redhat.com>
Message-ID: <559AA517.5080403@redhat.com>

On 07/06/2015 09:54 AM, Rob Crittenden wrote:
> barrykfl at gmail.com wrote:
>> server 1
>>
>> ipa-replica-manage list
>> Segmentation fault (core dumped)
>>
>> server 2
>> ipa-replica-manage list
>> Can't contact LDAP server
>>
>>
>> but it seem still sync as i add new ac then server 2 have
>>
>> i delete server2 's name server 1 still delete.
>
> I'd start with the seg fault. Check dmesg and/or /var/log/messages to
> see what is dropping core and debug from there.

If it is ns-slapd that is crashing, see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes

You will need to do
# debuginfo-install ipa-server slapi-nis

>
> The can't contact LDAP server may be another representation of the
> same problem.
>
> rob
>

From rcritten at redhat.com Mon Jul 6 15:57:47 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jul 2015 11:57:47 -0400
Subject: [Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server
In-Reply-To:
References:
Message-ID: <559AA57B.7030205@redhat.com>

Haiden, Scott B. wrote:
> Hello,
>
> I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a
> FreeIPA server running on it. I am trying to get a TGT from it, from my
> Windows 7 Enterprise machine. I am able to easily interact with it from other
> Linux hosts, but I am not having any luck from the windows one.
>
> I have installed MIT Kerberos Tools for windows on the windows computer. I
> also copied over the /etc/krb5.conf file from a Linux host that is able to
> contact it. It contains the following:
>
> [libdefaults]
>   default_realm = ABC
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   PCS = {
>     kdc = ldap.abc:88
>     master_kdc = ldap.abc:88
>     admin_server = ldap.abc:749
>     default_domain = abc
>     pkinit_anchors = FILE:H:\Kerberos\ca.crt
>   }
>
> [domain_realm]
>   .abc = ABC
>   abc = ABC
>
> (Note that in the real file, I don't use "ABC" as the realm or domain but the
> real value is something else).
>
> I also copied over the ca.crt file and saved it to my windows machine, and
> pointed the config file to it.
>
> If I set the KRB5_CONFIG environment variable in a command prompt and run
> `kinit username@ABC` (replacing username and ABC with my real username and
> the real realm, obviously) I get only this inscrutable and undescriptive error:
>
> kinit: Invalid argument while getting initial credentials
>
> I am wondering if it's a resolution issue brought on by proxying or something
> related: To get to ldap.abc, I have to go through a proxy. Web browsers are
> able to successfully navigate to it at https://ldap.abc but nslookup ldap.abc
> fails.
>
> Is this something that's even possible to do? Any pointers on where I should go
> to look for documentation would be appreciated.

It's been forever, probably 6 years, since I looked at MIT Kerberos on Windows, but I believe the client has some sort of auto-configure option where it will fetch the configuration from a server. The IPA server should be configured to provide this configuration (there were 3 files IIRC). You could try re-configuring using that.

Alternatively I'd start with /var/log/krb5kdc.log to see if it is getting to the KDC at all.

rob

From yamakasi.014 at gmail.com Mon Jul 6 17:01:09 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 6 Jul 2015 19:01:09 +0200
Subject: [Freeipa-users] IPA replica without CA, how to become CA
In-Reply-To:
References: <559AA4D3.8000700@redhat.com>
Message-ID:

Rob,

Isn't it impossible to install a CA on a replica when its master "died" ?

I know there is normally one CA, but this is kinda confusing me so I'm testing out scenarios.

Thanks,

Matt

2015-07-06 18:10 GMT+02:00 Matt . :
> Hi Rob,
>
> OK, I had difficulties with that and try it.
>
> What I actually did is:
>
> Turned off IPA1 (to act it like a dead one) and removed it from ipa2.
>
> Now when I install a new replica with ipa2 as its master/source I get
> complaints there is no CA. So my ipa2 needs to become ca in some way.
>
> I need to check but I thought I did what you said which didn't work...
> I need to debug it and report you this evening.
>
> Thanks,
>
> Matt
>
> 2015-07-06 17:54 GMT+02:00 Rob Crittenden :
>> Matt . wrote:
>>>
>>> Hi All,
>>>
>>> I'm cleaning up and playing around with some old dev setups and
>>> reviewing these tests.
>>>
>>> This is a replica setup but the replica is no CA. Now I'm testing out
>>> how to manage cluster when I remove the ipa1 (CA) and create a new
>>> replica with CA from the ipa2.
>>>
>>> IPA2 should become CA and out of that I can setup a replica again.
>>> What is my best approach to test this ?
>>
>>
>> Hard to say given I have no insight into your topology, but to add a CA
>> post-install use ipa-ca-install
>>
>> rob
>>

From janellenicole80 at gmail.com Mon Jul 6 17:11:38 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 06 Jul 2015 10:11:38 -0700
Subject: [Freeipa-users] strange password error..
Message-ID: <559AB6CA.1040309@gmail.com>

Hello all,

Is there any known bug that would cause:

Password change failed. Server message: Current password's minimum life has not expired

Here is the environment/process (7.1 with IPA 4.1.4) --
1. reset a user's PW so they are forced to change it.
2. they login and get the "Your password has expired..." message
3. They are then asked to change it and enter a new PW (twice)
4. This error message pops up, BUT -- the password is still changed.

???

~Janelle

From simo at redhat.com Mon Jul 6 17:44:26 2015
From: simo at redhat.com (Simo Sorce)
Date: Mon, 06 Jul 2015 13:44:26 -0400
Subject: [Freeipa-users] strange password error..
In-Reply-To: <559AB6CA.1040309@gmail.com>
References: <559AB6CA.1040309@gmail.com>
Message-ID: <1436204666.7030.52.camel@willson.usersys.redhat.com>

On Mon, 2015-07-06 at 10:11 -0700, Janelle wrote:
> Hello all,
>
> Is there any known bug that would cause:
>
> Password change failed. Server message: Current password's minimum life
> has not expired
>
> Here is the environment/process (7.1 with IPA 4.1.4) --
> 1. reset a user's PW so they are forced to change it.
> 2. they login and get the "Your password has expired..." message
> 3. They are then asked to change it and enter a new PW (twice)
> 4. This error message pops up, BUT -- the password is still changed.

If they get this using kpasswd it may happen if a re-transmission occurs, as kpasswd uses UDP, so the second request ends up with that error, I think, not 100% sure.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Andy.Thompson at e-tcc.com Mon Jul 6 17:49:04 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Mon, 6 Jul 2015 17:49:04 +0000
Subject: [Freeipa-users] nsslapd-maxbersize and cachememsize
Message-ID:

I've got a couple warnings in different IPA installs that I'm not sure how to find what values I should increase each config setting to.

In one install I'm seeing the following

[03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

Second installation I'm seeing this on startup

WARNING: changelog: entry cache size 858992B is less than db size 2293760B; We recommend to increase the entry cache size nsslapd-cachememsize.

How can I determine what to increase each config setting to?

Thanks

-andy

*** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. ***

From rmeggins at redhat.com Mon Jul 6 18:04:37 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 06 Jul 2015 12:04:37 -0600
Subject: [Freeipa-users] nsslapd-maxbersize and cachememsize
In-Reply-To:
References:
Message-ID: <559AC335.3070801@redhat.com>

On 07/06/2015 11:49 AM, Andy Thompson wrote:
> I've got a couple warnings in different IPA installs that I'm not sure how to find what values I should increase each config setting to.
>
> In one install I'm seeing the following
>
> [03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>
>
> Second installation I'm seeing this on startup
>
> WARNING: changelog: entry cache size 858992B is less than db size 2293760B; We recommend to increase the entry cache size nsslapd-cachememsize.
>
> How can I determine what to increase each config setting to?

What version of 389? rpm -q 389-ds-base

>
> Thanks
>
> -andy
>

From yamakasi.014 at gmail.com Mon Jul 6 18:05:56 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 6 Jul 2015 20:05:56 +0200
Subject: [Freeipa-users] IPA replica without CA, how to become CA
In-Reply-To:
References: <559AA4D3.8000700@redhat.com>
Message-ID:

Small update on this.

The replica without CA is not going to find any CA as the master is
"dead" so we need a CA.

The question is how to approach, you have a replica with only ldap
information and no CA. Is it possible to create a split-brain like,
install IPA1 as a normal ipa server, so it becomes CA, but then?

I wonder if you can create a (ipa1)replica from your replica2 with
(ipa1)replica as your CA.

The reason why I saw this in my tests is from older docs. The docs say
to create a replica server but never mentioned the CA in it... so I'm
quite sure that lots of people have a replica installation between 2
servers which only has one CA.

Discussing this with Simo on IRC it seems to be some nice writing to
have in the docs and now I found out... I'm trying to create this
using my tests. But some unclear things have to be made clear first.

Cheers,

Matt

2015-07-06 19:01 GMT+02:00 Matt . :
> Rob,
>
> Isn't it impossible to install a CA on a replica when it's master "died" ?
>
> I know there is normally one CA, but this is kinda confusing me so I'm
> testing out scenarios.
>
> Thanks,
>
> Matt
>
> 2015-07-06 18:10 GMT+02:00 Matt . :
>> Hi Rob,
>>
>> OK, I had difficulties with that and try it.
>>
>> What I actually did is:
>>
>> Turned off IPA1 (to act it like a dead one) and removed it from ipa2.
>>
>> Now when I install a new replica with ipa2 as it's master/source I get
>> complains there is no CA. So my ipa2 needs to become ca in some way.
>>
>> I need to check but I thought I did what you said which didn't work...
>> I need to debug it an report you this evening.
>>
>> Thanks,
>>
>> Matt
>>
>> 2015-07-06 17:54 GMT+02:00 Rob Crittenden :
>>> Matt . wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I'm cleaning up and playing around with some old dev setups and
>>>> reviewing these tests.
>>>>
>>>> This is a replica setup but the replica is no CA. Now I'm testing out
>>>> how to manage cluster when I remove the ipa1 (CA) and create a new
>>>> replica with CA from the ipa2.
>>>>
>>>> IPA2 should become CA and out of that I can setup a replica again.
>>>> What is my best approach to test this ?
>>>
>>>
>>> Hard to say given I have no insight into your topology, but to add a CA
>>> post-install use ipa-ca-install
>>>
>>> rob
>>>

From Andy.Thompson at e-tcc.com Mon Jul 6 18:28:15 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Mon, 6 Jul 2015 18:28:15 +0000
Subject: [Freeipa-users] nsslapd-maxbersize and cachememsize
In-Reply-To: <559AC335.3070801@redhat.com>
References: <559AC335.3070801@redhat.com>
Message-ID:

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Monday, July 6, 2015 2:05 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] nsslapd-maxbersize and cachememsize
>
> On 07/06/2015 11:49 AM, Andy Thompson wrote:
> > I've got a couple warnings in different IPA installs that I'm not sure how to find what values I should increase each config setting to.
> >
> > In one install I'm seeing the following
> >
> > [03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> >
> >
> > Second installation I'm seeing this on startup
> >
> > WARNING: changelog: entry cache size 858992B is less than db size 2293760B; We recommend to increase the entry cache size nsslapd-cachememsize.
> >
> > How can I determine what to increase each config setting to?
>
> What version of 389? rpm -q 389-ds-base
>
>

Both are running

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-16.el7_1.x86_64

-andy

From Scott.Haiden at gd-ms.com Mon Jul 6 20:03:58 2015
From: Scott.Haiden at gd-ms.com (Haiden, Scott B.)
Date: Mon, 6 Jul 2015 20:03:58 +0000
Subject: [Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server
In-Reply-To: <559AA57B.7030205@redhat.com>
References: <559AA57B.7030205@redhat.com>
Message-ID:

Thanks Rob.

Looking at that log file, it confirmed that it wasn't connecting to host successfully. After I set up a tunnel to the kdc it works like a charm.

Much appreciated,
--Scott

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Monday, July 06, 2015 10:58 AM
To: Haiden, Scott B.; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server

Haiden, Scott B. wrote:
> Hello,
>
> I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a FreeIPA server running on it. I am trying to get a TGT from it, from my Windows 7 Enterprise machine. I am able to easily interact with it from other Linux hosts, but I am not having any luck from the windows one.
>
> I have installed MIT Kerberos Tools for windows on the windows computer. I also copied over the /etc/krb5.conf file from a Linux host that is able to contact it. It contains the following:
>
> [libdefaults]
> default_realm = ABC
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> PCS = {
> kdc = ldap.abc:88
> master_kdc = ldap.abc:88
> admin_server = ldap.abc:749
> default_domain = abc
> pkinit_anchors = FILE:H:\Kerberos\ca.crt
> }
>
> [domain_realm]
> .abc = ABC
> abc = ABC
>
> (Note that in the real file, I don't use "ABC" as the realm or domain but the real value is something else).
>
> I also copied over the ca.crt file and saved it to my windows machine, and pointed the config file to it.
>
> If I set the KRB5_CONFIG environment variable in a command prompt and run `kinit username at ABC` (replacing username and ABC with my real username and the real realm, obviously) I get only this inscrutable and undescriptive error:
>
> kinit: Invalid argument while getting initial credentials
>
> I am wondering if it's a resolution issue brought on by proxying or something related: To get to ldap.abc, I have to go through a proxy. Web browsers are able to successfully navigate to it at https://ldap.abc but nslookup ldap.abc fails.
>
> Is this something that's even possible to do? Any pointers on where I should go to look for documentation would be appreciated.

It's been forever, probably 6 years, since I looked at MIT Kerberos on Windows, but I believe the client has some sort of auto-configure option where it will fetch the configuration from a server. The IPA server should be configured to provide this configuration (there were 3 files IIRC). You could try re-configuring using that.

Alternatively I'd start with /var/log/krb5kdc.log to see if it is getting to the KDC at all.

rob

From jhrozek at redhat.com Mon Jul 6 20:57:15 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 6 Jul 2015 22:57:15 +0200
Subject: [Freeipa-users] Announcing SSSD 1.13.0 Alpha
Message-ID: <20150706205715.GP24784@hendrix.redhat.com>

=== SSSD 1.13.0 ===

The SSSD team is proud to announce the release of version 1.13.0 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora rawhide shortly.

== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
* Support for separate prompts when using two-factor authentication was added
* Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that is not released at the moment.
* The fast memory cache now also supports the initgroups operation.
* The PAM responder is now capable of caching authentication for a configurable period, which might reduce server load in cases where accounts authenticate very frequently. Please refer to the cached_auth_timeout option in the sssd.conf manual page.
* The Active Directory provider has changed the default value of the ad_gpo_access_control option from permissive to enforcing. As a consequence, the GPO access control now affects all clients that set access_provider to ad. In order to restore the previous behaviour, set ad_gpo_access_control to permissive or use a different access_provider type.
* Group Policy objects defined in a different AD domain than the computer object is defined in are now supported.
* Credential caching and Offline authentication are also available when using two-factor authentication
* Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users and groups are now exposed as first-class objects. The users and groups can also be marked as cached and would subsequently show up in the Introspection output
* The DBus interface is now also able to look up User objects by certificate. This is a first part of work that will eventually allow smart-card authentication in SSSD.
* The LDAP cleanup task is now disabled by default, unless enumeration is enabled. Please refer to the ldap_purge_cache_timeout option in case your environment requires the cleanup task
* The Python bindings are now built for both Python2 and Python3
* The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the ldap_opt_timeout option

== Packaging Changes ==
* A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable to the user who runs the SSSD service.
* Several packaging changes are present in this release to support the Python3 bindings, notably new python-sss and python-sss-murmur subpackages are introduced in upstream RPM packaging
* All python bindings now have a Python3 and a Python2 version in the upstream RPM packaging scheme
* The OpenSSL development library such as openssl-devel on RHEL/Fedora or Debian/Ubuntu libssl-dev is now required to support certificate operations
* A new internal library libsss_cert.so is present in this release.
* The fast initgroups memcache is represented by a new file /var/lib/sss/mc/initgroups

== Documentation Changes ==
* The ad_gpo_access_control option default has changed from permissive to enforcing
* The default value of ldap_purge_cache_timeout changed to 0, thus effectively disabling the cleanup task.
* A new option cache_credentials_minimal_first_factor_length was added. This option sets constraints on the password length if One-Time passwords are used and credentials are to be cached. Please see the sssd.conf(5) man page for more details
* The cached authentication is controlled by new option cached_auth_timeout. By default the cached authentication is disabled.

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/897
    sssd should pass -d to nsupdate when running with high log level
https://fedorahosted.org/sssd/ticket/1501
    Make the LDAP bind operation timeout configurable
https://fedorahosted.org/sssd/ticket/2150
    [RFE] Expose listing calls over D-BUS
https://fedorahosted.org/sssd/ticket/2224
    nsupdate stderr is not captured
https://fedorahosted.org/sssd/ticket/2236
    The cleanup task has no DEBUG statements
https://fedorahosted.org/sssd/ticket/2326
    SBUS: Flush the UID cache when we receive NameOwnerChanged
https://fedorahosted.org/sssd/ticket/2338
    [RFE] Implement object caching on the bus
https://fedorahosted.org/sssd/ticket/2339
    IFP: support multiple interfaces for object
https://fedorahosted.org/sssd/ticket/2540
    SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain
https://fedorahosted.org/sssd/ticket/2569
    In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set
https://fedorahosted.org/sssd/ticket/2574
    SSSD should be able to build python2 and python3 bindings in a one build
https://fedorahosted.org/sssd/ticket/2583
    [RFE] Homedir is always overwritten with subdomain_homedir value in server mode
https://fedorahosted.org/sssd/ticket/2593
    Does sssd-ad use the most suitable attribute for group name?
https://fedorahosted.org/sssd/ticket/2603
    Make SSSD's HBAC validation more permissive if deny rules are not used
https://fedorahosted.org/sssd/ticket/2609
    [bug] sssd always appends default_domain_suffix when checking for host keys
https://fedorahosted.org/sssd/ticket/2618
    Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all
https://fedorahosted.org/sssd/ticket/2620
    id_provider=proxy with auth_provider=ldap does not work reliably
https://fedorahosted.org/sssd/ticket/2625
    Sudo responder does not respect filter_users and filter_groups
https://fedorahosted.org/sssd/ticket/2627
    Disable the cleanup task by default
https://fedorahosted.org/sssd/ticket/2636
    RFE: Fetch keytabs for one-way trusts in IPA subdomain code
https://fedorahosted.org/sssd/ticket/2638
    RFE: Change ad_id_ctx instantiation in the IPA subdomain code to support one-way trusts
https://fedorahosted.org/sssd/ticket/2645
    [RFE] Support GPOs from different domain controllers
https://fedorahosted.org/sssd/ticket/2661
    RFE: Change AD GPO default to enforcing
https://fedorahosted.org/sssd/ticket/2666
    sssd with ldap backend throws error domain log
https://fedorahosted.org/sssd/ticket/1807
    [RFE] authenticate against cache in SSSD
https://fedorahosted.org/sssd/ticket/2485
    [RFE] The fast memory cache should cache initgroups
https://fedorahosted.org/sssd/ticket/2590
    SSSD doesn't re-read resolv.conf if the file doesn't exist during boot
https://fedorahosted.org/sssd/ticket/2641
    Add a IS_DEFAULT_VIEW macro
https://fedorahosted.org/sssd/ticket/2701
    Kerberos-based providers other than krb5 do not queue requests

== Detailed Changelog ==
Jakub Hrozek (73):
* MAN: Fix a typo
* SYSDB: Reduce code duplication in sysdb_gpo.c
* UTIL: Make two child_common.c functions static
* TESTS: Cover child_common.c with unit tests
* LDAP: Use child_io_destructor instead of child_cleanup in a custom desctructor
* UTIL: Remove child_cleanup
* UTIL: Unify the fd_nonblocking implementation
* RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
* PAM: print the pam status as string, too
* KRB5: More debugging for create_ccache()
* SDAP: Make simple bind timeout configurable
* SDAP: Make password change timeout configurable with ldap_opt_timeout
* SDAP: Make StartTLS bind configurable with ldap_opt_timeout
* SDAP: Decorate the sdap_op functions with DEBUG messages
* IPA: Remove the ipa_hbac_treat_deny_as option
* MAN: Clarify debug_level a bit
* SSH: Ignore the default_domain_suffix
* LDAP: Set sdap handle as explicitly connected in LDAP auth
* tests: Revert strcmp condition
* ncache: Fix sss_ncache_reset_permanent
* ncache: Silence critical error from filter_users when default_domain_suffix is set
* ncache: Add sss_ncache_reset_repopulate_permanent
* responders: reset ncache after domains are discovered during startup
* NSS: Reset negcache after checking domains
* MAN: Clarify how are GPO mappings called in GPO editor
* UTIL: Add a simple function to get the fd of debug_file
* dyndns: Log nsupdate stderr with a high debug level
* nsupdate: Append -d/-D to nsupdate with a high debug level
* subdom: Remove unused function get_flat_name_from_subdomain_name
* nss: Use negcache for getbysid requests
* tests: Add NSS responder tests for bysid requests
* LDAP: disable the cleanup task by default
* TESTS: Use the right testcase
* TESTS: Add test for get_next_domain
* LDAP: Do not print verbose DEBUG messages from providers that don't set UUID
* SYSDB: Store trust direction for subdomains
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
* TESTS: Add a test for sysdb_subdomains.c
* SYSDB: Add realm to sysdb_master_domain_add_info
* SYSDB: Add a forest root attribute to sss_domain_info
* IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
* IPA: Check master domain record before subdomain records
* IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
* IPA: Also update master domain when initializing subdom handler
* IPA: Move server-mode functions to a separate module
* IPA: Split two functions to new module ipa_subdomains_utils.c
* IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
* IPA: Read forest name for trusted forest roots as well
* IPA: Make constructing an IPA server mode context async
* TESTS: Split off keytab creation into a common module
* TESTS: Add a common mock_be_ctx function
* TESTS: Add a common function to set up sdap_id_ctx
* TESTS: Move krb5_try_kdcip to nested group test
* TESTS: Add unit test for the subdomain_server.c module
* IPA: Fetch keytab for 1way trusts
* AD: Rename ad_set_ad_id_options to ad_set_sdap_options
* AD: Rename ad_create_default_options to ad_create_2way_trust_options
* AD: Split off ad_create_default_options
* IPA/AD: Set up AD domain in ad_create_2way_trust_options
* IPA: Do not set AD_KRB5_REALM twice
* AD: Add ad_create_1way_trust_options
* IPA: Utility function for setting up one-way trust context
* LDAP: Do not set keytab through environment variable
* LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
* CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
* BUILD: Store keytabs in /var/lib/sss/keytabs
* Updating the translations for the 1.13 Alpha release
* Updating the version.m4 file for the 1.13 Beta release
* tests: Reduce duplication with new function test_ev_done
* KRB5: Add and use krb5_auth_queue_send to queue requests by default
* PAM: Only cache first-factor
* Updating the translations for the 1.13.0 release
* Updating the version for the 1.13.0 release

John Dickerson (1):
* MAN: Amend the description of ignore_group_members

Lukas Slebodnik (67):
* MAN: Remove indentation in element programlistening
* Fix warning: for loop has empty body
* Bump version to track 1.13 development
* SPEC: Use libnl3 for epel6
* MAKE: Don't include autoconf generated file to tarball
* TESTS: Mock return value of sdap_get_generic_recv
* test_nested_groups: Additional unit tests
* Fix warning: equality comparison with extraneous parentheses
* LDAP: Conditional jump depends on uninitialised value
* BUILD: Remove unused libraries for pysss.so
* BUILD: Remove unused variables
* BUILD: Remove detection of type Py_ssize_t
* UTIL: Remove python wrapper sss_python_set_new
* UTIL: Remove python wrapper sss_python_set_add
* UTIL: Remove python wrapper sss_python_set_check
* UTIL: Remove compatibility macro PyModule_AddIntMacro
* UTIL: Remove python wrapper sss_python_unicode_from_string
* BUILD: Use python-config for detection *FLAGS
* SPEC: Use new convention for python packages
* SPEC: Move python bindings to separate packages
* BUILD: Add possibility to build python{2,3} bindings
* TESTS: Run python tests with all supported python versions
* SPEC: Replace python_ macros with python2_
* SPEC: Build python3 bindings on available platforms
* BUILD: Uninstall also symbolic links to python bindings
* Remove unused argument from be_nsupdate_create_fwd_msg
* IPA: Remove unused argument from ipa_id_get_group_uuids
* Remove useless assignment to function parameter
* PAC: Fix memory leak
* responder_cache: Fix warning may be used uninitialized
* debug-tests: Fix test with new line in debug message
* BUILD: Add missing header file to tarball
* pam_client: fix casting to const pointer
* test_expire: Use right assertion macro for standard functions
* test_ldap_auth: Use right assertion for integer comparison
* test_resolv_fake: Fix alignment warning
* PAC: Remove unused function
* KRB5: Unify prototype and definition
* util-tests: Initialize boolean variable to default value
* SPEC: Drop workaround for old libtool
* SPEC: Drop workarounds for old rpmbuild
* SPEC: Remove unused option
* SPEC: Few cosmetic changes
* simple_access-tests: Simplify assertion
* sysdb-tests: Add missing assertions
* sysdb-tests: test return value before output arguments
* ad_opts: Use different default attribute for group name
* BUILD: Write hints about optional python bindings
* sss_client: Fix mixed enums
* LDAP: Remove dead assignment
* sss_client: Fix warning "_" redefined
* SSSDConfigTest: Use unique temporary directory
* util-tests: Add validation of internal error messages
* SDAP: Check return value before using output arguments
* SDAP: Log failure from sysdb_handle_original_uuid
* test_ipa_subdomains_server: Run clean-up after success
* IFP: Fix warnings with enabled optimisation
* SDAP: Remove user from cache for missing user in LDAP
* test_ipa_subdom_server: Add missing assert
* test_ipa_subdomains_server: Fix build with --coverage
* nss: Store entries in responder to initgr mmap cache
* mmap_cache: Invalidate entry in right memory cache
* nss: Invalidate entry in initgr mmap cache
* sss_client: Use initgr mmap cache in client code
* sss_cache: Clear also initgroups fast cache
* sss_client: Use unique lock for memory cache
* sss_client: Re-check memcache after acquiring the lock

Michal Zidek (5):
* Use FQDN if default domain was set
* MAN: default_domain_suffix with use_fully_qualified_names.
* views: Add is_default_view helper function
* MONITOR: Poll for resolv.conf if not available during boot
* MONITOR: Do not report missing file as fatal in monitor_config_file

Nikolai Kondrashov (3):
* BUILD: Add AM_PYTHON2_MODULE macro
* Add integration tests
* BUILD: Fix variable substitution in cwrap.m4

Pavel Březina (53):
* tests: refactor create_dom_test_ctx()
* tests: add create_multidom_test_ctx()
* tests: add test_multidom_suite_cleanup()
* tests: remove code duplication in single domain cleanup
* responders: new interface for cache request
* responders: enable views in cache request
* IFP: use new cache interface
* server-tests: use strtouint32 instead strtol
* sbus: add new iface via sbus_conn_register_iface()
* sbus: move iface and object path code to separate file
* sbus: use 'path/*' to represent a D-Bus fallback
* sbus: support multiple interfaces on single path
* sbus: add object path to sbus request
* sbus: add sbus_opath_hash_lookup_supported()
* sbus: support org.freedesktop.DBus.Introspectable
* sbus: support org.freedesktop.DBus.Properties
* sbus: unify naming of handler data variable
* sbus: move common opath functions from ifp to sbus code
* sbus: add sbus_opath_get_object_name()
* ifp: fix potential memory leak in check_and_get_component_from_path()
* sbus: use hard coded getters instead of generated
* sbus: remove unused 'reply as' functions
* IFP: move interface definitions from ifpsrv.c into separate file
* IFP: unify generated interfaces names
* sbus codegen: do not prefix getters with iface name
* IFP: simplify object path constant names
* sbus: add constant to represent subtree
* be_refresh: get rid of callback pointers
* sysdb: use sysdb_user/group_dn
* cache_req tests: rename test_user to test_user_by_name
* cache_req tests: define user name constant
* cache_req: preparations for different input type
* cache_req: add support for user by uid
* cache_req: add support for group by name
* cache_req: remove default branch from switches
* cache_req: add support for group by id
* cmocka: include mock_parse_inp in header file
* cache_req: parse input name if needed
* cache_req: return ERR_INTERNAL if more than one entry is found
* sbus: provide custom error names
* sbus: add sbus_opath_decompose[_exact]
* sbus: add a{sas} get invoker
* IFP: add org.freedesktop.sssd.infopipe.Users
* IFP: add org.freedesktop.sssd.infopipe.Users.User
* IFP: add org.freedesktop.sssd.infopipe.Groups
* IFP: add org.freedesktop.sssd.infopipe.Groups.Group
* IFP: deprecate GetUserAttr
* IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
* SBUS: Use default GetAll invoker if none is set
* SBUS: Add support for in introspection
* IFP: Export nodes
* sbus: add support for incoming signals
* sbus: listen to NameOwnerChanged

Pavel Reichl (20):
* add missing '\n' in debug messages
* PROXY: add missing space in debug message
* BUILD: fix chmake not to generate warning
* SDAP: log expired accounts at lower severity level
* KRB5: add debug hint
* TESTS: test expiration
* ldap: refactor check_pwexpire_kerberos to use util func
* ldap: refactor nds_check_expired to use util func
* Fix a few typos in comments
* sbus: sbus_opath_hash_add_iface free tmp talloc ctx
* krb5: remove field run_as_user
* localauth plugin: fix coverity warning
* dyndns: remove dupl declaration of ipa_dyndns_update
* dyndns: don't pass zone directive to nsupdate
* dyndns: ipa_dyndns.h missed declaration of used data
* krb: remove duplicit decl. of write_krb5info_file
* IPA: Don't override homedir with subdomain_homedir
* sysdb: new attribute lastOnlineAuthWithCurrentToken
* PAM: authenticate agains cache
* Minor code improvements

Stephen Gallagher (5):
* LDAP: Support returning referral information
* AD GPO: Support processing referrals
* AD GPO: Change default to "enforcing"
* Add Vagrant configuration for SSSD
* GPO: Fix incorrect strerror on GPO access denial

Sumit Bose (22):
* Add leak check and command line option to test_authtok
* utils: add sss_authtok_[gs]et_2fa
* pam: handle 2FA authentication token in the responder
* Add pre-auth request
* krb5-child: add preauth and split 2fa token support
* IPA: create preauth indicator file at startup
* pam_sss: add pre-auth and 2fa support
* Add cache_credentials_minimal_first_factor_length config option
* sysdb: add sysdb_cache_password_ex()
* krb5: save hash of the first authentication factor to the cache
* krb5: try delayed online authentication only for single factor auth
* 2FA offline auth
* pam_sss: move message encoding into separate file
* PAM: add PAM responder unit test
* adding ldap_user_auth_type where missing
* LDAP: add ldap_user_certificate option
* certs: add PEM/DER conversion utilities
* sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
* LDAP/IPA: add user lookup by certificate
* ncache: add calls for certificate based searches
* utils: add get_last_x_chars()
* IFP: add FindByCertificate method for User objects

From jhrozek at redhat.com Mon Jul 6 21:03:38 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 6 Jul 2015 23:03:38 +0200
Subject: [Freeipa-users] [SSSD] Announcing SSSD 1.13.0
In-Reply-To: <20150706205715.GP24784@hendrix.redhat.com>
References: <20150706205715.GP24784@hendrix.redhat.com>
Message-ID: <20150706210338.GQ24784@hendrix.redhat.com>

On Mon, Jul 06, 2015 at 10:57:15PM +0200, Jakub Hrozek wrote:
> === SSSD 1.13.0 ===
>
> The SSSD team is proud to announce the release of version 1.13.0 of
> the System Security Services Daemon.

Sorry about the copy-n-paste bug in Subject. Of course it should have read
"Announcing SSSD 1.13.0" without the "Alpha".

From janellenicole80 at gmail.com Mon Jul 6 21:25:56 2015
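An added example, not part of the SSSD announcement or of the SSSD code base: a small Python audit that reads an sssd.conf and reports, per domain, the behaviour changes the 1.13.0 release notes above call out (ad_gpo_access_control default, cached_auth_timeout, cache_credentials_minimal_first_factor_length, ldap_purge_cache_timeout). The sample configuration, the domain names, the finding codes, the MIN_FIRST_FACTOR threshold and the LDAP_BASED provider set are constructed assumptions for illustration.

```python
import configparser

MIN_FIRST_FACTOR = 8  # assumed local policy threshold, not a value from the announcement
LDAP_BASED = {"ldap", "ipa", "ad"}  # assumption: providers that use the ldap_* options

# Constructed sample configuration (domain names are placeholders).
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = corp.example.test, legacy.example.test, dir.example.test

[domain/corp.example.test]
id_provider = ad
access_provider = ad
cache_credentials = True
cached_auth_timeout = 43200
cache_credentials_minimal_first_factor_length = 4

[domain/legacy.example.test]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive
ldap_purge_cache_timeout = 10800

[domain/dir.example.test]
id_provider = ldap
enumerate = true
cached_auth_timeout = 0
"""


def _opt(dom, key):
    """Return the stripped, lower-cased option value, or None when unset."""
    raw = dom.get(key)
    return None if raw is None else raw.strip().lower()


def _int_opt(dom, key):
    """Return (is_set, value); value is None when the text is not an integer."""
    raw = _opt(dom, key)
    if raw is None:
        return False, None
    try:
        return True, int(raw)
    except ValueError:
        return True, None


def audit_sssd_conf(text):
    """Return a list of (section, finding_code) for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        dom = cp[name]

        # GPO access control: the default moved from permissive to enforcing
        # and applies to every domain that sets access_provider = ad.
        if _opt(dom, "access_provider") == "ad":
            gpo = _opt(dom, "ad_gpo_access_control")
            if gpo is None:
                findings.append((name, "gpo-implicit-enforcing"))
            elif gpo != "enforcing":
                findings.append((name, "gpo-not-enforced"))

        # Cached authentication stays off unless cached_auth_timeout is set.
        is_set, timeout = _int_opt(dom, "cached_auth_timeout")
        if is_set and timeout is None:
            findings.append((name, "cached-auth-timeout-invalid"))
        elif is_set and timeout > 0:
            findings.append((name, "cached-auth-enabled"))

        # Cached credentials with a short first factor (matters with OTP).
        if _opt(dom, "cache_credentials") == "true":
            is_set, minlen = _int_opt(
                dom, "cache_credentials_minimal_first_factor_length")
            if is_set and (minlen is None or minlen < MIN_FIRST_FACTOR):
                findings.append((name, "short-cached-first-factor"))

        # LDAP cleanup task: now disabled by default unless enumeration is on.
        if (_opt(dom, "id_provider") in LDAP_BASED
                and _opt(dom, "ldap_purge_cache_timeout") is None
                and _opt(dom, "enumerate") != "true"):
            findings.append((name, "cleanup-task-off-by-default"))
    return findings


if __name__ == "__main__":
    for section, code in audit_sssd_conf(SAMPLE_CONF):
        print(f"{section}: {code}")
```

Run it against a copy of /etc/sssd/sssd.conf before upgrading to see which domains rely on a default that 1.13.0 changes.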
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 06 Jul 2015 14:25:56 -0700
Subject: [Freeipa-users] strange password error..
In-Reply-To: <1436204666.7030.52.camel@willson.usersys.redhat.com>
References: <559AB6CA.1040309@gmail.com> <1436204666.7030.52.camel@willson.usersys.redhat.com>
Message-ID: <559AF264.1010403@gmail.com>

On 7/6/15 10:44 AM, Simo Sorce wrote:
> On Mon, 2015-07-06 at 10:11 -0700, Janelle wrote:
>> Hello all,
>>
>> Is there any known bug that would cause:
>>
>> Password change failed. Server message: Current password's minimum life
>> has not expired
>>
>> Here is the environment/process (7.1 with IPA 4.1.4) --
>> 1. reset a user's PW so they are forced to change it.
>> 2. they login and get the "Your password has expired..." message
>> 3. They are then asked to change it and enter a new PW (twice)
>> 4. This error message pops up, BUT -- the password is still changed.
> If they get this using kpasswd it may happen if a re-transmission
> occurs, as kpasswd uses UDP, so the second request ends up with that
> error, I think, not 100% sure.
>
> Simo.
>
This is very consistent - happening to all my users, and yet the IPA server load is nothing. And since it does reset the PW successfully, why would it still send this message?

Still confused,
~Janelle

From tde3000 at gmail.com Tue Jul 7 05:56:34 2015
From: tde3000 at gmail.com (John Stein)
Date: Tue, 07 Jul 2015 05:56:34 +0000
Subject: [Freeipa-users] IPA Replication Questions
Message-ID:

Hi,

Looking at the documentation, I've found no examples of creating replication agreement with only one server.

What I assume needs to be done is this:
For each replica, run ipa-replica-prepare and follow the documentation. This creates replication agreements between two nodes.
From there, I should use ipa-replica-manage to add replication agreements to whichever nodes I want that were not the original two.

For instance: from server1 I run ipa-replica-prepare to prepare the files for server2 and server3 and then run ipa-replica-install on them with their respective files.
So my replication agreements are
s1 <-> s2
s1 <-> s3
After that I use ipa-replica-manage to create trust between server2 and server3.

Am I right?

Thank you,
John

From sbose at redhat.com Tue Jul 7 07:51:46 2015
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 7 Jul 2015 09:51:46 +0200
Subject: [Freeipa-users] strange password error..
In-Reply-To: <559AF264.1010403@gmail.com>
References: <559AB6CA.1040309@gmail.com> <1436204666.7030.52.camel@willson.usersys.redhat.com> <559AF264.1010403@gmail.com>
Message-ID: <20150707075146.GC22480@p.redhat.com>

On Mon, Jul 06, 2015 at 02:25:56PM -0700, Janelle wrote:
> On 7/6/15 10:44 AM, Simo Sorce wrote:
> >On Mon, 2015-07-06 at 10:11 -0700, Janelle wrote:
> >>Hello all,
> >>
> >>Is there any known bug that would cause:
> >>
> >>Password change failed. Server message: Current password's minimum life
> >>has not expired
> >>
> >>Here is the environment/process (7.1 with IPA 4.1.4) --
> >>1. reset a user's PW so they are forced to change it.
> >>2. they login and get the "Your password has expired..." message
> >>3. They are then asked to change it and enter a new PW (twice)
> >>4. This error message pops up, BUT -- the password is still changed.
> >If they get this using kpasswd it may happen if a re-transmission
> >occurs, as kpasswd uses UDP, so the second request ends up with that
> >error, I think, not 100% sure.
> >
> >Simo.
> >
> This is very consistent - happening to all my users, and yet the IPA server
> load is nothing. And since it does reset the PW successfully, why would it
> still send this message?

Can you provide the SSSD domain and pam responder log files? If you
prefer feel free to send them to me by pm.

Besides updating the password on the server side SSSD does other things
like e.g. updating the cached password hash. Maybe the server side
update works as expected but some other operation fails causing this
error message.

bye,
Sumit

>
> Still confused,
> ~Janelle
>

From ender at kofeina.net Tue Jul 7 08:02:52 2015
From: ender at kofeina.net (Łukasz Jaworski)
Date: Tue, 7 Jul 2015 10:02:52 +0200
Subject: [Freeipa-users] IPA Replication Questions
In-Reply-To:
References:
Message-ID: <594201C9-5250-47E3-8B97-0D056DF3FB89@kofeina.net>

Yes.
ipa-replica-manage connect s2 s3

and for CA replication:
ipa-csreplica-manage connect s2 s3

Best regards,
Ender

Message written by John Stein on 7 Jul 2015, at 07:56:

> Hi,
>
> Looking at the documentation, I've found no examples of creating replication agreement with only one server.
>
> What I assume needs to be done is this:
> For each replica, run ipa-replica-prepare and follow the documentation. This creates replication agreements between two nodes.
> From there, I should use ipa-replica-manage to add replication agreements to whichever nodes I want that were not the original two.
>
> For instance: from server1 I run ipa-replica-prepare to prepare the files for server2 and server3 and then run ipa-replica-install on them with their respective files.
> So my replication agreements are
> s1 <-> s2
> s1 <-> s3
> After that I use ipa-replica-manage to create trust between server2 and server3.
>
> Am I right?
>
> Thank you,
> John

From mkosek at redhat.com Tue Jul 7 11:33:17 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 07 Jul 2015 13:33:17 +0200
Subject: [Freeipa-users] What is the recommended way to create an Administrator account through the web ui?
In-Reply-To: <454d916d1ea0b41221963e400c882316.squirrel@webmail.nathanpeters.com>
References: <454d916d1ea0b41221963e400c882316.squirrel@webmail.nathanpeters.com>
Message-ID: <559BB8FD.5000308@redhat.com>

On 07/03/2015 05:45 PM, nathan at nathanpeters.com wrote:
> I have been trying to create accounts in FreeIPA that have the same level
> of permission as the built-in administrator account. Basically, I want to
> do the equivalent of what you can do in Active Directory by adding someone
> to the Domain Administrators group.
>
> We need this because it is not an acceptable security model in our
> enterprise to share the built-in admin password between many
> administrators.

Very much understandable.

> What is the proper way to do this?
>
> I notice that the built-in roles are DNS Administrator, IT Security
> Specialist, IT Specialist, Security Architect, User Administrator, and
> helpdesk. If I give a user all 6 of these roles will they have the
> equivalent level of permissions as the admin user or are there things they
> still won't be able to do ?

If you want to have user with "admin" powers, all you need to do is to add the
user to "admins" group as this is the group with the real powers.

If you want to create less privileged administrators, you can use the RBAC
model and create your custom roles with the chosen selection of privileges. If
you want to do even more fine-grained permission control, you can even create
own privileges based on the permissions, which is the lowest level of
permission available in FreeIPA.

More info on this topic should be in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

Martin

From tde3000 at gmail.com Tue Jul 7 11:37:39 2015
From: tde3000 at gmail.com (John Stein)
Date: Tue, 07 Jul 2015 11:37:39 +0000
Subject: [Freeipa-users] Using NTP SRV records
Message-ID:

Hi,

I have an IPA server installed with --no-ntp, and created SRV records
_ntp._udp_.linux.john.com
pointing to my actual NTP servers. However, when I run ipa-client-install
it is configured with the IPA server as an NTP server.

Am I missing something?

Thanks,
John

From mkosek at redhat.com Tue Jul 7 11:40:51 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 07 Jul 2015 13:40:51 +0200
Subject: [Freeipa-users] Userpassword randomly not working anymore.
In-Reply-To:
References:
Message-ID: <559BBAC3.4000407@redhat.com>

On 07/05/2015 01:08 AM, Matt . wrote:
> Hi Guys,
>
> I created a bug where no response is on yet for a week, so I thought
> to ask the mailinglist if someone has seen this behaviour.

Hi Matt,

Sorry for the delay in the answer in Bugzilla, most of the team is now very
busy with FreeIPA 4.2 finalization, so the responses are slower.

In your case, I think we will need more data anyway, specifically what does it
mean that >>The password of a user is randomly "not working"<<.

If password reset is not behaving as it should, we will need full user entry
*before* password reset ("ipa user-show USER --all --raw"), full user entry
*after* password reset and password policy setting for the user ("ipa
pwpolicy-show").

> https://bugzilla.redhat.com/show_bug.cgi?id=1236322
>
>
> Description of problem:
>
> The password of a user is randomly "not working" anymore and needs a
> reset of the password.
>
> The user is added as passSyncManagersDNs entry and when this user sets
> a password for another user the expire is set to 2035, it does the
> same for itself.
>
>
> Version-Release number of selected component (if applicable):
>
> 4.1
>
>
> How reproducible:
>
> Add a user to passSyncManagersDNs like described here:
>
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/pass-sync.html
>
>
> Steps to Reproduce:
> 1. Add user to passSyncManagersDNs
> 2. Reset this user his password, login and set the same password again
> so it stays the same until 2035
> 3. Wait for some days and try to login as this user the password is
> expired or damaged but still says in the GUI it expires in 2035
>
> Actual results:
>
> The password expires it gets corrupted or so ?
>
>
> Expected results:
>
> It should not expire until 2035!
>
>
>
> I hope someone has a clue here as I can't get anything logged about it.
>
> Thanks,
>
> Matt
>

From jbaird at follett.com Tue Jul 7 11:42:20 2015
From: jbaird at follett.com (Baird, Josh)
Date: Tue, 7 Jul 2015 11:42:20 +0000
Subject: [Freeipa-users] Using NTP SRV records
In-Reply-To:
References:
Message-ID:

You need to specify '--no-ntp' on 'ipa-client-install'

Josh

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of John Stein
Sent: Tuesday, July 07, 2015 7:38 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Using NTP SRV records

Hi,

I have an IPA server installed with --no-ntp, and created SRV records
_ntp._udp_.linux.john.com
pointing to my actual NTP servers. However, when I run ipa-client-install it is configured with the IPA server as an NTP server.

Am I missing something?

Thanks,
John

From jpazdziora at redhat.com Tue Jul 7 12:55:24 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 7 Jul 2015 14:55:24 +0200
Subject: [Freeipa-users] Using NTP SRV records
In-Reply-To:
References:
Message-ID: <20150707125524.GA14147@redhat.com>

On Tue, Jul 07, 2015 at 11:37:39AM +0000, John Stein wrote:
> Hi,
>
> I have an IPA server installed with --no-ntp, and created SRV records
> _ntp._udp_.linux.john.com
> pointing to my actual NTP servers. However, when I run ipa-client-install
> it is configured with the IPA server as an NTP server.
>
> Am I missing something?

I believe you might be hitting bug

https://fedorahosted.org/freeipa/ticket/4981

The fix will go out with 4.2 release.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From tde3000 at gmail.com Tue Jul 7 13:05:40 2015
From: tde3000 at gmail.com (John Stein)
Date: Tue, 07 Jul 2015 13:05:40 +0000
Subject: [Freeipa-users] Using NTP SRV records
In-Reply-To:
References:
Message-ID:

Thank you (both of you)

John

On Tue, Jul 7, 2015 at 2:42 PM Baird, Josh wrote:

> You need to specify '--no-ntp' on 'ipa-client-install'
>
> Josh
>
> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of* John Stein
> *Sent:* Tuesday, July 07, 2015 7:38 AM
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] Using NTP SRV records
>
> Hi,
>
> I have an IPA server installed with --no-ntp, and created SRV records
> _ntp._udp_.linux.john.com
> pointing to my actual NTP servers. However, when I run ipa-client-install
> it is configured with the IPA server as an NTP server.
>
> Am I missing something?
>
> Thanks,
> John
>

From tde3000 at gmail.com Tue Jul 7 13:06:24 2015
From: tde3000 at gmail.com (John Stein)
Date: Tue, 07 Jul 2015 13:06:24 +0000
Subject: [Freeipa-users] IPA Replication Questions
In-Reply-To: <594201C9-5250-47E3-8B97-0D056DF3FB89@kofeina.net>
References: <594201C9-5250-47E3-8B97-0D056DF3FB89@kofeina.net>
Message-ID:

Thanks for the reply.

Maybe this should be added to the documentation?

John

On Tue, Jul 7, 2015 at 11:02 AM Łukasz Jaworski wrote:

> Yes.
> ipa-replica-manage connect s2 s3
>
> and for CA replication:
> ipa-csreplica-manage connect s2 s3
>
> Best regards,
> Ender
>
> Message written by John Stein on 7 Jul 2015, at 07:56:
>
> > Hi,
> >
> > Looking at the documentation, I've found no examples of creating
> > replication agreement with only one server.
> >
> > What I assume needs to be done is this:
> > For each replica, run ipa-replica-prepare and follow the documentation.
> > This creates replication agreements between two nodes.
> > From there, I should use ipa-replica-manage to add replication
> > agreements to whichever nodes I want that were not the original two.
> >
> > For instance: from server1 I run ipa-replica-prepare to prepare the
> > files for server2 and server3 and then run ipa-replica-install on them with
> > their respective files.
> > So my replication agreements are
> > s1 <-> s2
> > s1 <-> s3
> > After that I use ipa-replica-manage to create trust between server2 and
> > server3.
> >
> > Am I right?
> >
> > Thank you,
> > John
>

From yamakasi.014 at gmail.com Mon Jul 6 16:10:49 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 6 Jul 2015 18:10:49 +0200
Subject: [Freeipa-users] IPA replica without CA, how to become CA
In-Reply-To: <559AA4D3.8000700@redhat.com>
References: <559AA4D3.8000700@redhat.com>
Message-ID:

Hi Rob,

OK, I had difficulties with that and try it.

What I actually did is:

Turned off IPA1 (to act it like a dead one) and removed it from ipa2.

Now when I install a new replica with ipa2 as its master/source I get
complaints there is no CA. So my ipa2 needs to become ca in some way.

I need to check but I thought I did what you said which didn't work...
I need to debug it and report you this evening.

Thanks,

Matt

2015-07-06 17:54 GMT+02:00 Rob Crittenden:
> Matt . wrote:
>>
>> Hi All,
>>
>> I'm cleaning up and playing around with some old dev setups and
>> reviewing these tests.
>>
>> This is a replica setup but the replica is no CA. Now I'm testing out
>> how to manage cluster when I remove the ipa1 (CA) and create a new
>> replica with CA from the ipa2.
>>
>> IPA2 should become CA and out of that I can setup a replica again.
>> What is my best approach to test this ?
>
>
> Hard to say given I have no insight into your topology, but to add a CA
> post-install use ipa-ca-install
>
> rob
>

From rcritten at redhat.com Tue Jul 7 14:22:10 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 07 Jul 2015 10:22:10 -0400
Subject: [Freeipa-users] error after change cert
In-Reply-To:
References: <559A84FA.2020106@redhat.com> <559AA268.7060709@redhat.com> <559AA459.8050200@redhat.com>
Message-ID: <559BE092.6030508@redhat.com>

barrykfl at gmail.com wrote:
> Where is it ?
> Could u advise ?
> My old cert is GoDaddy
> And new cert is Comodo

Please keep responses on the list.

$ ldapsearch -LLL -x -D 'cn=directory manager' -W -b cn=RSA,cn=encryption,cn=config nsSSLPersonalitySSL

If the result doesn't match the nickname of your new cert then your
simplest solution is:

# ipactl stop
# /etc/dirsrv/slapd-REALM/dse.ldif

Find nsSSLPersonalitySSL and replace the value with the right one.

# ipactl start

rob

> 2015?7?6? ??11:52? "Rob Crittenden" >???
> >
> > barrykfl at gmail.com wrote:
> >>
> >> Where can i check the config of nss?
> >>
> >> I modified the nssdb and imported cert successfully.
> >>
> >> should i change any ldif?
> >
> >
> > I already told you in my initial reply:
> >
> >
> > Check the value of nsSSLPersonalitySSL in
> > cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server
> > certificate to use.
> >
> > rob
> >
> >>
> >> Many thanks
> >>
> >> 2015?7?6? ??11:44? "Rob Crittenden"
> >> >>???
> >>
> >>
> >> barrykfl at gmail.com wrote:
> >>
> >> Do u meant this :
> >>
> >> i already add the cert to nss and even \etc\ipa\ ca.cert replaced
> >>
> >>
> >> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
> >>
> >> Certificate Nickname                             Trust Attributes
> >>
> >>                                                  SSL,S/MIME,JAR/XPI
> >>
> >> COMODO RSA Domain Validation Secure Server CA    CT,C,C
> >> IPA CA                                           CT,C,C
> >> COMODO RSA Certification Authority               CT,C,C
> >>
> >>
> >> This has no relationship to the error you're seeing. This database
> >> is not used by either Apache or 389-ds.
> >>
> >> NSS uses nicknames to reference a given certificate. This nickname
> >> needs to exist in its database. I'm guessing that you changed the
> >> database, and therefore the nickname in the database, without also
> >> updating the server configuration with this new nickname.
> >>
> >> rob
> >>
> >>
> >>
> >> 2015-07-06 21:39 GMT+08:00 Rob Crittenden:
> >>
> >> barrykfl at gmail.com wrote:
> >>
> >> the cert already in httpd / ldap side. but it prompt error
> >>
> >> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> >> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
> >>
> >> *.wisers.com - COMODO CA Limited                 u,u,u
> >> COMODO RSA Domain Validation Secure Server CA    CT,C,C
> >> COMODO RSA Certification Authority               CT,C,C
> >>
> >>
> >> Taking a wild guess here due to limited information, but check the
> >> value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This
> >> is the NSS nickname of the server certificate to use.
> >>
> >> rob
> >>
> >>
> >>
> >> 2015-07-06 20:01 GMT+08:00:
> >>
> >>
> >> hi:
> >>
> >> i changed cert already but seems it still keep history of GoDaddy any
> >> help.??
> >>
> >>
> >> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> >> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> >> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> >> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
> >>
>

From christopher.lamb at ch.ibm.com Tue Jul 7 15:39:47 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 7 Jul 2015 17:39:47 +0200
Subject: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
Message-ID:

Hi All

Is there any way on the FreeIPA side to log / debug / trace the LDAP
queries made by 3rd Party Tools against a FreeIPA Server?

In another thread we are trying to solve some problems with integration of
JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is making
against FreeIPA, then we will be well on the road to finding out what is
going wrong / needs to be changed.

I will be asking a similar question to Atlassian support for LDAP logging
on the JIRA side (there I already have partial success, but am not seeing
everything I want to see).

Cheers

Chris

From mbasti at redhat.com Tue Jul 7 16:09:56 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 7 Jul 2015 18:09:56 +0200
Subject: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
In-Reply-To:
References:
Message-ID: <559BF9D4.2080207@redhat.com>

On 07/07/15 17:39, Christopher Lamb wrote:
> Hi All
>
> Is there any way on the FreeIPA side to log / debug / trace the LDAP
> queries made by 3rd Party Tools against a FreeIPA Server?
>
> In another thread we are trying to solve some problems with integration of
> JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is making
> against FreeIPA, then we will be well on the road to finding out what is
> going wrong / needs to be changed.
>
> I will be asking a similar question to Atlassian support for LDAP logging
> on the JIRA side (there I already have partial success, but am not seeing
> everything I want to see).
>
> Cheers
>
> Chris
>
Hello,

all LDAP queries are logged in this log
/var/log/dirsrv/slapd-*/access

--
Martin Basti

From rmeggins at redhat.com Tue Jul 7 16:14:19 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jul 2015 10:14:19 -0600
Subject: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
In-Reply-To: <559BF9D4.2080207@redhat.com>
References: <559BF9D4.2080207@redhat.com>
Message-ID: <559BFADB.5060803@redhat.com>

On 07/07/2015 10:09 AM, Martin Basti wrote:
> On 07/07/15 17:39, Christopher Lamb wrote:
>> Hi All
>>
>> Is there any way on the FreeIPA side to log / debug / trace the LDAP
>> queries made by 3rd Party Tools against a FreeIPA Server?
>>
>> In another thread we are trying to solve some problems with
>> integration of
>> JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is
>> making
>> against FreeIPA, then we will be well on the road to finding out what is
>> going wrong / needs to be changed.
>>
>> I will be asking a similar question to Atlassian support for LDAP
>> logging
>> on the JIRA side (there I already have partial success, but am not
>> seeing
>> everything I want to see).
>>
>> Cheers
>>
>> Chris
>>
> Hello,
>
> all LDAP queries are logged in this log
> /var/log/dirsrv/slapd-*/access
>

If by "query" you mean "search request", then all of the search request
data is logged in the dirsrv access log. If you need details about
other operations, you'll want to enable the audit log.

From christopher.lamb at ch.ibm.com Tue Jul 7 17:00:34 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 7 Jul 2015 19:00:34 +0200
Subject: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
In-Reply-To: <559BFADB.5060803@redhat.com>
References: <559BF9D4.2080207@redhat.com> <559BFADB.5060803@redhat.com>
Message-ID:

Rich, Martin

Thanks, I saw the query Jira was performing to retrieve the groups in
/var/log/dirsrv/slapd-*/access, and have been able to correctly configure
Jira accordingly

Chris

From: Rich Megginson
To: freeipa-users at redhat.com
Date: 07.07.2015 18:15
Subject: Re: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
Sent by: freeipa-users-bounces at redhat.com

On 07/07/2015 10:09 AM, Martin Basti wrote:
> On 07/07/15 17:39, Christopher Lamb wrote:
>> Hi All
>>
>> Is there any way on the FreeIPA side to log / debug / trace the LDAP
>> queries made by 3rd Party Tools against a FreeIPA Server?
>>
>> In another thread we are trying to solve some problems with
>> integration of
>> JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is
>> making
>> against FreeIPA, then we will be well on the road to finding out what is
>> going wrong / needs to be changed.
>>
>> I will be asking a similar question to Atlassian support for LDAP
>> logging
>> on the JIRA side (there I already have partial success, but am not
>> seeing
>> everything I want to see).
>>
>> Cheers
>>
>> Chris
>>
> Hello,
>
> all LDAP queries are logged in this log
> /var/log/dirsrv/slapd-*/access
>

If by "query" you mean "search request", then all of the search request
data is logged in the dirsrv access log. If you need details about
other operations, you'll want to enable the audit log.

From christopher.lamb at ch.ibm.com Tue Jul 7 17:14:40 2015
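To make the access-log advice in the thread above concrete, here is an added example (not part of any list post, and not FreeIPA or 389-ds code) that pairs each SRCH line with its RESULT and with the identity bound on that connection. The log lines are constructed in the access-log layout; the suffix, the function names and the flag names are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the 389-ds access-log layout (not from a real server).
SUFFIX = "dc=my,dc=silly,dc=example,dc=com"   # assumed suffix, as used in the thread
SAMPLE_LOG = '''\
[07/Jul/2015:18:55:01 +0200] conn=42 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[07/Jul/2015:18:55:01 +0200] conn=42 op=0 BIND dn="" method=128 version=3
[07/Jul/2015:18:55:01 +0200] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Jul/2015:18:55:01 +0200] conn=42 op=1 SRCH base="dc=my,dc=silly,dc=example,dc=com" scope=2 filter="(uid=bilbo)" attrs=ALL
[07/Jul/2015:18:55:01 +0200] conn=42 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[07/Jul/2015:18:55:02 +0200] conn=43 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.1
[07/Jul/2015:18:55:02 +0200] conn=43 op=0 BIND dn="uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" method=128 version=3
[07/Jul/2015:18:55:02 +0200] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com"
[07/Jul/2015:18:55:02 +0200] conn=43 op=1 SRCH base="cn=accounts,dc=my,dc=silly,dc=example,dc=com" scope=2 filter="(&(objectclass=inetorgperson)(uid=bilbo))" attrs="uid mail displayName"
[07/Jul/2015:18:55:02 +0200] conn=43 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jul/2015:18:55:03 +0200] conn=43 op=2 SRCH base="cn=accounts,dc=my,dc=silly,dc=example,dc=com" scope=2 filter="(objectclass=groupOfUniqueNames)" attrs="cn description uniqueMember"
[07/Jul/2015:18:55:03 +0200] conn=43 op=2 RESULT err=0 tag=101 nentries=0 etime=0
'''

LINE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$')
CLIENT = re.compile(r'connection from (?P<ip>\S+) to ')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                  r'filter="(?P<filter>.*)" attrs=(?P<attrs>.*)$')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) .*?nentries=(?P<n>\d+)')


@dataclass
class Search:
    conn: int
    client: str
    bind_dn: str            # "" means an anonymous bind
    base: str
    scope: int              # 0 = base, 1 = one level, 2 = subtree
    filter: str
    attrs: list
    nentries: int = -1      # filled in from the matching RESULT line
    flags: list = field(default_factory=list)


def review(rec, suffix):
    """Return review flags for one completed search (flag names are made up here)."""
    flags = []
    if rec.bind_dn == "":
        flags.append("anonymous-bind")         # server ACIs decide what anonymous may read
    if rec.scope == 2 and rec.base.lower() == suffix.lower():
        flags.append("suffix-subtree-search")  # also walks cn=compat if that tree is enabled
    if rec.nentries == 0:
        flags.append("zero-entries")           # e.g. an objectclass that no entry carries
    return flags


def parse_searches(text, suffix):
    """Pair every SRCH with its RESULT and with the identity bound on that connection."""
    clients, bound, pending_bind, pending_srch, done = {}, {}, {}, {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        if m["op"] is None:                    # connection-level line, no operation number
            c = CLIENT.search(rest)
            if c:
                clients[conn] = c["ip"]
            continue
        key = (conn, int(m["op"]))
        b, s, r = BIND.match(rest), SRCH.match(rest), RESULT.match(rest)
        if b:
            pending_bind[key] = b["dn"]        # only counts once its RESULT says err=0
        elif s:
            rec = Search(conn, clients.get(conn, "?"), bound.get(conn, ""), s["base"],
                         int(s["scope"]), s["filter"], s["attrs"].strip('"').split())
            pending_srch[key] = rec
            done.append(rec)
        elif r and key in pending_bind:
            dn = pending_bind.pop(key)
            bound[conn] = dn if r["err"] == "0" else ""
        elif r and key in pending_srch:
            rec = pending_srch.pop(key)
            rec.nentries = int(r["n"])
            rec.flags = review(rec, suffix)
    return done


if __name__ == "__main__":
    for rec in parse_searches(SAMPLE_LOG, SUFFIX):
        who = rec.bind_dn or "(anonymous)"
        print(f"conn={rec.conn} {rec.client} as {who}")
        print(f"  base={rec.base} filter={rec.filter} entries={rec.nentries} {rec.flags}")
```

To use it on a real server, pass the contents of the file under /var/log/dirsrv/slapd-*/access and your own suffix to parse_searches instead of the constructed sample.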
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 7 Jul 2015 19:14:40 +0200
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References: <20150628132501.GB19902@redhat.com>
Message-ID:

Hi Markus

I can now replicate FreeIPA groups / group membership to Jira Local
Directory

/var/log/dirsrv/slapd-*/access showed me the queries Jira is performing to
get the groups. Comparing this to the FreeIPA structure using Apache
Directory Studio gave the answer.

Under Group Schema Settings, change
* Group Object Class from groupOfUniqueNames to groupOfNames
* Group Object Filter from (objectclass=groupOfUniqueNames) to (objectclass=groupOfNames)

Under Membership Schema Setting change
* Group Members Attribute from uniqueMember to Member

Chris

From:
To: Christopher Lamb/Switzerland/IBM at IBMCH, ,
Cc:
Date: 06.07.2015 08:00
Subject: AW: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Chris,

thanks for your help. Now we are able to login and have our mails
delivered. Do you maybe know which configuration objects needs to be used
in Jira to be able to use the FreeIPA groups? We have configured all
necessary Jira Groups in FreeIPA but it doesn't work as it should.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com]
Sent: Wednesday, 1 July 2015 09:31
To: Moj, Markus; abokovoy at redhat.com; mkosek at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Markus

It is a pleasure. It was serendipity that we were working on the same
problem at the same time. Your thread prompted me to take a different look
at the question and find a viable solution. Let us know if it works for
you.

What intrigues me is: with my solution we had to change from an anonymous
bind to a simple bind via user / pw to get one extra attribute: mail. This
raises the question: Is there some way to configure IPA to determine which
user attributes are returned to anonymous binds?

Cheers

Chris

From:
To: Christopher Lamb/Switzerland/IBM at IBMCH, ,
Cc:
Date: 01.07.2015 07:54
Subject: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our
Jira and see how it works out.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA,
including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the
one that works for us.

Key points:

a) Integration Style: "Internal Directory with LDAP Authentication" -->
only those users that attempt to login are replicated, useful if your JIRA
users are a subset of your FreeIPA users.

b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA
Support.

c) bind = via user / password --> we first tried anonymous bind (w/o user).
While this replicated users and logins worked, the all important mail
attribute was not replicated.

d) as the password of the bind user is stored in plaintext in the jira db,
make sure this is a limited user (member of the default ipa-users group is
sufficient). e.g. don't use the Directory Manager user!

e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT
come from the compat tree (no mail attribute). We want replies from
cn=users,cn=accounts, which does have the mail attribute

Below is the config direct from the Jira database (of course we made the
config changes via the Jira admin GUI, which has a nifty Test function).

mysql> select attribute_name, attribute_value from cwd_directory_attribute where directory_id = 10001;
+--------------------------------------------+---------------------------------------------------------------------+
| attribute_name                             | attribute_value                                                     |
+--------------------------------------------+---------------------------------------------------------------------+
| autoAddGroups                              | jira-users                                                          |
| crowd.delegated.directory.auto.create.user | true                                                                |
| crowd.delegated.directory.auto.update.user | true                                                                |
| crowd.delegated.directory.importGroups     | false                                                               |
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP                           |
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com                                    |
| ldap.external.id                           | uid                                                                 |
| ldap.group.description                     | description                                                         |
| ldap.group.dn                              |                                                                     |
| ldap.group.filter                          | (objectclass=groupOfUniqueNames)                                    |
| ldap.group.name                            | cn                                                                  |
| ldap.group.objectclass                     | groupOfUniqueNames                                                  |
| ldap.group.usernames                       | uniqueMember                                                        |
| ldap.nestedgroups.disabled                 | true                                                                |
| ldap.pagedresults                          | false                                                               |
| ldap.pagedresults.size                     | 1000                                                                |
| ldap.password                              | xxxxxxxxx                                                           |
| ldap.referral                              | false                                                               |
| ldap.url                                   | ldap://xxx-ldap.my.silly.example.com:389                            |
| ldap.user.displayname                      | displayName                                                         |
| ldap.user.dn                               | cn=accounts                                                         |
| ldap.user.email                            | mail                                                                |
| ldap.user.filter                           | (objectclass=inetorgperson)                                         |
| ldap.user.firstname                        | givenName                                                           |
| ldap.user.group                            | memberOf                                                            |
| ldap.user.lastname                         | sn                                                                  |
| ldap.user.objectclass                      | inetorgperson                                                       |
| ldap.user.username                         | uid                                                                 |
| ldap.user.username.rdn                     | cn                                                                  |
| ldap.userdn                                | uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com      |
| ldap.usermembership.use                    | false                                                               |
| ldap.usermembership.use.for.groups         | false                                                               |
+--------------------------------------------+---------------------------------------------------------------------+

@Martin K

In an earlier thread on FreeIPA / JIRA integration you asked for
contributions to a "How to Article". I think the solution above could be
the basis of such an article.

Cheers

Chris

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Alexander Bokovoy , Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 29.06.2015 11:27
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

Hi all

I am fighting this exact problem too.

We had setup Jira, integrated to FreeIPA with the option "Internal
Directory with LDAP Authentication", using anonymous bind. This integration
path means that when a FreeIPA user attempts to logon to Jira with his
FreeIPA Credentials, his user is replicated from FreeIPA to the Jira user
directory.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

While this allows FreeIPA users to successfully log in to Jira, the user
was replicated without email, which renders Jira as useful as a chocolate
teapot.

Alexander's reply prompted me to "go back to basics". So I fired up Apache
Directory Studio, and the command line to do some ldapsearches, to see what
was returned. This should then guide me how to configure the JIRA / FreeIPA
integration.

Query 1: Anonymous bind, filter is uid = bilbo

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=bilbo)
# requesting: ALL
#

# bilbo, users, compat, my.ch.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
gidNumber: 1175800010
gecos: bilbo bagins
uidNumber: 1175800010
loginShell: /bin/sh
homeDirectory: /home/bilbo
uid: bilbo

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

This returns 2 replies, inc one from the compat tree, as suggested by
Alexander. Note however, neither reply has the mail attribute!

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid =
bilbo (This is probably close to the JIRA query, which includes
inetorgperson)

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This now returns 1 record, from users, accounts, but still no mail
attribute

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Ah! me thinks - what about a search with user and password? Does this get
us something different?

Query 3: same as query 2, but no longer anonymous:

[root at xxx-ldap ~]# ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
mail: lamb at ch.example.com
krbPrincipalName: bilbo at my.silly.example.COM
givenName: bilbo
sn: bagins
ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872
uidNumber: 1175800010
gidNumber: 1175800010
krbPasswordExpiration: 20150831183039Z
krbLastPwdChange: 20150602183039Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

That is much more like it: Performing the query with an ldap user and password gives me many more attributes, including the desired mail attribute.

Next I will configure JIRA to bind to FreeIPA with a FreeIPA user (non-anonymous bind), and report back ...
(unless there is a way to configure which attributes are available to anonymous binds ...)

Cheers
Chris
From: Alexander Bokovoy
To: Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 28.06.2015 15:26
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote:
>Hi @all,
>
>I am new to freeIPA operating and are facing an issue with mail object
>in freeIPA. We are running Jira from Atlassian and are trying to
>authenticate against freeIPA. The authentication process is running but
>mail object is not provided by freeIPA to Jira to inform users about
>new events / trackers or whatsoever. If a test object is displayed with
>ldapsearch mail attribute is available and set but is not useable by
>Jira.
>
>How is it possible to inherit mail accounts in Jira to be able to
>authenticate and use FreeIPA as IDM for Jira as well as for Linux
>systems.

This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your basedn when configuring Jira. If that's the case, then Jira gets results from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if compat tree is enabled.

In the compat tree you have RFC2307 schema which doesn't include mail attribute and slapi-nis always answers first over LDAP queries that apply to cn=compat,$SUFFIX so you are ending up with two LDAP entries returned for each individual IPA users, one from the compat tree without mail attribute, another one is the original entry from cn=users,cn=accounts,$SUFFIX. Jira most likely expects a single entry response and if it gets more, only evaluates the first entry -- the one that is returned by the compat tree and which doesn't have mail attribute.

You can solve this issue by bounding your query to cn=accounts,$SUFFIX to only return primary IPA user/group entries.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From yamakasi.014 at gmail.com Tue Jul 7 21:31:22 2015
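The compat-tree behaviour described in the LDAP thread above, modelled as an added example (not code from the thread or from FreeIPA): it parses LDIF trimmed from the ldapsearch output, then shows which entry a client that evaluates only the first result would use for each combination of bind type and base DN. The function names, the first-entry-wins client and the mail value are assumptions for illustration.

```python
"""Model of the duplicate-entry problem: cn=compat vs. cn=accounts (illustrative)."""
import base64

SUFFIX = "dc=my,dc=silly,dc=example,dc=com"
ACCOUNTS_BASE = "cn=accounts," + SUFFIX

# Constructed sample data, trimmed from the ldapsearch output in the thread.
# The compat entry comes first, as the thread says slapi-nis answers first.
COMPAT_ENTRY = (
    "# bilbo, users, compat\n"
    "dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com\n"
    "objectClass: posixAccount\n"
    "uid: bilbo\n"
)
ACCOUNTS_ENTRY = (
    "# bilbo, users, accounts\n"
    "dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com\n"
    "objectClass: inetorgperson\n"
    "objectClass: posixaccount\n"
    "uid: bilbo\n"
)
# What an anonymous bind sees: no mail attribute on either entry.
ANONYMOUS_LDIF = COMPAT_ENTRY + "\n" + ACCOUNTS_ENTRY
# What an authenticated bind sees: extra attributes on the accounts entry.
# The mail value is constructed; the memberOf line is folded as ldapsearch folds it.
AUTHENTICATED_LDIF = ANONYMOUS_LDIF + (
    "mail: bilbo@example.com\n"
    "memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=\n"
    " com\n"
)


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into an ordered list of (dn, attrs) pairs."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = []
    for block in text.split("\n\n"):
        dn, attrs = None, {}
        for line in block.split("\n"):
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:  # blocks without a dn (e.g. "search: 2") are not entries
            entries.append((dn, attrs))
    return entries


def dn_parts(dn):
    # Simplification: assumes no escaped commas inside RDN values.
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, base):
    """True if dn is the base entry itself or lies below it (component-wise match)."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search(entries, base, **equals):
    """Subtree search with an AND of equality filters, e.g. uid='bilbo'."""
    hits = []
    for dn, attrs in entries:
        if not in_subtree(dn, base):
            continue
        if all(want.lower() in (v.lower() for v in attrs.get(attr.lower(), []))
               for attr, want in equals.items()):
            hits.append((dn, attrs))
    return hits


def diagnose(ldif_text, base, uid):
    """Report what a client that evaluates only the first returned entry ends up with."""
    results = search(parse_ldif(ldif_text), base, uid=uid)
    first_dn, first_attrs = results[0] if results else (None, {})
    return {
        "entries": len(results),
        "ambiguous": len(results) > 1,
        "first_dn": first_dn,
        "mail": first_attrs.get("mail", [None])[0],
    }


if __name__ == "__main__":
    for bind, ldif in (("anonymous", ANONYMOUS_LDIF), ("authenticated", AUTHENTICATED_LDIF)):
        for base in (SUFFIX, ACCOUNTS_BASE):
            r = diagnose(ldif, base, "bilbo")
            print(f"{bind:13} base={base.split(',')[0]:12} "
                  f"entries={r['entries']} mail={r['mail']}")
```

In this model only the authenticated bind scoped to cn=accounts yields a single entry carrying mail; changing just one of the two settings still leaves the client without the attribute.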
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 7 Jul 2015 23:31:22 +0200
Subject: [Freeipa-users] Userpassword randomly not working anymore.
In-Reply-To: <559BBAC3.4000407@redhat.com>
References: <559BBAC3.4000407@redhat.com>
Message-ID:

Hi Martin,

No problem I thought you guys needed a vacation but you are working on 4.2, wow sounds great!

I can provide that but it will take some time as I cannot see when it happens so need to check. I might be able to post it tomorrow!

Good luck there with the release!

Cheers,

Matt

2015-07-07 13:40 GMT+02:00 Martin Kosek :
> On 07/05/2015 01:08 AM, Matt . wrote:
>> Hi Guys,
>>
>> I created a bug where no response is on yet for a week, so I thought
>> to ask the mailinglist if someone has seen this behaviour.
>
> Hi Matt,
>
> Sorry for the delay in the answer in Bugzilla, most of the team is now very
> busy with FreeIPA 4.2 finalization, so the responses are slower.
>
> In your case, I think we will need more data anyway, specifically what does it
> mean that >>The password of a user is randomly "not working"<<.
>
> If password reset is not behaving as it should, we will need full user entry
> *before* password reset ("ipa user-show USER --all --raw"), full user entry
> *after* password reset and password policy setting for the user ("ipa
> pwpolicy-show").
>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1236322
>>
>>
>> Description of problem:
>>
>> The password of a user is randomly "not working" anymore and needs a
>> reset of the password.
>>
>> The user is added as passSyncManagersDNs entry and when this user sets
>> a password for another user the expire is set to 2035, it does the
>> same for itself.
>>
>>
>> Version-Release number of selected component (if applicable):
>>
>> 4.1
>>
>>
>> How reproducible:
>>
>> Add a user to passSyncManagersDNs like described here:
>>
>> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/pass-sync.html
>>
>>
>> Steps to Reproduce:
>> 1. Add user to passSyncManagersDNs
>> 2. Reset this user his password, login and set the same password again
>> so it stays the same until 2035
>> 3. Wait for some days and try to login as this user the password is
>> expired or damaged but still says in the GUI it expires in 2035
>>
>> Actual results:
>>
>> The password expires it gets corrupted or so ?
>>
>>
>> Expected results:
>>
>> It should not expire until 2035!
>>
>>
>>
>> I hope someone has a clue here as I can't get anything logged about it.
>>
>> Thanks,
>>
>> Matt
>>
>

From mkosek at redhat.com Wed Jul 8 07:50:47 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 08 Jul 2015 09:50:47 +0200
Subject: [Freeipa-users] IPA Replication Questions
In-Reply-To:
References: <594201C9-5250-47E3-8B97-0D056DF3FB89@kofeina.net>
Message-ID: <559CD657.1060404@redhat.com>

RHEL guide has
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology.html#repl-tools

Does that help?

On 07/07/2015 03:06 PM, John Stein wrote:
> Thanks for the reply.
>
> Maybe this should be added to the documentation?
>
> John
>
> On Tue, Jul 7, 2015 at 11:02 AM Łukasz Jaworski wrote:
>
>> Yes.
>> ipa-replica-manage connect s2 s3
>>
>> and for CA replication:
>> ipa-csreplica-manage connect s2 s3
>>
>> Best regards,
>> Ender
>>
>> Message written by John Stein on 7 Jul 2015, at 07:56:
>>
>>> Hi,
>>>
>>> Looking at the documentation, I've found no examples of creating replication agreement with only one server.
>>>
>>> What I assume needs to be done is this:
>>> For each replica, run ipa-replica-prepare and follow the documentation. This creates replication agreements between two nodes.
>>> From there, I should use ipa-replica-manage to add replication agreements to whichever nodes I want that were not the original two.
>>>
>>> For instance: from server1 I run ipa-replica-prepare to prepare the files for server2 and server3 and then run ipa-replica-install on them with their respective files.
>>> So my replication agreements are
>>> s1 <-> s2
>>> s1 <-> s3
>>> After that I use ipa-replica-manage to create trust between server2 and server3.
>>>
>>> Am I right?
>>>
>>> Thank you,
>>> John
>>
>

From ilaria.cianci at gmail.com Wed Jul 8 08:11:38 2015
From: ilaria.cianci at gmail.com (ilaria cianci)
Date: Wed, 8 Jul 2015 10:11:38 +0200
Subject: [Freeipa-users] services-based authentication
Message-ID:

Hi All,

I am a new user and I have a question about FreeIPA authentication methods. Can FreeIPA select different auth methods (i.e. otp, password, etc) for the same user based on the service he wants to access? I mean using this user should use otp for the mail service, the password for the server access, etc.. How can I set this ?

Thanks a lot in advance for your answer,

Best regards,
Ilaria

From pspacek at redhat.com Wed Jul 8 09:50:27 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 08 Jul 2015 11:50:27 +0200
Subject: [Freeipa-users] reverse lookup dns records in trust setup
In-Reply-To:
References: <55914D1F.4050704@redhat.com>
Message-ID: <559CF263.6020300@redhat.com>

On 5.7.2015 08:38, John Stein wrote:
> Hi,
>
> I ran these commands in the IdM server
>
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>
> At the Active Directory I have A and PTR records for the IdM server and it
> is configured as a global forwarder.
> At the IdM server there are A and PTR records for both the IdM server and
> another client.
> However this setup does not work.
> From the IdM and linux client every record is resolvable, however from the
> AD only the IdM is resolvable and the client is not.
>
> Maybe there's another thing I need to configure in the AD in order to
> enable forwarding that I'm missing?

I'm not sure I understand you. A zone should be configured only on one server (or set of synchronized servers).

Could you tell us what exactly (using what commands or GUI in IPA and AD) did you configure?

It would be good if you did not obfuscate DNS names in the steps because the obfuscation often hides the real cause of problem :-)

Have a nice day!

Petr^2 Spacek

> Thank you very much,
> John
>
> On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek wrote:
>
>> On 29.6.2015 13:57, John Stein wrote:
>>> Hi,
>>>
>>> I have an AD and IdM server.
>>> AD domain - john.com
>>> IdM domain - linux.john.com
>>>
>>> each spans multiple network segments, with some segments having both linux
>>> and windows machines.
>>>
>>> the IdM is configured to forward DNS requests to AD (forward first), and
>>> the AD is configured to forward requests in the linux.john.com domain to
>>> the IdM.
>>>
>>> However, I'm having a problem regarding reverse lookup zones. Where should
>>> they be so they can be accessed from both linux and windows machines?
>>
>> From DNS's point of view it does not matter, pick one side (AD or IPA) to host
>> the reverse zone and configure delegation or forwarding on the other side.
>> That is all you need if you are willing to update records manually.
>>
>>> If I put them in IdM, how will the AD know which requests to forward to the
>>> IdM?
>>
>> Either properly configure delegation (if you have control over the parent
>> zone) or add forwarder (only if you do not have control over parent zone -
>> usual caveats for forwarding apply).
>>
>>> It seems to me that I need to somehow register them at the AD, so the A
>>> record is in the IdM server and the PTR is in the AD. Is it possible to do
>>> it automatically,
>>
>> "host/" principals from IPA Kerberos realm are generally not allowed to get
>> tickets for AD realm so automatic update from IPA to AD is not possible.
>>
>> It might work the other way around (I did not test this):
>> - Configure reverse zone in IPA
>> - Configure delegation/forwarding in AD so all clients can properly resolve
>> the reverse zone
>> - Allow all clients to update their PTR records. Update policy like this might
>> work:
>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>
>> I would like to hear from you if this works in your environment or not.

From karl.forner at gmail.com Wed Jul 8 12:26:02 2015
From: karl.forner at gmail.com (Karl Forner)
Date: Wed, 8 Jul 2015 14:26:02 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
Message-ID:

Hello,

When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder for instance.

For example, I'd like foo.example.test not to be resolved, but forwarded.
How could I implement this ?

Thanks.
Karl Forner

From jpazdziora at redhat.com Wed Jul 8 12:32:31 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 8 Jul 2015 14:32:31 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To:
References:
Message-ID: <20150708123231.GE3502@redhat.com>

On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>
> When using my freeIPA DNS name server for my domain example.test, I need to
> exclude some names from the server (to be forwarded to the DNS forwarder
> for instance.
>
> For example, I'd like foo.example.test not to be resolved, but forwarded.
> How could I implement this ?

That would mean you have two different nameservers authoritative for the same DNS domain. That is generally not recommended setup.

Can't you make foo.example.test a CNAME to foo.example.org or another hostname, in domain with different authoritative DNS server?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From karl.forner at gmail.com Wed Jul 8 13:07:43 2015
From: karl.forner at gmail.com (Karl Forner)
Date: Wed, 8 Jul 2015 15:07:43 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To: <20150708123231.GE3502@redhat.com>
References: <20150708123231.GE3502@redhat.com>
Message-ID:

On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora wrote:

> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >
> > When using my freeIPA DNS name server for my domain example.test, I need to
> > exclude some names from the server (to be forwarded to the DNS forwarder
> > for instance.
> >
> > For example, I'd like foo.example.test not to be resolved, but forwarded.
> > How could I implement this ?
>
> That would mean you have two different nameservers authoritative for
> the same DNS domain. That is generally not recommended setup.
>

Yes, that's what I read, but I do not know how to easily do differently.
But in the end, what I'd like for my users, is to have foo.example.test resolved from the outside to my external server IP, and from the inside to the internal server IP.

>
> Can't you make foo.example.test a CNAME to foo.example.org or another
> hostname, in domain with different authoritative DNS server?
>

Hmm yes that should work, thanks !

>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>

From mbasti at redhat.com Wed Jul 8 14:09:00 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 8 Jul 2015 16:09:00 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To:
References:
Message-ID: <559D2EFC.8030101@redhat.com>

On 08/07/15 14:26, Karl Forner wrote:
> Hello,
>
> When using my freeIPA DNS name server for my domain example.test, I
> need to exclude some names from the server (to be forwarded to the DNS
> forwarder for instance.
>
> For example, I'd like foo.example.test not to be resolved, but forwarded.
> How could I implement this ?
>
> Thanks.
> Karl Forner
>
>
Hello,

If you plan to forward whole subzone, you can use forward zones in IPA.

example.test -- master zone
foo.example.test -- forward zones

which version of IPA do you have?
If IPA > 4.0, then you can use ipa dnsforwardzone-add command.
Otherwise dnszone-add with --forwarder option

Do not forget to add proper NS delegation for all sub zones from parent zone.
For example: ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test.

--
Martin Basti

From karl.forner at gmail.com Wed Jul 8 14:14:04 2015
From: karl.forner at gmail.com (Karl Forner)
Date: Wed, 8 Jul 2015 16:14:04 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To: <559D2EFC.8030101@redhat.com>
References: <559D2EFC.8030101@redhat.com>
Message-ID:

Thanks Martin, but I do not want to forward the whole subzone.

I have the example.test zone from my web hosting site, that manages also the domain example.test
I use the example.test domain in freeIPA.
So the problem is that in the internal network, I can no longer resolve www.example.test.

Of course I can define all such names manually in the freeIPA dns, but ideally (or naively) I'd like a way to configure the freeIPA dns like: if you do not know foo.example.test, instead of returning NXDOMAIN, please forward the request to this other nameserver.

On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti wrote:

> On 08/07/15 14:26, Karl Forner wrote:
>
> Hello,
>
> When using my freeIPA DNS name server for my domain example.test, I need
> to exclude some names from the server (to be forwarded to the DNS forwarder
> for instance.
>
> For example, I'd like foo.example.test not to be resolved, but forwarded.
> How could I implement this ?
>
> Thanks.
> Karl Forner
>
>
> Hello,
>
> If you plan to forward whole subzone, you can use forward zones in IPA.
>
> example.test -- master zone
> foo.example.test -- forward zones
>
> which version of IPA do you have?
> If IPA > 4.0, then you can use ipa dnsforwardzone-add command.
> Otherwise dnszone-add with --forwarder option
>
> Do not forget to add proper NS delegation for all sub zones from parent
> zone.
> For example: ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test.
>
> --
> Martin Basti
>

From mbasti at redhat.com Wed Jul 8 14:25:20 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 8 Jul 2015 16:25:20 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To:
References: <559D2EFC.8030101@redhat.com>
Message-ID: <559D32D0.40909@redhat.com>

On 08/07/15 16:14, Karl Forner wrote:
> Thanks Martin, but I do not want to forward the whole subzone.
>
> I have the example.test zone from my web hosting site, that manages
> also the domain example.test
> I use the example.test domain in freeIPA.
> So the problem is that in the internal network, I can no longer
> resolve www.example.test.
>
> Of course I can define all such names manually in the freeIPA dns, but
> ideally (or naively) I'd like a way to
> configure the freeIPA dns like: if you do not know foo.example.test,
> instead of returning NXDOMAIN, please forward the request to this
> other nameserver.

Okay, but DNS doesn't work in that way. Zone example.test. is authoritative, so it must contain the record or delegation or NXDOMAIN is returned. You cannot have multiple authoritative copies of one zone with different data.

The best solution would be to have only internal.example.test. zone managed by IPA, and add delegation to this zone into example.test.

Martin

>
> On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti wrote:
>
> On 08/07/15 14:26, Karl Forner wrote:
>> Hello,
>>
>> When using my freeIPA DNS name server for my domain example.test,
>> I need to exclude some names from the server (to be forwarded to
>> the DNS forwarder for instance.
>>
>> For example, I'd like foo.example.test not to be resolved, but
>> forwarded.
>> How could I implement this ?
>>
>> Thanks.
>> Karl Forner
>>
>>
> Hello,
>
> If you plan to forward whole subzone, you can use forward zones in
> IPA.
>
> example.test -- master zone
> foo.example.test -- forward zones
>
> which version of IPA do you have?
> If IPA > 4.0, then you can use ipa dnsforwardzone-add command.
> Otherwise dnszone-add with --forwarder option
>
> Do not forget to add proper NS delegation for all sub zones from
> parent zone.
> For example: ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test.
>
> --
> Martin Basti
>
>

--
Martin Basti

From pspacek at redhat.com Wed Jul 8 14:25:36 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 08 Jul 2015 16:25:36 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To:
References: <20150708123231.GE3502@redhat.com>
Message-ID: <559D32E0.6060405@redhat.com>

On 8.7.2015 15:07, Karl Forner wrote:
> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora wrote:
>
>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>
>>> When using my freeIPA DNS name server for my domain example.test, I need to
>>> exclude some names from the server (to be forwarded to the DNS forwarder
>>> for instance.
>>>
>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>> How could I implement this ?
>>
>> That would mean you have two different nameservers authoritative for
>> the same DNS domain. That is generally not recommended setup.
>>
>
> Yes, that's what I read, but I do not know how to easily do differently.
> But in the end, what I'd like for my users, is to have foo.example.test
> resolved from the outside to my external server IP, and from the inside to
> the internal server IP.

Such setup is generally not recommended because it is usually pain when it comes to long-term operation and maintenance.

http://www.freeipa.org/page/DNS#Caveats
http://www.freeipa.org/page/Deployment_Recommendations#DNS

Two main use-cases are:

a) Two or more different servers are using the same name and which server is used depends on client's network.

This is usually very cumbersome because DNS caching will play against you, especially when we introduce system-wide cache into Fedora 23.

It is also hard to manage and debug because you have to ask the same question from different networks etc. And it will be harder when you deploy DNSSEC to increase security...

The typical recommendation is to use a sub-domain for internal names, e.g. i.example.com for internal names and example.com for externally-resolvable names.

b) Second use-case: Attempt to optimize IP routing by using DNS tricks.

Yes, it is as bad idea as it sounds.

>> Can't you make foo.example.test a CNAME to foo.example.org or another
>> hostname, in domain with different authoritative DNS server?
>>
>
> Hmm yes that should work, thanks !

Please keep in mind that it only hides the problem under yet another layer of indirection.

Yes, it is always possible! We know it because it is written in The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point (6) but you should take point (3) into account, too :-)

--
Petr^2 Spacek

From karl.forner at gmail.com Wed Jul 8 14:28:32 2015
From: karl.forner at gmail.com (Karl Forner)
Date: Wed, 8 Jul 2015 16:28:32 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To: <559D32D0.40909@redhat.com>
References: <559D2EFC.8030101@redhat.com> <559D32D0.40909@redhat.com>
Message-ID:

Okay, but DNS doesn't work in that way. Zone example.test. is authoritative, so it must contain the record or delegation or NXDOMAIN is returned. You cannot have multiple authoritative copies of one zone with different data.
>
> The best solution would be to have only internal.example.test. zone
> managed by IPA, and add delegation to this zone into example.test.
>

Ok I understand. But in this setting, how would I implement the lookup so that internally, ipa.example.test would resolve to ipa.internal.example.test (internal IP), and externally to the external IP ?

thanks

>
> Martin
>
>
> On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti wrote:
>
>> On 08/07/15 14:26, Karl Forner wrote:
>>
>> Hello,
>>
>> When using my freeIPA DNS name server for my domain example.test, I need
>> to exclude some names from the server (to be forwarded to the DNS forwarder
>> for instance.
>>
>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>> How could I implement this ?
>>
>> Thanks.
>> Karl Forner
>>
>>
>> Hello,
>>
>> If you plan to forward whole subzone, you can use forward zones in IPA.
>>
>> example.test -- master zone
>> foo.example.test -- forward zones
>>
>> which version of IPA do you have?
>> If IPA > 4.0, then you can use ipa dnsforwardzone-add command.
>> Otherwise dnszone-add with --forwarder option
>>
>> Do not forget to add proper NS delegation for all sub zones from parent
>> zone.
>> For example: ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test.
>>
>> --
>> Martin Basti
>>
>>
>
>
> --
> Martin Basti
>

From karl.forner at gmail.com Wed Jul 8 14:32:33 2015
From: karl.forner at gmail.com (Karl Forner)
Date: Wed, 8 Jul 2015 16:32:33 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To: <559D32E0.6060405@redhat.com>
References: <20150708123231.GE3502@redhat.com> <559D32E0.6060405@redhat.com>
Message-ID:

Thanks Petr.

My use case is: we have scripts that connect to some services, let's say a docker registry.
I want these scripts to work either internally or externally, without changing the URLs.
What would the best or easiest setting to achieve this ?

On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek wrote:

> On 8.7.2015 15:07, Karl Forner wrote:
> > On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora wrote:
> >
> >> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>
> >>> When using my freeIPA DNS name server for my domain example.test, I need to
> >>> exclude some names from the server (to be forwarded to the DNS forwarder
> >>> for instance.
> >>>
> >>> For example, I'd like foo.example.test not to be resolved, but forwarded.
> >>> How could I implement this ?
> >>
> >> That would mean you have two different nameservers authoritative for
> >> the same DNS domain. That is generally not recommended setup.
> >>
> >
> > Yes, that's what I read, but I do not know how to easily do differently.
> > But in the end, what I'd like for my users, is to have foo.example.test
> > resolved from the outside to my external server IP, and from the inside to
> > the internal server IP.
>
> Such setup is generally not recommended because it is usually pain when it
> comes to long-term operation and maintenance.
>
> http://www.freeipa.org/page/DNS#Caveats
> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>
>
> Two main use-cases are:
>
> a) Two or more different servers are using the same name and which server is
> used depends on client's network.
>
> This is usually very cumbersome because DNS caching will play against you,
> especially when we introduce system-wide cache into Fedora 23.
>
> It is also hard to manage and debug because you have to ask the same question
> from different networks etc. And it will be harder when you deploy DNSSEC to
> increase security...
>
> The typical recommendation is to use a sub-domain for internal names, e.g.
> i.example.com for internal names and example.com for
> externally-resolvable names.
>
>
> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>
> Yes, it is as bad idea as it sounds.
>
>
> >> Can't you make foo.example.test a CNAME to foo.example.org or another
> >> hostname, in domain with different authoritative DNS server?
> >>
> >
> > Hmm yes that should work, thanks !
>
> Please keep in mind that it only hides the problem under yet another layer of
> indirection.
>
>
> Yes, it is always possible! We know it because it is written in
> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point
> (6) but you should take point (3) into account, too :-)
>
>
> --
> Petr^2 Spacek
>

From pspacek at redhat.com Wed Jul 8 14:50:33 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 08 Jul 2015 16:50:33 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To:
References: <20150708123231.GE3502@redhat.com> <559D32E0.6060405@redhat.com>
Message-ID: <559D38B9.50705@redhat.com>

On 8.7.2015 16:32, Karl Forner wrote:
> Thanks Petr.
>
> My use case is: we have scripts that connect to some services, let's say a
> docker registry.
> I want these scripts to work either internally or externally, without
> changing the URLs.
> What would the best or easiest setting to achieve this ?

Personally I use config file for this. I.e. the script is the same and URLs, names, passwords, etc. are read from config file stored alongside the script.

This allows me to test it easily without any changes in DNS or system-wide configuration like /etc/hosts.

Yes, it requires more code, but in long-term it is way more debug-able than DNS tricks.

Petr^2 Spacek

> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek wrote:
>
>> On 8.7.2015 15:07, Karl Forner wrote:
>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora wrote:
>>>
>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>
>>>>> When using my freeIPA DNS name server for my domain example.test, I need to
>>>>> exclude some names from the server (to be forwarded to the DNS forwarder
>>>>> for instance.
>>>>>
>>>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>>>> How could I implement this ?
>>>>
>>>> That would mean you have two different nameservers authoritative for
>>>> the same DNS domain. That is generally not recommended setup.
>>>>
>>>
>>> Yes, that's what I read, but I do not know how to easily do differently.
>>> But in the end, what I'd like for my users, is to have foo.example.test
>>> resolved from the outside to my external server IP, and from the inside to
>>> the internal server IP.
>>
>> Such setup is generally not recommended because it is usually pain when it
>> comes to long-term operation and maintenance.
>>
>> http://www.freeipa.org/page/DNS#Caveats
>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>
>>
>> Two main use-cases are:
>>
>> a) Two or more different servers are using the same name and which server is
>> used depends on client's network.
>>
>> This is usually very cumbersome because DNS caching will play against you,
>> especially when we introduce system-wide cache into Fedora 23.
>>
>> It is also hard to manage and debug because you have to ask the same question
>> from different networks etc. And it will be harder when you deploy DNSSEC to
>> increase security...
>>
>> The typical recommendation is to use a sub-domain for internal names, e.g.
>> i.example.com for internal names and example.com for
>> externally-resolvable names.
>>
>>
>> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>>
>> Yes, it is as bad idea as it sounds.
>>
>>
>>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>>> hostname, in domain with different authoritative DNS server?
>>>>
>>>
>>> Hmm yes that should work, thanks !
>>
>> Please keep in mind that it only hides the problem under yet another layer of
>> indirection.
>>
>>
>> Yes, it is always possible! We know it because it is written in
>> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point
>> (6) but you should take point (3) into account, too :-)
>>
>>
>> --
>> Petr^2 Spacek

From orion at cora.nwra.com Wed Jul 8 17:31:27 2015
From: orion at cora.nwra.com (Orion Poplawski)
Date: Wed, 8 Jul 2015 11:31:27 -0600
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <556C723F.3080508@redhat.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com>
Message-ID: <559D5E6F.5010902@cora.nwra.com>

On 06/01/2015 08:54 AM, Rob Crittenden wrote:
> Orion Poplawski wrote:
>> On 05/28/2015 03:09 PM, Rob Crittenden wrote:
>>> Orion Poplawski wrote:
>>>> We did a CAless install:
>>>>
>>>> ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat
>>>> /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt
>>>> --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12
>>>> --http_pin=XXXX --idstart=8000
>>>>
>>>> But now when we try to setup a replica:
>>>>
>>>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>>> --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXX
>>>> Directory Manager (existing master) password:
>>>>
>>>> The full certificate chain is not present in nwra.com.p12
>>>>
>>>>
>>>> p12 file was created with:
>>>>
>>>> openssl pkcs12 -export -in /etc/pki/tls/certs/nwra.com.crt -inkey
>>>> /etc/pki/tls/private/nwra.com.key -certfile
>>>> /etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12
>>>>
>>>> ipa-server-4.1.0-18.sl7_1.3.x86_64
>>>>
>>>> Any thoughts?
>>>>
>>>
>>> At a glance your creation steps look ok. Strangely, the same code that loads
>>> the PKCS#12 files are used both in the server install and replica prepare, the
>>> only difference it seems is that with the server install we get a copy of the
>>> CA separately too.
>>>
>>> Can you provide the output of: pk12util -l nwra.com.p12
>>>
>>> Maybe we can work out what it thinks is missing.
>>>
>>> rob
>>
>> I think I need to redo our install with an updated (SHA-2?) certificate, but I
>> wouldn't think that would affect this issue either.
>
> I don't believe this is related to the signature.
>
> It looks like the right certs are there so I'm not sure what is going on. It
> may be that the built-ins aren't being found and this is needed because the
> AddTrust External Root isn't included, and it shouldn't need to be.
>
> What is really blowing my mind is the same function that loads the PKCS#12
> file is called both on install and replica prepare but only failing on the latter.
>
> Maybe Honza has some ideas.
>
> rob

Okay, getting back to this. Looks like this behavior was introduced later. I
installed with an earlier version of IPA. Now trying to reproduce the install
with 4.1 I get the same error on ipa-server-install.

Looks like the new behavior came in:

commit 88083887c994ab505d6e07151e5dd26b56bb7732
Author: Jan Cholasta
Date:   Wed Sep 24 16:41:47 2014 +0200

    CA-less installer options usability fixes

    The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
    been replaced by --*-cert-file options which accept multiple files.
    ipa-server-certinstall now accepts multiple files as well. The files are
    accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
    raw private key and PKCS#12 formats.

    The --root-ca-file option of ipa-server-install has been replaced by
    --ca-cert-file option which accepts multiple files. The files are accepted
    in PEM and DER certificate and PKCS#7 certificate chain formats.

    The --*_pin options of ipa-server-install and ipa-replica-prepare have been
    renamed to --*-pin.

    https://fedorahosted.org/freeipa/ticket/4489

    Reviewed-By: Petr Viktorin

And is here (I added the root_logger.debug lines to figure out what is going on):

        # Check we have the whole cert chain & the CA is in it
        root_logger.debug('get_trust_chain for %s' % (key_nickname))
        trust_chain = list(reversed(nssdb.get_trust_chain(key_nickname)))
        root_logger.debug('trust_chain = %s' % (':'.join(trust_chain)))
        ca_cert = None
        for nickname in trust_chain[1:]:
            cert = nssdb.get_cert(nickname)
            if ca_cert is None:
                ca_cert = cert

            nss_cert = x509.load_certificate(cert, x509.DER)
            subject = DN(str(nss_cert.subject))
            issuer = DN(str(nss_cert.issuer))
            root_logger.debug('nickname = %s, subject = %s, issuer = %s' %
                              (nickname, subject, issuer))
            del nss_cert

            if subject == issuer:
                break
        else:
            raise ScriptError(
                "The full certificate chain is not present in %s" %
                (", ".join(cert_files)))

So the issue for us is as follows:

We are issued a wildcard cert for *.nwra.com from namecheap.com/COMODO SSL.
They issue us a cert and a certificate chain file that provides two certs to
chain back to:

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

This cert is in Firefox's certdb (and presumably other browsers) and so works.
FWIW - I don't seem to find this cert (or any AddTrust cert) in the openssl ca
certs in /etc/pki.

I'm not sure I follow the new logic. In the past with ldap SSL trusts in 389
we've always simply installed the cert that signed the DS cert as a trusted CA
cert (via /etc/openldap/{,ca}certs). I don't understand why we're now insisting
on having the issuer of the last cert in the DB.

But I am able to work with it by extracting the 'AddTrust External CA Root'
cert from firefox and then:

# openssl pkcs12 -export -in STAR_nwra_com.crt -inkey nwra.com.key -certfile STAR_nwra_com.ca-bundle -out nwra.com.p12

(The ca-bundle is the one issued by namecheap with the two intermediate certs)

# ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=AddTrustExternalCARoot --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX --idstart=8000

But then when I go to make a replica:

# ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
Directory Manager (existing master) password:

(SEC_ERROR_LIBRARY_FAILURE) security library failure.

Which looks like others are experiencing (with no resolution that I could see)
https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html

Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com

From karl.forner at gmail.com Wed Jul 8 18:46:19 2015
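[Added example, not part of the archived messages and not FreeIPA code: a stand-alone Python model of the chain check quoted in the ipa-replica-prepare message above, which also reports which issuer the bundle stops at. The nicknames, intermediate CA names and the leaf subject are constructed; only the root DN comes from the message, and chain building is assumed to be plain issuer-to-subject name matching.]

```python
"""Model of the CA-less installer's "full chain present?" check.

Runs on constructed (nickname, subject, issuer) records, no NSS needed.
Assumption: chain building is modelled as plain issuer -> subject name
matching; real NSS chain building also verifies signatures and validity.
"""
from collections import namedtuple

Cert = namedtuple("Cert", "nickname subject issuer")


class ChainError(Exception):
    """The bundle does not lead from the server cert to a self-signed CA."""


def trust_chain(bundle, leaf_nickname):
    """Return the certs leaf-first, following issuer -> subject in bundle."""
    by_subject = {c.subject: c for c in bundle}
    cert = next((c for c in bundle if c.nickname == leaf_nickname), None)
    if cert is None:
        raise ChainError("no certificate with nickname %r" % leaf_nickname)
    chain, seen = [cert], {cert.subject}
    while cert.subject != cert.issuer:
        parent = by_subject.get(cert.issuer)
        if parent is None or parent.subject in seen:
            break  # issuer not shipped, or a cross-signing loop
        chain.append(parent)
        seen.add(parent.subject)
        cert = parent
    return chain


def missing_issuer(bundle, leaf_nickname):
    """Return None if the chain is complete, else the issuer DN it stops at."""
    chain = trust_chain(bundle, leaf_nickname)
    # Same rule as the quoted loop: skip the leaf, require subject == issuer.
    if any(c.subject == c.issuer for c in chain[1:]):
        return None
    return chain[-1].issuer


def check_full_chain(bundle, leaf_nickname, source="bundle"):
    """Return True, or raise ChainError naming the issuer the chain stops at."""
    issuer = missing_issuer(bundle, leaf_nickname)
    if issuer is not None:
        raise ChainError(
            "The full certificate chain is not present in %s: "
            "nothing self-signed above the server certificate, "
            "chain stops at issuer %r" % (source, issuer))
    return True


# Root DN as given in the message; everything else below is constructed.
ROOT_DN = ("CN=AddTrust External CA Root,OU=AddTrust External TTP Network,"
           "O=AddTrust AB,C=SE")
INT1_DN = "CN=Constructed Intermediate CA 1"
INT2_DN = "CN=Constructed Intermediate CA 2"

LEAF = Cert("Server-Cert", "CN=*.nwra.com", INT2_DN)
INT2 = Cert("intermediate-2", INT2_DN, INT1_DN)
INT1 = Cert("intermediate-1", INT1_DN, ROOT_DN)
ROOT = Cert("root", ROOT_DN, ROOT_DN)

CA_BUNDLE_ONLY = [LEAF, INT2, INT1]     # server cert + two intermediates
WITH_ROOT = [ROOT, INT1, LEAF, INT2]    # root added; order does not matter

if __name__ == "__main__":
    for name, bundle in (("ca-bundle only", CA_BUNDLE_ONLY),
                         ("with root", WITH_ROOT)):
        try:
            check_full_chain(bundle, "Server-Cert", name)
            print("%s: chain complete" % name)
        except ChainError as err:
            print("%s: %s" % (name, err))
```
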
From: karl.forner at gmail.com (Karl Forner)
Date: Wed, 8 Jul 2015 20:46:19 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To: <559D38B9.50705@redhat.com>
References: <20150708123231.GE3502@redhat.com> <559D32E0.6060405@redhat.com> <559D38B9.50705@redhat.com>
Message-ID:

I forgot my main use case:

I have name-based reverse proxies (SNI) for some web apps/services, that are
accessible both from the internal and external network.
They must be accessed with the exact same name/url, otherwise the dispatch
can not work.

Until now I manage this by manually editing all /etc/hosts on all internal
computers, but I had hoped to benefit from the freeIPA DNS a more elegant
solution.

On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek wrote:

> On 8.7.2015 16:32, Karl Forner wrote:
> > Thanks Petr.
> >
> > My use case is: we have scripts that connect to some services, let's say a
> > docker registry.
> > I want these scripts to work either internally or externally, without
> > changing the URLs.
> > What would be the best or easiest setting to achieve this ?
>
> Personally I use config file for this. I.e. the script is the same and URLs,
> names, passwords, etc. are read from config file stored alongside the script.
>
> This allows me to test it easily without any changes in DNS or system-wide
> configuration like /etc/hosts.
>
> Yes, it requires more code, but in long-term it is way more debug-able than
> DNS tricks.
>
> Petr^2 Spacek
>
> > On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek wrote:
> >
> >> On 8.7.2015 15:07, Karl Forner wrote:
> >>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora wrote:
> >>>
> >>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>>>
> >>>>> When using my freeIPA DNS name server for my domain example.test, I need to
> >>>>> exclude some names from the server( to be forwarded to the DNS forwarder
> >>>>> for instance.
> >>>>>
> >>>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
> >>>>> How could I implement this ?
> >>>>
> >>>> That would mean you have two different nameservers authoritative for
> >>>> the same DNS domain. That is generally not recommended setup.
> >>>>
> >>>
> >>> Yes, that's what I read, but I do not know how to easily do differently.
> >>> But in the end, what I'd like for my users, is to have foo.example.test
> >>> resolved from the outside to my external server IP, and from the inside to
> >>> the internal server IP.
> >>
> >> Such setup is generally not recommended because it is usually pain when it
> >> comes to long-term operation and maintenance.
> >>
> >> http://www.freeipa.org/page/DNS#Caveats
> >> http://www.freeipa.org/page/Deployment_Recommendations#DNS
> >>
> >>
> >> Two main use-cases are:
> >>
> >> a) Two or more different servers are using the same name and which server is
> >> used depends on client's network.
> >>
> >> This is usually very cumbersome because DNS caching will play against you,
> >> especially when we introduce system-wide cache into Fedora 23.
> >>
> >> It is also hard to manage and debug because you have to ask the same question
> >> from different networks etc. And it will be harder when you deploy DNSSEC to
> >> increase security...
> >>
> >> The typical recommendation is to use a sub-domain for internal names, e.g.
> >> i.example.com for internal names and example.com for
> >> externally-resolvable names.
> >>
> >>
> >> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
> >>
> >> Yes, it is as bad idea as it sounds.
> >>
> >>
> >>>> Can't you make foo.example.test a CNAME to foo.example.org or another
> >>>> hostname, in domain with different authoritative DNS server?
> >>>>
> >>>
> >>> Hmm yes that should work, thanks !
> >>
> >> Please keep in mind that it only hides the problem under yet another layer of
> >> indirection.
> >>
> >>
> >> Yes, it is always possible! We know it because it is written in
> >> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point
> >> (6) but you should take point (3) into account, too :-)
> >>
> >>
> >> --
> >> Petr^2 Spacek
>

From yamakasi.014 at gmail.com Wed Jul 8 21:04:34 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Wed, 8 Jul 2015 23:04:34 +0200
Subject: [Freeipa-users] Apache not starting because of cert password issue ?
Message-ID:

I'm facing a httpd server which won't start with ipa, so IPA fails to start.

As I'm really not able to find anything about it on the internet I
wonder if someone knows why it's logging this and how I can fix it.

[Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for slot internal is incorrect.
[Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect

Cheers,

Matt

From nsollars at gmail.com Thu Jul 9 01:17:48 2015
From: nsollars at gmail.com (Nigel Sollars)
Date: Wed, 8 Jul 2015 21:17:48 -0400
Subject: [Freeipa-users] Apache not starting because of cert password issue ?
In-Reply-To:
References:
Message-ID:

Looks similar to a TLS/SSL issue in this thread,

http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/

Hope this helps,

Regards

On Wed, Jul 8, 2015 at 5:04 PM, Matt . wrote:

> I'm facing a httpd server which won't start with ipa, so IPA fails to
> start.
>
> As I'm really not able to find anything about it on the internet I
> wonder if someone knows why it's logging this and how I can fix it.
>
> [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for
> slot internal is incorrect.
> [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS
> initialization failed. Certificate database: /etc/httpd/alias.
> [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library
> Error: -8177 The security password entered is incorrect
>
> Cheers,
>
> Matt
>

--
"Science is a differential equation. Religion is a boundary condition."

Alan Turing

From yamakasi.014 at gmail.com Thu Jul 9 01:19:17 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 9 Jul 2015 03:19:17 +0200
Subject: [Freeipa-users] Apache not starting because of cert password issue ?
In-Reply-To:
References:
Message-ID:

Hi I found that but it didn't fix it, thanks btw.

Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems
that the maintainer empties the repo after every release... so older
versions are not there anymore.

2015-07-09 3:17 GMT+02:00 Nigel Sollars:
> Looks similar to a TLS/SSL issue in this thread,
>
> http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
>
> Hope this helps,
>
> Regards
>
> On Wed, Jul 8, 2015 at 5:04 PM, Matt . wrote:
>>
>> I'm facing a httpd server which won't start with ipa, so IPA fails to
>> start.
>>
>> As I'm really not able to find anything about it on the internet I
>> wonder if someone knows why it's logging this and how I can fix it.
>>
>> [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for
>> slot internal is incorrect.
>> [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS
>> initialization failed. Certificate database: /etc/httpd/alias.
>> [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library
>> Error: -8177 The security password entered is incorrect
>>
>> Cheers,
>>
>> Matt
>
> --
> "Science is a differential equation. Religion is a boundary condition."
>
> Alan Turing

From yamakasi.014 at gmail.com Thu Jul 9 01:25:37 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 9 Jul 2015 03:25:37 +0200
Subject: [Freeipa-users] Apache not starting because of cert password issue ?
In-Reply-To:
References:
Message-ID:

Hi,

No I'm testing some recovering strategies for the docs, so I need to
have that checked.

I have emailed Martin Kosek if he can enable the older repos again,
would be great!

Thanks,

Matt

2015-07-09 3:23 GMT+02:00 Nigel Sollars:
> Would it not be wise to keep with current?
>
> There does seem to be a lot of threads with issues regarding older versions.
> That being said there is a thread also with regards to LDAP which could be
> related also.
>
> Regards
>
> On Wed, Jul 8, 2015 at 9:19 PM, Matt . wrote:
>>
>> Hi I found that but it didn't fix it, thanks btw.
>>
>> Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems
>> that the maintainer empties the repo after every release... so older
>> versions are not there anymore.
>>
>> 2015-07-09 3:17 GMT+02:00 Nigel Sollars:
>> > Looks similar to a TLS/SSL issue in this thread,
>> >
>> > http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
>> >
>> > Hope this helps,
>> >
>> > Regards
>> >
>> > On Wed, Jul 8, 2015 at 5:04 PM, Matt . wrote:
>> >>
>> >> I'm facing a httpd server which won't start with ipa, so IPA fails to
>> >> start.
>> >>
>> >> As I'm really not able to find anything about it on the internet I
>> >> wonder if someone knows why it's logging this and how I can fix it.
>> >>
>> >> [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for
>> >> slot internal is incorrect.
>> >> [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS
>> >> initialization failed. Certificate database: /etc/httpd/alias.
>> >> [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library
>> >> Error: -8177 The security password entered is incorrect
>> >>
>> >> Cheers,
>> >>
>> >> Matt
>> >
>> > --
>> > "Science is a differential equation. Religion is a boundary condition."
>> >
>> > Alan Turing
>
> --
> "Science is a differential equation. Religion is a boundary condition."
>
> Alan Turing

From nsollars at gmail.com Thu Jul 9 01:27:37 2015
From: nsollars at gmail.com (Nigel Sollars)
Date: Wed, 8 Jul 2015 21:27:37 -0400
Subject: [Freeipa-users] Apache not starting because of cert password issue ?
In-Reply-To:
References:
Message-ID:

Fair enough :)

On Wed, Jul 8, 2015 at 9:25 PM, Matt . wrote:

> Hi,
>
> No I'm testing some recovering strategies for the docs, so I need to
> have that checked.
>
> I have emailed Martin Kosek if he can enable the older repos again,
> would be great!
>
> Thanks,
>
> Matt
>
> 2015-07-09 3:23 GMT+02:00 Nigel Sollars:
> > Would it not be wise to keep with current?
> >
> > There does seem to be a lot of threads with issues regarding older versions.
> > That being said there is a thread also with regards to LDAP which could be
> > related also.
> >
> > Regards
> >
> > On Wed, Jul 8, 2015 at 9:19 PM, Matt . wrote:
> >>
> >> Hi I found that but it didn't fix it, thanks btw.
> >>
> >> Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems
> >> that the maintainer empties the repo after every release... so older
> >> versions are not there anymore.
> >>
> >> 2015-07-09 3:17 GMT+02:00 Nigel Sollars:
> >> > Looks similar to a TLS/SSL issue in this thread,
> >> >
> >> > http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
> >> >
> >> > Hope this helps,
> >> >
> >> > Regards
> >> >
> >> > On Wed, Jul 8, 2015 at 5:04 PM, Matt . wrote:
> >> >>
> >> >> I'm facing a httpd server which won't start with ipa, so IPA fails to
> >> >> start.
> >> >>
> >> >> As I'm really not able to find anything about it on the internet I
> >> >> wonder if someone knows why it's logging this and how I can fix it.
> >> >>
> >> >> [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for
> >> >> slot internal is incorrect.
> >> >> [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS
> >> >> initialization failed. Certificate database: /etc/httpd/alias.
> >> >> [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library
> >> >> Error: -8177 The security password entered is incorrect
> >> >>
> >> >> Cheers,
> >> >>
> >> >> Matt
> >> >
> >> > --
> >> > "Science is a differential equation. Religion is a boundary condition."
> >> >
> >> > Alan Turing
> >
> > --
> > "Science is a differential equation. Religion is a boundary condition."
> >
> > Alan Turing
>

--
"Science is a differential equation. Religion is a boundary condition."

Alan Turing

From yamakasi.014 at gmail.com Thu Jul 9 02:05:53 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 9 Jul 2015 04:05:53 +0200
Subject: [Freeipa-users] Apache not starting because of cert password issue ?
In-Reply-To:
References:
Message-ID:

I now get:

[Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615] Certificate not found: 'Server-Cert'

So, it's no good at all :)

2015-07-09 3:27 GMT+02:00 Nigel Sollars:
> Fair enough :)
>
> On Wed, Jul 8, 2015 at 9:25 PM, Matt . wrote:
>>
>> Hi,
>>
>> No I'm testing some recovering strategies for the docs, so I need to
>> have that checked.
>>
>> I have emailed Martin Kosek if he can enable the older repos again,
>> would be great!
>>
>> Thanks,
>>
>> Matt
>>
>> 2015-07-09 3:23 GMT+02:00 Nigel Sollars:
>> > Would it not be wise to keep with current?
>> >
>> > There does seem to be a lot of threads with issues regarding older
>> > versions.
>> > That being said there is a thread also with regards to LDAP which could
>> > be related also.
>> >
>> > Regards
>> >
>> > On Wed, Jul 8, 2015 at 9:19 PM, Matt . wrote:
>> >>
>> >> Hi I found that but it didn't fix it, thanks btw.
>> >>
>> >> Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems
>> >> that the maintainer empties the repo after every release... so older
>> >> versions are not there anymore.
>> >>
>> >> 2015-07-09 3:17 GMT+02:00 Nigel Sollars:
>> >> > Looks similar to a TLS/SSL issue in this thread,
>> >> >
>> >> > http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
>> >> >
>> >> > Hope this helps,
>> >> >
>> >> > Regards
>> >> >
>> >> > On Wed, Jul 8, 2015 at 5:04 PM, Matt . wrote:
>> >> >>
>> >> >> I'm facing a httpd server which won't start with ipa, so IPA fails
>> >> >> to start.
>> >> >>
>> >> >> As I'm really not able to find anything about it on the internet I
>> >> >> wonder if someone knows why it's logging this and how I can fix it.
>> >> >>
>> >> >> [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for
>> >> >> slot internal is incorrect.
>> >> >> [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS
>> >> >> initialization failed. Certificate database: /etc/httpd/alias.
>> >> >> [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library
>> >> >> Error: -8177 The security password entered is incorrect
>> >> >>
>> >> >> Cheers,
>> >> >>
>> >> >> Matt
>> >> >
>> >> > --
>> >> > "Science is a differential equation. Religion is a boundary
>> >> > condition."
>> >> >
>> >> > Alan Turing
>> >
>> > --
>> > "Science is a differential equation. Religion is a boundary condition."
>> >
>> > Alan Turing
>
> --
> "Science is a differential equation. Religion is a boundary condition."
>
> Alan Turing

From rug at usm.lmu.de Thu Jul 9 09:09:55 2015
From: rug at usm.lmu.de (Rudolf Gabler)
Date: Thu, 9 Jul 2015 11:09:55 +0200
Subject: [Freeipa-users] sendmail.schema
Message-ID: <93C4017D-D6AF-40C7-B4C7-FD89D2349D1D@usm.lmu.de>

Hi,

we are dealing with a huge number of mail aliases which are not purely user
aliases but distribution-lists, actions on distribution-list and so on
(mailman). There was a former sendmail.schema in fedora-ds (we are using fds 21
at the moment), which is gone (at least I didn't find it). Is there now a
different approach for freeipa to deal with this problem?

Regards,
Rudi Gabler

From canepa.n at mmfg.it Thu Jul 9 09:33:23 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Thu, 09 Jul 2015 11:33:23 +0200
Subject: [Freeipa-users] Migrating from custom auth system
Message-ID: <559E3FE3.7030000@mmfg.it>

Hello.
I was trying Freeipa as an addition and (maybe) future replacement for
the current SSO solution (custom and only for web apps).
I was able to authenticate (via pam_exec) LDAP users on the legacy system.
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
users not created by IPA.
I enabled migration mode in Freeipa, so that authenticated users should
get Kerberos hash created upon first login, but I don't know how to make
users login without creating them in advance.
Is there a (suggested) way to let users authenticate via Kerberos and
create users authenticated by PAM upon first login?
My workaround is to create user in the pam_exec-uted script, but I don't
think this is a clean way of doing it, and I have to use LDAP as first
login method.

Thank you in advance for any link, suggestion or solution.

Nicola

From chamambom at afri-com.net Thu Jul 9 10:21:59 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Thu, 9 Jul 2015 10:21:59 +0000
Subject: [Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686
Message-ID:

I have the following configuration below and I'm able to login via SSH into a 32 bit server. With the same username I'm able to login on other servers

[root at alvin ~]# cat /etc/sssd/sssd.conf
[domain/xx.co.zw]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xx.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = alvin.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, xxxx.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xx.co.zw

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[root at alvin ~]#

From giorgio at di.unimi.it Thu Jul 9 10:36:53 2015
From: giorgio at di.unimi.it (Giorgio Biacchi)
Date: Thu, 09 Jul 2015 12:36:53 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <20150629131157.GC4748@p.redhat.com>
References: <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com> <558D62DD.8020702@di.unimi.it> <20150626180622.GU12661@p.redhat.com> <5590FBF4.7000104@di.unimi.it> <20150629083008.GA4748@p.redhat.com> <55910EB0.90406@di.unimi.it> <20150629131157.GC4748@p.redhat.com>
Message-ID: <559E4EC5.2030901@di.unimi.it>

On 06/29/2015 03:11 PM, Sumit Bose wrote:
> On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
>> On 06/29/2015 10:30 AM, Sumit Bose wrote:
>>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
>>>> On 06/26/2015 08:06 PM, Sumit Bose wrote:
>>>>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
>>>>>>
>>>>>>
>>>>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>>>>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>>>>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>>>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>>>>>>>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>>>>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux
>>>>>>>>>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local).
>>>>>>>>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
>>>>>>>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
>>>>>>>>>>>>>>>> UPN (example: john.doe at otherdomain.com).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>>>>>>>>>>>>>> Manual configuration of krb5 and/or sssd?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Have you tried to login to an IPA client or the server? Please try with
>>>>>>>>>>>>>>> an IPA server first. If this does not work it would be nice if you can
>>>>>>>>>>>>>>> send the SSSD log files from the IPA server which are generated during
>>>>>>>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
>>>>>>>>>>>>>>> cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Using UPN suffixes were added to the AD provider some time ago and the
>>>>>>>>>>>>>>> code is available in the IPA provider as well, but I guess no one has
>>>>>>>>>>>>>>> actually tried this before.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> bye,
>>>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere..
>>>>>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>>>>>>>>>>>>>> I can only access the server via ssh so I've attached the logs for a successful
>>>>>>>>>>>>>> login for account1 at mydomain.local and an unsuccessful login for
>>>>>>>>>>>>>> account2 at otherdomain.com done via ssh.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Bye and thanks for your help
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the
>>>>>>>>>>>>> trusted AD domain) but only sent to the IPA domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix
>>>>>>>>>>>>> this? If yes, which version of SSSD are you currently using? Then I can
>>>>>>>>>>>>> prepare a test build with the patch on top of this version.
>>>>>>>>>>>>>
>>>>>>>>>>>>> bye,
>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
>>>>>>>>>>>> any test.
>>>>>>>>>>>>
>>>>>>>>>>>> Here's the packages version for sssd:
>>>>>>>>>>>>
>>>>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>
>>>>>>>>>>> Please try the packages at
>>>>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>>>>>>>>>
>>>>>>>>>>> bye,
>>>>>>>>>>> Sumit
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I've installed the new RPMs, now if I run on the server:
>>>>>>>>>>
>>>>>>>>>> id account1 at mydomain.local
>>>>>>>>>> id account2 at otherdomain.com
>>>>>>>>>> id account2 at sub.otherdomain.com
>>>>>>>>>>
>>>>>>>>>> all the users are found but I'm still unable to log in via ssh with the accounts
>>>>>>>>>> @otherdomain.com and @sub.otherdomain.com.
>>>>>>>>>>
>>>>>>>>>> In attachment the logs for unsuccessful login for user account2 at otherdomain.com.
>>>>>>>>>
>>>>>>>>> Bother, I forgot to add the fix to the pam responder as well, please try
>>>>>>>>> new packages from
>>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
>>>>>>>>>
>>>>>>>>> bye,
>>>>>>>>> Sumit
>>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I've updated all the packages but still no login.
>>>>>>>>
>>>>>>>> Logs follow.
>>>>>>>
>>>>>>> I found another issue in the logs which should be fixed by the build
>>>>>>> from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .
>>>>>>>
>>>>>>> Please send the sssd_pam log file as well it might contain more details
>>>>>>> about what goes wrong during authentication.
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> packages update, sssd and kerberos services restarted, cache flushed but still
>>>>>> no login on the IPA server.
>>>>>>
>>>>>> As before, logs attached. I've also included the logs generated by the restart
>>>>>> of sssd service because there were no logs in sssd_pam.log when trying to
>>>>>> authenticate.
>>>>>>
>>>>>> Debug level is set to 6 in the sections:
>>>>>>
>>>>>> [domain/ipa.mydomain.local]
>>>>>> [sssd]
>>>>>> [nss]
>>>>>> [pam]
>>>>>>
>>>>>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to
>>>>>> increase it.
>>>>>>
>>>>>
>>>>> so far it is sufficient. I have another build for you to try at
>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343
>>>>>
>>>>> Thank you for your patience.
>>>>
>>>> Thanks for your help!!
>>>>
>>>> Still no successful login.. Logs attached
>>>
>>> Please increase the debug level at least for the domain log to 9 and
>>> attach the krb5_child log as well.
>>>
>>
>> Debug level increased and logs attached..
>>
>> I'm sending this email again because I forgot to reply to the list...
>
> Unfortunately the IPA KDC cannot redirect the Kerberos request to the
> AD realm because of https://fedorahosted.org/freeipa/ticket/3559. I'll
> try to figure out if this can be bypassed by tuning sssd.conf and
> krb5.conf. Please allow 2 days for setting up a suitable environment and
> testing different configurations.

Hi,
I saw new activity on https://fedorahosted.org/freeipa/ticket/3559 but I also
saw that we're far away from 4.2.1 milestone.

The deploy of freeIPA is a core part for the switch of a traditional dual boot
pc lab into a VDI based on RHEV that we planned for September.

I don't want to put rush on this, but I need to understand if it can be done or
not to choose how to proceed.

Is there any chance to have something working (patched version/alpha version) in
our scenario with those extra UPNs in time to allow us to do the switch?

If not we have to postpone the deployment during Christmas holidays.

Thanks for your kind attention
--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

From sbose at redhat.com Thu Jul 9 10:49:07 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 9 Jul 2015 12:49:07 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <559E4EC5.2030901@di.unimi.it>
References: <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com> <558D62DD.8020702@di.unimi.it> <20150626180622.GU12661@p.redhat.com> <5590FBF4.7000104@di.unimi.it> <20150629083008.GA4748@p.redhat.com> <55910EB0.90406@di.unimi.it> <20150629131157.GC4748@p.redhat.com> <559E4EC5.2030901@di.unimi.it>
Message-ID: <20150709104907.GW22480@p.redhat.com>

On Thu, Jul 09, 2015 at 12:36:53PM +0200, Giorgio Biacchi wrote:
> On 06/29/2015 03:11 PM, Sumit Bose wrote:
> > On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
> >> On 06/29/2015 10:30 AM, Sumit Bose wrote:
> >>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
> >>>> On 06/26/2015 08:06 PM, Sumit Bose wrote:
> >>>>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
> >>>>>>
> >>>>>>
> >>>>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
> >>>>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
> >>>>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
> >>>>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> >>>>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> >>>>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> >>>>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> >>>>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >>>>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>>>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >>>>>>>>>>>>>>>> Hi everybody,
> >>>>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
> >>>>>>>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> >>>>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux
> >>>>>>>>>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local).
> >>>>>>>>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
> >>>>>>>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
> >>>>>>>>>>>>>>>> UPN (example: john.doe at otherdomain.com).
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> >>>>>>>>>>>>>>>> Manual configuration of krb5 and/or sssd?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Have you tried to login to an IPA client or the server? Please try with
> >>>>>>>>>>>>>>> an IPA server first. If this does not work it would be nice if you can
> >>>>>>>>>>>>>>> send the SSSD log files from the IPA server which are generated during
> >>>>>>>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
> >>>>>>>>>>>>>>> cached entries so that the logs will contain all needed calls to AD.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Using UPN suffixes were added to the AD provider some time ago and the
> >>>>>>>>>>>>>>> code is available in the IPA provider as well, but I guess no one has
> >>>>>>>>>>>>>>> actually tried this before.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> bye,
> >>>>>>>>>>>>>>> Sumit
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere..
> >>>>>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >>>>>>>>>>>>>> I can only access the server via ssh so I've attached the logs for a successful
> >>>>>>>>>>>>>> login for account1 at mydomain.local and an unsuccessful login for
> >>>>>>>>>>>>>> account2 at otherdomain.com done via ssh.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Bye and thanks for your help
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the
> >>>>>>>>>>>>> trusted AD domain) but only sent to the IPA domain.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix
> >>>>>>>>>>>>> this? If yes, which version of SSSD are you currently using? Then I can
> >>>>>>>>>>>>> prepare a test build with the patch on top of this version.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> bye,
> >>>>>>>>>>>>> Sumit
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hi,
> >>>>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
> >>>>>>>>>>>> any test.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Here's the packages version for sssd:
> >>>>>>>>>>>>
> >>>>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> >>>>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>>>
> >>>>>>>>>>> Please try the packages at
> >>>>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
> >>>>>>>>>>>
> >>>>>>>>>>> bye,
> >>>>>>>>>>> Sumit
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>> I've installed the new RPMs, now if I run on the server:
> >>>>>>>>>>
> >>>>>>>>>> id account1 at mydomain.local
> >>>>>>>>>> id account2 at otherdomain.com
> >>>>>>>>>> id account2 at sub.otherdomain.com
> >>>>>>>>>>
> >>>>>>>>>> all the users are found but I'm still unable to log in via ssh with the accounts
> >>>>>>>>>> @otherdomain.com and @sub.otherdomain.com.
> >>>>>>>>>>
> >>>>>>>>>> In attachment the logs for unsuccessful login for user account2 at otherdomain.com.
> >>>>>>>>>
> >>>>>>>>> Bother, I forgot to add the fix to the pam responder as well, please try
> >>>>>>>>> new packages from
> >>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
> >>>>>>>>>
> >>>>>>>>> bye,
> >>>>>>>>> Sumit
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>> I've updated all the packages but still no login.
> >>>>>>>>
> >>>>>>>> Logs follow.
> >>>>>>>
> >>>>>>> I found another issue in the logs which should be fixed by the build
> >>>>>>> from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .
> >>>>>>>
> >>>>>>> Please send the sssd_pam log file as well it might contain more details
> >>>>>>> about what goes wrong during authentication.
> >>>>>>>
> >>>>>>> bye,
> >>>>>>> Sumit
> >>>>>>>
> >>>>>>
> >>>>>> Hi,
> >>>>>> packages update, sssd and kerberos services restarted, cache flushed but still
> >>>>>> no login on the IPA server.
> >>>>>>
> >>>>>> As before, logs attached. I've also included the logs generated by the restart
> >>>>>> of sssd service because there were no logs in sssd_pam.log when trying to
> >>>>>> authenticate.
> >>>>>>
> >>>>>> Debug level is set to 6 in the sections:
> >>>>>>
> >>>>>> [domain/ipa.mydomain.local]
> >>>>>> [sssd]
> >>>>>> [nss]
> >>>>>> [pam]
> >>>>>>
> >>>>>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to
> >>>>>> increase it.
> >>>>>>
> >>>>>
> >>>>> so far it is sufficient. I have another build for you to try at
> >>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343
> >>>>>
> >>>>> Thank you for your patience.
> >>>>
> >>>> Thanks for your help!!
> >>>>
> >>>> Still no successful login.. Logs attached
> >>>
> >>> Please increase the debug level at least for the domain log to 9 and
> >>> attach the krb5_child log as well.
> >>>
> >>
> >> Debug level increased and logs attached..
> >>
> >> I'm sending this email again because I forgot to reply to the list...
> >
> > Unfortunately the IPA KDC cannot redirect the Kerberos request to the
> > AD realm because of https://fedorahosted.org/freeipa/ticket/3559. I'll
> > try to figure out if this can be bypassed by tuning sssd.conf and
> > krb5.conf. Please allow 2 days for setting up a suitable environment and
> > testing different configurations.
>
> Hi,
> I saw new activity on https://fedorahosted.org/freeipa/ticket/3559 but I also
> saw that we're far away from 4.2.1 milestone.
>
> The deploy of freeIPA is a core part for the switch of a traditional dual boot
> pc lab into a VDI based on RHEV that we planned for September. I don't want to
> put rush on this, but I need to understand if it can be done or not to choose
> how to proceed. Is there any chance to have something working (patched
> version/alpha version) in our scenario with those extra UPNs in time to allow us
> to do the switch? If not we have to postpone the deployment during Christmas
> holidays.

Sorry for the delay. So far I didn't find a reliable way to make it work
with the existing code. So it looks like fixing #3559 is needed. I will
have a closer look next week to see what is missing for #3559 and what
effort it would be to solve it.

bye,
Sumit

>
> Thanks for your kind attention
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

From jpazdziora at redhat.com Thu Jul 9 11:05:34 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 9 Jul 2015 13:05:34 +0200
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <559E3FE3.7030000@mmfg.it>
References: <559E3FE3.7030000@mmfg.it>
Message-ID: <20150709110534.GK3502@redhat.com>

On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
> Hello.
> I was trying Freeipa as an addition and (maybe) future replacement for the
> current SSO solution (custom and only for web apps).
> I was able to authenticate (via pam_exec) LDAP users on the legacy system.
> My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
> users not created by IPA.
>
> I enabled migration mode in Freeipa, so that authenticated users should get
> Kerberos hash created upon first login, but I don't know how to make users
> login without creating them in advance.
>
> Is there a (suggested) way to let users authenticate via Kerberos and create
> users authenticated by PAM upon first login?

Create user where -- in the Web application or in FreeIPA?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From matthew.joseph at lmco.com Thu Jul 9 11:25:20 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Thu, 9 Jul 2015 11:25:20 +0000
Subject: [Freeipa-users] Multiple CA certificates
Message-ID: <9621CE4454B9514B9E709C1719B2B943093E50E7@HCXDSPM1.ca.lmco.com>

Hello,

We are currently in the process of replacing our IdM 3.x server with 4.x.
There are going to be some major directory changes during the upgrade so I
need to keep both the old and new IdM servers up and running separately.

Part of our configuration is using the password sync between IdM and Active
Directory. I can't find any information on this so I figured I'd ask you
guys to see if anyone has done this before.

Can I have two CA certificates from 2 IdM servers installed on the Active
Directory server? And will this cause any issues with our password sync?

Thanks,

Matt

From canepa.n at mmfg.it Thu Jul 9 11:41:36 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Thu, 09 Jul 2015 13:41:36 +0200
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <20150709110534.GK3502@redhat.com>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com>
Message-ID: <559E5DF0.8000503@mmfg.it>

I don't understand the question: aren't users created by IPA command
line the same as if they are created via the web GUI?

Nicola

On 09/07/15 13:05, Jan Pazdziora wrote:
> On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
>> Hello.
>> I was trying Freeipa as an addition and (maybe) future replacement for the
>> current SSO solution (custom and only for web apps).
>> I was able to authenticate (via pam_exec) LDAP users on the legacy system.
>> My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
>> users not created by IPA.
>>
>> I enabled migration mode in Freeipa, so that authenticated users should get
>> Kerberos hash created upon first login, but I don't know how to make users
>> login without creating them in advance.
>>
>> Is there a (suggested) way to let users authenticate via Kerberos and create
>> users authenticated by PAM upon first login?
> Create user where -- in the Web application or in FreeIPA?
>

--
Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it
---
The content of the above communication is strictly confidential and
reserved solely for the referred addressees. In the event of receipt
by persons different from the addressee, copying, alteration and
distribution are forbidden. If received by mistake we ask you to
inform us and to destroy and/or delete from your computer without
using the data herein contained. The present message (eventual
annexes inclusive) shall not be considered a contractual proposal
and/or acceptance of offer from the addressee, nor waiver
recognizance of rights, debts and/or credits, nor shall it be binding
when not executed as a subsequent agreement by persons who could
lawfully represent us. No pre-contractual liability shall apply to us
when the present communication is not followed by any binding
agreement between the parties.

From aellert at numeezy.com Thu Jul 9 11:45:03 2015
From: aellert at numeezy.com (Alexandre Ellert)
Date: Thu, 9 Jul 2015 13:45:03 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com>
Message-ID:

2015-06-29 19:37 GMT+02:00 Alexandre Ellert :
> Hello,
>
> I have a problem on a replica server running Centos 7.1 and ipa 4.1.0-18.el7.centos.3.x86_64 (last version)
> Ipa server doesn't restart correctly (using systemctl restart ipa or reboot the whole server) :
> # ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> ipa: INFO: The ipactl command was successful
>
> and I have to force the start process :
> # ipactl start -f
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
>
>
> Failed to start pki-tomcatd Service
> Forced start, ignoring pki-tomcatd Service, continuing normal operation
> Starting ipa-otpd Service
> ipa: INFO: The ipactl command was successful
>
> But, as you see the pki-tomcatd is unable to start.
> I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and found this error :
> Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path [/ca] threw exception
> java.io.IOException: CS server is not ready to serve.
>     at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>     at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>
> I don't know how to fix that error and also don't know if it is the root cause.
> Thanks for your help and please tell me if you need more information.
>
> Alexandre

I spend a lot of time trying to understand why this issue occurred but I'm
still confused..
Can someone help plz ?

Thank you

From Andy.Thompson at e-tcc.com Thu Jul 9 11:57:21 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 9 Jul 2015 11:57:21 +0000
Subject: [Freeipa-users] nsslapd-maxbersize and cachememsize
In-Reply-To:
References: <559AC335.3070801@redhat.com>
Message-ID: <6861c48952524746aea9d50a7382acf6@TCCCORPEXCH02.TCC.local>

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Andy Thompson
> Sent: Monday, July 6, 2015 2:28 PM
> To: Rich Megginson; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] nsslapd-maxbersize and cachememsize
>
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Rich Megginson
> > Sent: Monday, July 6, 2015 2:05 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] nsslapd-maxbersize and cachememsize
> >
> > On 07/06/2015 11:49 AM, Andy Thompson wrote:
> > > I've got a couple warnings in different IPA installs that I'm not
> > > sure how to
> > find what values I should increase each config setting to.
> > >
> > > In one install I'm seeing the following
> > >
> > > [03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming
> > > BER
> > Element was too long, max allowable is 209715200 bytes. Change the
> > nsslapd-maxbersize attribute in cn=config to increase.
> > >
> > >

This ended up being a security scanner on the network causing the problem and nothing related to system functionality in any way.

> > > Second installation I'm seeing this on startup
> > >
> > > WARNING: changelog: entry cache size 858992B is less than db size
> > 2293760B; We recommend to increase the entry cache size nsslapd-
> > cachememsize.
> > >
> > >
> > > How can I determine what to increase each config setting to?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html-single/Configuration_and_Command-Line_Tool_Reference/index.html#cnconfig-nsslapd_maxbersize_Maximum_Message_Size

-andy

From abokovoy at redhat.com Thu Jul 9 12:08:40 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Jul 2015 15:08:40 +0300
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <559E5DF0.8000503@mmfg.it>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com> <559E5DF0.8000503@mmfg.it>
Message-ID: <20150709120840.GZ21928@redhat.com>

Nicola,

perhaps it would help if you explain what you meant by saying below
>>>My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
>>>users not created by IPA.

When you enabled migration mode and actually migrated users with 'ipa
migrate-ds' command, you will have those users in IPA and they will be
able to authenticate via LDAP with their old passwords.

If your server (where your web app would be running) is enrolled into
IPA, then it would be already running SSSD and set up for using it via
pam_sss. Then configuring your web app to authenticate via PAM stack
(for example, like we explain on
http://www.freeipa.org/page/Web_App_Authentication)
takes care of properly logging in and updating passwords.

SSSD knows about migration mode and has support for it.

On Thu, 09 Jul 2015, Nicola Canepa wrote:
>I don't understand the question: aren't users created by IPA command
>line the same as if they are created via the web GUI?
>
>Nicola
>
>On 09/07/15 13:05, Jan Pazdziora wrote:
>>On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
>>>Hello.
>>>I was trying Freeipa as an addition and (maybe) future replacement for the
>>>current SSO solution (custom and only for web apps).
>>>I was able to authenticate (via pam_exec) LDAP users on the legacy system.
>>>My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
>>>users not created by IPA.
>>>
>>>I enabled migration mode in Freeipa, so that authenticated users should get
>>>Kerberos hash created upon first login, but I don't know how to make users
>>>login without creating them in advance.
>>>
>>>Is there a (suggested) way to let users authenticate via Kerberos and create
>>>users authenticated by PAM upon first login?
>>Create user where -- in the Web application or in FreeIPA?
>>
>
>--
>
>Nicola Canepa
>Tel: +39-0522-399-3474
>canepa.n at mmfg.it

--
/ Alexander Bokovoy

From canepa.n at mmfg.it Thu Jul 9 12:15:21 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Thu, 09 Jul 2015 14:15:21 +0200
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <20150709120840.GZ21928@redhat.com>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com> <559E5DF0.8000503@mmfg.it> <20150709120840.GZ21928@redhat.com>
Message-ID: <559E65D9.9060706@mmfg.it>

OK, I'm sorry for the little information provided: I can't do
migrate-ds, since I'm not coming from a "DS" (which can only be
another LDAP server, I guess).
The only thing I can expect is that users will login to one of the
applications which I put under FreeIPA authentication.
So I mixed the "NIS migration" documentation (maintaining passwords)
with the "migration mode", hoping it was what I was looking for.
Is there a way so that users are created in FreeIPA once they login in
this way? From what you said, I need to use SSSD (I'm going to read the
docs ASAP).
Is migration mode only used when I also use "ipa migrate-ds"?

Thank you very much.

Nicola

On 09/07/15 14:08, Alexander Bokovoy wrote:
> Nicola,
>
> perhaps it would help if you explain what you meant by saying below
>>>> My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
>>>> users not created by IPA.
>
> When you enabled migration mode and actually migrated users with 'ipa
> migrate-ds' command, you will have those users in IPA and they will be
> able to authenticate via LDAP with their old passwords.
>
> If your server (where your web app would be running) is enrolled into
> IPA, then it would be already running SSSD and set up for using it via
> pam_sss. Then configuring your web app to authenticate via PAM stack
> (for example, like we explain on
> http://www.freeipa.org/page/Web_App_Authentication)
> takes care of properly logging in and updating passwords.
>
> SSSD knows about migration mode and has support for it.
>
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>> I don't understand the question: aren't users created by IPA command
>> line the same as if they are created via the web GUI?
>>
>> Nicola
>>
>> On 09/07/15 13:05, Jan Pazdziora wrote:
>>> On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
>>>> Hello.
>>>> I was trying Freeipa as an addition and (maybe) future replacement for the
>>>> current SSO solution (custom and only for web apps).
>>>> I was able to authenticate (via pam_exec) LDAP users on the legacy system.
>>>> My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
>>>> users not created by IPA.
>>>>
>>>> I enabled migration mode in Freeipa, so that authenticated users should get
>>>> Kerberos hash created upon first login, but I don't know how to make users
>>>> login without creating them in advance.
>>>>
>>>> Is there a (suggested) way to let users authenticate via Kerberos and create
>>>> users authenticated by PAM upon first login?
>>> Create user where -- in the Web application or in FreeIPA?
>>>
>>
>> --
>>
>> Nicola Canepa
>> Tel: +39-0522-399-3474
>> canepa.n at mmfg.it
>

--
Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it

From abokovoy at redhat.com Thu Jul 9 12:44:28 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Jul 2015 15:44:28 +0300
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <559E65D9.9060706@mmfg.it>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com> <559E5DF0.8000503@mmfg.it> <20150709120840.GZ21928@redhat.com> <559E65D9.9060706@mmfg.it>
Message-ID: <20150709124428.GB21928@redhat.com>

On Thu, 09 Jul 2015, Nicola Canepa wrote:
>OK, I'm sorry for the little information provided: I can't do
>migrate-ds, since I'm not coming from a "DS" (which can only be
>another LDAP server, I guess).
>The only thing I can expect is that users will login to one of the
>applications which I put under FreeIPA authentication.
>So I mixed the "NIS migration" documentation (maintaining passwords)
>with the "migration mode", hoping it was what I was looking for.
If you did create your users the same way as proposed with NIS
migration, then they wouldn't be different from what would have happened
with 'ipa migrate-ds'. End result, you have user entries in LDAP with
passwords set to their hashes in the previous system and no Kerberos
attributes.

>Is there a way so that users are created in FreeIPA once they login in
>this way?
*You* need to create them.
http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
walks you through that:

--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8
From your export file, import the users into IPA using the admin tools
and set the original hashed password:

# ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
--
/ Alexander Bokovoy

From canepa.n at mmfg.it Thu Jul 9 12:55:07 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Thu, 09 Jul 2015 14:55:07 +0200
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <20150709124428.GB21928@redhat.com>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com> <559E5DF0.8000503@mmfg.it> <20150709120840.GZ21928@redhat.com> <559E65D9.9060706@mmfg.it> <20150709124428.GB21928@redhat.com>
Message-ID: <559E6F2B.8050402@mmfg.it>

Thank you Alexander.
If the previous password is not used, I could set an impossible-hash password (such as "{crypt}*") and let users login authenticating through PAM?
Or I could put the "user-add" in the pam_exec script (but only if the user does not already exist).
I'll test both ways.

Nicola

On 09/07/15 14:44, Alexander Bokovoy wrote:
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>> OK, I'm sorry for the little information provided: I can't do
>> migrate-ds, since I'm not coming from a "DS" (which can only be
>> another LDAP server, I guess).
>> The only thing I can expect is that users will login to one of the
>> applications which I put under FreeIPA authentication.
>> So I mixed the "NIS migration" documentation (maintaining passwords)
>> with the "migration mode", hoping it was what I was looking for.
> If you did create your users the same way as proposed with NIS
> migration, then they wouldn't be different from what would have happened
> with 'ipa migrate-ds'. End result, you have user entries in LDAP with
> passwords set to their hashes in the previous system and no Kerberos
> attributes.
>
>> Is there a way so that users are created in FreeIPA once they login in
>> this way?
> *You* need to create them.
> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
> walks you through that:
>
> --->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8
> From your export file, import the users into IPA using the admin tools
> and set the original hashed password:
>
> # ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
> ---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
>

--
Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it

From rcritten at redhat.com Thu Jul 9 13:15:06 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Jul 2015 09:15:06 -0400
Subject: [Freeipa-users] Apache not starting because of cert password issue ?
In-Reply-To:
References:
Message-ID: <559E73DA.4070809@redhat.com>

Matt . wrote:
> I now get: [Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615] Certificate not found: 'Server-Cert'
>
> So, it's no good at all :)

I think you need to take a step back and tell us what you've done to get into this situation.

The error messages are fairly clear. The first one was you had a bad password for the database. This current error is that the certificate referenced by the NSSNickname directive in nss.conf does not exist in the Apache NSS database.

These aren't the kinds of errors that pop up out of the blue. What, specifically, are you trying to do and what have you done to get to this point?

rob

>
> 2015-07-09 3:27 GMT+02:00 Nigel Sollars:
>> Fair enough :)
>>
>> On Wed, Jul 8, 2015 at 9:25 PM, Matt . wrote:
>>>
>>> Hi,
>>>
>>> No I'm testing some recovering strategies for the docs, so I need to
>>> have that checked.
>>>
>>> I have emailed Martin Kosek if he can enable the older repos again,
>>> would be great!
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> 2015-07-09 3:23 GMT+02:00 Nigel Sollars:
>>>> Would it not be wise to keep with current?
>>>>
>>>> There does seem to be a lot of threads with issues regarding older versions.
>>>> That being said there is a thread also with regards to LDAP which could be
>>>> related also.
>>>>
>>>> Regards
>>>>
>>>> On Wed, Jul 8, 2015 at 9:19 PM, Matt . wrote:
>>>>>
>>>>> Hi I found that but it didn't fix it, thanks btw.
>>>>>
>>>>> Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems
>>>>> that the maintainer empties the repo after every release... so older
>>>>> versions are not there anymore.
>>>>>
>>>>> 2015-07-09 3:17 GMT+02:00 Nigel Sollars:
>>>>>> Looks similar to a TLS/SSL issue in this thread,
>>>>>>
>>>>>> http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
>>>>>>
>>>>>> Hope this helps,
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Wed, Jul 8, 2015 at 5:04 PM, Matt . wrote:
>>>>>>>
>>>>>>> I'm facing a httpd server which won't start with ipa, so IPA fails to
>>>>>>> start.
>>>>>>>
>>>>>>> As I'm really not able to find anything about it on the internet I
>>>>>>> wonder if someone knows why it's logging this and how I can fix it.
>>>>>>>
>>>>>>> [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for slot internal is incorrect.
>>>>>>> [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias.
>>>>>>> [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>
>>>>>> --
>>>>>> "Science is a differential equation. Religion is a boundary condition."
>>>>>>
>>>>>> Alan Turing
>>>>
>>>> --
>>>> "Science is a differential equation. Religion is a boundary condition."
>>>>
>>>> Alan Turing
>>
>> --
>> "Science is a differential equation. Religion is a boundary condition."
>>
>> Alan Turing
>

From rcritten at redhat.com Thu Jul 9 13:17:56 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Jul 2015 09:17:56 -0400
Subject: [Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686
In-Reply-To:
References:
Message-ID: <559E7484.9070809@redhat.com>

Martin Chamambo wrote:
> I have the following configuration below and im able to login via SSH
> into a 32 bit server. With the same username im able to login on other
> servers

Please see https://fedorahosted.org/sssd/wiki/Troubleshooting for the information necessary to assist.

rob

From abokovoy at redhat.com Thu Jul 9 13:20:52 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Jul 2015 16:20:52 +0300
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <559E6F2B.8050402@mmfg.it>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com> <559E5DF0.8000503@mmfg.it> <20150709120840.GZ21928@redhat.com> <559E65D9.9060706@mmfg.it> <20150709124428.GB21928@redhat.com> <559E6F2B.8050402@mmfg.it>
Message-ID: <20150709132052.GC21928@redhat.com>

On Thu, 09 Jul 2015, Nicola Canepa wrote:
>Thank you Alexander.
>If the previous password is not used, I could set an impossible-hash
>password (such as "{crypt}*") and let users login authenticating
>through PAM?
How would you authenticate then? Remember that it is the hash in
userPassword attribute that is used for actual authentication. If
password-handling plugin cannot calculate to the same hash based on the
plain-text password it was supplied via LDAP bind, how would user
successfully authenticate?

If you migrate this way, you need password hashes, at least.
If you are going to issue users with new passwords, just create all of
them in IPA with these new passwords and ask them to login, at least
once, to IPA self-service.

>Or I could put the "user-add" in the pam_exec script (but only if the
>user does not already exist).
I don't think it is sufficiently good, at least I wouldn't do it this
way.
--
/ Alexander Bokovoy

From rcritten at redhat.com Thu Jul 9 13:23:14 2015
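Added example, not part of the thread and not FreeIPA code: a pre-import triage of exported password fields for the `ipa user-add [username] --setattr userpassword={crypt}...` step quoted above, showing why a placeholder such as `*` can never match a bind password. The `login:hash:first:last` export format, the sample records and the helper names are assumptions made here; which crypt variants the directory server's `{crypt}` scheme accepts depends on its crypt(3).

```python
import re

# Constructed export, one "login:hash:first:last" record per line (assumed
# format, not from the thread). The hash values are fake strings that only
# have the right shape; they are not real password hashes.
SAMPLE_EXPORT = "\n".join([
    "alice:$6$Zx3kQp9s$" + "a" * 86 + ":Alice:Rossi",      # SHA-512 crypt shape
    "bob:abJnggxhB/yWI:Bob:Bianchi",                       # traditional DES shape
    "carol:*:Carol:Verdi",                                 # impossible hash
    "dave:!$6$Zx3kQp9s$" + "b" * 86 + ":Dave:Neri",        # locked account
    "erin:$6$short$abc:Erin:Gallo",                        # truncated digest
    "bad name;id:abJnggxhB/yWI:X:Y",                       # unusable login
])

B64 = r"[./0-9A-Za-z]"                      # crypt(3) alphabet
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}    # MD5, SHA-256, SHA-512 crypt
MCF_RE = re.compile(
    r"^\$(1|5|6)\$(?:rounds=\d+\$)?" + B64 + r"{1,16}\$(" + B64 + r"+)$")
DES_RE = re.compile(r"^" + B64 + r"{13}$")
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def classify(field):
    """Return 'usable', 'locked' or 'malformed' for one exported hash field.

    'locked' covers placeholders ('*', 'x', empty) and '!'-prefixed hashes:
    no plain-text password hashes to them, so an LDAP bind can never
    succeed against such a userPassword value.
    """
    if field in ("", "x") or field.startswith(("!", "*")):
        return "locked"
    m = MCF_RE.match(field)
    if m and len(m.group(2)) == DIGEST_LEN[m.group(1)]:
        return "usable"
    if DES_RE.match(field):
        return "usable"
    return "malformed"


def plan_import(export_text):
    """Build `ipa user-add` argument lists for records with a usable hash.

    Returns (commands, skipped). Commands are argv lists (no shell involved),
    skipped maps login -> reason; those users need a new temporary password
    instead of a migrated hash.
    """
    commands, skipped = [], {}
    for line in export_text.splitlines():
        parts = line.split(":")
        if len(parts) != 4 or not LOGIN_RE.match(parts[0]):
            skipped[parts[0]] = "bad-record"
            continue
        login, field, first, last = parts
        verdict = classify(field)
        if verdict != "usable":
            skipped[login] = verdict
            continue
        commands.append([
            "ipa", "user-add", login, "--first", first, "--last", last,
            "--setattr", "userpassword={crypt}" + field,
        ])
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped = plan_import(SAMPLE_EXPORT)
    for argv in cmds:
        print(" ".join(argv))          # dry run: print, do not execute
    for login, reason in skipped.items():
        print("skip %r: %s" % (login, reason))
```
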
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Jul 2015 09:23:14 -0400
Subject: [Freeipa-users] Multiple CA certificates (for PassSync)
In-Reply-To: <9621CE4454B9514B9E709C1719B2B943093E50E7@HCXDSPM1.ca.lmco.com>
References: <9621CE4454B9514B9E709C1719B2B943093E50E7@HCXDSPM1.ca.lmco.com>
Message-ID: <559E75C2.1040700@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hello,
>
> We are currently in the process of replacing our IdM 3.x server with 4.x.
>
> There are going to be some major directory changes during the upgrade so
> I need to keep both the old and new IdM servers up and running separately.
>
> Part of our configuration is using the password sync between IdM and
> Active Directory.
>
> I can't find any information on this so I figured I'd ask you guys to
> see if anyone has done this before.
>
> Can I have two CA certificates from 2 IdM servers installed on the
> Active Directory server? And will this cause any issues with our
> password sync?

I'm not sure if you can do this. The CA is probably the least of your problems. I don't believe the AD passsync service can be aware of multiple consumers like this.

Rich may know.

rob

From jpazdziora at redhat.com Thu Jul 9 13:27:28 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 9 Jul 2015 15:27:28 +0200
Subject: [Freeipa-users] Apache htaccess replacement
In-Reply-To: <558DFA37.1020708@redhat.com>
Message-ID: <20150709132728.GA14991@redhat.com>

On Fri, Jun 26, 2015 at 09:19:51PM -0400, Dmitri Pal wrote:
> On 05/19/2015 05:29 AM, thewebbie wrote:
> >
> >My requirement is to replace dozens of htaccess folders on one server.
> >Each folder requiring a user group. So Host based will not work in this
> >case
>
> Was this resolved in some way?

I don't think it was.

I believe the OP is following

http://www.freeipa.org/page/Apache_Group_Based_Authorization

which looks a bit outdated. What we probably should decide is, what group-based access control do we want to suggest to people who cannot use HBAC and want to get the groups.

On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
>
> I have been attempting to use my 4.1.4 FreeIPA server to authenticate
> folders on a web server as a replacement for the normal htaccess feature. I
> do require group authentication. I have tried just about online example and
> have only been able to get basic ldap and basic Kerberos authentication. How
> do I go about getting group based authentication working.
>
> I have tried to add the following to either example below and no luck. I
> added the httpbind user from an ldif file from examples. I created a user
> group named htaccess and added the users to it.
>
> AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
> AuthLDAPBindPassword XXXXXXXXXX
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid

[....]

> [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

Are you able to bind with that DN and password using for example ldapsearch?

> I have this working.
>
> SSLRequireSSL
> AuthName "LDAP Authentication"
> AuthType Basic
> AuthzLDAPMethod ldap
> AuthzLDAPServer ipa.test.com
> AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
> AuthzLDAPUserKey uid
> AuthzLDAPUserScope base
> require valid-user
>
> And this is working
>
> SSLRequireSSL
> AuthName "KERBEROS Authentication"
> AuthType Kerberos
> KrbServiceName HTTP
> KrbMethodK5Passwd On
> KrbSaveCredentials On
> KrbMethodNegotiate On
> KrbAuthRealms TEST.COM
> Krb5KeyTab /etc/httpd/conf.d/keytab
>
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
> Require valid-user

I wonder -- with SSSD configured on the machine -- doesn't require group actually work?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From rmeggins at redhat.com Thu Jul 9 13:36:46 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Jul 2015 07:36:46 -0600
Subject: [Freeipa-users] Multiple CA certificates (for PassSync)
In-Reply-To: <559E75C2.1040700@redhat.com>
References: <9621CE4454B9514B9E709C1719B2B943093E50E7@HCXDSPM1.ca.lmco.com> <559E75C2.1040700@redhat.com>
Message-ID: <559E78EE.1030707@redhat.com>

On 07/09/2015 07:23 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> We are currently in the process of replacing our IdM 3.x server with 4.x.
>>
>> There are going to be some major directory changes during the upgrade so
>> I need to keep both the old and new IdM servers up and running separately.
>>
>> Part of our configuration is using the password sync between IdM and
>> Active Directory.
>>
>> I can't find any information on this so I figured I'd ask you guys to
>> see if anyone has done this before.
>>
>> Can I have two CA certificates from 2 IdM servers installed on the
>> Active Directory server? And will this cause any issues with our
>> password sync?
>
> I'm not sure if you can do this. The CA is probably the least of your
> problems. I don't believe the AD passsync service can be aware of
> multiple consumers like this.

Right. passsync can talk to only 1 IdM server.

To use multiple CA certs, just use the certutil tool to install an additional CA cert as per the docs.

>
> Rich may know.
>
> rob

From matthew.joseph at lmco.com Thu Jul 9 14:15:24 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Thu, 9 Jul 2015 14:15:24 +0000
Subject: [Freeipa-users] EXTERNAL: Re: Multiple CA certificates (for PassSync)
In-Reply-To: <559E78EE.1030707@redhat.com>
References: <9621CE4454B9514B9E709C1719B2B943093E50E7@HCXDSPM1.ca.lmco.com> <559E75C2.1040700@redhat.com> <559E78EE.1030707@redhat.com>
Message-ID: <9621CE4454B9514B9E709C1719B2B943093E51F2@HCXDSPM1.ca.lmco.com>

Yeah I knew that the passync utility would only communicate with 1 server. I'm not too worried about password sync for our new IdM server until it actually replaces the old server.

I just didn't know how Windows would handle having multiple CA certs and if it would get cranky because of it. Last thing I want to do is have users coming to complain about the passwords not syncing.

Thanks for the input guys, I'll give it a shot to see how it goes.

Matt

-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Thursday, July 09, 2015 10:37 AM
To: Rob Crittenden; Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Multiple CA certificates (for PassSync)

On 07/09/2015 07:23 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> We are currently in the process of replacing our IdM 3.x server with 4.x.
>>
>> There are going to be some major directory changes during the upgrade so
>> I need to keep both the old and new IdM servers up and running separately.
>>
>> Part of our configuration is using the password sync between IdM and
>> Active Directory.
>>
>> I can't find any information on this so I figured I'd ask you guys to
>> see if anyone has done this before.
>>
>> Can I have two CA certificates from 2 IdM servers installed on the
>> Active Directory server? And will this cause any issues with our
>> password sync?
>
> I'm not sure if you can do this. The CA is probably the least of your
> problems. I don't believe the AD passsync service can be aware of
> multiple consumers like this.

Right. passsync can talk to only 1 IdM server.

To use multiple CA certs, just use the certutil tool to install an additional CA cert as per the docs.

>
> Rich may know.
>
> rob

From canepa.n at mmfg.it Thu Jul 9 14:36:10 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Thu, 09 Jul 2015 16:36:10 +0200
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <20150709132052.GC21928@redhat.com>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com> <559E5DF0.8000503@mmfg.it> <20150709120840.GZ21928@redhat.com> <559E65D9.9060706@mmfg.it> <20150709124428.GB21928@redhat.com> <559E6F2B.8050402@mmfg.it> <20150709132052.GC21928@redhat.com>
Message-ID: <559E86DA.3030502@mmfg.it>

If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM.
The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).

Nicola

On 09/07/15 15:20, Alexander Bokovoy wrote:
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>> Thank you Alexander.
>> If the previous password is not used, I could set an impossible-hash
>> password (such as "{crypt}*") and let users login authenticating
>> through PAM?
> How would you authenticate then? Remember that it is the hash in
> userPassword attribute that is used for actual authentication. If
> password-handling plugin cannot calculate to the same hash based on the
> plain-text password it was supplied via LDAP bind, how would user
> successfully authenticate?
>
> If you migrate this way, you need password hashes, at least.
> If you are going to issue users with new passwords, just create all of
> them in IPA with these new passwords and ask them to login, at least
> once, to IPA self-service.
>
>> Or I could put the "user-add" in the pam_exec script (but only if the
>> user does not already exist).
> I don't think it is sufficiently good, at least I wouldn't do it this
> way.
>

--
Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it

From rmeggins at redhat.com Thu Jul 9 14:39:11 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Jul 2015 08:39:11 -0600
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <559E86DA.3030502@mmfg.it>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com> <559E5DF0.8000503@mmfg.it> <20150709120840.GZ21928@redhat.com> <559E65D9.9060706@mmfg.it> <20150709124428.GB21928@redhat.com> <559E6F2B.8050402@mmfg.it> <20150709132052.GC21928@redhat.com> <559E86DA.3030502@mmfg.it>
Message-ID: <559E878F.8010300@redhat.com>

On 07/09/2015 08:36 AM, Nicola Canepa wrote:
> If I enable the PAM plugin of 389-ds, I'm able to let users be
> authenticated by PAM, even if the user is not present in LDAP, hence
> the plain-text password is passed to PAM.
> The only missing step is: if PAM correctly authenticates a
> non-existing user, it should be created (using the just supplied
> password).

The 389-ds PAM passthrough auth plugin can't add users. You would have to add some additional functionality to either PAM, or another 389-ds plugin.

>
> Nicola
>
> On 09/07/15 15:20, Alexander Bokovoy wrote:
>> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>>> Thank you Alexander.
>>> If the previous password is not used, I could set an impossible-hash
>>> password (such as "{crypt}*") and let users login authenticating
>>> through PAM?
>> How would you authenticate then? Remember that it is the hash in
>> userPassword attribute that is used for actual authentication. If
>> password-handling plugin cannot calculate to the same hash based on the
>> plain-text password it was supplied via LDAP bind, how would user
>> successfully authenticate?
>>
>> If you migrate this way, you need password hashes, at least.
>> If you are going to issue users with new passwords, just create all of
>> them in IPA with these new passwords and ask them to login, at least
>> once, to IPA self-service.
>>
>>> Or I could put the "user-add" in the pam_exec script (but only if
>>> the user does not already exist).
>> I don't think it is sufficiently good, at least I wouldn't do it this
>> way.
>>
>

From abokovoy at redhat.com Thu Jul 9 14:55:05 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Jul 2015 17:55:05 +0300
Subject: [Freeipa-users] Migrating from custom auth system
In-Reply-To: <559E86DA.3030502@mmfg.it>
References: <559E3FE3.7030000@mmfg.it> <20150709110534.GK3502@redhat.com> <559E5DF0.8000503@mmfg.it> <20150709120840.GZ21928@redhat.com> <559E65D9.9060706@mmfg.it> <20150709124428.GB21928@redhat.com> <559E6F2B.8050402@mmfg.it> <20150709132052.GC21928@redhat.com> <559E86DA.3030502@mmfg.it>
Message-ID: <20150709145505.GD21928@redhat.com>

On Thu, 09 Jul 2015, Nicola Canepa wrote:
>If I enable the PAM plugin of 389-ds, I'm able to let users be
>authenticated by PAM, even if the user is not present in LDAP, hence
>the plain-text password is passed to PAM.
>The only missing step is: if PAM correctly authenticates a
>non-existing user, it should be created (using the just supplied
>password).
I have a feeling you are overcomplicating things for yourself.

You don't need PAM plugin of 389-ds to be enabled or used with FreeIPA.
All you need is to create your users in IPA, assign them some temporary
passwords, let them visit
https://ipa.example.com/ipa/ui/reset_password.html, set up your web app
to authenticate via PAM like
http://www.freeipa.org/page/Web_App_Authentication explains, and you are
done.
--
/ Alexander Bokovoy

From christopher.lamb at ch.ibm.com Thu Jul 9 15:44:18 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 9 Jul 2015 17:44:18 +0200
Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
In-Reply-To: <55780D66.1070701@redhat.com>
References: <5577E59B.9010001@redhat.com> <822135548.25230.1433922466863.JavaMail.zimbra@chemaxon.com> <9BF9C8C4-B066-44C5-A5E5-9FFE56FC99B9@gmail.com> <55780D66.1070701@redhat.com>
Message-ID:

Hi Martin

I have taken the plunge, and created a detailed HOWTO at
http://www.freeipa.org/page/HowTos/LDAP_authentication_for_Atlassian_JIRA_using_FreeIPA

@Petr, for the moment I have left your HOWTO / link in place, but have also linked to that thread from my HOWTO.

I hope it helps

Chris

From: Martin Kosek
To: Brian Topping, Sandor Juhasz
Cc: freeipa-users at redhat.com
Date: 10.06.2015 12:13
Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Sent by: freeipa-users-bounces at redhat.com

Cool, I am glad you made this working. BTW, would any of you mind volunteering and helping the FreeIPA community with contributing a HOWTO article on "how to configure FreeIPA and Jira"? It is still missing in FreeIPA.org wiki.

All we have right now is the link to this discussion, that Petr Spacek added to
http://www.freeipa.org/page/HowTos#Web_Services

It would be really nice to also have a real page that others can follow and use.

Thank you!
Martin

On 06/10/2015 11:29 AM, Brian Topping wrote:
> FYI, that mirrors my configuration. Not sure if this was covered previously, but for my setup, only JIRA connects to IPA. All the other Atlassian products contact JIRA for their information.
>
> Cheers, Brian
>
>> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz wrote:
>>
>> Hi,
>>
>> here are our working configurations. Might be useful.
>> We use compat tree for auth.
>> We use user in group matching.
>> We use group filter for login authorization.
>> We use FedoraDS as ldap connector on JIRA's side.
>> We don't use pw change or user create in IPA from JIRA side.
>> Watch out not to have matching local users/groups or you will suffer bigtime.
>> Initially it was setup not to use ldap groups, but was changed afterwards by
>> creating all new groups in ldap for this purpose and readding the users.
>> We use ldap service user for binding - https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA .
>>
>> Attributes:
>> "autoAddGroups": ""
>> "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
>> "com.atlassian.crowd.directory.sync.issynchronising": "false"
>> "com.atlassian.crowd.directory.sync.lastdurationms": "373"
>> "com.atlassian.crowd.directory.sync.laststartsynctime": "1433920165776"
>> "crowd.sync.incremental.enabled": "false"
>> "directory.cache.synchronise.interval": "3600"
>> "ldap.basedn": "dc="
>> "ldap.connection.timeout": "0"
>> "ldap.external.id": ""
>> "ldap.group.description": "description"
>> "ldap.group.dn": "cn=groups,cn=compat"
>> "ldap.group.filter": "(&(objectClass=posixgroup)(| (cn=)(cn=)(cn=)))"
>> "ldap.group.name": "cn"
>> "ldap.group.objectclass": "groupOfUniqueNames"
>> "ldap.group.usernames": "memberUid"
>> "ldap.local.groups": "false"
>> "ldap.nestedgroups.disabled": "true"
>> "ldap.pagedresults": "false"
>> "ldap.pagedresults.size": "1000"
>> "ldap.password": ********
>> "ldap.pool.initsize": "null"
>> "ldap.pool.maxsize": "null"
>> "ldap.pool.prefsize": "null"
>> "ldap.pool.timeout": "0"
>> "ldap.propogate.changes": "false"
>> "ldap.read.timeout": "120000"
>> "ldap.referral": "false"
>> "ldap.relaxed.dn.standardisation": "true"
>> "ldap.roles.disabled": "true"
>> "ldap.search.timelimit": "60000"
>> "ldap.secure": "false"
>> "ldap.url": "ldap://"
>> "ldap.user.displayname": "cn"
>> "ldap.user.dn": "cn=users,cn=accounts"
>> "ldap.user.email": "mail"
>> "ldap.user.encryption": "sha"
>> "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))"
>> "ldap.user.firstname": "givenName"
>> "ldap.user.group": "memberOf"
>> "ldap.user.lastname": "sn"
>> "ldap.user.objectclass": "person"
>> "ldap.user.password": "userPassword"
>> "ldap.user.username": "uid"
>> "ldap.user.username.rdn": ""
>> "ldap.userdn": "uid=,cn=sysaccounts,cn=etc,dc="
>> "ldap.usermembership.use": "false"
>> "ldap.usermembership.use.for.groups": "false"
>> "localUserStatusEnabled": "false"
>>
>> Sándor Juhász
>> System Administrator
>> ChemAxon Ltd.
>> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
>> Cell: +36704258964
>>
>> From: "Martin Kosek"
>> To: "Christopher Lamb", freeipa-users at redhat.com
>> Sent: Wednesday, June 10, 2015 9:22:03 AM
>> Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
>>
>> On 06/08/2015 06:44 PM, Christopher Lamb wrote:
>>>
>>> Hi All
>>>
>>> we are interested to know if anybody has succeeded (or for that matter
>>> failed) in using FreeIPA to provide user authentication for Atlassian
>>> products such as JIRA or Confluence?
>>>
>>> Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
>>> supported, so I guess that should set our expectations .....
>>>
>>> If anyone has succeeded, then of course any tips on how best to do so would
>>> be fantastic!
>>
>> I saw reply in the threads, so it should be covered.
>>
>> BTW, please add +1s to respective Jira tickets to add proper FreeIPA support.
>> It would be really cool if Jira would know FreeIPA out of the box and could
>> connect to it natively!
>

From john.1209 at yahoo.com Thu Jul 9 19:14:46 2015
From: john.1209 at yahoo.com (John Williams)
Date: Thu, 9 Jul 2015 19:14:46 +0000 (UTC)
Subject: [Freeipa-users] adding freeipa client fails
Message-ID: <1994387659.2459953.1436469286693.JavaMail.yahoo@mail.yahoo.com>

I'm trying to add a freeIPA client on an Ubuntu 14.04.02 Version and it's failing. Here is some background information. We lost (RIP) our main IPA server ipa.mydomain.com a while ago, but we were able to fail over to a replica called ipa2. Since then we've built a redundant ipa3.mydomain.com replica. Since then all the systems that were there previously work fine. But adding new IPA hosts fails.

The main error below (I believe) is:

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'

Any idea how to fix? Thanks in advance!

root at myhost:~# ipa-client-install -N --hostname myhost.mydomain.com --mkhomedir
DNS domain 'COM' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: myhost.mydomain.com
Realm: COM
DNS Domain: mydomain.com
IPA Server: ipa.mydomain.com
BaseDN: dc=COM

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin at COM:
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://ipa.mydomain.com/ipa/config/ca.crt?
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=COM
    Issuer:      CN=Certificate Authority,O=COM
    Valid From:  Thu Apr 04 23:20:27 2013 UTC
    Valid Until: Mon Apr 04 23:20:27 2033 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
Installation failed. Rolling back changes.
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
/etc/ipa/default.conf could not be removed: [Errno 2] No such file or directory: '/etc/ipa/default.conf'
Please remove /etc/ipa/default.conf manually, as it can cause subsequent installation to fail.
Client uninstall complete.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simo at redhat.com Thu Jul 9 19:33:15 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Jul 2015 15:33:15 -0400
Subject: [Freeipa-users] adding freeipa client fails
In-Reply-To: <1994387659.2459953.1436469286693.JavaMail.yahoo@mail.yahoo.com>
References: <1994387659.2459953.1436469286693.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1436470395.4097.29.camel@willson.usersys.redhat.com>

On Thu, 2015-07-09 at 19:14 +0000, John Williams wrote:
> I'm trying to add a freeIPA client on a Ubuntu 14.04.02 Version and it's failing. Here is some background information. We lost (RIP) our main IPA server ipa.mydomain.com a while ago, but we were able to fail over to a replica called ipa2. Since then we've built a redundant ipa3.mydomain.com replica. Since then all the systems that were there previously work fine. But adding new IPA hosts fail.
> The main error below (I believe) is:
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
> Any idea how to fix?

You probably added a cname pointing ipa -> ipa2, that won't work, drop the cname or force the client to use the ipa2 with the --server option.

Simo.

> Thanks in advance!
>
> root at myhost:~# ipa-client-install -N --hostname myhost.mydomain.com --mkhomedir
> DNS domain 'COM' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: myhost.mydomain.com
> Realm: COM
> DNS Domain: mydomain.com
> IPA Server: ipa.mydomain.com
> BaseDN: dc=COM
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
> Password for admin at COM:
> Unable to download CA cert from LDAP.
> Do you want to download the CA cert from http://ipa.mydomain.com/ipa/config/ca.crt?
> (this is INSECURE) [no]: yes
> Downloading the CA certificate via HTTP, this is INSECURE
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=COM
>     Issuer:      CN=Certificate Authority,O=COM
>     Valid From:  Thu Apr 04 23:20:27 2013 UTC
>     Valid Until: Mon Apr 04 23:20:27 2033 UTC
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
> Installation failed. Rolling back changes.
> certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
> certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
> SSSD service could not be stopped
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> /etc/ipa/default.conf could not be removed: [Errno 2] No such file or directory: '/etc/ipa/default.conf'
> Please remove /etc/ipa/default.conf manually, as it can cause subsequent installation to fail.
> Client uninstall complete.

--
Simo Sorce * Red Hat, Inc * New York

From john.1209 at yahoo.com Thu Jul 9 20:46:57 2015
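The enrollment failure discussed in this thread, as an added example that is not part of the original posts: a triage pass over an `ipa-client-install` transcript that flags the skipped time sync, the plain-HTTP CA download and the TLS name mismatch, and derives the `--server` value Simo suggests. The transcript lines are constructed from the output quoted above; the function names and finding ids are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: messages from the transcript quoted in the thread, one per line.
SAMPLE_TRANSCRIPT = """\
Discovery was successful!
Hostname: myhost.mydomain.com
DNS Domain: mydomain.com
IPA Server: ipa.mydomain.com
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Unable to download CA cert from LDAP.
Downloading the CA certificate via HTTP, this is INSECURE
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining:  SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
Installation failed. Rolling back changes.
"""

_MISMATCH = re.compile(
    r"certificate subject name '(?P<subject>[^']+)' "
    r"does not match target host name '(?P<target>[^']+)'"
)


def name_matches(cert_name: str, host: str) -> bool:
    """Compare the name the client asked for with a certificate name.

    This mirrors what a TLS client checks: the requested name, label by
    label, with '*' accepted only as the whole left-most label. DNS aliases
    are never followed, which is why a CNAME ipa -> ipa2 cannot help.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[1:] != host_labels[1:]:
        return False
    return cert_labels[0] in ("*", host_labels[0])


def triage(transcript: str) -> List[Dict[str, str]]:
    """Return one finding per security-relevant installer message, in order."""
    findings: List[Dict[str, str]] = []
    for line in transcript.splitlines():
        mismatch = _MISMATCH.search(line)
        if mismatch:
            findings.append({
                "id": "tls-name-mismatch",
                "subject": mismatch.group("subject"),
                "target": mismatch.group("target"),
                "detail": "server certificate was issued for a different host name",
            })
        elif "CA certificate via HTTP" in line:
            findings.append({
                "id": "ca-cert-over-http",
                "detail": "trust anchor arrived unauthenticated; compare its "
                          "fingerprint with the server's copy before trusting it",
            })
        elif "Unable to sync time" in line:
            findings.append({
                "id": "time-not-synced",
                "detail": "Kerberos depends on synchronized clocks",
            })
    return findings


def server_option(findings: List[Dict[str, str]]) -> Optional[str]:
    """Host name to pass to --server so the TLS name check can succeed."""
    for finding in findings:
        if finding["id"] != "tls-name-mismatch":
            continue
        subject, target = finding["subject"], finding["target"]
        # A wildcard subject is not a usable host name; leave that to the admin.
        if "*" not in subject and not name_matches(subject, target):
            return subject
    return None


if __name__ == "__main__":
    results = triage(SAMPLE_TRANSCRIPT)
    for item in results:
        print(f"{item['id']}: {item['detail']}")
    print("suggested option: --server", server_option(results))
```
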
From: john.1209 at yahoo.com (John Williams)
Date: Thu, 9 Jul 2015 20:46:57 +0000 (UTC)
Subject: [Freeipa-users] adding freeipa client fails
Message-ID: <1127013231.2555591.1436474817681.JavaMail.yahoo@mail.yahoo.com>

(Not sure if this message went through initially, this is a resend.)

I'm trying to add a freeIPA client on an Ubuntu 14.04.02 Version and it's failing. Here is some background information. We lost (RIP) our main IPA server ipa.mydomain.com a while ago, but we were able to fail over to a replica called ipa2. Since then we've built a redundant ipa3.mydomain.com replica. Since then all the systems that were there previously work fine. But adding new IPA hosts fails.

The main error below (I believe) is:

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'

Any idea how to fix? Thanks in advance!

root at myhost:~# ipa-client-install -N --hostname myhost.mydomain.com --mkhomedir
DNS domain 'COM' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: myhost.mydomain.com
Realm: COM
DNS Domain: mydomain.com
IPA Server: ipa.mydomain.com
BaseDN: dc=COM

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin at COM:
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://ipa.mydomain.com/ipa/config/ca.crt?
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=COM
    Issuer:      CN=Certificate Authority,O=COM
    Valid From:  Thu Apr 04 23:20:27 2013 UTC
    Valid Until: Mon Apr 04 23:20:27 2033 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
Installation failed. Rolling back changes.
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
/etc/ipa/default.conf could not be removed: [Errno 2] No such file or directory: '/etc/ipa/default.conf'
Please remove /etc/ipa/default.conf manually, as it can cause subsequent installation to fail.
Client uninstall complete.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Kurt.Bendl at nrel.gov Thu Jul 9 22:15:41 2015
From: Kurt.Bendl at nrel.gov (Bendl, Kurt)
Date: Thu, 9 Jul 2015 22:15:41 +0000
Subject: [Freeipa-users] Import DNS records from another system
Message-ID:

Hello,

I've been given a list of DNS info [ipaddress, FQDN] to import into FreeIPA. The current DNS setup doesn't allow me to do a zone transfer so the zone2dyndb-ldif tool won't help me at the moment.

I'm hoping there is another method I can leverage to do the import. Some kind of API call would be awesome.

Pointers on what I can try would be greatly appreciated.

Thanks,
Kurt

PS:
I'm running this against a test environment, currently:
ipa-server-4.1.0-18

From Kurt.Bendl at nrel.gov Thu Jul 9 22:46:02 2015
From: Kurt.Bendl at nrel.gov (Bendl, Kurt)
Date: Thu, 9 Jul 2015 22:46:02 +0000
Subject: [Freeipa-users] Import DNS records from another system
In-Reply-To:
References:
Message-ID:

Ah! Perfect! Thank you, Craig!

On 7/9/15, 4:33 PM, "Craig White" wrote:

>Should be relatively easy enough using ipa-admintools cli
>
>ipa help dnsrecord-add
>
>Craig White
>System Administrator
>O 623-201-8179 M 602-377-9752
>
>
>
>SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
>
>-----Original Message-----
>From: freeipa-users-bounces at redhat.com
>[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Bendl, Kurt
>Sent: Thursday, July 09, 2015 3:16 PM
>To: freeipa-users at redhat.com
>Subject: [Freeipa-users] Import DNS records from another system
>
>Hello,
>
>I've been given a list of DNS info [ipaddress, FQDN] to import into
>FreeIPA. The current DNS setup doesn't allow me to do a zone transfer so
>the zone2dyndb-ldif tool won't help me at the moment.
>
>I'm hoping there is another method I can leverage to do the import. Some
>kind of API call would be awesome.
>
>Pointers on what I can try would be greatly appreciated.
>
>Thanks,
> Kurt
>
>
>PS:
>I'm running this against a test environment, currently:
>ipa-server-4.1.0-18
>
>
>
>
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

From janellenicole80 at gmail.com Fri Jul 10 00:56:02 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 09 Jul 2015 17:56:02 -0700
Subject: [Freeipa-users] KRA? 4.2?
Message-ID: <559F1822.1090804@gmail.com>

Hello,

I see 4.2 is released today with lots of cool new features. I think I understand the new Vault, but am not familiar with KRA? Wondering if there might be some information on what this is?

~Janelle

From mkosek at redhat.com Fri Jul 10 06:41:30 2015
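For the DNS import question earlier in this archive, which was answered with `ipa dnsrecord-add`, an added example (not from the thread or the FreeIPA project): it validates an [ipaddress, FQDN] list and builds one argument vector per record, so rows from another system never pass through a shell or turn into extra options. The zone, the sample rows and the helper names are constructed for illustration; `--a-rec` and `--aaaa-rec` are the A and AAAA record options of `ipa dnsrecord-add`.

```python
import ipaddress
import re
import subprocess
from typing import List, Sequence, Tuple

# Constructed sample input in the [ipaddress, FQDN] shape described in the thread.
SAMPLE_ROWS = [
    ("10.1.2.10", "web01.example.test"),
    ("2001:db8::10", "web01.example.test"),
    ("10.1.2.11", "db01.lab.example.test."),  # trailing dot, multi-label name
    ("10.1.2.999", "bad-ip.example.test"),    # not an IP address
    ("10.1.2.12", "mail.other.test"),         # outside the target zone
    ("10.1.2.13", "-rf.example.test"),        # label that would look like an option
]
ZONE = "example.test"  # assumed: a zone that already exists in IPA

# Host-name label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def build_command(ip_text: str, fqdn: str, zone: str) -> List[str]:
    """Return the argv for one record, or raise ValueError for a bad row."""
    addr = ipaddress.ip_address(ip_text.strip())  # ValueError if malformed
    name = fqdn.strip().lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError(f"{fqdn!r} is not inside zone {zone!r}")
    relative = name[: -len(suffix)]
    for label in relative.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {fqdn!r}")
    option = "--a-rec" if addr.version == 4 else "--aaaa-rec"
    return ["ipa", "dnsrecord-add", zone, relative, f"{option}={addr}"]


def plan(rows: Sequence[Tuple[str, str]], zone: str):
    """Split rows into runnable commands and (row number, reason) rejects."""
    commands: List[List[str]] = []
    rejected: List[Tuple[int, str]] = []
    for number, (ip_text, fqdn) in enumerate(rows, start=1):
        try:
            commands.append(build_command(ip_text, fqdn, zone))
        except ValueError as exc:
            rejected.append((number, str(exc)))
    return commands, rejected


def run_commands(commands: Sequence[Sequence[str]], dry_run: bool = True) -> None:
    """Print the plan, or execute it without a shell (needs an admin ticket)."""
    for argv in commands:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(list(argv), check=True)


if __name__ == "__main__":
    cmds, bad = plan(SAMPLE_ROWS, ZONE)
    run_commands(cmds)  # dry run: only prints
    for number, reason in bad:
        print(f"row {number} rejected: {reason}")
```

Review the rejected rows by hand before re-running; a name at the zone apex is rejected here on purpose and has to be added separately.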
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 10 Jul 2015 08:41:30 +0200
Subject: [Freeipa-users] services-based authentication
In-Reply-To:
References:
Message-ID: <559F691A.6090806@redhat.com>

On 07/08/2015 10:11 AM, ilaria cianci wrote:
> Hi All,
>
> I am a new user and I have a question about FreeIPA authentication methods.
>
> Can FreeIPA select different auth methods (i.e. otp, password, etc) for the
> same user based on the service he wants to access? I mean using this user
> should use otp for the mail service, the password for the server access, etc..
> How can I set this ?
>
> Thanks a lot in advance for your answer,
>
> Best regards,
> Ilaria

Hello,

This does not work yet, although it is something that we crave for! If you are interested, you can subscribe to updates in respective RFE:
https://fedorahosted.org/freeipa/ticket/433

From mkosek at redhat.com Fri Jul 10 06:43:29 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 10 Jul 2015 08:43:29 +0200
Subject: [Freeipa-users] sendmail.schema
In-Reply-To: <93C4017D-D6AF-40C7-B4C7-FD89D2349D1D@usm.lmu.de>
References: <93C4017D-D6AF-40C7-B4C7-FD89D2349D1D@usm.lmu.de>
Message-ID: <559F6991.8030302@redhat.com>

On 07/09/2015 11:09 AM, Rudolf Gabler wrote:
> Hi,
>
> we are dealing with a huge number of mail aliases which are not purely user aliases but distribution-lists, actions on distribution-list and so on (mailman).
> There was a former sendmail.schema in fedora-ds (we are using fds 21 at the moment), which is gone (at least I didn't find it). Is there now a different approach for freeipa to deal with this problem.
>
> Regards,
>
> Rudi Gabler

I would recommend asking on 389-users at lists.fedoraproject.org if nobody in this list has a good answer.

From mkosek at redhat.com Fri Jul 10 06:47:28 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 10 Jul 2015 08:47:28 +0200
Subject: [Freeipa-users] Multiple CA certificates
In-Reply-To: <9621CE4454B9514B9E709C1719B2B943093E50E7@HCXDSPM1.ca.lmco.com>
References: <9621CE4454B9514B9E709C1719B2B943093E50E7@HCXDSPM1.ca.lmco.com>
Message-ID: <559F6A80.1090102@redhat.com>

On 07/09/2015 01:25 PM, Joseph, Matthew (EXP) wrote:
> Hello,
>
> We are currently in the process of replacing our IdM 3.x server with 4.x.
>
> There are going to be some major directory changes during the upgrade so I need
> to keep both the old and new IdM servers up and running separately.

This is dangerous. I am not sure what platform do you use, but if you are using RHEL or CentOS, the general migration procedure to IdM 4.x (i.e. RHEL-7.0+) is to simply create RHEL-7 replicas for your RHEL-6 servers and deprecate the old ones.

In case you do some split brain migration, where old and new IdM live separately, you may hit problems. More info here:
https://www.freeipa.org/page/Howto/Migration

>
> Part of our configuration is using the password sync between IdM and Active
> Directory.
>
> I can't find any information on this so I figured I'd ask you guys to see if
> anyone has done this before.
>
> Can I have two CA certificates from 2 IdM servers installed on the Active
> Directory server? And will this cause any issues with our password sync?
>
> Thanks,
>
> Matt
>
>
>

From mkosek at redhat.com Fri Jul 10 06:55:21 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 10 Jul 2015 08:55:21 +0200
Subject: [Freeipa-users] KRA? 4.2?
In-Reply-To: <559F1822.1090804@gmail.com>
References: <559F1822.1090804@gmail.com>
Message-ID: <559F6C59.9020603@redhat.com>

On 07/10/2015 02:56 AM, Janelle wrote:
> Hello,
>
> I see 4.2 is released today with lots of cool new features. I think I
> understand the new Vault, but am not familiar with KRA? Wondering if there
> might be some information on what this is?
>
> ~Janelle
>

KRA (or DRM) is the Dogtag subsystem we use for Vault :-) There is a lot of Vault related information on

https://www.freeipa.org/page/V4/Password_Vault
https://www.freeipa.org/page/V4/Password_Vault_Implementation

Martin

From pvoborni at redhat.com Fri Jul 10 08:26:11 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 10 Jul 2015 10:26:11 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0
Message-ID: <559F81A3.3010708@redhat.com>

The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository .

This announcement with additional ticket and design page links is available at .

== Highlights in 4.2 ==

=== Enhancements ===
* Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA server to have consistent state for all certificate creation request. The certificate submission requests are authorized by the new CA ACL rules
* Support One-Way Trust to Active Directory
* User life-cycle management - add inactive stage users using UI or LDAP interface and have them moved to active users by single command. Deleted users can now be also moved - 'preserved' - to special tree and re-activated when user returns, preserving its UID/GID
* Support for Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even FreeIPA server does not know the secrets!
* Datepicker is now used for datetime fields in the Web UI
* Upgrade process was overhauled. There is now single upgrade tool ('ipa-server-upgrade') providing simplified interface for upgrading the FreeIPA server. See details in separate subsection.
* Service constrained delegation rules can be now added by UI and CLI
* FreeIPA Web UI now provides API browser and documentation. See 'IPA Server' - 'API Browser' tab
* Access control instructions were updated so that hosts can create their own services
* FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service
* FreeIPA Web Server no longer uses deprecated 'mod_auth_kerb' but switched to the modern 'mod_auth_gssapi'
* New automated migration tool from winsync to 'ID Views'
* 'migrate-ds' command can now search the migrated users and groups with different scope
* DNSSEC integration was improved and FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow Deployment Recommendations for DNS.
* 'ipa migrate-ds' command can now run with different search scopes
* And many other small improvements or bug fixes!

=== Changes to upgrade ===
The server still upgrades automatically during RPM update. However, 'ipactl start' now verifies that the server was really upgraded before starting FreeIPA to prevent running upgraded bits on old data when 'ipa-server-upgrade' was not run during RPM update (for example during FedUp Fedora upgrade).

Update files (files in '/usr/share/ipa/updates/') format was changed. Namely:
* Updates are not merged, update files are applied one at a time
* Update entries no longer support CSV - commas can be now freely used in the added attributes
* Update can now use base64 values
* Update plugins are now not run automatically, but when referenced from update files ('plugin: ')

== Upgrading ==
Upgrade instructions are available on the Upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
== Detailed Changelog since 4.1 ==

=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (21) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it
* ipa-kdb: use proper memory chunk size when moving sids
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
* add one-way trust support to ipasam
* ipa-adtrust-install: add IPA master host principal to adtrust agents
* trusts: pass AD DC hostname if specified explicitly
* ipa-sidgen: reduce log level to normal if domain SID is not available
* ipa-adtrust-install: allow configuring of trust agents
* trusts: add support for one-way trust and switch to it by default
* ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
* trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
* trust: support retrieving POSIX IDs with one-way trust during trust-add

=== Christian Heimes (4) ===
* Provide Kerberos over HTTP (MS-KKDCP)
* Fix removal of ipa-kdc-proxy.conf symlink
* Fix upgrade of HTTPInstance for KDC Proxy
* Improve error handling in ipa-httpd-kdcproxy

=== David Kupka (27) ===
* Respect UID and GID soft static allocation.
* Stop dirsrv last in ipactl stop.
* Remove unneeded internal methods. Move code to public methods.
* Remove service file even if it isn't link.
* Produce better error in group-add command.
* Fix --{user,group}-ignore-attribute in migration plugin.
* ipa-restore: Check if directory is provided + better errors.
* Fix error message for nonexistent members and add tests.
* Use singular in help metavars + update man pages.
* Always add /etc/hosts record when DNS is being configured.
* Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
* Abort backup restoration on not matching host.
* idviews: Allow setting ssh public key on ipauseroverride-add
* Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
* Restore default.conf and use it to build API.
* Always reload StateFile before getting or modifying the stored values.
* Remove unused part of ipa.conf.
* Use mod_auth_gssapi instead of mod_auth_kerb.
* Bump ipa.conf version to 17.
* Lint: Skip checking of functions stolen by python-nose.
* Make lint work on Fedora 22.
* Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.
* Do not store state if CA is enabled
* Move CA installation code into single module.
* Use 389-ds centralized scripts.
* upgrade: Raise error when certmonger is not running.
* ipa-replica-prepare: Do not create DNS zone it automatically.

=== Drew Erny (1) ===
* Migration now accepts scope as argument

=== Endi Sukma Dewata (8) ===
* Fixed KRA backend.
* Modififed NSSConnection not to shutdown existing database.
* Added vault plugin.
* Added vault-archive and vault-retrieve commands.
* Fixed KRA installation problem.
* Added symmetric and asymmetric vaults.
* Added ipaVaultPublicKey attribute.
* Added vault access control.
=== Francesco Marella (1) ===
* Refactor selinuxenabled check

=== Fraser Tweedale (25) ===
* Support multiple host and service certificates
* Fix certificate management with service-mod
* Install CA with LDAP profiles backend
* Add schema for certificate profiles
* ipa-pki-proxy: provide access to profiles REST API
* Add ACL to allow CA agent to modify profiles
* Add certprofile plugin
* Enable LDAP-based profiles in CA on upgrade
* Import included profiles during install or upgrade
* Add generic split_any_principal method
* Add profile_id parameter to 'request_certificate'
* Add usercertificate attribute to user plugin
* Update cert-request to support user certs and profiles
* Fix certificate subject base
* Import profiles earlier during install
* ipa-pki-proxy: allow certificate and password authentication
* Add CA ACL plugin
* Enforce CA ACLs in cert-request command
* certprofile: fix doc error
* Upgrade CA schema during upgrade
* Migrate CA profiles after enabling LDAPProfileSubsystem
* certprofile: add option to export profile config
* certprofile: add ability to update profile config in Dogtag
* caacl: fix incorrect construction of HbacRequest for hosts
* cert-request: enforce caacl for principals in SAN

=== Gabe Alford (17) ===
* Remove trivial path constants from modules
* ipa-server-install Directory Manager help incorrect
* ipa-managed-entries requires password with bad password
* Update default NTP configuration
* Remove usage of app_PYTHON in ipaserver Makefiles
* Remove dependency on subscription-manager
* Typos in ipa-rmkeytab options help and man page
* permission-add does not prompt for ipapermright in interactive mode
* ipa-replica-prepare should document ipv6 options
* ipatests: Add tests for valid and invalid ipa-advise
* ipa-replica-prepare can only be created on the first master
* Add message for skipping NTP configuration during client install
* Remove unneeded ip-address option in ipa-adtrust-install
* Unsaved changes dialog internally inconsistent
* Allow ipa help command to run when ipa-client-install is not configured
* Do not print traceback when pipe is broken
* Clear SSSD caches when uninstalling the client

=== Jan Cholasta (109) ===
* Do not crash in CAInstance.__init__ when default argument values are used
* Fix certmonger configuration in installer code
* Do not check if port 8443 is available in step 2 of external CA install
* Handle profile changes in dogtag-ipa-ca-renew-agent
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
* Fix possible NULL dereference in ipa-kdb
* Fix memory leaks in ipa-extdom-extop
* Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
* Fix memory leak in ipa-pwd-extop
* Fix memory leaks in ipa-join
* Fix various bugs in ipap11helper
* Fix CA certificate backup and restore
* Fix wrong expiration date on renewed IPA CA certificates
* Restore file extended attributes and SELinux context in ipa-restore
* Use correct service name in cainstance.backup_config
* Stop tracking certificates before restoring them in ipa-restore
* Remove redefinition of LOG from ipa-otp-lasttoken
* Unload P11_Helper object's library when it is finalized in ipap11helper
* Fix Kerberos error handling in ipa-sam
* Fix unchecked return value in ipa-kdb
* Fix unchecked return values in ipa-winsync
* Fix unchecked return value in ipa-join
* Fix unchecked return value in krb5 common utils
* Fix memory leak in GetKeytabControl asn1 code
* Add TLS 1.2 to the protocol list in mod_nss config
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
* Improve validation of --instance and --backend options in ipa-restore
* Check subject name encoding in ipa-cacert-manage renew
* Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
* Fix ipa-restore on systems without IPA installed
* Remove RUV from LDIF files before using them in ipa-restore
* Fix CA certificate renewal syslog alert
* Do not crash on unknown services in installutils.stopped_service
* Restart dogtag when its server certificate is renewed
* Make certificate renewal process synchronized
* Fix validation of ipa-restore options
* Do not assume certmonger is running in httpinstance
* Put LDIF files to their original location in ipa-restore
* Revert "Make all ipatokenTOTP attributes mandatory"
* Create correct log directories during full restore in ipa-restore
* Do not crash when replica is unreachable in ipa-restore
* Bump 389-ds-base and pki-ca dependencies for POODLE fixes
* ipalib: Allow multiple API instances
* ipalib: Move plugin package setup to ipalib-specific API subclass
* advise: Add separate API object for ipa-advise
* ldap2: Use self API instance instead of ipalib.api
* replica-install: Use different API instance for the remote server
* certstore: Make certificate retrieval more robust
* client-install: Do not crash on invalid CA certificate in LDAP
* client: Fix ca_is_enabled calls
* upload_cacrt: Fix empty cACertificate in cn=CAcert
* ldap: Drop python-ldap tuple compatibility
* ldap: Remove unused IPAdmin methods
* ldap: Add connection management to LDAPClient
* ldap: Use LDAPClient connection management in IPAdmin
* ldap: Use LDAPClient connection management in ldap2
* ldap: Add bind and unbind methods to LDAPClient
* ldap: Use LDAPClient bind and unbind methods in IPAdmin
* ldap: Use LDAPClient bind and unbind methods in ldap2
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
* cainstance: Use LDAPClient instead of IPASimpleLDAPObject
* makeaci: Use LDAPClient instead of IPASimpleLDAPObject
* ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry
* ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient
* ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient
* ldap: Remove IPASimpleLDAPObject
* Fix stop_tracking_certificates call in ipa-restore
* baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry
* client-install: Fix kinits with non-default Kerberos config file
* install: Make a package out of ipaserver.install.server
* install: Move ipa-server-install code into a module
* install: Move ipa-replica-install code into a module
* install: Move ipa-server-upgrade code into a module
* install: Fix missing variable initialization in replica install
* install: Fix CA-less server install
* install: Fix external CA server install
* install: Move private_ccache from ipaserver to ipapython
* install: Introduce installer framework ipapython.install
* install: Migrate ipa-server-install to the install framework
* install: Handle Knob cli_name and cli_aliases values consistently
* install: Add support for positional arguments in CLI tools
* install: Allow setting usage in CLI tools
* install: Migrate ipa-replica-install to the install framework
* vault: Move vaults to cn=vaults,cn=kra
* install: Initialize API early in server and replica install
* vault: Fix ipa-kra-install
* install: Fix logging setup in server and replica install
* User life cycle: provide preserved user virtual attribute
* install: Fix ipa-replica-install not installing RA cert
* User life cycle: change user-del flags to be CLI-specific
* plugable: Move plugin base class and override logic to API
* ipalib: Load ipaserver plugins when api.env.in_server is True
* ipalib: Move find_modules_in_dir from util to plugable
* plugable: Specify plugins to import in API by module names
* plugable: Load plugins only from modules imported by API
* plugable: Pass API to plugins on initialization rather than using set_api
* plugable: Do not use DictProxy for API
* plugable: Lock API on finalization rather than on initialization
* ipaplatform: Do not use MagicDict for KnownServices
* plugable: Remove SetProxy, DictProxy and MagicDict
* plugable: Change is_production_mode to method of API
* plugable: Specify plugin base classes and modules using API properties
* plugable: Remove unused call method of Plugin
* replica prepare: Do not use entry after disconnecting from LDAP
* ipalib: Fix skip_version_check option
* spec file: Update minimal versions of required packages

=== Jan Pazdziora (1) ===
* No explicit zone specification.

=== Lenka Ryznarova (1) ===
* Test Objectclass of postdetach group

=== Ludwig Krispenz (14) ===
* ds plugin - manage replication topology in the shared tree
* install part - manage topology in shared tree
* replica install fails with domain level 1
* accept missing binddn group
* plugin uses 1 as minimum domain level to become active no calculation based on plugin version
* crash when removing a replica
* check for existing and self referential segments
* make sure the agremment rdn match the rdn used in the segment
* v2-reject modifications of endpoints and connectivity of a segment
* correct management of one directional segments
* fix coverity issues
* v2 clear start attr from segment after initialization
* v2 improve processing of invalid data.
* allow deletion of segment if endpoint is not managed

=== Lukáš Slebodník (2) ===
* SPEC: Explicitly requires python-sssdconfig
* SPEC: Require python2 version of sssd bindings

=== Martin Babinsky (43) ===
* Use 'remove-ds.pl' to remove DS instance
* Moved dbus-python dependence to freeipa-python package
* ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
* always get PAC for client principal if AS_REQ is true
* ipa-kdb: more robust handling of principal addition/editing
* OTP: failed search for the user of last token emits an error message
* ipa-pwd-extop: added an informational comment about intentional fallthrough
* ipa-uuid: emit a message when unexpected mod type is encountered
* OTP: emit a log message when LDAP entry for config record is not found
* ipa-client-install: put eol character after the last line of altered config file(s)
* migrate-ds: exit with error message if no users/groups to migrate are found
* Changing the token owner changes also the manager
* ipa-dns-install: use STARTTLS to connect to DS
* ipa-dns-install: use LDAPI to connect to DS
* migrate-ds: print out failed attempts when no users/groups are migrated
* show the exception message thrown by dogtag._parse_ca_status during install
* do not log BINDs to non-existent users as errors
* fix improper handling of boolean option in
* proper client host setup/teardown in forced client reenrollment integration test suite
* do not install CA on replica during integration test if setup_ca=False
* ipautil: new functions kinit_keytab and kinit_password
* ipa-client-install: try to get host TGT several times before giving up
* Adopted kinit_keytab and kinit_password for kerberos auth
* use separate ccache filename for each IPA DNSSEC daemon
* point the users to PKI-related logs when CA configuration fails
* suppress errors arising from deleting non-existent files during client uninstall
* prevent duplicate IDs when setting up multiple replicas against single master
* ipa-server-install: deprecate manual setting of master KDC password
* update 'api.env.ca_host' if a different hostname is used during server install
* provide dedicated ccache file for httpd
* move IPA-related http runtime directories to common subdirectory
* explicitly destroy httpd service ccache file during httpinstance removal
* do not check for directory manager password during KRA uninstall
* merge KRA installation machinery to a single module
* KRA: get the right dogtag version during server uninstall
* add DS index for userCertificate attribute
* generalize certificate creation during testing
* ipa-kdb: common function to get key encodings/salt types
* increase NSS memcache timeout for IPA server
* baseldap: add support for API commands managing only a single attribute
* reworked certificate normalization and revocation
* new commands to manage user/host/service certificates
* add option to skip client API version check

=== Martin Bašti (126) ===
* Dogtag 10.2 to spec.file
* Fix dns zonemgr validation regression
* Add bind-dyndb-ldap working dir to IPA specfile
* Fix CI tests: install_adtrust
* Fix upgrade: do not use invalid ldap connection
* Fix: DNS installer adds invalid zonemgr email
* Fix: DNS policy upgrade raises asertion error
* Fix upgrade referint plugin
* Upgrade: fix trusts objectclass violationi
* Fix named working directory permissions
* Fix: zonemgr must be unicode value
* Fix warning message should not contain CLI commands
* Show warning instead of error if CA did not start
* Raise right exception if domain name is not valid
* Fix pk11helper module compiler warnings
* Fix: read_ip_addresses should return ipaddr object
* Fix detection of encoding in zonemgr option
* Fix zonemgr option encoding detection
* Throw zonemgr error message before installation proceeds
* Upgrade fix: masking named should be executed only once
* Using wget to get status of CA
* Show SSHFP record containing space in fingerprint
* Fix don't check certificate during getting CA status
* Fix: Upgrade forwardzones zones after adding newer
replica * Fix zone find during forwardzone upgrade * Fix traceback if zonemgr error contains unicode * DNS tests: separate current forward zone tests * New test cases for Forward_zones * Detect and warn about invalid DNS forward zone configuration * DNS tests: warning if forward zone is inactive * Add debug messages into client autodetection * DNSSEC catch ldap exceptions in ipa-dnskeysyncd * DNSSEC: fix root zone dns name conversion * Always return absolute idnsname in dnszone commands * Use dyndns_update instead of deprecated sssd option * Fix reference counting in pkcs11 extension * Prevent install scripts fail silently if timeout exceeded * Fix warning message on client side * Fix restoring services status during uninstall * Fix do not enable service before storing status * Uninstall configured services only * Fix saving named restore status * Migrate uniquess plugins configuration to new style * Fix uniqueness plugins * DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism * Fix memory leaks in ipap11helper * Remove unused method from ipap11pkcs helper module * Remove unused disable-betxn.ldif file * DNS fix: do not traceback if unsupported records are in LDAP * DNS fix: do not show part options for unsupported records * DNS: remove NSEC3PARAM from records * Fix dead code in ipap11helper module * Server Upgrade: Remove unused PRE_SCHEMA_UPDATE * Server Upgrade: do not sort updates by DN * Server Upgrade: Upgrade one file per time * Server Upgrade: Set modified to false, before each update * Server Upgrade: Update entries in order specified in file * Server Upgrade: order update files by default * Server Upgrade: respect --test option in plugins * Server Upgrade: remove --test option * Server Upgrade: Fix comments * DNSSEC: Do not log into files * Fix ldap2 shared connection * Server Upgrade: use only LDAPI connection * Server Upgrade: remove unused code in upgrade * Server Upgrade: Apply plugin updates immediately * Server Upgrade: specify order of plugins in 
update files * Server Upgrade: plugins should use ldapupdater API instance * Server Upgrade: Handle connection better in updates_from_dict * Server Upgrade: use ldap2 connection in fix_replica_agreements * Server Upgrade: restart DS using ipaplatfom service * Server Upgrade: only root can run updates * DNSSEC CI tests * ipa client: make --ntp-server option multivalued * ipa client: use NTP servers detected from SRV * ipa client: use NTP servers specified by user * Server Upgrade: ipa-server-upgrade command * Server Upgrade: Verify version and platform * Server Upgrade: use ipa-server-upgrade in RPM upgrade * Server Upgrade: fix a comment in ldapupdater * move realm_to_serverid to installutils module * Server Upgrade: use LDIF parser to modify DSE.ldif * Server Upgrade: enable DS global lock during upgrade * Server Upgrade: remove CSV from upgrade files * Server Upgrade: Allow base64 encoded values * Server Upgrade: fix memberUid index * Dont use the proxy to check CA status * Server Upgrade: Do not start DS if it was stopped before upgrade * Server Upgrade: raise RuntimeError instead exit() * Server Upgrade: do not allow to run upgradeinstace alone * Server Upgrade: handle errors better * Server Upgrade: ipa-ldap-updater will not do overall upgrade * Server Upgrade: Fix uniqueness plugins * DNSSEC: FIX Do not re-create kasp.db if already exists * DNSSEC: update OpenDNSSEC KASP configuration * DNS install: extract DNS installer into one module * Pylint: fix false positive warning for domain * Uid uniqueness: fix: exclude compat tree from uniqueness * Server Upgrade: wait until DS is ready * Server Upgrade: Fix: execute schema update * Server Upgrade: Move code from ipa-upgradeconfig to separate module * Fix: use DS socket check only for upgrade * Server Upgrade: fix remove statement * Installers fix: remove temporal ccache * ULC: fix: upgrade for stage Stage User Admins failed * Fix: regression in host and service plugin * DNSSEC: Improve global forwarders 
validation * DNSSEC: validate forward zone forwarders * Revert 389-DS BuildRequires version to 1.3.3.9 * DNSSEC: fix traceback during shutdown phase * Server Upgrade: disconnect ldap2 connection before DS restart * DNS: add UnknownRecord to schema * ipa-ca-install fix: reconnect ldap2 after DS restart * Server Upgrade: create default config for NIS Server plugin * Fix indicies ntUserDomainId, ntUniqueId * Sanitize CA replica install * DNS: Do not traceback if DNS is not installed * KRA Install: check replica file if contains req. certificates * Server Upgrade: use debug log level for upgrade instead of info * DNSSEC: allow to disable/replace DNSSEC key master * DNSSEC: update message * Allow to run subprocess with suplementary groups * FIX: Clear SSSD caches when uninstalling the client * Fix regression: ipa-dns-install will add CA records if required * Upgrade: Do not show upgrade failed message when IPA is not installed * Fix logging in API === Martin Ko?ek (11) === * Fix ImportError in ipa-ca-install * Bump SSSD Requires to 1.12.3 * Fix IPA_BACKUP_DIR path name * Allow PassSync user to locate and update NT users * Allow Replication Administrators manipulate Winsync Agreements * Replication Administrators cannot remove replication agreements * Add anonymous read ACI for DUA profile * Print PublicError traceback when in debug mode * group-detach does not add correct objectclasses * Remove references to GPL v2.0 license * Fix typo in ipa-server-upgrade man page === Milan Kub?k (3) === * ipatests: port of p11helper test from github * Abstract the HostTracker class from host plugin test * Fix for a typo in certprofile mod command. 
=== Nathan Kinder (2) ===
* Timeout when performing time sync during client install
* Skip time sync during client install when using --no-ntp

=== Nathaniel McCallum (15) ===
* Ensure that a password exists after OTP validation
* Improve otptoken help messages
* Ensure users exist when assigning tokens to them
* Enable QR code display by default in otptoken-add
* Catch USBError during YubiKey location
* Preliminary refactoring of libotp files
* Move authentication configuration cache into libotp
* Enable last token deletion when password auth type is configured
* Make token auth and sync windows configurable
* Create an OTP help topic
* Prefer TCP connections to UDP in krb5 clients
* Expose the disabled User Auth Type
* Update python-yubico dependency version
* Fix a signedness bug in OTP code
* Fix OTP token URI generation

=== Petr Viktorin (35) ===
* ipa-restore: Don't crash if AD trust is not installed
* ipaplatform: Use the dirsrv service, not target
* Do not restore SELinux settings that were not backed up
* Add additional backup & restore checks
* tests: Use PEP8-compliant setup/teardown method names
* tests: Add configuration for pytest
* ipatests.util.ClassChecker: Raise AttributeError in get_subcls
* test_automount_plugin: Fix test ordering
* Use setup_class/teardown_class in Declarative tests
* dogtag plugin: Don't use doctest syntax for non-doctest examples
* test_webui: Don't use __init__ for test classes
* test_ipapython: Use functions instead of classes in test generators
* Configure pytest to run doctests
* Declarative tests: Move cleanup to setup_class/teardown_class
* Declarative tests: Switch to pytest
* Integration tests: Port the ordering plugin to pytest
* Switch make-test to pytest
* Add local pytest plugin for --with-xunit and --logging-level
* Switch ipa-run-tests to pytest
* Switch integration testing config to a fixture
* Integration tests: Port the BeakerLib plugin and log collection to pytest
* test_integration: Adjust tests for pytest
* copy_schema_to_ca: Fallback to old import location for ipaplatform.services
* Ignore ipap11helper/setup.py in doctests
* test_integration: Use python-pytest-multihost
* test_integration: Use collect_log from the host, not the testing class
* test_integration: Parametrize test instead of using a generator
* ipatests: Use pytest-beakerlib
* ipatests: Use pytest-sourceorder
* Run pylint on tests
* test_host_plugin: Convert tests to imperative style
* test_host_plugin: Split tests into independent classes
* test_host_plugin: Use HostTracker fixtures
* rename_managed: Remove use of EditableDN
* Remove Editable DN and DN component classes

=== Petr Voborník (113) ===
* build: increase java stack size for all arches
* ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
* unittests: baserid for ipa-ad-trust-posix idranges
* ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
* idrange: include raw range type in output
* webui: prohibit setting rid base with ipa-trust-ad-posix type
* webui: fix potential XSS vulnerabilities
* restore: clear httpd ccache after restore
* webui: use domain name instead of domain SID in idrange adder dialog
* webui: normalize idview tab labels
* webui: add radius fields to user page
* fix indentation in ipa-restore page
* add --hosts and --hostgroup options to allow/retrieve keytab methods
* webui: fix service unprovisioning
* webui: increase duration of notification messages
* revert removal of cn attribute from idnsRecord
* migrate-ds: fix compat plugin check
* rpcclient: use json_encode_binary for verbose output
* Fix TOTP Synchronization Window label
* ipatests: add missing ssh object classes to idoverrideuser
* webui: service: add ipakrbrequirespreauth checkbox
* webui: unable to select single value in CB by enter key
* webui: use no_members option in entity select search
* performance: faster DN implementation
* speed up convert_attribute_members
* speed up indirect member processing
* webui: add pwpolicy link to group details page if group has associated pwpolicy
* webui-ci: do not open 2 browser windows
* Update BUILD.txt
* allow to call ldap2.destroy_connection multiple times
* use Connectible.disconnect() instead of .destroy_connection()
* jQuery.ordered_map: faster creation
* jQuery.ordered_map: remove map attribute
* migrate-ds: optimize adding users to default group
* migrate-ds: skip default group option
* migrate-ds: remove unused def_group_gid context property
* migrate-ds: optimize gid checks by utilizing dictionary nature of set
* migrate-ds: log migrated group members only on debug level
* cli: differentiate Flag a Bool when autofill is set
* webui-ci: fix type error in host_tasks inicializations
* webui: update patternfly to v1.1.4
* webui: rename IPA.user_* to IPA.user.*
* webui: declare search command options in search facet
* webui: register construction spec based on existing spec
* webui: entity facets in facet registry
* webui: entity menu items navigate to main entity facet
* webui: prefer entity fallback in menu item select
* webui: navigation: do not remember selected childs of menu item
* webui: navigation: unique names on entity facet menu items
* webui: metadata validator min and max value overrides
* webui: custom facet groups in a facet
* webui: facet groups widget
* webui: allow to replace facet tabs with sidebar
* webui: allow to hide facet tabs or sidebar
* webui: facet policies for all facets
* webui: stageuser plugin
* webui: extend user deleter dialog with --permanent and --preserve options
* webui: update stageuser/user pages based on action in diffrent user search page
* webui: stageusers, display page elements based on user state
* webui: prefer search facet's deleter dialog
* webui: fix empty table border in Firefox
* webui: option to not create user private group
* webui: add boostrap-datepicker files
* webui: datetime widget with datepicker
* git ignore ipaplatform/__init__.py
* server-find and server-show commands
* topology: ipa management commands
* webui: IPA.command_dialog - a new dialog base class
* webui: use command_dialog as a base class for password dialog
* webui: make usage of --all in details facet optional
* webui: topology plugin
* webui: configurable refresh command
* webui: don't log in back after logout
* topology: allow only one node to be specified in topologysegment-refresh
* topology: hide topologysuffix-add del mod commands
* move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX
* add entries required by topology plugin on update
* webui: make topology suffices UI readonly
* rename topologysegment_refresh to topologysegment_reinitialize
* disallow mod of topology segment nodes
* topology: restrict direction changes
* topology: fix swapped topologysegment-reinitialize behavior
* regenerate ACI.txt after stage user permission rename
* ipa-replica-manage: Do not allow topology altering commands from DL 1
* server: add "del" command
* ipa-replica-manage: adjust del to work with managed topology
* webui: adjust user deleter dialog to new api
* Become IPA 4.2.0 Alpha 1
* fix handling of ldap.LDAPError in installer
* add python-setuptools to requires
* fix force-sync, re-initialize of replica and a check for replication agreement existence
* topology: check topology in ipa-replica-manage del
* Verify replication topology for a suffix
* replication: fix regression in get_agreement_type
* ipa-replica-manage del: relax segment deletement check if topology is disconnected
* ipa-replica-manage del: add timeout to segment removal check
* topologysegment: hide direction and enable options
* topology: make cn of new segment consistent with topology plugin
* include more information in metadata
* webui: ListViewWidget
* webui: fix webui specific metadata
* webui: menu and navigation fixes
* webui: API browser
* webui: add mangedby tab to otptoken
* webui: certificate profiles
* webui: caacl
* webui: hide facet tab in certificate details facet
* move session_logout command to ipalib/plugins directory
* webui: cert-request improvements
* webui: show multiple cert
* webui: remove cert manipulation actions from host and service
* fix error message when certificate CN is invalid
* Become IPA 4.2.0

=== Petr Špaček (28) ===
* Fix zone name to directory name conversion in BINDMgr.
* Fix minimal version of BIND for Fedora 20 and 21
* Fix default value type for wait_for_dns option
* p11helper: standardize indentation and other visual aspects of the code
* p11helper: use sizeof() instead of magic constants
* p11helper: clarify error message
* Clarify messages related to adding DNS forwarders
* Grammar fix in 'Estimated time' messages printed by installer
* Clarify host name output in ipa-client-install
* Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
* DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.
* Bump run-time requires to SoftHSM 2.0.0rc1.
* Improve error messages about reverse address resolution in ipa-replica-prepare
* Clarify recommendation about --ip-address option in ipa-replica-prepapre
* Clarify error messages in ipa-replica-prepare: add_dns_records()
* Hide traceback in ipa-dnskeysyncd if kinit failed.
* Bump minimal BIND version for CentOS.
* Rate-limit while loop in SystemdService.is_active().
* Add hint how to re-run IPA upgrade.
* DNSSEC: Detect invalid master keys in LDAP.
* DNSSEC: Accept ipa-ods-exporter commands from command line.
* DNSSEC: ipa-ods-exporter: move zone synchronization into separate function
* DNSSEC: log ipa-ods-exporter file lock operations into debug log
* DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.
* DNSSEC: Improve ipa-ods-exporter log messages with key metadata.
* DNSSEC: Store time & date key metadata in UTC.
* DNSSEC: ipa-dns-install: Detect existing master server sooner.
* DNSSEC: Detect attempt to install & disable master at the same time.

=== Rob Crittenden (5) ===
* Search using proper scope when connecting CA instances
* Use NSS protocol range API to set available TLS protocols
* Add plugin to manage service constraint delegations
* Add ACI to allow hosts to add their own services
* Don't rely on positional arguments for python-kerberos calls

=== Simo Sorce (14) ===
* Add UTC date to GIT snapshot version generation
* Fix filtering of enctypes in server code.
* Add asn1c generated code for keytab controls
* Use asn1c helpers to encode/decode the getkeytab control
* Stop saving the master key in a stash file
* Avoid calling ldap functions without a context
* Remove the removal of the ccache
* Handle DAL ABI change in MIT 1.13
* Add a clear OpenSSL exception.
* Stop including the DES algorythm from openssl.
* Detect default encsalts kadmin password change
* Add compatibility function for older libkrb5
* Fix s4u2proxy README and add warning
* Replicas cannot define their own master password.

=== Sumit Bose (16) ===
* ipa-range-check: do not treat missing objects as error
* Add configure check for cwrap libraries
* extdom: handle ERANGE return code for getXXYYY_r() calls
* extdom: make nss buffer configurable
* extdom: return LDAP_NO_SUCH_OBJECT to the client
* extdom: fix memory leak
* extdom: add err_msg member to request context
* extdom: add add_err_msg() with test
* extdom: add selected error messages
* extdom: migrate check-based test to cmocka
* extdom: fix wrong realloc size
* extdom: add unit-test for get_user_grouplist()
* ipa-kdb: convert test to cmocka
* ipa-kdb: add unit-test for filter_logon_info()
* ipa-kdb: make string_to_sid() and dom_sid_string() more robust
* ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()

=== Thierry Bordaz (19) ===
* User Life Cycle: create containers and scoping DS plugins
* User Life Cycle: DNA scopes full SUFFIX
* Deadlock in schema compat plugin (between automember_update_membership task and dse update)
* User Life Cycle: Exclude subtree for ipaUniqueID generation
* User life cycle: stageuser-add verb
* User life cycle: allows MODRDN from ldap2
* User life cycle: new stageuser commands del/mod/find/show
* User life cycle: new stageuser commands activate
* User life cycle: new stageuser commands activate (provisioning)
* User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user
* User life cycle: user-find support finding delete users
* User life cycle: support of user-undel
* User life cycle: DNA DS plugin should exclude provisioning DIT
* User life cycle: Stage user Administrators permission/priviledge
* User life cycle: Add 'Stage User Provisioning' permission/priviledge
* Stage User: Fix permissions naming and split them where apropriate.
* Display the wrong attribute name when mandatory attribute is missing
* Limit deadlocks between DS plugin DNA and slapi-nis
* User life cycle: permission to delete a preserved user

=== Thorsten Scherf (4) ===
* pwpolicy-add: Added better error handling
* Add help string on how to configure multiple DNS forwards for various cli tools
* Removed recommendation from ipa-adtrust-install
* Changed in-tree development setup instructions

=== Tomáš Babej (52) ===
* Bump 4.2 development version to 4.1.99
* specfile: Add BuildRequires for pki-base 10.2.1-0
* Re-initialize NSS database after otptoken plugin tests
* certs: Fix incorrect flag handling in load_cacert
* hosts: Display assigned ID view by default in host-find and show commands
* ipatests: Increase required version for pytest-multihost plugin
* idviews: Complain if host is already assigned the ID View in idview-apply
* idviews: Ignore host or hostgroup options set to None
* ipatests: Invoke class install methods properly with respect to pytest-multihost
* ipatests: Set the correct number of required clients for IntegrationTest
* ipatests: Refactor and fix docstrings in integration pytest plugin
* baseldap: Handle missing parent objects properly in *-find commands
* spec: Add BuildRequires for python-pytest plugins
* ipatests: Make descriptions sorted according to the order of the tests
* ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView
* ipatests: Fix old command references in the ID views tests
* ipatests: Fix incorrect assumptions in idviews tests
* ipapython: Fix incorrect python shebangs
* ipatests: Add coverage for adding and removing sshpubkeys in ID overrides
* ipalib: Make sure correct attribute name is referenced for fax
* idviews: Use case-insensitive detection of Default Trust View
* Revert "Server Upgrade: respect --test option in plugins"
* replica-manage: Properly delete nested entries
* Add Domain Level feature
* idviews: Set dcerpc detection flag properly
* idviews: Allow users specify the raw anchor directly as identifier
* idviews: Remove ID overrides for permanently removed users and groups
* ipaplatform: Remove redundant definitions
* winsync-migrate: Add initial plumbing
* winsync-migrate: Add a way to find all winsync users
* migrate-winsync: Create user ID overrides in place of winsynced user entries
* migrate-winsync: Add option validation and handling
* winsync-migrate: Move the api initalization and LDAP connection to the main method
* dcerpc: Change logging level for debug information
* dcerpc: Add debugging message to failing kinit as http
* winsync-migrate: Require root privileges
* idviews: Do not abort the find & show commands on conversion errors
* winsync-migrate: Require explicit specification of the target server and validate existing agreement
* winsync-migrate: Delete winsync agreement prior to migration
* winsync-migrate: Rename to tool to achive consistency with other tools
* winsync-migrate: Move the tool under ipaserver.install package
* winsync-migrate: Include the tool parts in Makefile and friends
* idviews: Fallback to AD DC LDAP only if specifically allowed
* man: Add manpage for ipa-winsync-migrate
* winsync_migrate: Migrate memberships of the winsynced users
* winsync_migrate: Generalize membership migration
* l10n: Add configuration file for Zanata
* l10n: Update translation strings
* Hide topology and domainlevel features
* dcerpc: Raise ACIError correctly
* adtrustinstance: Enable and start oddjobd
* upgrade: Enable and start oddjobd if adtrust is available

--
Petr Vobornik

From simo at redhat.com Fri Jul 10 08:38:10 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 10 Jul 2015 04:38:10 -0400
Subject: [Freeipa-users] KRA? 4.2?
In-Reply-To: <559F1822.1090804@gmail.com>
References: <559F1822.1090804@gmail.com>
Message-ID: <1436517490.4097.49.camel@willson.usersys.redhat.com>

On Thu, 2015-07-09 at 17:56 -0700, Janelle wrote:
> Hello,
>
> I see 4.2 is released today with lots of cool new features. I think I
> understand the new Vault, but am not familiar with KRA? Wondering if
> there might be some information on what this is?

KRA is the name of the Dogtag project component that implements the
secure storage for the Vault feature.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jpazdziora at redhat.com Fri Jul 10 09:00:01 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Fri, 10 Jul 2015 11:00:01 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0
In-Reply-To: <559F81A3.3010708@redhat.com>
References: <559F81A3.3010708@redhat.com>
Message-ID: <20150710090001.GD4325@redhat.com>

On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
> The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
>
> It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
> for Fedora 22 and Fedora Rawhide will be available in the official COPR
> repository .

Are copr builds for RHEL 7 / CentOS 7 planned?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Fri Jul 10 12:40:58 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Fri, 10 Jul 2015 14:40:58 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0
In-Reply-To: <559F81A3.3010708@redhat.com>
References: <559F81A3.3010708@redhat.com>
Message-ID: <20150710124058.GB17047@redhat.com>

On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
> The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
>
> It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
> for Fedora 22 and Fedora Rawhide will be available in the official COPR
> repository .

Any ETA about the availability of the Fedora 22 bits? I can see

https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/

succeeded but when I try to install with that repo enabled on my
Fedora 22, I don't get the 4.2.0 packages.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From pvoborni at redhat.com Fri Jul 10 12:46:41 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 10 Jul 2015 14:46:41 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0
In-Reply-To: <20150710124058.GB17047@redhat.com>
References: <559F81A3.3010708@redhat.com> <20150710124058.GB17047@redhat.com>
Message-ID: <559FBEB1.8010800@redhat.com>

On 07/10/2015 02:40 PM, Jan Pazdziora wrote:
> On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
>> The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
>>
>> It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
>> for Fedora 22 and Fedora Rawhide will be available in the official COPR
>> repository .
>
> Any ETA about the availability of the Fedora 22 bits? I can see
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/
>
> succeeded but when I try to install with that repo enabled on my
> Fedora 22, I don't get the 4.2.0 packages.
>

I was able to install freeipa-server-4.2.0-0.fc22.x86_64 using the COPR
repository.

--
Petr Vobornik

From jpazdziora at redhat.com Fri Jul 10 12:55:59 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Fri, 10 Jul 2015 14:55:59 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0
In-Reply-To: <20150710124058.GB17047@redhat.com>
References: <559F81A3.3010708@redhat.com> <20150710124058.GB17047@redhat.com>
Message-ID: <20150710125558.GD17047@redhat.com>

On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote:
> On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
> > The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
> >
> > It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
> > for Fedora 22 and Fedora Rawhide will be available in the official COPR
> > repository .
>
> Any ETA about the availability of the Fedora 22 bits? I can see
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/
>
> succeeded but when I try to install with that repo enabled on my
> Fedora 22, I don't get the 4.2.0 packages.

Hmm, when I run

dnf install freeipa-server

the 4.1.4-4 from fedora updates repository gets put to the transaction.

When I specify

dnf install freeipa-server-4.2.0

I get

Error: nothing provides 389-ds-base >= 1.3.4.0 needed by freeipa-server-4.2.0-0.fc22.x86_64

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From ghilteras at gmail.com Fri Jul 10 03:59:11 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Thu, 9 Jul 2015 20:59:11 -0700
Subject: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues
Message-ID:

I have the exact same problem, have a windows AD that trusts IPA server
and an IPA client that connects to the IPA server via sssd. If I try to
ssh on the IPA client using an AD user it fails authentication. The same
happens if I try to su - ADuser.

Basically IPA server is not correctly proxying the requests to AD, I can
pull the info with getent, so I know the trust is working, but when I try
to authenticate it's always failing.

The relevant bits I found in the sssd logs suggests a problem contacting
the AD subdomain via kerberos

(Thu Jul 9 20:42:15 2015) [[sssd[krb5_child[12110]]]] [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.LOCAL"]

Is there manual customization that I am missing that I need to put on
krb5 or sssd.conf?

Angelo

> On 05/06/2015 12:14 AM, Nathan Peters wrote:
>>> From this link :
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb
>>
>>
>> The diagram in that section shows the client communicating with
>> FreeIPA and FreeIPA contacting AD.
>>
>> So why are you saying the client authenticates with the AD DC directly?
>
> You are looking at the older documentation. It is for RHEL6. Please use
> RHEL7.1 docs to get the latest info about 4.1 functionality.
>

Well according to the 7 docs here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html
it still shows in section 5.1.3.1 of that page that the sssd sends the
request on behalf of the client and the client never directly connects to
the AD dc. Both the 6 and 7 docs show the exact same diagram.

From pvoborni at redhat.com Fri Jul 10 14:09:45 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 10 Jul 2015 16:09:45 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0
In-Reply-To: <20150710125558.GD17047@redhat.com>
References: <559F81A3.3010708@redhat.com> <20150710124058.GB17047@redhat.com> <20150710125558.GD17047@redhat.com>
Message-ID: <559FD229.3090604@redhat.com>

On 07/10/2015 02:55 PM, Jan Pazdziora wrote:
> On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote:
>> On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
>>> The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
>>>
>>> It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
>>> for Fedora 22 and Fedora Rawhide will be available in the official COPR
>>> repository .
>>
>> Any ETA about the availability of the Fedora 22 bits? I can see
>>
>> https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/
>>
>> succeeded but when I try to install with that repo enabled on my
>> Fedora 22, I don't get the 4.2.0 packages.
>
> Hmm, when I run
>
> dnf install freeipa-server
>
> the 4.1.4-4 from fedora updates repository gets put to the transaction.
>
> When I specify
>
> dnf install freeipa-server-4.2.0
>
> I get
>
> Error: nothing provides 389-ds-base >= 1.3.4.0 needed by freeipa-server-4.2.0-0.fc22.x86_64
>

Some of the dependencies are still in updates-testing repository. They
have been added to the COPR repository. Now FreeIPA 4.2 could be
installed even with the updates-testing repo disabled. Sorry for your
inconvenience.

# dnf clean metadata
# dnf install freeipa-server --disablerepo=*testing
# rpm -q freeipa-server
freeipa-server-4.2.0-0.fc22.x86_64
...

--
Petr Vobornik

From karl.forner at gmail.com Fri Jul 10 14:19:55 2015
From: karl.forner at gmail.com (Karl Forner)
Date: Fri, 10 Jul 2015 16:19:55 +0200
Subject: [Freeipa-users] ipa client on ubuntu and sudo rules
Message-ID:

Hello,

I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to
work.
I then realized that I used ipa-client-install version 3.3.4.
Is this a plausible cause ?
And if so, where can I get a more recent version for ubuntu/debian ?

Thanks,
Karl

From natxo.asenjo at gmail.com Fri Jul 10 14:36:35 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 10 Jul 2015 16:36:35 +0200
Subject: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate
Message-ID:

hi,

earlier today I was reading a post about the new freeipa version on my
mobile device and got plenty of warnings about an invalid certificate.

On a fedora laptop no warnings, but this is the problem:

$ curl -LIv https://www.freeipa.org
* Rebuilt URL to: https://www.freeipa.org/
* Hostname was NOT found in DNS cache
* Trying 54.227.25.77...
* Connected to www.freeipa.org (54.227.25.77) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=www.freeipa.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
* start date: Jul 16 00:00:00 2014 GMT
* expire date: Jul 19 12:00:00 2016 GMT
* common name: www.freeipa.org
* issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

You need to add the intermediate digicert certificate, it seems.

Thanks!
--
regards,
natxo

--
--
Greetings,
natxo

From jhrozek at redhat.com Fri Jul 10 14:47:56 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 10 Jul 2015 16:47:56 +0200
Subject: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues
In-Reply-To:
References:
Message-ID: <20150710144756.GC10170@hendrix.redhat.com>

On Thu, Jul 09, 2015 at 08:59:11PM -0700, Angelo Pantano wrote:
> I have the exact same problem, have a windows AD that trusts IPA server and
> an IPA client that connect to the IPA server via sssd. If I try to ssh on
> the IPA client using an AD user it fails authentication. The same happens
> if I try to su - ADuser.
>
> Basically IPA server is not correctly proxying the requests to AD, I can
> pull the info with getent, so I know the trust is working,

Are you sure SSSD is not just returning records from cache? Do you have
full SSSD logs?

> but when I try
> to authenticate it's always failing.
>
> The relevant bits I found in the sssd logs suggests a problem contacting
> the AD subdomain via kerberos
>
> (Thu Jul 9 20:42:15 2015) [[sssd[krb5_child[12110]]]] [get_and_save_tgt]
> (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.LOCAL"]

The original poster had non-standard UPNs, so the users with those UPNs
were failing. Is that your case also or do all users fail like this?

From jpazdziora at redhat.com Fri Jul 10 14:51:06 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Fri, 10 Jul 2015 16:51:06 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0
In-Reply-To: <559FD229.3090604@redhat.com>
References: <559F81A3.3010708@redhat.com> <20150710124058.GB17047@redhat.com> <20150710125558.GD17047@redhat.com> <559FD229.3090604@redhat.com>
Message-ID: <20150710145106.GG17047@redhat.com>

On Fri, Jul 10, 2015 at 04:09:45PM +0200, Petr Vobornik wrote:
> Some of the dependencies are still in updates-testing repository. They have
> been added to the COPR repository.
>
> Now FreeIPA 4.2 could be installed even with the updates-testing repo
> disabled. Sorry for your inconvenience.

I confirm things work now, I'm able to install and setup FreeIPA 4.2
server on Fedora 22 with the copr repo.

Thank you!

Any plans for the RHEL/CentOS 7 copr repo?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From lslebodn at redhat.com Fri Jul 10 15:18:47 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 10 Jul 2015 17:18:47 +0200
Subject: [Freeipa-users] ipa client on ubuntu and sudo rules
In-Reply-To:
References:
Message-ID: <20150710151846.GE31272@mail.corp.redhat.com>

On (10/07/15 16:19), Karl Forner wrote:
>Hello,
>
>I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to
>work.
>I then realized that I used ipa-client-install version 3.3.4.
>Is this a plausible cause ?
>And if so, where can I get a more recent version for ubuntu/debian ?

Newer version of ipa-client configures sssd integration with sudo
by default. Please follow instructions from manual page sssd-sudo
and you should be able to configure it yourself.

Different versions of sssd require different configuration with
ipa provider. IIRC sssd > 1.10 has native ipa sudo provider so you needn't
configure sudo ldap provider with IPA. That's the reason why it's better
to follow instruction from man page sssd-sudo.

LS

From ellertalexandre at gmail.com Fri Jul 10 15:28:35 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Fri, 10 Jul 2015 17:28:35 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com>
Message-ID:

> On 30 June 2015 at 10:16, Alexandre Ellert wrote:
>
>
>> Could you please provide the content of logfile:
>> `/var/log/pki/pki-tomcat/ca/debug', around the time the error
>> occurs?
>>
>> Thanks,
>> Fraser
>
> When the pki-tomcatd service is trying to start, I see this message in /var/log/pki/pki-tomcat/ca/debug
>
> [30/Jun/2015:10:02:13][localhost-startStop-1]: ============================================
> [30/Jun/2015:10:02:13][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> [30/Jun/2015:10:02:13][localhost-startStop-1]: ============================================
> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
> [30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init
> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
> [30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> [30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown true
> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
> Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
>     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
>     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
>     at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine.shutdown()
> [30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
> [30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
>
> [30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
> [30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
>
> [30/Jun/2015:10:02:15][ajp-bio-127.0.0.1-8009-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
>
> I checked that ns-slapd was running on port 636
> # netstat -antp|grep 636
> tcp6 0 0 :::636 :::* LISTEN 22855/ns-slapd
>
> After a quick search, I found this bug https://fedorahosted.org/freeipa/ticket/4666 is quite similar.
> Many workarounds are suggested there but I'm confused about which could be efficient for me.
>

Up plz.

From pvoborni at redhat.com Fri Jul 10 15:35:26 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 10 Jul 2015 17:35:26 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0
In-Reply-To: <20150710145106.GG17047@redhat.com>
References: <559F81A3.3010708@redhat.com> <20150710124058.GB17047@redhat.com> <20150710125558.GD17047@redhat.com> <559FD229.3090604@redhat.com> <20150710145106.GG17047@redhat.com>
Message-ID: <559FE63E.1090500@redhat.com>

On 07/10/2015 04:51 PM, Jan Pazdziora wrote:
> On Fri, Jul 10, 2015 at 04:09:45PM +0200, Petr Vobornik wrote:
>> Some of the dependencies are still in updates-testing repository. They have
>> been added to the COPR repository.
>>
>> Now FreeIPA 4.2 could be installed even with the updates-testing repo
>> disabled. Sorry for your inconvenience.
>
> I confirm things work now, I'm able to install and setup FreeIPA 4.2
> server on Fedora 22 with the copr repo.
>
> Thank you!
>
> Any plans for the RHEL/CentOS 7 copr repo?
>

I'm sorry, I don't have a date for you yet. But as IPA 4.1 has Epel 7
COPR repo, IPA 4.2 will have it as well.
--
Petr Vobornik

From ghilteras at gmail.com Fri Jul 10 19:07:06 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Fri, 10 Jul 2015 12:07:06 -0700
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
Message-ID:

I have a freeipa server trusting an active directory domain, if I ssh to
the ipa server everything works, but if I try to ssh on an ipa client the
authentication fails.

I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:

failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND

Also in the logs I see:

log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name
ad.local (sitename NULL)

everything else works though, I can getent users and group just fine.

Can you please help me?

Angelo

From abokovoy at redhat.com Fri Jul 10 19:29:22 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jul 2015 22:29:22 +0300
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To:
References:
Message-ID: <20150710192922.GJ21928@redhat.com>

On Fri, 10 Jul 2015, Angelo Pantano wrote:
>I have a freeipa server trusting an active directory domain, if I ssh to
>the ipa server everything works, but if I try to ssh on an ipa client the
>authentication fails.
>
>I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>
>failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>
>Also in the logs I see:
>
>log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name
>ad.local (sitename NULL)
>
>everything else works though, I can getent users and group just fine.
>
>Can you please help me?

We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
on those platforms, SSSD is used to resolve users, not winbindd.
Winbindd is only used to manage forest topology.

--
/ Alexander Bokovoy

From ghilteras at gmail.com Fri Jul 10 19:42:43 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Fri, 10 Jul 2015 12:42:43 -0700
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To: <20150710192922.GJ21928@redhat.com>
References: <20150710192922.GJ21928@redhat.com>
Message-ID:

I am using sssd and from ipa clients the authentication is not working
(works fine if I ssh on the ipa-server). I thought it could be due to the
external groups being empty and not mapping the AD users.

Anyway this is the krb5.conf on the ipa client:

#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = IPA.TWEEK
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.TWEEK = {
  kdc = centos.ipa.tweek:88
  master_kdc = centos.ipa.tweek:88
  admin_server = centos.ipa.tweek:749
  default_domain = ipa.tweek
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
  auth_to_local = DEFAULT
 }
 AD.TWEEK = {
  kdc = centos.ipa.tweek:88
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .ipa.tweek = IPA.TWEEK
 ipa.tweek = IPA.TWEEK
 .ad.tweek = AD.TWEEK
 ad.tweek = AD.TWEEK


and this is the error I see in krb5_child.log

(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400): Will perform online auth
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.TWEEK]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0020): 996: [-1765328378][Client 'freeipa at AD.TWEEK' not found in Kerberos database]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error] (0x0020): 1065: [-1765328378][Client 'freeipa at AD.TWEEK' not found in Kerberos database]


also

# kinit freeipa at AD.TWEEK
kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial credentials

any idea what's the problem? It seems kerberos cannot find users in the AD
subdomain


this is my sssd.conf

[domain/ipa.tweek]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.tweek
id_provider = ipa
auth_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = someaddress_here
chpass_provider = ipa
ipa_server = _srv_, centos.ipa.tweek
dns_discovery_domain = ipa.tweek
cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
subdomains_provider = ipa
[sssd]
services = nss, pam, pac, ssh
config_file_version = 2
debud_level = 6
domains = ipa.tweek

On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy wrote:

> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>
>> I have a freeipa server trusting an active directory domain, if I ssh to
>> the ipa server everything works, but if I try to ssh on an ipa client the
>> authentication fails.
>>
>> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>>
>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>
>> Also in the logs I see:
>>
>> log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name
>> ad.local (sitename NULL)
>>
>> everything else works though, I can getent users and group just fine.
>>
>> Can you please help me?
>>
> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
> on those platforms, SSSD is used to resolve users, not winbindd.
> Winbindd is only used to manage forest topology.
>
>
>
> --
> / Alexander Bokovoy
>

From abokovoy at redhat.com Fri Jul 10 19:48:58 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jul 2015 22:48:58 +0300
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To:
References: <20150710192922.GJ21928@redhat.com>
Message-ID: <20150710194858.GK21928@redhat.com>

On Fri, 10 Jul 2015, Angelo Pantano wrote:
>and this is the error I see in krb5_child.log
>
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400):
>Will perform online auth
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>(0x0400): Attempting kinit for realm [AD.TWEEK]
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>(0x0020): 996: [-1765328378][Client 'freeipa at AD.TWEEK' not found in
>Kerberos database]
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error]
>(0x0020): 1065: [-1765328378][Client 'freeipa at AD.TWEEK' not found in
>Kerberos database]
>
>
>also
>
># kinit freeipa at AD.TWEEK
>kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial
>credentials
>
>any idea what's the problem? It seems kerberos cannot find users in the AD
>subdomain

Run

KRB5_TRACE=/dev/stderr kinit freeipa at AD.TWEEK

to see what Kerberos library tries to connect to. If AD.TWEEK is your
Active Directory's domain realm, then according to your krb5.conf it
should be discovered via SRV records and appropriate AD DC would be
contacted. This is first part to solve.

The rest (sssd output above) is due to SSSD not being able to find out
proper AD DC to talk to and thus talks to IPA DC which doesn't know this
principal and errors out.

>this is my sssd.conf
>
>[domain/ipa.tweek]
>debug_level = 6
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ipa.tweek
>id_provider = ipa
>auth_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>ipa_hostname = someaddress_here
>chpass_provider = ipa
>ipa_server = _srv_, centos.ipa.tweek
>dns_discovery_domain = ipa.tweek
>cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
^^ what is this?

>subdomains_provider = ipa

--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Jul 10 19:50:22 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jul 2015 22:50:22 +0300
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To:
References: <20150710192922.GJ21928@redhat.com>
Message-ID: <20150710195022.GL21928@redhat.com>

On Fri, 10 Jul 2015, Angelo Pantano wrote:
>I am using sssd and from ipa clients the authentication is not working
>(works fine if I ssh on the ipa-server). I thought it could be due to the
>external groups being empty and not mapping the AD users.
>
>Anyway this is the krb5.conf on the ipa client:
>
>#File modified by ipa-client-install
>
>includedir /var/lib/sss/pubconf/krb5.include.d/
>
>[libdefaults]
> default_realm = IPA.TWEEK
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
>[realms]
> IPA.TWEEK = {
>  kdc = centos.ipa.tweek:88
>  master_kdc = centos.ipa.tweek:88
>  admin_server = centos.ipa.tweek:749
>  default_domain = ipa.tweek
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>  auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
>  auth_to_local = DEFAULT
> }
> AD.TWEEK = {
>  kdc = centos.ipa.tweek:88
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
> }

Why did you override AD.TWEEK KDC to point to FreeIPA?

Remove AD.TWEEK stanza completely. You have 'dns_lookup_realm' and
'dns_lookup_kdc' to allow automatic discovery via DNS SRV records.

>
>[domain_realm]
> .ipa.tweek = IPA.TWEEK
> ipa.tweek = IPA.TWEEK
> .ad.tweek = AD.TWEEK
> ad.tweek = AD.TWEEK
>
>
>and this is the error I see in krb5_child.log
>
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400):
>Will perform online auth
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>(0x0400): Attempting kinit for realm [AD.TWEEK]
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>(0x0020): 996: [-1765328378][Client 'freeipa at AD.TWEEK' not found in
>Kerberos database]
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error]
>(0x0020): 1065: [-1765328378][Client 'freeipa at AD.TWEEK' not found in
>Kerberos database]
>
>
>also
>
># kinit freeipa at AD.TWEEK
>kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial
>credentials
>
>any idea what's the problem? It seems kerberos cannot find users in the AD
>subdomain
>
>
>this is my sssd.conf
>
>[domain/ipa.tweek]
>debug_level = 6
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ipa.tweek
>id_provider = ipa
>auth_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>ipa_hostname = someaddress_here
>chpass_provider = ipa
>ipa_server = _srv_, centos.ipa.tweek
>dns_discovery_domain = ipa.tweek
>cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
>subdomains_provider = ipa
>[sssd]
>services = nss, pam, pac, ssh
>config_file_version = 2
>debud_level = 6
>domains = ipa.tweek
>
>On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy
>wrote:
>
>> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>>
>>> I have a freeipa server trusting an active directory domain, if I ssh to
>>> the ipa server everything works, but if I try to ssh on an ipa client the
>>> authentication fails.
>>>
>>> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>>>
>>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>>
>>> Also in the logs I see:
>>>
>>> log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name
>>> ad.local (sitename NULL)
>>>
>>> everything else works though, I can getent users and group just fine.
>>>
>>> Can you please help me?
>>>
>> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
>> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
>> on those platforms, SSSD is used to resolve users, not winbindd.
>> Winbindd is only used to manage forest topology.
>>
>>
>>
>> --
>> / Alexander Bokovoy
>>

>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From orion at cora.nwra.com Fri Jul 10 20:33:11 2015
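Alexander Bokovoy's reply above asks why the AD.TWEEK stanza points at the FreeIPA KDC. The following added example (not part of the thread, and not FreeIPA or MIT Kerberos code) finds that pattern mechanically: a `kdc` entry whose host `[domain_realm]` assigns to a different realm. The function names are hypothetical, the parser covers only the krb5.conf syntax seen in the post, and the `[domain_realm]` matching is a simplification.

```python
"""Flag krb5.conf realm stanzas whose pinned KDC belongs to a different realm."""

# The hand-added stanza from the thread: the AD realm's KDC is the IPA server.
AD_STANZA = """\
 AD.TWEEK = {
  kdc = centos.ipa.tweek:88
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""

# Client krb5.conf as posted in the thread, abridged to the relevant settings.
THREAD_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = IPA.TWEEK
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 IPA.TWEEK = {
  kdc = centos.ipa.tweek:88
  master_kdc = centos.ipa.tweek:88
  admin_server = centos.ipa.tweek:749
  auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
  auth_to_local = DEFAULT
 }
""" + AD_STANZA + """
[domain_realm]
 .ipa.tweek = IPA.TWEEK
 ipa.tweek = IPA.TWEEK
 .ad.tweek = AD.TWEEK
 ad.tweek = AD.TWEEK
"""
WITHOUT_AD_STANZA = THREAD_KRB5_CONF.replace(AD_STANZA, "")


def parse_krb5_conf(text):
    """Parse [section] headers, 'key = value' pairs and 'name = { ... }' blocks.
    Values are kept as lists because keys such as kdc may repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1].strip(), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf


def realm_for_host(host, domain_realm):
    """Simplified [domain_realm] lookup: exact host entry first, then the
    longest '.domain' suffix entry. Returns None when nothing matches."""
    entries = {name.lower(): realms[0] for name, realms in domain_realm.items()}
    labels = host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((entries[c] for c in candidates if c in entries), None)


def srv_records(realm):
    """DNS SRV names used to locate a realm's KDCs when dns_lookup_kdc is on."""
    return [f"_kerberos._{proto}.{realm.lower()}" for proto in ("udp", "tcp")]


def lint_realms(text):
    """Return (realm, kdc_host, owning_realm, srv_discovery_enabled) for every
    kdc entry whose host [domain_realm] assigns to another realm."""
    conf = parse_krb5_conf(text)
    # An absent dns_lookup_kdc is treated as off here; library defaults are not modelled.
    lookup = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["false"])[-1]
    srv_enabled = lookup.lower() in ("true", "yes", "on", "1")
    findings = []
    for realm, stanza in conf.get("realms", {}).items():
        if not isinstance(stanza, dict):
            continue
        for kdc in stanza.get("kdc", []):
            host = kdc.rsplit(":", 1)[0]  # drop the port (IPv6 literals not handled)
            owner = realm_for_host(host, conf.get("domain_realm", {}))
            if owner and owner.upper() != realm.upper():
                findings.append((realm, host, owner, srv_enabled))
    return findings


if __name__ == "__main__":
    for realm, host, owner, srv in lint_realms(THREAD_KRB5_CONF):
        print(f"[realms] {realm}: kdc {host} is mapped to {owner} by [domain_realm]")
        if srv:
            print("  dns_lookup_kdc is on; without the stanza KDCs come from",
                  ", ".join(srv_records(realm)))
```

With the stanza removed the linter reports nothing, and KDC location for AD.TWEEK falls back to the SRV lookup the reply describes.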
From: orion at cora.nwra.com (Orion Poplawski)
Date: Fri, 10 Jul 2015 14:33:11 -0600
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <559D5E6F.5010902@cora.nwra.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com> <559D5E6F.5010902@cora.nwra.com>
Message-ID: <55A02C07.3090906@cora.nwra.com>

On 07/08/2015 11:31 AM, Orion Poplawski wrote:
> But then when I go to make a replica:
>
> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
> Directory Manager (existing master) password:
>
> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>
> Which looks like others are experiencing (with not resolution that I could
> see) https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html
>
> Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.
>

Filed https://fedorahosted.org/freeipa/ticket/5117

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                    orion at nwra.com
Boulder, CO 80301                     http://www.nwra.com

From ghilteras at gmail.com Fri Jul 10 20:29:22 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Fri, 10 Jul 2015 13:29:22 -0700
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To: <20150710195022.GL21928@redhat.com>
References: <20150710192922.GJ21928@redhat.com> <20150710195022.GL21928@redhat.com>
Message-ID:

I removed the stanza, but anyway I found one problem was the DNS. I needed
to setup the nameserver in resolv.conf with the ip of the ipa server. I can
kinit now but ssh is still failing, connection gets closed instead of
letting me in:

secure.log says:

Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano at ad.tweek
Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano at ad.tweek
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s: Can't contact LDAP server
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for apantano at ad.tweek from 10.61.205.107 port 61833 ssh2
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user apantano at ad.tweek by PAM account configuration [preauth]

That's odd in so many ways, I got both a failure from pam_unix and a
success from pam_sss...

On Fri, Jul 10, 2015 at 12:50 PM, Alexander Bokovoy wrote:

> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>
>> I am using sssd and from ipa clients the authentication is not working
>> (works fine if I ssh on the ipa-server). I thought it could be due to the
>> external groups being empty and not mapping the AD users.
>>
>> Anyway this is the krb5.conf on the ipa client:
>>
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>  default_realm = IPA.TWEEK
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  rdns = false
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>  udp_preference_limit = 0
>>  default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>>  IPA.TWEEK = {
>>   kdc = centos.ipa.tweek:88
>>   master_kdc = centos.ipa.tweek:88
>>   admin_server = centos.ipa.tweek:749
>>   default_domain = ipa.tweek
>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
>>   auth_to_local = DEFAULT
>>  }
>>  AD.TWEEK = {
>>   kdc = centos.ipa.tweek:88
>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>  }
>>
> Why did you override AD.TWEEK KDC to point to FreeIPA?
>
> Remove AD.TWEEK stanza completely. You have 'dns_lookup_realm' and
> 'dns_lookup_kdc' to allow automatic discovery via DNS SRV records.
>
>
>
>> [domain_realm]
>>  .ipa.tweek = IPA.TWEEK
>>  ipa.tweek = IPA.TWEEK
>>  .ad.tweek = AD.TWEEK
>>  ad.tweek = AD.TWEEK
>>
>>
>> and this is the error I see in krb5_child.log
>>
>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400):
>> Will perform online auth
>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>> (0x0400): Attempting kinit for realm [AD.TWEEK]
>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>> (0x0020): 996: [-1765328378][Client 'freeipa at AD.TWEEK' not found in
>> Kerberos database]
>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error]
>> (0x0020): 1065: [-1765328378][Client 'freeipa at AD.TWEEK' not found in
>> Kerberos database]
>>
>>
>> also
>>
>> # kinit freeipa at AD.TWEEK
>> kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial
>> credentials
>>
>> any idea what's the problem? It seems kerberos cannot find users in the AD
>> subdomain
>>
>>
>> this is my sssd.conf
>>
>> [domain/ipa.tweek]
>> debug_level = 6
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = ipa.tweek
>> id_provider = ipa
>> auth_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = someaddress_here
>> chpass_provider = ipa
>> ipa_server = _srv_, centos.ipa.tweek
>> dns_discovery_domain = ipa.tweek
>> cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
>> subdomains_provider = ipa
>> [sssd]
>> services = nss, pam, pac, ssh
>> config_file_version = 2
>> debud_level = 6
>> domains = ipa.tweek
>>
>> On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy
>> wrote:
>>
>> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>>>
>>> I have a freeipa server trusting an active directory domain, if I ssh to
>>>> the ipa server everything works, but if I try to ssh on an ipa client
>>>> the
>>>> authentication fails.
>>>>
>>>> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>>>>
>>>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>>>
>>>> Also in the logs I see:
>>>>
>>>> log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name
>>>> ad.local (sitename NULL)
>>>>
>>>> everything else works though, I can getent users and group just fine.
>>>>
>>>> Can you please help me?
>>>>
>>>> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
>>> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
>>> on those platforms, SSSD is used to resolve users, not winbindd.
>>> Winbindd is only used to manage forest topology.
>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> / Alexander Bokovoy
>

From abokovoy at redhat.com Fri Jul 10 21:04:13 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 11 Jul 2015 00:04:13 +0300
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To:
References: <20150710192922.GJ21928@redhat.com> <20150710195022.GL21928@redhat.com>
Message-ID: <20150710210413.GP21928@redhat.com>

On Fri, 10 Jul 2015, Angelo Pantano wrote:
>I removed the stanza, but anyway I found one problem was the DNS. I needed
>to setup the nameserver in resolv.conf with the ip of the ipa server. I can
>kinit now but ssh is still failing, connection gets closed instead of
>letting me in:
>
>secure.log says:
>
>Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth):
>authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>rhost=10.61.205.107 user=apantano at ad.tweek
>Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth):
>authentication success; logname= uid=0 euid=0 tty=ssh ruser=
>rhost=10.61.205.107 user=apantano at ad.tweek
>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s:
>Can't contact LDAP server
>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for
>apantano at ad.tweek from 10.61.205.107 port 61833 ssh2
>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user
>apantano at ad.tweek by PAM account configuration [preauth]
>
>That's odd in so many ways, I got both a failure from pam_unix and a
>success from pam_sss...
That's how it should be, it is a _stack_ of authentication modules.
pam_unix doesn't know anything beyond /etc/passwd and /etc/shadow.

I don't understand *why* do you have pam_ldap configured. You only need
pam_sss, remove pam_ldap, this is definitely not a default configuration.

--
/ Alexander Bokovoy

From ghilteras at gmail.com Fri Jul 10 21:11:37 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Fri, 10 Jul 2015 14:11:37 -0700
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To: <20150710210413.GP21928@redhat.com>
References: <20150710192922.GJ21928@redhat.com> <20150710195022.GL21928@redhat.com> <20150710210413.GP21928@redhat.com>
Message-ID:

I still had it because I am in the middle of a PoC for a migration, the
legacy used pam_ldap and if I just remove it not only the error does not go
away, but in the secure logs you also see this new error:

Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM adding faulty module: /lib64/security/pam_ldap.so

I even tried to invoke authconfig to force disable pam_ldap and enable only
sssd but instead it absurdly stops sssd and starts oddjobd in its place

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Fri Jul 10 21:31:22 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 11 Jul 2015 00:31:22 +0300
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To:
References: <20150710192922.GJ21928@redhat.com> <20150710195022.GL21928@redhat.com> <20150710210413.GP21928@redhat.com>
Message-ID: <20150710213122.GT21928@redhat.com>

On Fri, 10 Jul 2015, Angelo Pantano wrote:
>I still had it because I am in the middle of a PoC for a migration, the
>legacy used pam_ldap and if I just remove it not only the error does not go
>away, but in the secure logs you also see this new error:
>
>Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM unable to
>dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot
>open shared object file: No such file or directory
>Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM adding faulty module:
>/lib64/security/pam_ldap.so
You should just remove it from the PAM config files, not the pam_ldap.so.

From what I see, you broke default configuration and pam_ldap module
actually returns an error code that SSH interprets as a signal to deny
logon.

You may, of course, spend time fighting this but I don't really see a
benefit. If you need to authenticate/get identities from older LDAP
server, just configure a second domain in sssd.conf and use
'id_provider=ldap' there to point to your LDAP server.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Jul 10 21:35:05 2015
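Added example, not part of the thread and not FreeIPA, SSSD or Linux-PAM code: a read-only check that follows the advice above to take pam_ldap out of the PAM config files rather than only deleting pam_ldap.so. It lists lines that still reference a legacy module and lines whose shared object is absent, which is the "adding faulty module" case in the log. The sample stack, the scratch directories and all function names are constructed for this example.

```python
"""Read-only audit of PAM service files (added example, not project code)."""
import os
import re
import tempfile
from dataclasses import dataclass

# Controls that pull in another PAM file instead of naming a module.
NON_MODULE_CONTROLS = {"include", "substack"}

# <type> <control> <module> [args]; control is a keyword or a [k=v ...] list.
LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)

@dataclass
class Finding:
    service: str
    lineno: int
    pam_type: str
    module: str
    reason: str

def logical_lines(text):
    """Yield (first line number, text); comments dropped, backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf = ""
    if buf.strip():
        yield start, buf.strip()

def module_exists(module, module_dirs):
    """True if the shared object named on a PAM line is present on disk."""
    if os.path.isabs(module):
        return os.path.isfile(module)
    return any(os.path.isfile(os.path.join(d, module)) for d in module_dirs)

def audit_pam_text(service, text, module_dirs, legacy=()):
    """Return findings for the contents of one service file."""
    findings = []
    for lineno, line in logical_lines(text):
        m = LINE_RE.match(line)
        if not m or m["control"] in NON_MODULE_CONTROLS:
            continue
        pam_type, name = m["type"], os.path.basename(m["module"])
        if name in legacy:
            findings.append(Finding(service, lineno, pam_type, name,
                                    "legacy module still referenced"))
        if not module_exists(m["module"], module_dirs):
            # pam.conf(5): a leading '-' on the type suppresses the syslog message.
            reason = ("shared object missing; '-' prefix suppresses the log message"
                      if pam_type.startswith("-")
                      else "shared object missing; PAM logs it as a faulty module")
            findings.append(Finding(service, lineno, pam_type, name, reason))
    return findings

def audit_pam_dir(pam_dir, module_dirs, legacy=()):
    """Audit every regular file in a pam.d-style directory."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += audit_pam_text(name, fh.read(), module_dirs, legacy)
    return findings

# Constructed sample of a service file; not copied from the poster's host.
SAMPLE_SSHD = """\
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       sufficient   pam_sss.so use_first_pass
auth       sufficient   pam_ldap.so use_first_pass
account    required     pam_unix.so
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
-session   optional     pam_systemd.so
session    include      password-auth
"""

def demo():
    """Audit the sample through scratch directories in which pam_ldap.so is absent."""
    with tempfile.TemporaryDirectory() as root:
        pam_d, sec = os.path.join(root, "pam.d"), os.path.join(root, "security")
        os.makedirs(pam_d)
        os.makedirs(sec)
        for present in ("pam_env.so", "pam_unix.so", "pam_sss.so"):
            open(os.path.join(sec, present), "w").close()
        with open(os.path.join(pam_d, "sshd"), "w") as fh:
            fh.write(SAMPLE_SSHD)
        return audit_pam_dir(pam_d, [sec], legacy={"pam_ldap.so"})

if __name__ == "__main__":
    for f in demo():
        print(f"{f.service}:{f.lineno} [{f.pam_type}] {f.module}: {f.reason}")
```

On a real host the call would be `audit_pam_dir("/etc/pam.d", ["/lib64/security"], legacy={"pam_ldap.so"})`, using the module directory that appears in the log above.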
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 11 Jul 2015 00:35:05 +0300
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To:
References: <20150710192922.GJ21928@redhat.com> <20150710195022.GL21928@redhat.com> <20150710210413.GP21928@redhat.com>
Message-ID: <20150710213505.GU21928@redhat.com>

On Fri, 10 Jul 2015, Angelo Pantano wrote:
>ok I managed to fix it by running:
>
>yum remove pam_ldap; sed -i '/pam_ldap/d' /etc/pam.d/*
>
>Thanks for pointing me to the dns problem though, that was the real deal.
>Is there a way to setup ipa-client without messing up with resolv.conf?
>like disabling the discovery or using just a forwarder?
ipa-client-install doesn't override /etc/resolv.conf. It only reads
/etc/resolv.conf to understand what domains are served. If you have
working DNS setup that properly handles queries for IPA domain, that's
all you need.

--
/ Alexander Bokovoy

From ghilteras at gmail.com Fri Jul 10 21:26:25 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Fri, 10 Jul 2015 14:26:25 -0700
Subject: [Freeipa-users] wbinfo cannot pull Active Directory domain users
In-Reply-To:
References: <20150710192922.GJ21928@redhat.com> <20150710195022.GL21928@redhat.com> <20150710210413.GP21928@redhat.com>
Message-ID:

ok I managed to fix it by running:

yum remove pam_ldap; sed -i '/pam_ldap/d' /etc/pam.d/*

Thanks for pointing me to the dns problem though, that was the real deal.
Is there a way to setup ipa-client without messing up with resolv.conf?
like disabling the discovery or using just a forwarder?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From notify.sina at gmail.com Sun Jul 12 08:05:05 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Sun, 12 Jul 2015 09:05:05 +0100
Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
Message-ID:

Hi

I have several dns zones defined in IPA. I noticed recently that the
zone files are empty. I find this odd because I created them like the
example below.
Is it possible to force clients to auto-update reverse zones?

Thanks in advance!

How I created all the zones:

ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 --allow-sync-ptr=TRUE --dynamic-update
  Zone name: 0.14.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: services.ourdomain.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1436688202
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3000
  BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE

From Less at imagine-sw.com Mon Jul 13 09:11:09 2015
From: Less at imagine-sw.com (Les Stott)
Date: Mon, 13 Jul 2015 09:11:09 +0000
Subject: [Freeipa-users] freeipa and User Private Groups
Message-ID: <4ED173A868981548967B4FCA2707222628165C1D@AACMBXP04.exchserver.com>

Hi All,

Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64

So, by default, when you create a user in freeipa, That user will be set
to have a primary group that is hidden and not a POSIX group. This means
that when the user logs in to a host, they will see something like...

id: cannot find name for group ID

running the id command shows no name returned for this group.

I understand you can disable private groups globally, however it is
discouraged. I also realise you can simply create POSIX groups when
creating users.

In the spirit of trying to stick with the defaults....

Is there a way to avoid the login error where id can't retrieve the group
name from a UPG?

Thanks,

Les
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Mon Jul 13 10:20:05 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 13 Jul 2015 12:20:05 +0200
Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
In-Reply-To:
References:
Message-ID: <55A390D5.4050104@redhat.com>

On 12/07/15 10:05, Sina Owolabi wrote:
> Hi
>
> I have several dns zones defined in IPA. I noticed recently that the
> zone files are empty. I find this odd because I created them like the
> example below.
> Is it possible to force clients to auto-update reverse zones?
>
> Thanks in advance!
>
> How I created all the zones:
>
> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
> --allow-sync-ptr=TRUE --dynamic-update
> Zone name: 0.14.10.in-addr.arpa.
> Active zone: TRUE
> Authoritative nameserver: services.ourdomain.com.
> Administrator e-mail address: hostmaster
> SOA serial: 1436688202
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3000
> BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> Allow PTR sync: TRUE
>
Hello,

do you have --allow-sync-ptr=True configured in zones where the
particular A/AAAA records are?

SSSD is able to update records. Please check if "dyndns_update" is set
to true in sssd.conf. (man sssd-ipa)

--
Martin Basti

From karl.forner at gmail.com Mon Jul 13 12:49:00 2015
From: karl.forner at gmail.com (Karl Forner)
Date: Mon, 13 Jul 2015 14:49:00 +0200
Subject: [Freeipa-users] ipa client on ubuntu and sudo rules
In-Reply-To: <20150710151846.GE31272@mail.corp.redhat.com>
References: <20150710151846.GE31272@mail.corp.redhat.com>
Message-ID:

For reference: I could not make the sudo rules on ubuntu 12.04, I tried
many many things.
Worked like a charm on ubuntu 14.04: as simple as adding sudo to services
in [sssd] section of nsssd.conf.

On Fri, Jul 10, 2015 at 5:18 PM, Lukas Slebodnik wrote:

> On (10/07/15 16:19), Karl Forner wrote:
> >Hello,
> >
> >I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to
> >work.
> >I then realized that I used ipa-client-install version 3.3.4.
> >Is this a plausible cause ?
> >And if so, where can I get a more recent version for ubuntu/debian ?
> Newer version of ipa-client configures sssd integration with sudo by
> default.
> Please follow instructions from manual page sssd-sudo and you should be able
> to configure it yourself. Different version of sssd requires different
> configuration with ipa provider.
>
> IIRC sssd > 1.10 has native ipa sudo provider so you needn't to
> configure sudo ldap provider with IPA. That's the reason why it's better to
> follow instruction from man page sssd-sudo.
>
> LS
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From janellenicole80 at gmail.com Mon Jul 13 14:05:48 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 13 Jul 2015 07:05:48 -0700
Subject: [Freeipa-users] Primary certificates
Message-ID: <55A3C5BC.9020501@gmail.com>

Good morning,

I was wondering, I install my servers with the self-signed certs. Now my
management wants me to use official certificates. Is there an
easy/recommended way to swap out all the certificates on all the servers?
Especially with 16 servers, just trying to figure out if this is something
I could script with PSSH or similar in order to do them all at once. Does
it matter the order?

Thank you
~Janelle

From aebruno2 at buffalo.edu Mon Jul 13 14:46:19 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Mon, 13 Jul 2015 10:46:19 -0400
Subject: [Freeipa-users] ns-slapd high cpu usage
Message-ID: <20150713144619.GA15499@dead.ccr.buffalo.edu>

We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
389-ds 1.3.3.1-16.

Recently, the ns-slapd process on one of our replicas started showing higher
than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
constantly.

Seems very similar to this thread:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html

There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
sure if these are related):

[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]

access logs seem to be showing normal activity. Here's the number of open
connections:

# ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
62

Note: the other two replicas have much higher open connections (>250) and low
cpu load avgs.

Here's some output of logconv.pl from our most recent access log on the replica
with high cpu load:

Start of Logs:    13/Jul/2015:04:49:18
End of Logs:      13/Jul/2015:10:06:11

Processed Log Time:  5 Hours, 16 Minutes, 53 Seconds

Restarts:                     0
Total Connections:            2343
 - LDAP Connections:          2120
 - LDAPI Connections:         223
 - LDAPS Connections:         0
 - StartTLS Extended Ops:     45
 Secure Protocol Versions:
  - TLS1.2 128-bit AES - 45

Peak Concurrent Connections:  22
Total Operations:             111865
Total Results:                111034
Overall Performance:          99.3%

Searches:                     95585         (5.03/sec)  (301.64/min)
Modifications:                3369          (0.18/sec)  (10.63/min)
Adds:                         0             (0.00/sec)  (0.00/min)
Deletes:                      0             (0.00/sec)  (0.00/min)
Mod RDNs:                     0             (0.00/sec)  (0.00/min)
Compares:                     0             (0.00/sec)  (0.00/min)
Binds:                        7082          (0.37/sec)  (22.35/min)

Proxied Auth Operations:      0
Persistent Searches:          0
Internal Operations:          0
Entry Operations:             0
Extended Operations:          5317
Abandoned Requests:           416
Smart Referrals Received:     0

VLV Operations:               96
VLV Unindexed Searches:       0
VLV Unindexed Components:     32
SORT Operations:              64

Entire Search Base Queries:   0
Paged Searches:               3882
Unindexed Searches:           0
Unindexed Components:         5

FDs Taken:                    2566
FDs Returned:                 2643
Highest FD Taken:             249

Broken Pipes:                 0
Connections Reset By Peer:    0
Resource Unavailable:         0
Max BER Size Exceeded:        0

Binds:                        7082
Unbinds:                      2443
 - LDAP v2 Binds:             0
 - LDAP v3 Binds:             6859
 - AUTOBINDs:                 223
 - SSL Client Binds:          0
 - Failed SSL Client Binds:   0
 - SASL Binds:                6814
    GSSAPI - 6591
    EXTERNAL - 223
 - Directory Manager Binds:   0
 - Anonymous Binds:           6591
 - Other Binds:               491

strace timing on the ns-slapd process:

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 94.40    0.346659        5977        58           poll
  4.10    0.015057       15057         1           restart_syscall
  0.91    0.003353          57        59        59 getpeername
  0.49    0.001796         150        12           futex
  0.10    0.000364          73         5           read
------ ----------- ----------- --------- --------- ----------------
100.00    0.367229                   135        59 total

top output (with threads 'H'):

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
 2879 dirsrv    20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd
 2895 dirsrv    20   0 3819252 1.962g  11680 R 34.1  3.1 115:10.62 ns-slapd
 2889 dirsrv    20   0 3819252 1.962g  11680 R  2.4  3.1 115:34.42 ns-slapd
 2917 dirsrv    20   0 3819252 1.962g  11680 S  2.4  3.1 115:26.87 ns-slapd
 2898 dirsrv    20   0 3819252 1.962g  11680 S  2.1  3.1 116:33.12 ns-slapd
 2904 dirsrv    20   0 3819252 1.962g  11680 S  2.1  3.1 115:08.56 ns-slapd
 2892 dirsrv    20   0 3819252 1.962g  11680 S  1.8  3.1 115:33.04 ns-slapd
 2897 dirsrv    20   0 3819252 1.962g  11680 R  1.8  3.1 114:54.28 ns-slapd
 2914 dirsrv    20   0 3819252 1.962g  11680 R  1.8  3.1 116:03.35 ns-slapd
 2907 dirsrv    20   0 3819252 1.962g  11680 S  1.5  3.1 115:42.25 ns-slapd
 2910 dirsrv    20   0 3819252 1.962g  11680 R  1.5  3.1 116:01.99 ns-slapd
 2870 dirsrv    20   0 3819252 1.962g  11680 R  1.2  3.1 611:30.22 ns-slapd
 2890 dirsrv    20   0 3819252 1.962g  11680 S  1.2  3.1 115:18.25 ns-slapd
 2891 dirsrv    20   0 3819252 1.962g  11680 S  1.2  3.1 115:22.24 ns-slapd
 2899 dirsrv    20   0 3819252 1.962g  11680 R  1.2  3.1 116:11.85 ns-slapd
 2888 dirsrv    20   0 3819252 1.962g  11680 S  0.9  3.1 114:51.19 ns-slapd
 2896 dirsrv    20   0 3819252 1.962g  11680 R  0.9  3.1 115:46.84 ns-slapd
 2915 dirsrv    20   0 3819252 1.962g  11680 S  0.9  3.1 115:49.34 ns-slapd
 2887 dirsrv    20   0 3819252 1.962g  11680 R  0.6  3.1 115:49.85 ns-slapd
 2894 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 115:58.02 ns-slapd
 2911 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 116:22.84 ns-slapd
 2913 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 114:43.56 ns-slapd

ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
pointers on where else to look?

Thanks in advance.

--Andrew

From pspacek at redhat.com Mon Jul 13 14:53:18 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 13 Jul 2015 16:53:18 +0200
Subject: [Freeipa-users] DNS configuration for not resolving some addresses
In-Reply-To:
References: <20150708123231.GE3502@redhat.com> <559D32E0.6060405@redhat.com> <559D38B9.50705@redhat.com>
Message-ID: <55A3D0DE.30003@redhat.com>

On 8.7.2015 20:46, Karl Forner wrote:
> I forgot my main use case: I have name-based reverse proxies (SNI) for some
> web apps/services, that are accessible both from the internal and external
> network.
> They must be accessed with the exact same name/url, otherwise the dispatch
> can not work.
> Until now I manage this by manually editing all /etc/hosts on all internal
> computers, but I had hoped to benefit from the freeIPA DNS a more elegant
> solution.

Standard DNS cannot provide you with this, you need to hack it yourself. Sorry!

Petr Spacek @ Red Hat

> On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek wrote:
>
>> On 8.7.2015 16:32, Karl Forner wrote:
>>> Thanks Petr.
>>>
>>> My use case is: we have scripts that connect to some services, let's say a
>>> docker registry.
>>> I want these scripts to work either internally or externally, without
>>> changing the URLs.
>>> What would be the best or easiest setting to achieve this?
>>
>> Personally I use config file for this. I.e. the script is the same and URLs,
>> names, passwords, etc. are read from config file stored alongside the
>> script.
>>
>> This allows me to test it easily without any changes in DNS or system-wide
>> configuration like /etc/hosts.
>>
>> Yes, it requires more code, but in long-term it is way more debug-able than
>> DNS tricks.
>>
>> Petr^2 Spacek
>>
>>> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek wrote:
>>>
>>>> On 8.7.2015 15:07, Karl Forner wrote:
>>>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora wrote:
>>>>>
>>>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>>>
>>>>>>> When using my freeIPA DNS name server for my domain example.test, I need to
>>>>>>> exclude some names from the server (to be forwarded to the DNS forwarder
>>>>>>> for instance).
>>>>>>>
>>>>>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>>>>>> How could I implement this?
>>>>>>
>>>>>> That would mean you have two different nameservers authoritative for
>>>>>> the same DNS domain. That is generally not recommended setup.
>>>>>>
>>>>>
>>>>> Yes, that's what I read, but I do not know how to easily do differently.
>>>>> But in the end, what I'd like for my users, is to have foo.example.test
>>>>> resolved from the outside to my external server IP, and from the inside to
>>>>> the internal server IP.
>>>>
>>>> Such setup is generally not recommended because it is usually pain when it
>>>> comes to long-term operation and maintenance.
>>>>
>>>> http://www.freeipa.org/page/DNS#Caveats
>>>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>>>
>>>>
>>>> Two main use-cases are:
>>>>
>>>> a) Two or more different servers are using the same name and which server is
>>>> used depends on client's network.
>>>>
>>>> This is usually very cumbersome because DNS caching will play against you,
>>>> especially when we introduce system-wide cache into Fedora 23.
>>>>
>>>> It is also hard to manage and debug because you have to ask the same question
>>>> from different networks etc. And it will be harder when you deploy DNSSEC to
>>>> increase security...
>>>>
>>>> The typical recommendation is to use a sub-domain for internal names, e.g.
>>>> i.example.com for internal names and example.com for
>>>> externally-resolvable names.
>>>>
>>>>
>>>> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>>>>
>>>> Yes, it is as bad an idea as it sounds.
>>>>
>>>>
>>>>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>>>>> hostname, in domain with different authoritative DNS server?
>>>>>>
>>>>>
>>>>> Hmm yes that should work, thanks!
>>>>
>>>> Please keep in mind that it only hides the problem under yet another layer of
>>>> indirection.
>>>>
>>>>
>>>> Yes, it is always possible! We know it because it is written in
>>>> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
>>>> point (6) but you should take point (3) into account, too :-)
>>>>
>>>>
>>>> --
>>>> Petr^2 Spacek

From lkrispen at redhat.com Mon Jul 13 14:58:46 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 13 Jul 2015 16:58:46 +0200
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <20150713144619.GA15499@dead.ccr.buffalo.edu>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu>
Message-ID: <55A3D226.3070808@redhat.com>

can you get a pstack of the slapd process along with a top -H to find the
thread with high cpu usage

Ludwig

On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
> We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
> 389-ds 1.3.3.1-16.
>
> Recently, the ns-slapd process on one of our replicas started showing higher
> than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
> constantly.
>
> Seems very similar to this thread:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
>
> There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
> sure if these are related):
>
>
> [13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> [13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
> [13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
> [13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
> [13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> [13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
> [13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
> [13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
> [13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
> [13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>
>
> access logs seem to be showing normal activity. Here's the number of open
> connections:
>
> # ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
> 62
>
> Note: the other two replicas have much higher open connections (>250) and low
> cpu load avgs.
>
> Here's some output of logconv.pl from our most recent access log on the replica
> with high cpu load:
>
> Start of Logs:    13/Jul/2015:04:49:18
> End of Logs:      13/Jul/2015:10:06:11
>
> Processed Log Time:  5 Hours, 16 Minutes, 53 Seconds
>
> Restarts:                     0
> Total Connections:            2343
>  - LDAP Connections:          2120
>  - LDAPI Connections:         223
>  - LDAPS Connections:         0
>  - StartTLS Extended Ops:     45
>  Secure Protocol Versions:
>   - TLS1.2 128-bit AES - 45
>
> Peak Concurrent Connections:  22
> Total Operations:             111865
> Total Results:                111034
> Overall Performance:          99.3%
>
> Searches:                     95585         (5.03/sec)  (301.64/min)
> Modifications:                3369          (0.18/sec)  (10.63/min)
> Adds:                         0             (0.00/sec)  (0.00/min)
> Deletes:                      0             (0.00/sec)  (0.00/min)
> Mod RDNs:                     0             (0.00/sec)  (0.00/min)
> Compares:                     0             (0.00/sec)  (0.00/min)
> Binds:                        7082          (0.37/sec)  (22.35/min)
>
> Proxied Auth Operations:      0
> Persistent Searches:          0
> Internal Operations:          0
> Entry Operations:             0
> Extended Operations:          5317
> Abandoned Requests:           416
> Smart Referrals Received:     0
>
> VLV Operations:               96
> VLV Unindexed Searches:       0
> VLV Unindexed Components:     32
> SORT Operations:              64
>
> Entire Search Base Queries:   0
> Paged Searches:               3882
> Unindexed Searches:           0
> Unindexed Components:         5
>
> FDs Taken:                    2566
> FDs Returned:                 2643
> Highest FD Taken:             249
>
> Broken Pipes:                 0
> Connections Reset By Peer:    0
> Resource Unavailable:         0
> Max BER Size Exceeded:        0
>
> Binds:                        7082
> Unbinds:                      2443
>  - LDAP v2 Binds:             0
>  - LDAP v3 Binds:             6859
>  - AUTOBINDs:                 223
>  - SSL Client Binds:          0
>  - Failed SSL Client Binds:   0
>  - SASL Binds:                6814
>     GSSAPI - 6591
>     EXTERNAL - 223
>  - Directory Manager Binds:   0
>  - Anonymous Binds:           6591
>  - Other Binds:               491
>
>
>
>
> strace timing on the ns-slapd process:
>
>
> % time     seconds  usecs/call     calls    errors syscall
> ------ ----------- ----------- --------- --------- ----------------
>  94.40    0.346659        5977        58           poll
>   4.10    0.015057       15057         1           restart_syscall
>   0.91    0.003353          57        59        59 getpeername
>   0.49    0.001796         150        12           futex
>   0.10    0.000364          73         5           read
> ------ ----------- ----------- --------- --------- ----------------
> 100.00    0.367229                   135        59 total
>
>
> top output (with threads 'H'):
>
>   PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
>  2879 dirsrv    20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd
>  2895 dirsrv    20   0 3819252 1.962g  11680 R 34.1  3.1 115:10.62 ns-slapd
>  2889 dirsrv    20   0 3819252 1.962g  11680 R  2.4  3.1 115:34.42 ns-slapd
>  2917 dirsrv    20   0 3819252 1.962g  11680 S  2.4  3.1 115:26.87 ns-slapd
>  2898 dirsrv    20   0 3819252 1.962g  11680 S  2.1  3.1 116:33.12 ns-slapd
>  2904 dirsrv    20   0 3819252 1.962g  11680 S  2.1  3.1 115:08.56 ns-slapd
>  2892 dirsrv    20   0 3819252 1.962g  11680 S  1.8  3.1 115:33.04 ns-slapd
>  2897 dirsrv    20   0 3819252 1.962g  11680 R  1.8  3.1 114:54.28 ns-slapd
>  2914 dirsrv    20   0 3819252 1.962g  11680 R  1.8  3.1 116:03.35 ns-slapd
>  2907 dirsrv    20   0 3819252 1.962g  11680 S  1.5  3.1 115:42.25 ns-slapd
>  2910 dirsrv    20   0 3819252 1.962g  11680 R  1.5  3.1 116:01.99 ns-slapd
>  2870 dirsrv    20   0 3819252 1.962g  11680 R  1.2  3.1 611:30.22 ns-slapd
>  2890 dirsrv    20   0 3819252 1.962g  11680 S  1.2  3.1 115:18.25 ns-slapd
>  2891 dirsrv    20   0 3819252 1.962g  11680 S  1.2  3.1 115:22.24 ns-slapd
>  2899 dirsrv    20   0 3819252 1.962g  11680 R  1.2  3.1 116:11.85 ns-slapd
>  2888 dirsrv    20   0 3819252 1.962g  11680 S  0.9  3.1 114:51.19 ns-slapd
>  2896 dirsrv    20   0 3819252 1.962g  11680 R  0.9  3.1 115:46.84 ns-slapd
>  2915 dirsrv    20   0 3819252 1.962g  11680 S  0.9  3.1 115:49.34 ns-slapd
>  2887 dirsrv    20   0 3819252 1.962g  11680 R  0.6  3.1 115:49.85 ns-slapd
>  2894 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 115:58.02 ns-slapd
>  2911 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 116:22.84 ns-slapd
>  2913 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 114:43.56 ns-slapd
>
>
> ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
> pointers on where else to look?
>
> Thanks in advance.
>
> --Andrew
>

From aebruno2 at buffalo.edu Mon Jul 13 15:05:32 2015
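Added example, not part of any message in this thread: one way to do the correlation Ludwig Krispenz's reply asks for, matching the busiest rows of `top -H` to their `LWP` entries in a pstack/gdb thread dump. The three `top` rows are taken from the thread; the stack dump, its placeholder frame names, and the function names are this example's own assumptions.

```python
import re

# Three of the rows from the `top -H` output posted in the thread.
TOP_H = """\
  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
 2879 dirsrv    20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd
 2895 dirsrv    20   0 3819252 1.962g  11680 R 34.1  3.1 115:10.62 ns-slapd
 2889 dirsrv    20   0 3819252 1.962g  11680 R  2.4  3.1 115:34.42 ns-slapd
"""

# Constructed dump in gdb's "Thread N (Thread 0x... (LWP <tid>)):" layout.
# Addresses and frame names are placeholders, not real ns-slapd frames.
PSTACK = """\
Thread 3 (Thread 0x7f0000003700 (LWP 2895)):
#0  0x0000000000000001 in placeholder_wait () from /lib64/libexample.so
#1  0x0000000000000002 in placeholder_worker ()
Thread 2 (Thread 0x7f0000002700 (LWP 2879)):
#0  0x0000000000000003 in placeholder_busy_loop ()
#1  0x0000000000000004 in placeholder_housekeeping ()
#2  0x0000000000000005 in placeholder_thread_start ()
Thread 1 (Thread 0x7f0000001700 (LWP 2870)):
#0  0x0000000000000006 in placeholder_poll () from /lib64/libexample.so
"""

THREAD_HDR = re.compile(
    r"^Thread\s+\d+\s+\(Thread\s+0x[0-9a-fA-F]+\s+\(LWP\s+(\d+)\)\):")
FRAME = re.compile(r"^#\d+\s")


def cpu_seconds(time_plus):
    """Convert top's TIME+ field (minutes:seconds[.hundredths]) to seconds."""
    minutes, _, seconds = time_plus.partition(":")
    return int(minutes) * 60 + float(seconds)


def parse_top_threads(text):
    """Return one dict per thread row of `top -H` output."""
    rows, columns = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "PID":
            columns = fields          # header row names the columns
            continue
        if columns is None or len(fields) < len(columns) or not fields[0].isdigit():
            continue                  # summary lines or truncated rows
        row = dict(zip(columns, fields))
        rows.append({
            "tid": int(row["PID"]),   # with -H the PID column is the thread id
            "state": row["S"],
            "cpu": float(row["%CPU"]),
            "cpu_seconds": cpu_seconds(row["TIME+"]),
        })
    return rows


def parse_stacks(text):
    """Map LWP id -> list of frame lines from a pstack/gdb thread dump."""
    stacks, current = {}, None
    for line in text.splitlines():
        header = THREAD_HDR.match(line)
        if header:
            current = int(header.group(1))
            stacks[current] = []
        elif current is not None and FRAME.match(line):
            stacks[current].append(line.strip())
    return stacks


def hot_threads(top_text, stack_text, min_cpu=50.0):
    """Pair each thread at or above min_cpu with its stack.

    frames is None when the thread id is absent from the dump, which happens
    when the two captures were taken at different times and the thread exited.
    """
    stacks = parse_stacks(stack_text)
    hot = [t for t in parse_top_threads(top_text) if t["cpu"] >= min_cpu]
    hot.sort(key=lambda t: t["cpu"], reverse=True)
    return [dict(t, frames=stacks.get(t["tid"])) for t in hot]


if __name__ == "__main__":
    for t in hot_threads(TOP_H, PSTACK):
        print(f"LWP {t['tid']} state={t['state']} cpu={t['cpu']}% "
              f"cpu_time={t['cpu_seconds'] / 3600:.1f}h")
        for frame in t["frames"] or ["<not present in stack dump>"]:
            print("   ", frame)
```

Capture both outputs as close together as possible, since thread ids are only comparable while the process is still the same run.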
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Mon, 13 Jul 2015 11:05:32 -0400
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <55A3D226.3070808@redhat.com>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu> <55A3D226.3070808@redhat.com>
Message-ID: <20150713150532.GD15499@dead.ccr.buffalo.edu>

On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
> can you get a pstack of the slapd process along with a top -H to find the
> thread with high cpu usage

Attached is the full stacktrace of the running ns-slapd process. top -H shows
this thread (2879) with high cpu usage:

 2879 dirsrv    20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd

> On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
> >We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
> >389-ds 1.3.3.1-16.
> >
> >Recently, the ns-slapd process on one of our replicas started showing higher
> >than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
> >constantly.
> >
> >Seems very similar to this thread:
> >https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
> >
> >There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
> >sure if these are related):
> >
> >
> >[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
> >[13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
> >[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
> >[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
> >[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
> >[13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
> >[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
> >[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >
> >
> >access logs seem to be showing normal activity. Here's the number of open
> >connections:
> >
> ># ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
> >62
> >
> >Note: the other two replicas have much higher open connections (>250) and low
> >cpu load avgs.
> >
> >Here's some output of logconv.pl from our most recent access log on the replica
> >with high cpu load:
> >
> >Start of Logs:    13/Jul/2015:04:49:18
> >End of Logs:      13/Jul/2015:10:06:11
> >
> >Processed Log Time:  5 Hours, 16 Minutes, 53 Seconds
> >
> >Restarts:                     0
> >Total Connections:            2343
> > - LDAP Connections:          2120
> > - LDAPI Connections:         223
> > - LDAPS Connections:         0
> > - StartTLS Extended Ops:     45
> > Secure Protocol Versions:
> >  - TLS1.2 128-bit AES - 45
> >
> >Peak Concurrent Connections:  22
> >Total Operations:             111865
> >Total Results:                111034
> >Overall Performance:          99.3%
> >
> >Searches:                     95585         (5.03/sec)  (301.64/min)
> >Modifications:                3369          (0.18/sec)  (10.63/min)
> >Adds:                         0             (0.00/sec)  (0.00/min)
> >Deletes:                      0             (0.00/sec)  (0.00/min)
> >Mod RDNs:                     0             (0.00/sec)  (0.00/min)
> >Compares:                     0             (0.00/sec)  (0.00/min)
> >Binds:                        7082          (0.37/sec)  (22.35/min)
> >
> >Proxied Auth Operations:      0
> >Persistent Searches:          0
> >Internal Operations:          0
> >Entry Operations:             0
> >Extended Operations:          5317
> >Abandoned Requests:           416
> >Smart Referrals Received:     0
> >
> >VLV Operations:               96
> >VLV Unindexed Searches:       0
> >VLV Unindexed Components:     32
> >SORT Operations:              64
> >
> >Entire Search Base Queries:   0
> >Paged Searches:               3882
> >Unindexed Searches:           0
> >Unindexed Components:         5
> >
> >FDs Taken:                    2566
> >FDs Returned:                 2643
> >Highest FD Taken:             249
> >
> >Broken Pipes:                 0
> >Connections Reset By Peer:    0
> >Resource Unavailable:         0
> >Max BER Size Exceeded:        0
> >
> >Binds:                        7082
> >Unbinds:                      2443
> > - LDAP v2 Binds:             0
> > - LDAP v3 Binds:             6859
> > - AUTOBINDs:                 223
> > - SSL Client Binds:          0
> > - Failed SSL Client Binds:   0
> > - SASL Binds:                6814
> >    GSSAPI - 6591
> >    EXTERNAL - 223
> > - Directory Manager Binds:   0
> > - Anonymous Binds:           6591
> > - Other Binds:               491
> >
> >
> >
> >
> >strace timing on the ns-slapd process:
> >
> >
> >% time     seconds  usecs/call     calls    errors syscall
> >------ ----------- ----------- --------- --------- ----------------
> > 94.40    0.346659        5977        58           poll
> >  4.10    0.015057       15057         1           restart_syscall
> >  0.91    0.003353          57        59        59 getpeername
> >  0.49    0.001796         150        12           futex
> >  0.10    0.000364          73         5           read
> >------ ----------- ----------- --------- --------- ----------------
> >100.00    0.367229                   135        59 total
> >
> >
> >top output (with threads 'H'):
> >
> >  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
> > 2879 dirsrv    20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd
> > 2895 dirsrv    20   0 3819252 1.962g  11680 R 34.1  3.1 115:10.62 ns-slapd
> > 2889 dirsrv    20   0 3819252 1.962g  11680 R  2.4  3.1 115:34.42 ns-slapd
> > 2917 dirsrv    20   0 3819252 1.962g  11680 S  2.4  3.1 115:26.87 ns-slapd
> > 2898 dirsrv    20   0 3819252 1.962g  11680 S  2.1  3.1 116:33.12 ns-slapd
> > 2904 dirsrv    20   0 3819252 1.962g  11680 S  2.1  3.1 115:08.56 ns-slapd
> > 2892 dirsrv    20   0 3819252 1.962g  11680 S  1.8  3.1 115:33.04 ns-slapd
> > 2897 dirsrv    20   0 3819252 1.962g  11680 R  1.8  3.1 114:54.28 ns-slapd
> > 2914 dirsrv    20   0 3819252 1.962g  11680 R  1.8  3.1 116:03.35 ns-slapd
> > 2907 dirsrv    20   0 3819252 1.962g  11680 S  1.5  3.1 115:42.25 ns-slapd
> > 2910 dirsrv    20   0 3819252 1.962g  11680 R  1.5  3.1 116:01.99 ns-slapd
> > 2870 dirsrv    20   0 3819252 1.962g  11680 R  1.2  3.1 611:30.22 ns-slapd
> > 2890 dirsrv    20   0 3819252 1.962g  11680 S  1.2  3.1 115:18.25 ns-slapd
> > 2891 dirsrv    20   0 3819252 1.962g  11680 S  1.2  3.1 115:22.24 ns-slapd
> > 2899 dirsrv    20   0 3819252 1.962g  11680 R  1.2  3.1 116:11.85 ns-slapd
> > 2888 dirsrv    20   0 3819252 1.962g  11680 S  0.9  3.1 114:51.19 ns-slapd
> > 2896 dirsrv    20   0 3819252 1.962g  11680 R  0.9  3.1 115:46.84 ns-slapd
> > 2915 dirsrv    20   0 3819252 1.962g  11680 S  0.9  3.1 115:49.34 ns-slapd
> > 2887 dirsrv    20   0 3819252 1.962g  11680 R  0.6  3.1 115:49.85 ns-slapd
> > 2894 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 115:58.02 ns-slapd
> > 2911 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 116:22.84 ns-slapd
> > 2913 dirsrv    20   0 3819252 1.962g  11680 S  0.6  3.1 114:43.56 ns-slapd
> >
> >
> >ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
> >pointers on where else to look?
> >
> >Thanks in advance.
> >
> >--Andrew
> >
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-64.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/sbin/ns-slapd...Reading symbols from /usr/lib/debug/usr/sbin/ns-slapd.debug...done.
done.
Attaching to program: /usr/sbin/ns-slapd, process 2870
Reading symbols from /usr/lib64/dirsrv/libslapd.so.0...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/libslapd.so.0.0.0.debug...done.
done.
Loaded symbols for /lib64/libkrad.so.0 Reading symbols from /lib64/libverto.so.1...Reading symbols from /lib64/libverto.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libverto.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libipa_lockout.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_lockout.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_lockout.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_modrdn.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_modrdn.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_modrdn.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_counter.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_counter.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_otp_counter.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_range_check.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_range_check.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_range_check.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_uuid.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_uuid.so...(no debugging symbols found)...done. (no debugging symbols found)...done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_uuid.so Reading symbols from /lib64/libuuid.so.1...Reading symbols from /lib64/libuuid.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libuuid.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libipa_repl_version.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_repl_version.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_repl_version.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_winsync.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_winsync.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_winsync.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so Reading symbols from /usr/lib64/dirsrv/plugins/libback-ldbm.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libback-ldbm.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libback-ldbm.so Reading symbols from /usr/lib64/dirsrv/plugins/libreplication-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libreplication-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libreplication-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libmemberof-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libmemberof-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libmemberof-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so Reading symbols from /lib64/libpam.so.0...Reading symbols from /usr/lib/debug/usr/lib64/libpam.so.0.83.1.debug...done. done. Loaded symbols for /lib64/libpam.so.0 Reading symbols from /lib64/libaudit.so.1...Reading symbols from /lib64/libaudit.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libaudit.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libpassthru-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpassthru-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libpassthru-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libreferint-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libreferint-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libreferint-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libretrocl-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libretrocl-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libretrocl-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libroles-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libroles-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libroles-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/librootdn-access-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/librootdn-access-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/librootdn-access-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/schemacompat-plugin.so...Reading symbols from /usr/lib64/dirsrv/plugins/schemacompat-plugin.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/schemacompat-plugin.so Reading symbols from /lib64/libsss_nss_idmap.so.0...Reading symbols from /lib64/libsss_nss_idmap.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsss_nss_idmap.so.0 Reading symbols from /usr/lib64/dirsrv/plugins/libschemareload-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libschemareload-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libschemareload-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libstatechange-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libstatechange-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libstatechange-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libusn-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libusn-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libusn-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libviews-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libviews-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libviews-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libwhoami-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libwhoami-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libwhoami-plugin.so Reading symbols from /lib64/libsoftokn3.so...Reading symbols from /lib64/libsoftokn3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsoftokn3.so Reading symbols from /lib64/libsqlite3.so.0...Reading symbols from /lib64/libsqlite3.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsqlite3.so.0 Reading symbols from /lib64/libfreeblpriv3.so...Reading symbols from /lib64/libfreeblpriv3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libfreeblpriv3.so Reading symbols from /lib64/libnssdbm3.so...Reading symbols from /lib64/libnssdbm3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libnssdbm3.so Reading symbols from /lib64/libnss_sss.so.2...Reading symbols from /lib64/libnss_sss.so.2...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libnss_sss.so.2 Reading symbols from /usr/lib64/krb5/plugins/preauth/pkinit.so...Reading symbols from /usr/lib/debug/usr/lib64/krb5/plugins/preauth/pkinit.so.debug...done. done. 
__lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135 135 2: movl %edx, %eax Thread 47 (Thread 0x7f0d92bfb700 (LWP 2872)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals.
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=100) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 38235} #2 0x00007f0d96dd0507 in deadlock_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4511 rval = priv = 0x7f0da487d410 li = interval = #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4b0d230) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4b0d230 detached = 1 id = 139696273340160 tid = 2872 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d92bfb700) at pthread_create.c:308 __res = pd = 0x7f0d92bfb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696273340160, -1088326907459832651, 0, 139696273340864, 139696273340160, 1, 1080398881526346933, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 46 (Thread 0x7f0d923fa700 (LWP 2873)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=250) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 101561} #2 0x00007f0d96dd45d6 in checkpoint_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4720 time_of_last_checkpoint_completion = 1436794054 interval = rval = priv = li = debug_checkpointing = 0 checkpoint_interval = home_dir = list = 0x0 listp = penv = 0x7f0da4a7b730 time_of_last_comapctdb_completion = 1434571369 compactdb_interval = 2592000 txn = {back_txn_txn = 0x0} #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4b0ce70) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4b0ce70 detached = 1 id = 139696264947456 tid = 2873 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d923fa700) at pthread_create.c:308 __res = pd = 0x7f0d923fa700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696264947456, -1088326907459832651, 0, 139696264948160, 139696264947456, 1, 1080397780404106421, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 45 (Thread 0x7f0d91bf9700 (LWP 2874)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=250) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 213502} #2 0x00007f0d96dd077f in trickle_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4937 interval = 250 rval = priv = 0x7f0da487d410 li = debug_checkpointing = 0 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4acec10) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4acec10 detached = 1 id = 139696256554752 tid = 2874 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d91bf9700) at pthread_create.c:308 __res = pd = 0x7f0d91bf9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696256554752, -1088326907459832651, 0, 139696256555456, 139696256554752, 1, 1080405477522371765, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 44 (Thread 0x7f0d913f8700 (LWP 2875)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 900907} #2 0x00007f0d96e22d54 in perfctrs_wait (milliseconds=milliseconds at entry=1000, priv=, db_env=) at ldap/servers/slapd/back-ldbm/perfctrs.c:277 interval = #3 0x00007f0d96dcb437 in perf_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4011 priv = 0x7f0da487d410 li = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4ad0e60) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4ad0e60 detached = 1 id = 139696248162048 tid = 2875 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d913f8700) at pthread_create.c:308 __res = pd = 0x7f0d913f8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696248162048, -1088326907459832651, 0, 139696248162752, 139696248162048, 1, 1080404380695098549, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 43 (Thread 0x7f0d909ee700 (LWP 2877)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. #1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=cvar at entry=0x7f0da65bf0d0, timeout=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da64f0e60 #2 0x00007f0da2ce2fa8 in slapi_wait_condvar (cvar=0x7f0da65bf0d0, timeout=timeout at entry=0x0) at ldap/servers/slapd/slapi2nspr.c:179 prit = #3 0x00007f0d994f164e in cos_cache_wait_on_change (arg=) at ldap/servers/plugins/cos/cos_cache.c:436 No locals. 
#4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da64f0e60) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da64f0e60 detached = 1 id = 139696237635328 tid = 2877 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d909ee700) at pthread_create.c:308 __res = pd = 0x7f0d909ee700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696237635328, -1088326907459832651, 0, 139696237636032, 139696237635328, 1, 1080403542102734005, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 42 (Thread 0x7f0da3004700 (LWP 2878)): #0 pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238 No locals. #1 0x00007f0da10b0b07 in pt_TimedWait (cv=cv at entry=0x7f0da4a26558, ml=0x7f0da6324e70, timeout=timeout at entry=300000) at ../../../nspr/pr/src/pthreads/ptsynch.c:264 rv = now = {tv_sec = 1436794076, tv_usec = 441814} tmo = {tv_sec = 1436794376, tv_nsec = 441814000} ticks = #2 0x00007f0da10b0fce in PR_WaitCondVar (cvar=0x7f0da4a26550, timeout=300000) at ../../../nspr/pr/src/pthreads/ptsynch.c:387 rv = thred = 0x7f0da6513050 #3 0x00007f0d96b2df74 in _cl5TrimMain (param=) at ldap/servers/plugins/replication/cl5_api.c:3466 timePrev = 1436794076 timeCompactPrev = 1434571375 timeNow = 1436794076 #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da6513050) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da6513050 detached = 1 id = 139696546006784 tid = 2878 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0da3004700) at pthread_create.c:308 __res = pd = 0x7f0da3004700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696546006784, -1088326907459832651, 0, 139696546007488, 139696546006784, 1, 1080365221330777269, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 41 (Thread 0x7f0d8bfff700 (LWP 2879)): #0 0x00007f0da2c728a8 in slapi_ch_free (ptr=ptr at entry=0x7f0d8000c538) at ldap/servers/slapd/ch_malloc.c:373 No locals. #1 0x00007f0da2c7a9d9 in slapi_sdn_done (sdn=0x7f0d8000c530) at ldap/servers/slapd/dn.c:2332 No locals. #2 0x00007f0da2c7b02a in slapi_sdn_free (sdn=sdn at entry=0x7f0d8bffece8) at ldap/servers/slapd/dn.c:2352 is_allocated = 1 #3 0x00007f0da2cb3d7b in operation_parameters_done (sop=0x7f0d8bffecd0) at ldap/servers/slapd/operation.c:557 No locals. #4 0x00007f0d96b461ad in send_updates (num_changes_sent=0x7f0d8bffec60, remote_update_vector=, prp=0x7f0da651a450) at ldap/servers/plugins/replication/repl5_inc_protocol.c:1721 finished = 0 replay_crc = csn_str = "559baca7004700050000" return_value = 203 rd = 0x7f0d8000c6f0 entry = {op = 0x7f0d8bffecd0, time = 1436265603} op = {operation_type = 8, target_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x7f0d8000c530}, csn = 0x7f0d8002e5c0, request_controls = 0x0, p = {p_add = {target_entry = 0x7f0d80028cf0, parentuniqueid = 0x0}, p_bind = {bind_method = -2147316496, bind_creds = 0x0, bind_saslmechanism = 0x0, bind_ret_saslcreds = 0x0}, p_compare = {compare_ava = {ava_type = 0x7f0d80028cf0 "", ava_value = {bv_len = 0, bv_val = 0x0}, ava_private = 0x0}}, p_modify = {modify_mods = 0x7f0d80028cf0}, p_modrdn = {modrdn_newrdn = 0x7f0d80028cf0 "", modrdn_deloldrdn = 0, modrdn_newsuperior_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, modrdn_mods = 0x0}, p_search = {search_scope = -2147316496, search_deref = 32525, search_sizelimit = 0, search_timelimit = 0, search_filter = 0x0, search_strfilter = 0x0, search_attrs = 0x0, search_attrsonly = 0, search_is_and = 0, search_gerattrs = 0x0}, p_abandon = {abandon_targetmsgid = -2147316496}, p_extended = {exop_oid = 0x7f0d80028cf0 "", 
exop_value = 0x0}}} rc = changelog_iterator = 0x7f0d8002ec80 message_id = 0 #5 repl5_inc_run (prp=) at ldap/servers/plugins/replication/repl5_inc_protocol.c:1073 rc = prp_priv = replica = 0x0 cons_schema_csn = 0x7f0d8002e9c0 ruv = 0x7f0d8002b500 num_changes_sent = 0 use_busy_backoff_timer = next_fire_time = now = 1436751442 busywaittime = 3 pausetime = 0 loops = wait_change_timer_set = current_state = next_state = optype = 5 ldaprc = 0 done = 0 e1 = #6 0x00007f0d96b4b3bc in prot_thread_main (arg=0x7f0da6338a90) at ldap/servers/plugins/replication/repl5_protocol.c:296 rp = 0x7f0da6338a90 done = 0 agmt = 0x7f0da65a5de0 #7 0x00007f0da10b67bb in _pt_root (arg=0x7f0da63261b0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da63261b0 detached = 0 id = 139696160110336 tid = 2879 #8 0x00007f0da0a57df5 in start_thread (arg=0x7f0d8bfff700) at pthread_create.c:308 __res = pd = 0x7f0d8bfff700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696160110336, -1088326907459832651, 0, 139696160111040, 139696160110336, 1, 1080419220343977141, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #9 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 40 (Thread 0x7f0d8b7fe700 (LWP 2880)): #0 pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238 No locals. 
#1 0x00007f0da10b0b07 in pt_TimedWait (cv=cv at entry=0x7f0da64fc9f8, ml=0x7f0da64dcc50, timeout=timeout at entry=300000) at ../../../nspr/pr/src/pthreads/ptsynch.c:264 rv = now = {tv_sec = 1436794009, tv_usec = 859283} tmo = {tv_sec = 1436794309, tv_nsec = 859283000} ticks = #2 0x00007f0da10b0fce in PR_WaitCondVar (cvar=0x7f0da64fc9f0, timeout=timeout at entry=300000) at ../../../nspr/pr/src/pthreads/ptsynch.c:387 rv = thred = 0x7f0da65c0980 #3 0x00007f0d96b44324 in protocol_sleep (prp=prp at entry=0x7f0da64dc920, duration=300000) at ldap/servers/plugins/replication/repl5_inc_protocol.c:1236 No locals. #4 0x00007f0d96b47526 in repl5_inc_run (prp=) at ldap/servers/plugins/replication/repl5_inc_protocol.c:797 rc = prp_priv = replica = 0x0 cons_schema_csn = 0x7f0d78052730 ruv = 0x0 num_changes_sent = 0 use_busy_backoff_timer = next_fire_time = now = 1435778665 busywaittime = 0 pausetime = 0 loops = wait_change_timer_set = 1 current_state = 2 next_state = 2 optype = 5 ldaprc = 0 done = 0 e1 = #5 0x00007f0d96b4b3bc in prot_thread_main (arg=0x7f0da64fcb00) at ldap/servers/plugins/replication/repl5_protocol.c:296 rp = 0x7f0da64fcb00 done = 0 agmt = 0x7f0da64ee990 #6 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65c0980) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65c0980 detached = 0 id = 139696151717632 tid = 2880 #7 0x00007f0da0a57df5 in start_thread (arg=0x7f0d8b7fe700) at pthread_create.c:308 __res = pd = 0x7f0d8b7fe700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696151717632, -1088326907459832651, 0, 139696151718336, 139696151717632, 1, 1080418119221736629, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #8 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. 
Thread 39 (Thread 0x7f0d8a7d1700 (LWP 2881)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. #1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=cvar at entry=0x7f0da64db1d0, timeout=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da64f4490 #2 0x00007f0da2ce2fa8 in slapi_wait_condvar (cvar=0x7f0da64db1d0, timeout=timeout at entry=0x0) at ldap/servers/slapd/slapi2nspr.c:179 prit = #3 0x00007f0d95472edd in roles_cache_wait_on_change (arg=0x7f0da64dbd40) at ldap/servers/plugins/roles/roles_cache.c:433 roles_def = 0x7f0da64dbd40 #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da64f4490) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da64f4490 detached = 1 id = 139696134756096 tid = 2881 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d8a7d1700) at pthread_create.c:308 __res = pd = 0x7f0d8a7d1700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696134756096, -1088326907459832651, 0, 139696134756800, 139696134756096, 1, 1080415909997933749, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 38 (Thread 0x7f0d89fd0700 (LWP 2882)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=cvar at entry=0x7f0da64fb090, timeout=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65b0b90 #2 0x00007f0da2ce2fa8 in slapi_wait_condvar (cvar=0x7f0da64fb090, timeout=timeout at entry=0x0) at ldap/servers/slapd/slapi2nspr.c:179 prit = #3 0x00007f0d95472edd in roles_cache_wait_on_change (arg=0x7f0da61dab80) at ldap/servers/plugins/roles/roles_cache.c:433 roles_def = 0x7f0da61dab80 #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65b0b90) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65b0b90 detached = 1 id = 139696126363392 tid = 2882 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d89fd0700) at pthread_create.c:308 __res = pd = 0x7f0d89fd0700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696126363392, -1088326907459832651, 0, 139696126364096, 139696126363392, 1, 1080423592083813557, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 37 (Thread 0x7f0d897cf700 (LWP 2883)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3170 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d6a7fbae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d6a7fbae0 conn = 0x7f0d8853ac90 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3170) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3170 detached = 1 id = 139695598061312 tid = 2897 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d6a7fc700) at pthread_create.c:308 __res = pd = 0x7f0d6a7fc700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695598061312, -1088326907459832651, 0, 139695598062016, 139695598061312, 1, 1080767767140594869, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 24 (Thread 0x7f0d69ffb700 (LWP 2898)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3460 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d69ffaae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d69ffaae0 conn = 0x7f0d8853b470 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3460) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3460 detached = 1 id = 139695589668608 tid = 2898 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d69ffb700) at pthread_create.c:308 __res = pd = 0x7f0d69ffb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695589668608, -1088326907459832651, 0, 139695589669312, 139695589668608, 1, 1080775464258860213, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 23 (Thread 0x7f0d697fa700 (LWP 2899)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3750 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d697f9ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d697f9ae0 conn = 0x7f0d8853b470 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3750) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3750 detached = 1 id = 139695581275904 tid = 2899 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d697fa700) at pthread_create.c:308 __res = pd = 0x7f0d697fa700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695581275904, -1088326907459832651, 0, 139695581276608, 139695581275904, 1, 1080774363136619701, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 22 (Thread 0x7f0d68ff9700 (LWP 2900)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3a40 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d68ff8ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d68ff8ae0 conn = 0x7f0d8853ac90 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3a40) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3a40 detached = 1 id = 139695572883200 tid = 2900 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d68ff9700) at pthread_create.c:308 __res = pd = 0x7f0d68ff9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695572883200, -1088326907459832651, 0, 139695572883904, 139695572883200, 1, 1080773264161862837, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 21 (Thread 0x7f0d687f8700 (LWP 2901)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3d30 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d687f7ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d687f7ae0 conn = 0x7f0d8853dd20 op = tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3d30) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3d30 detached = 1 id = 139695564490496 tid = 2901 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d687f8700) at pthread_create.c:308 __res = pd = 0x7f0d687f8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695564490496, -1088326907459832651, 0, 139695564491200, 139695564490496, 1, 1080772167334589621, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 20 (Thread 0x7f0d67ff7700 (LWP 2902)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f4020 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d67ff6ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d67ff6ae0 conn = 0x7f0d8853b470 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f4020) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f4020 detached = 1 id = 139695556097792 tid = 2902 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d67ff7700) at pthread_create.c:308 __res = pd = 0x7f0d67ff7700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695556097792, -1088326907459832651, 0, 139695556098496, 139695556097792, 1, 1080779864452854965, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 19 (Thread 0x7f0d677f6700 (LWP 2903)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f4310 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d677f5ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6360 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d61feaae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d61feaae0 conn = 0x7f0d8853ac90 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6360) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6360 detached = 1 id = 139695455385344 tid = 2914 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d61feb700) at pthread_create.c:308 __res = pd = 0x7f0d61feb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695455385344, -1088326907459832651, 0, 139695455386048, 139695455385344, 1, 1080793047854970037, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 7 (Thread 0x7f0d617ea700 (LWP 2915)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6650 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d617e9ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d617e9ae0 conn = 0x7f0d8853d2a0 op = tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6650) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6650 detached = 1 id = 139695446992640 tid = 2915 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d617ea700) at pthread_create.c:308 __res = pd = 0x7f0d617ea700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695446992640, -1088326907459832651, 0, 139695446993344, 139695446992640, 1, 1080791946732729525, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 6 (Thread 0x7f0d60fe9700 (LWP 2916)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6940 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d60fe8ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d60fe8ae0 conn = 0x7f0d8853dd20 op = tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6940) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6940 detached = 1 id = 139695438599936 tid = 2916 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d60fe9700) at pthread_create.c:308 __res = pd = 0x7f0d60fe9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695438599936, -1088326907459832651, 0, 139695438600640, 139695438599936, 1, 1080790847757972661, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 5 (Thread 0x7f0d607e8700 (LWP 2917)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6c30 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d607e7ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d607e7ae0 conn = 0x7f0d8853f610 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6c30) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6c30 detached = 1 id = 139695430207232 tid = 2917 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d607e8700) at pthread_create.c:308 __res = pd = 0x7f0d607e8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695430207232, -1088326907459832651, 0, 139695430207936, 139695430207232, 1, 1080789750930699445, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 4 (Thread 0x7f0d5ffe7700 (LWP 2918)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=1000) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 47488} #2 0x00007f0da31912d5 in time_thread (nothing=) at ldap/servers/slapd/daemon.c:474 interval = 1000 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6f20) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6f20 detached = 0 id = 139695421814528 tid = 2918 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5ffe7700) at pthread_create.c:308 __res = pd = 0x7f0d5ffe7700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695421814528, -1088326907459832651, 0, 139695421815232, 139695421814528, 1, 1080797448048964789, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 3 (Thread 0x7f0d5f7e6700 (LWP 2965)): #0 pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238 No locals. 
#1 0x00007f0da10b0b07 in pt_TimedWait (cv=cv at entry=0x7f0da6326eb8, ml=0x7f0da65009f0, timeout=timeout at entry=1000) at ../../../nspr/pr/src/pthreads/ptsynch.c:264 rv = now = {tv_sec = 1436794080, tv_usec = 329798} tmo = {tv_sec = 1436794081, tv_nsec = 329798000} ticks = #2 0x00007f0da10b0fce in PR_WaitCondVar (cvar=0x7f0da6326eb0, timeout=1000) at ../../../nspr/pr/src/pthreads/ptsynch.c:387 rv = thred = 0x7f0cf0009ff0 #3 0x00007f0d992e6374 in sync_send_results (arg=) at ldap/servers/plugins/sync/sync_persist.c:602 req = 0x7f0cf00027b0 qnode = 0x0 qnodenext = conn_acq_flag = 0 conn = 0x7f0d885337c0 op = 0x7f0da62ed750 rc = connid = 18 opid = 0 #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0cf0009ff0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0cf0009ff0 detached = 1 id = 139695413421824 tid = 2965 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5f7e6700) at pthread_create.c:308 __res = pd = 0x7f0d5f7e6700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695413421824, -1088326907459832651, 0, 139695413422528, 139695413421824, 1, 1080796346926724277, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 2 (Thread 0x7f0d5dfe4700 (LWP 32409)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 850121} #2 0x00007f0d96b44787 in repl5_inc_result_threadmain (param=0x7f0d8000c6f0) at ldap/servers/plugins/replication/repl5_inc_protocol.c:312 operation_code = 0 ldap_error_string = 0x0 time_now = op = 0x0 csn_str = 0x0 replica_id = 0 connection_error = 0 uniqueid = 0x0 start_time = 1436793983 backoff_time = 1024 rd = 0x7f0d8000c6f0 conres = conn = 0x7f0da634db10 finished = 0 message_id = 0 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0d8002e1c0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0d8002e1c0 detached = 0 id = 139695388247808 tid = 32409 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5dfe4700) at pthread_create.c:308 __res = pd = 0x7f0d5dfe4700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695388247808, -1088326907459832651, 0, 139695388248512, 139695388247808, 21, 1080801847706088629, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 1 (Thread 0x7f0da315a840 (LWP 2870)): #0 __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135 No locals. #1 0x00007f0da0a59d68 in _L_lock_975 () from /lib64/libpthread.so.0 No symbol table info available. #2 0x00007f0da0a59d11 in __GI___pthread_mutex_lock (mutex=mutex at entry=0x7f0da5793a90) at pthread_mutex_lock.c:104 cnt = 101 max_cnt = -1 type = 3 id = 2870 #3 0x00007f0da10b0cb9 in PR_Lock (lock=0x7f0da5793a90) at ../../../nspr/pr/src/pthreads/ptsynch.c:177 No locals. 
#4 0x00007f0da31941f5 in handle_pr_read_ready (num_poll=, ct=0x7f0da4a2e6d0) at ldap/servers/slapd/daemon.c:1944 c = 0x7f0d8853d2a0 curtime = 1436794078 maxthreads = 5 #5 slapd_daemon (ports=ports at entry=0x7fffb03d7770) at ldap/servers/slapd/daemon.c:1208 select_return = prerr = n_tcps = 0x7f0da4840a60 s_tcps = 0x7f0da48409f0 i_unix = 0x7f0da48408f0 fdesp = 0x0 num_poll = pr_timeout = 250 time_thread_p = 0x7f0da65f6f20 threads = in_referral_mode = 0 n_listeners = 3 listener_idxs = 0x7f0da65f7210 #6 0x00007f0da318717c in main (argc=7, argv=0x7fffb03d7d98) at ldap/servers/slapd/main.c:1279 return_value = 0 slapdFrontendConfig = ports_info = {n_port = 389, s_port = 636, n_listenaddr = 0x7f0da4840b70, s_listenaddr = 0x7f0da4840a10, n_socket = 0x7f0da4840a60, i_listenaddr = 0x7f0da4840b00, i_port = 1, i_socket = 0x7f0da48408f0, s_socket = 0x7f0da48409f0} m = Detaching from program: /usr/sbin/ns-slapd, process 2870 From lkrispen at redhat.com Mon Jul 13 15:29:13 2015 
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 13 Jul 2015 17:29:13 +0200
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <20150713150532.GD15499@dead.ccr.buffalo.edu>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu>
 <55A3D226.3070808@redhat.com>
 <20150713150532.GD15499@dead.ccr.buffalo.edu>
Message-ID: <55A3D949.5030303@redhat.com>

On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
> On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
>> can you get a pstack of the slapd process along with a top -H to find the
>> thread with high cpu usage
> Attached is the full stacktrace of the running ns-slapd process. top -H
> shows this thread (2879) with high cpu usage:
>
> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
this thread is a replication thread sending updates, what is strange is that
the current csn_str is quite old (July, 7th), I can't tell which agreement
this thread is handling, but looks like it is heavily reading the changelog
and sending updates. anything changed recently in replication setup ?
>
>
>> On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
>>> We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
>>> 389-ds 1.3.3.1-16.
>>>
>>> Recently, the ns-slapd process on one of our replicas started showing higher
>>> than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
>>> constantly.
>>>
>>> Seems very similar to this thread:
>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
>>>
>>> There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
>>> sure if these are related):
>>>
>>>
>>> [13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>> [13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
>>> [13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
>>> [13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
>>> [13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
>>> [13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
>>> [13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
>>> [13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>
>>>
>>> access logs seem to be showing normal activity. Here's the number of open
>>> connections:
>>>
>>> # ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
>>> 62
>>>
>>> Note: the other two replicas have much higher open connections (>250) and low
>>> cpu load avgs.
>>>
>>> Here's some output of logconv.pl from our most recent access log on the replica
>>> with high cpu load:
>>>
>>> Start of Logs: 13/Jul/2015:04:49:18
>>> End of Logs: 13/Jul/2015:10:06:11
>>>
>>> Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds
>>>
>>> Restarts: 0
>>> Total Connections: 2343
>>> - LDAP Connections: 2120
>>> - LDAPI Connections: 223
>>> - LDAPS Connections: 0
>>> - StartTLS Extended Ops: 45
>>> Secure Protocol Versions:
>>> - TLS1.2 128-bit AES - 45
>>>
>>> Peak Concurrent Connections: 22
>>> Total Operations: 111865
>>> Total Results: 111034
>>> Overall Performance: 99.3%
>>>
>>> Searches: 95585 (5.03/sec) (301.64/min)
>>> Modifications: 3369 (0.18/sec) (10.63/min)
>>> Adds: 0 (0.00/sec) (0.00/min)
>>> Deletes: 0 (0.00/sec) (0.00/min)
>>> Mod RDNs: 0 (0.00/sec) (0.00/min)
>>> Compares: 0 (0.00/sec) (0.00/min)
>>> Binds: 7082 (0.37/sec) (22.35/min)
>>>
>>> Proxied Auth Operations: 0
>>> Persistent Searches: 0
>>> Internal Operations: 0
>>> Entry Operations: 0
>>> Extended Operations: 5317
>>> Abandoned Requests: 416
>>> Smart Referrals Received: 0
>>>
>>> VLV Operations: 96
>>> VLV Unindexed Searches: 0
>>> VLV Unindexed Components: 32
>>> SORT Operations: 64
>>>
>>> Entire Search Base Queries: 0
>>> Paged Searches: 3882
>>> Unindexed Searches: 0
>>> Unindexed Components: 5
>>>
>>> FDs Taken: 2566
>>> FDs Returned: 2643
>>> Highest FD Taken: 249
>>>
>>> Broken Pipes: 0
>>> Connections Reset By Peer: 0
>>> Resource Unavailable: 0
>>> Max BER Size Exceeded: 0
>>>
>>> Binds: 7082
>>> Unbinds: 2443
>>> - LDAP v2 Binds: 0
>>> - LDAP v3 Binds: 6859
>>> - AUTOBINDs: 223
>>> - SSL Client Binds: 0
>>> - Failed SSL Client Binds: 0
>>> - SASL Binds: 6814
>>> GSSAPI - 6591
>>> EXTERNAL - 223
>>> - Directory Manager Binds: 0
>>> - Anonymous Binds: 6591
>>> - Other Binds: 491
>>>
>>>
>>> strace timing on the ns-slapd process:
>>>
>>>
>>> % time     seconds  usecs/call     calls    errors syscall
>>> ------ ----------- ----------- --------- --------- ----------------
>>>  94.40    0.346659        5977        58           poll
>>>   4.10    0.015057       15057         1           restart_syscall
>>>   0.91    0.003353          57        59        59 getpeername
>>>   0.49    0.001796         150        12           futex
>>>   0.10    0.000364          73         5           read
>>> ------ ----------- ----------- --------- --------- ----------------
>>> 100.00    0.367229                   135        59 total
>>>
>>>
>>> top output (with threads 'H'):
>>>
>>>   PID USER    PR NI    VIRT    RES   SHR S %CPU %MEM     TIME+ COMMAND
>>>  2879 dirsrv  20  0 3819252 1.962g 11680 R 99.9  3.1   8822:10 ns-slapd
>>>  2895 dirsrv  20  0 3819252 1.962g 11680 R 34.1  3.1 115:10.62 ns-slapd
>>>  2889 dirsrv  20  0 3819252 1.962g 11680 R  2.4  3.1 115:34.42 ns-slapd
>>>  2917 dirsrv  20  0 3819252 1.962g 11680 S  2.4  3.1 115:26.87 ns-slapd
>>>  2898 dirsrv  20  0 3819252 1.962g 11680 S  2.1  3.1 116:33.12 ns-slapd
>>>  2904 dirsrv  20  0 3819252 1.962g 11680 S  2.1  3.1 115:08.56 ns-slapd
>>>  2892 dirsrv  20  0 3819252 1.962g 11680 S  1.8  3.1 115:33.04 ns-slapd
>>>  2897 dirsrv  20  0 3819252 1.962g 11680 R  1.8  3.1 114:54.28 ns-slapd
>>>  2914 dirsrv  20  0 3819252 1.962g 11680 R  1.8  3.1 116:03.35 ns-slapd
>>>  2907 dirsrv  20  0 3819252 1.962g 11680 S  1.5  3.1 115:42.25 ns-slapd
>>>  2910 dirsrv  20  0 3819252 1.962g 11680 R  1.5  3.1 116:01.99 ns-slapd
>>>  2870 dirsrv  20  0 3819252 1.962g 11680 R  1.2  3.1 611:30.22 ns-slapd
>>>  2890 dirsrv  20  0 3819252 1.962g 11680 S  1.2  3.1 115:18.25 ns-slapd
>>>  2891 dirsrv  20  0 3819252 1.962g 11680 S  1.2  3.1 115:22.24 ns-slapd
>>>  2899 dirsrv  20  0 3819252 1.962g 11680 R  1.2  3.1 116:11.85 ns-slapd
>>>  2888 dirsrv  20  0 3819252 1.962g 11680 S  0.9  3.1 114:51.19 ns-slapd
>>>  2896 dirsrv  20  0 3819252 1.962g 11680 R  0.9  3.1 115:46.84 ns-slapd
>>>  2915 dirsrv  20  0 3819252 1.962g 11680 S  0.9  3.1 115:49.34 ns-slapd
>>>  2887 dirsrv  20  0 3819252 1.962g 11680 R  0.6  3.1 115:49.85 ns-slapd
>>>  2894 dirsrv  20  0 3819252 1.962g 11680 S  0.6  3.1 115:58.02 ns-slapd
>>>  2911 dirsrv  20  0 3819252 1.962g 11680 S  0.6  3.1 116:22.84 ns-slapd
>>>  2913 dirsrv  20  0 3819252 1.962g 11680 S  0.6  3.1 114:43.56 ns-slapd
>>>
>>>
>>> ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
>>> pointers on where else to look?
>>>
>>> Thanks in advance.
>>>
>>> --Andrew
>>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>

From lslebodn at redhat.com Mon Jul 13 15:57:39 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 13 Jul 2015 17:57:39 +0200
Subject: [Freeipa-users] ipa client on ubuntu and sudo rules
In-Reply-To:
References: <20150710151846.GE31272@mail.corp.redhat.com>
Message-ID: <20150713155739.GH23022@mail.corp.redhat.com>

On (13/07/15 14:49), Karl Forner wrote:
>For reference:
>I could not make the sudo rules on ubuntu 12.04, I tried many many things.
>
Ahh,
Default version of sssd in ubuntu 12.04 is 1.8.2
http://packages.ubuntu.com/precise/sssd
it's better to use newer version which contains fixes for sudo.
I would suggest at least the latest 1.9.

But there is another problem. The default version of sudo in ubuntu 12.04
(1.8.3p1) does not contain sssd support. http://packages.ubuntu.com/precise/sudo.
The support for sssd in sudo code was added in upstream sudo 1.8.6
http://www.sudo.ws/stable.html#1.8.6

LS

From aebruno2 at buffalo.edu Mon Jul 13 16:36:20 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Mon, 13 Jul 2015 12:36:20 -0400
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <55A3D949.5030303@redhat.com>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu> <55A3D226.3070808@redhat.com> <20150713150532.GD15499@dead.ccr.buffalo.edu> <55A3D949.5030303@redhat.com>
Message-ID: <20150713163620.GF15499@dead.ccr.buffalo.edu>

On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
>
> On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
> >On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
> >>can you get a pstack of the slapd process along with a top -H to find the
> >>thread with high cpu usage
> >Attached is the full stacktrace of the running ns-slapd process. top -H
> >shows this thread (2879) with high cpu usage:
> >
> >2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
> this thread is a replication thread sending updates, what is strange is that
> the current csn_str is quite old (july, 7th), I can't tell which agreement
> this thread is handling, but looks like it is heavily reading the changelog
> and sending updates. anything changed recently in replication setup ?

Yes, we had one replica fail on (6/19) which we removed (not this one
showing high CPU load). Had to perform some manual cleanup of the ipa-ca
RUVs. Then we added the replica back in on 7/1. Since then, replication
appears to have been running normally between the 3 replicas. We've been
monitoring utilization since 7/1 and only recently seen this spike (past
24 hours or so).

On a side note, we get hit with this bug often:

https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html

(rogue sssd_be processing hammering a replica).

This causes high ns-slapd utilization on the replica and restarting sssd
on the client host immediately fixes the issue. However, in this case,
we're not seeing this behavior.

> >
> >
> >
> >
> >
> >>On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
> >>>We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
> >>>389-ds 1.3.3.1-16.
> >>>
> >>>Recently, the ns-slapd process on one of our replicas started showing higher
> >>>than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
> >>>constantly.
> >>>
> >>>Seems very similar to this thread:
> >>>https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
> >>>
> >>>There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
> >>>sure if these are related):
> >>>
> >>>
> >>>[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
> >>>[13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
> >>>[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
> >>>[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
> >>>[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
> >>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
> >>>[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
> >>>[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>
> >>>
> >>>access logs seem to be showing normal activity. Here's the number of open
> >>>connections:
> >>>
> >>># ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
> >>>62
> >>>
> >>>Note: the other two replicas have much higher open connections (>250) and low
> >>>cpu load avgs.
> >>>
> >>>Here's some output of logconv.pl from our most recent access log on the replica
> >>>with high cpu load:
> >>>
> >>>Start of Logs: 13/Jul/2015:04:49:18
> >>>End of Logs: 13/Jul/2015:10:06:11
> >>>
> >>>Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds
> >>>
> >>>Restarts: 0
> >>>Total Connections: 2343
> >>> - LDAP Connections: 2120
> >>> - LDAPI Connections: 223
> >>> - LDAPS Connections: 0
> >>> - StartTLS Extended Ops: 45
> >>> Secure Protocol Versions:
> >>> - TLS1.2 128-bit AES - 45
> >>>
> >>>Peak Concurrent Connections: 22
> >>>Total Operations: 111865
> >>>Total Results: 111034
> >>>Overall Performance: 99.3%
> >>>
> >>>Searches: 95585 (5.03/sec) (301.64/min)
> >>>Modifications: 3369 (0.18/sec) (10.63/min)
> >>>Adds: 0 (0.00/sec) (0.00/min)
> >>>Deletes: 0 (0.00/sec) (0.00/min)
> >>>Mod RDNs: 0 (0.00/sec) (0.00/min)
> >>>Compares: 0 (0.00/sec) (0.00/min)
> >>>Binds: 7082 (0.37/sec) (22.35/min)
> >>>
> >>>Proxied Auth Operations: 0
> >>>Persistent Searches: 0
> >>>Internal Operations: 0
> >>>Entry Operations: 0
> >>>Extended Operations: 5317
> >>>Abandoned Requests: 416
> >>>Smart Referrals Received: 0
> >>>
> >>>VLV Operations: 96
> >>>VLV Unindexed Searches: 0
> >>>VLV Unindexed Components: 32
> >>>SORT Operations: 64
> >>>
> >>>Entire Search Base Queries: 0
> >>>Paged Searches: 3882
> >>>Unindexed Searches: 0
> >>>Unindexed Components: 5
> >>>
> >>>FDs Taken: 2566
> >>>FDs Returned: 2643
> >>>Highest FD Taken: 249
> >>>
> >>>Broken Pipes: 0
> >>>Connections Reset By Peer: 0
> >>>Resource Unavailable: 0
> >>>Max BER Size Exceeded: 0
> >>>
> >>>Binds: 7082
> >>>Unbinds: 2443
> >>> - LDAP v2 Binds: 0
> >>> - LDAP v3 Binds: 6859
> >>> - AUTOBINDs: 223
> >>> - SSL Client Binds: 0
> >>> - Failed SSL Client Binds: 0
> >>> - SASL Binds: 6814
> >>> GSSAPI - 6591
> >>> EXTERNAL - 223
> >>> - Directory Manager Binds: 0
> >>> - Anonymous Binds: 6591
> >>> - Other Binds: 491
> >>>
> >>>
> >>>
> >>>
> >>>strace timing on the ns-slapd process:
> >>>
> >>>
> >>>% time seconds usecs/call calls errors syscall
> >>>------ ----------- ----------- --------- --------- ----------------
> >>> 94.40 0.346659 5977 58 poll
> >>> 4.10 0.015057 15057 1 restart_syscall
> >>> 0.91 0.003353 57 59 59 getpeername
> >>> 0.49 0.001796 150 12 futex
> >>> 0.10 0.000364 73 5 read
> >>>------ ----------- ----------- --------- --------- ----------------
> >>>100.00 0.367229 135 59 total
> >>>
> >>>
> >>>top output (with threads 'H'):
> >>>
> >>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> >>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
> >>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd
> >>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd
> >>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd
> >>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd
> >>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd
> >>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd
> >>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd
> >>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd
> >>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd
> >>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd
> >>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd
> >>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd
> >>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd
> >>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd
> >>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd
> >>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd
> >>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd
> >>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd
> >>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd
> >>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd
> >>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd
> >>>
> >>>
> >>>ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
> >>>pointers on where else to look?
> >>>
> >>>Thanks in advance.
> >>>
> >>>--Andrew
> >>>
> >>--
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
> >>
> >>
> >

From notify.sina at gmail.com Mon Jul 13 17:58:15 2015
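The pstack plus top -H request in the ns-slapd thread above works because the PID column of `top -H` is the kernel thread id, which pstack prints as `LWP`. The script below is an added example, not code from the thread or from the 389-ds project: the top rows are copied from the quoted output, while the pstack text, its addresses, paths and frame names are constructed placeholders.

```python
import re

# Rows copied from the `top -H` output quoted in the thread (first three threads).
TOP_H_SAMPLE = """\
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd
2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd
"""

# Constructed pstack sample. The "Thread N (Thread 0x... (LWP <tid>)):" header is
# the layout gdb/pstack print; addresses, frame names and paths are placeholders.
PSTACK_SAMPLE = """\
Thread 3 (Thread 0x7f0000000300 (LWP 2879)):
#0  0x0000000000000001 in placeholder_read_changelog () from /placeholder/lib.so
#1  0x0000000000000002 in placeholder_send_updates () from /placeholder/lib.so
Thread 2 (Thread 0x7f0000000200 (LWP 2895)):
#0  0x0000000000000003 in placeholder_worker () from /placeholder/lib.so
Thread 1 (Thread 0x7f0000000100 (LWP 2870)):
#0  0x0000000000000004 in poll () from /placeholder/libc.so
"""

THREAD_RE = re.compile(r"^Thread\s+\d+\s+\(Thread\s+0x[0-9a-fA-F]+\s+\(LWP\s+(\d+)\)\):")
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([^\s(]+)\s*\(")


def cpu_minutes(time_plus):
    """Convert top's TIME+ ("115:10.62" or "8822:10") to minutes of CPU time."""
    minutes, sep, seconds = time_plus.partition(":")
    if not sep or not minutes.isdigit():
        return None  # other scalings (hours, days) are left unparsed
    try:
        return int(minutes) + float(seconds) / 60.0
    except ValueError:
        return None


def parse_top_threads(text):
    """Return one dict per thread row of `top -H`; PID there is the thread id."""
    cols, rows = None, []
    for line in text.splitlines():
        fields = line.split()
        if "PID" in fields and "%CPU" in fields:
            cols = fields  # the header row fixes the column order
            continue
        if cols is None or len(fields) < len(cols) or not fields[0].isdigit():
            continue  # summary lines, blank lines, truncated rows
        row = dict(zip(cols, line.split(None, len(cols) - 1)))
        rows.append({
            "tid": int(row["PID"]),
            "state": row.get("S", "?"),
            "cpu": float(row["%CPU"].replace(",", ".")),
            "cpu_minutes": cpu_minutes(row.get("TIME+", "")),
        })
    return rows


def parse_pstack(text):
    """Map thread id (LWP) to its frame function names, innermost first."""
    stacks, current = {}, None
    for line in text.splitlines():
        header = THREAD_RE.match(line.strip())
        if header:
            current = stacks.setdefault(int(header.group(1)), [])
            continue
        frame = FRAME_RE.match(line.strip())
        if frame and current is not None:
            current.append(frame.group(1))
    return stacks


def hot_thread_stacks(top_text, pstack_text, min_cpu=25.0):
    """Pair every thread at or above min_cpu with its stack, busiest first.

    frames is None when the thread id is absent from the pstack capture, which
    happens when the two commands were not run close together.
    """
    stacks = parse_pstack(pstack_text)
    hot = [t for t in parse_top_threads(top_text) if t["cpu"] >= min_cpu]
    hot.sort(key=lambda t: t["cpu"], reverse=True)
    return [dict(t, frames=stacks.get(t["tid"])) for t in hot]


if __name__ == "__main__":
    for t in hot_thread_stacks(TOP_H_SAMPLE, PSTACK_SAMPLE):
        print(t["tid"], t["cpu"], t["cpu_minutes"], t["frames"])
```

On a live host the two inputs would come from `top -H -b -n 1 -p <pid>` and `pstack <pid>` captured back to back, so that the thread ids in both still match.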
From: notify.sina at gmail.com (Sina Owolabi)
Date: Mon, 13 Jul 2015 18:58:15 +0100
Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
In-Reply-To: <55A390D5.4050104@redhat.com>
References: <55A390D5.4050104@redhat.com>
Message-ID:

Hi Martin

Yes all my sssd configs are set ipa_dyndns_update = True
I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them.
I've tried to set it in the very first zone (setup during
installation) but dnszone-mod complains:

# ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
ipa: ERROR: no modifications to be performed

But I don't see it in the show command:

ipa dnszone-show mydom.com
Zone name: mydom.com.
Active zone: TRUE
Authoritative nameserver: services.mydom.com.
Administrator e-mail address: hostmaster.mydom.com.
SOA serial: 1436799166
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;

On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote:
> On 12/07/15 10:05, Sina Owolabi wrote:
>>
>> Hi
>>
>> I have several dns zones defined in IPA. I noticed recently that the
>> zone files are empty. I find this odd because I created them like the
>> example below.
>> Is it possible to force clients to auto-update reverse zones?
>>
>> Thanks in advance!
>>
>> How I created all the zones:
>>
>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>> --allow-sync-ptr=TRUE --dynamic-update
>> Zone name: 0.14.10.in-addr.arpa.
>> Active zone: TRUE
>> Authoritative nameserver: services.ourdomain.com.
>> Administrator e-mail address: hostmaster
>> SOA serial: 1436688202
>> SOA refresh: 3600
>> SOA retry: 900
>> SOA expire: 1209600
>> SOA minimum: 3000
>> BIND update policy: grant QRIOS.COM krb5-subdomain
>> 0.14.10.in-addr.arpa. PTR;
>> Dynamic update: TRUE
>> Allow query: any;
>> Allow transfer: none;
>> Allow PTR sync: TRUE
>>
> Hello,
>
> do you have --allow-sync-ptr=True configured in zones where the particular
> A/AAAA records are?
>
> SSSD is able to update records.
> Please check if "dyndns_update" is set to true in sssd.conf. (man sssd-ipa)
>
> --
> Martin Basti
>

From nathan at nathanpeters.com Tue Jul 14 01:07:11 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Mon, 13 Jul 2015 18:07:11 -0700
Subject: [Freeipa-users] Windows sync agreement becomes uninitialized and crashes directory server
Message-ID: <66c2f0e787cb154dc6b43cb5ab61b3ff.squirrel@webmail.nathanpeters.com>

2 FreeIPA 4.1.4 servers running on CentOS 7.
dc1 has a sync agreement to a windows server.

It has been running fine since June 5 when I re-initialized a sync
agreement that had somehow uninitialized itself. Original issue report
here :
https://www.redhat.com/archives/freeipa-users/2015-June/msg00147.html
Bug report here : https://fedorahosted.org/freeipa/ticket/5054

It appears the same thing may have happened again, one month later, but
this time randomly, as we have not made any changes to our sync agreement
since the initial change in June. It appears to have uninitialized itself
without us changing it and managed to crash the directory server in doing
so.

Note that during the last week I could still login to the web ui, but
around the time the log entries change, I became unable to.

I tried to login to the web server today and it would not let me login, so
I went to the shell on the server and noticed that ipactl command would
freeze up again. I looked at the logs (which I will paste below) and
restarted the directory server service.

I then found that my sync agreement had become uninitialized.

--- output ---
[root at dc1 slapd-IPADOMAIN-NET]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
 entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsds50ruv:
{replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
 000000040000 557f49fb000200040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
 4000000030000 557f3e4a000200030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
 t:389} 557f494a
nsruvReplicaLastModified: {replica 3 ldap://dc2.ipadomain.n
 et:389} 557f3d95
oneWaySync: fromWindows
nsds5ReplicaEnabled: on
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 - LDAP error: Can't contact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
--- output ---

Here are the error logs for the last month for the directory server. They
are totally empty until July 2.

---output---
389-Directory/1.3.3.8 B2015.040.128
dc1.ipadomain.net:636 (/etc/dirsrv/slapd-IPADOMAIN-NET)

[02/Jul/2015:03:19:02 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[02/Jul/2015:06:10:29 +0000] - Entry "uid=jenkinsdev,cn=users,cn=accounts,dc=ipadomain,dc=net" missing attribute "sn" required by object class "person"
[03/Jul/2015:02:04:02 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[03/Jul/2015:05:39:01 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[03/Jul/2015:17:09:00 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[03/Jul/2015:22:41:32 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
[03/Jul/2015:22:41:32 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[03/Jul/2015:22:41:32 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET'))
[03/Jul/2015:22:41:36 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth resumed
[05/Jul/2015:19:24:00 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[06/Jul/2015:02:46:50 +0000] - Entry "uid=accounting,cn=users,cn=accounts,dc=ipadomain,dc=net" missing attribute "sn" required by object class "person"
[06/Jul/2015:17:47:04 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:04 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[06/Jul/2015:17:47:07 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:13 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)

... repeats for 7 days ...

[13/Jul/2015:21:49:21 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:21:49:45 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:21:50:33 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:21:52:09 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:21:54:00 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:23:04:05 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[13/Jul/2015:23:04:05 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[13/Jul/2015:23:04:10 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[13/Jul/2015:23:04:10 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[13/Jul/2015:23:04:10 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[13/Jul/2015:23:04:10 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))

---output---

From ghilteras at gmail.com Mon Jul 13 22:14:31 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Mon, 13 Jul 2015 15:14:31 -0700
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
Message-ID:

I added the external groups to map my Domain Admins AD group like the
freeipa documentation suggests:

# ipa group-add --desc='ad_domain admins external map' ad_admins_external --external
# ipa group-add --desc='ad_domain admins' ad_admins
# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
# ipa group-add-member ad_admins --groups ad_admins_external

But I don't see any user in the web interface under ad_admins or
ad_admins_external. I thought that this would give us a view of the AD
users in FreeIPA, but I don't see any difference..
Am I missing something here?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Tue Jul 14 02:10:50 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 13 Jul 2015 20:10:50 -0600
Subject: [Freeipa-users] Windows sync agreement becomes uninitialized and crashes directory server
In-Reply-To: <66c2f0e787cb154dc6b43cb5ab61b3ff.squirrel@webmail.nathanpeters.com>
References: <66c2f0e787cb154dc6b43cb5ab61b3ff.squirrel@webmail.nathanpeters.com>
Message-ID: <55A46FAA.5000809@redhat.com>

On 07/13/2015 07:07 PM, nathan at nathanpeters.com wrote:
> 2 FreeIPA 4.1.4 servers running on CentOS 7.
> dc1 has a sync agreement to a windows server.
>
>
> It has been running fine since June 5 when I re-initialized a sync
> agreement that had somehow uninitialized itself. Original issue report
> here :
> https://www.redhat.com/archives/freeipa-users/2015-June/msg00147.html
> Bug report here : https://fedorahosted.org/freeipa/ticket/5054
>
> It appears the same thing may have happened again, one month later, but
> this time randomly, as we have not made any changes to our sync agreement
> since the initial change in June. it appears to have uninitialized itself
> without us changing it and managed to crash the directory server in doing
> so.

Crash?
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes

# debuginfo-install 389-ds-base ipa-server slapi-nis

> Note that during the last week I could still login to the web ui, but
> around the time the log entries change, I became unable to.
>
> I tried to login to the web server today and it would not let me login, so
> I went to the shell on the server and noticed that ipactl command would
> freeze up again. I looked at the logs (which I will paste below) and
> restarted the directory server service.
>
> I then found that my sync agreement had become uninitialized.
>
> --- output ---
> [root at dc1 slapd-IPADOMAIN-NET]# ldapsearch -xLLL -D "cn=directory manager"
> -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
> \2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
> Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
> idnssoaserial
> entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsds50ruv: {replicageneration} 553fe9bb000000040000
> nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
> 000000040000 557f49fb000200040000
> nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
> 4000000030000 557f3e4a000200030000
> nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
> t:389} 557f494a
> nsruvReplicaLastModified: {replica 3 ldap://dc2.ipadomain.n
> et:389} 557f3d95
> oneWaySync: fromWindows
> nsds5ReplicaEnabled: on
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 0
> nsds5replicaLastUpdateEnd: 0
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: -1 - LDAP error: Can't contact LDAP server
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0
> --- output ---
>
> Here are the error logs for the last month for the directory server. They
> are totally empty until July 2.
>
> ---output---
> 389-Directory/1.3.3.8 B2015.040.128
> dc1.ipadomain.net:636 (/etc/dirsrv/slapd-IPADOMAIN-NET)
>
> [02/Jul/2015:03:19:02 +0000] NSMMReplicationPlugin - windows sync - failed
> to send dirsync search request: 2
> [02/Jul/2015:06:10:29 +0000] - Entry
> "uid=jenkinsdev,cn=users,cn=accounts,dc=ipadomain,dc=net" missing
> attribute "sn" required by object class "person"
> [03/Jul/2015:02:04:02 +0000] NSMMReplicationPlugin - windows sync - failed
> to send dirsync search request: 2
> [03/Jul/2015:05:39:01 +0000] NSMMReplicationPlugin - windows sync - failed
> to send dirsync search request: 2
> [03/Jul/2015:17:09:00 +0000] NSMMReplicationPlugin - windows sync - failed
> to send dirsync search request: 2
> [03/Jul/2015:22:41:32 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.
Minor code may provide more information (Cannot contact any KDC
> for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
> [03/Jul/2015:22:41:32 +0000] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [03/Jul/2015:22:41:32 +0000] NSMMReplicationPlugin -
> agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
> auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Cannot contact any KDC for realm 'IPADOMAIN.NET'))
> [03/Jul/2015:22:41:36 +0000] NSMMReplicationPlugin -
> agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
> auth resumed
> [05/Jul/2015:19:24:00 +0000] NSMMReplicationPlugin - windows sync - failed
> to send dirsync search request: 2
> [06/Jul/2015:02:46:50 +0000] - Entry
> "uid=accounting,cn=users,cn=accounts,dc=ipadomain,dc=net" missing
> attribute "sn" required by object class "person"
> [06/Jul/2015:17:47:04 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [06/Jul/2015:17:47:04 +0000] NSMMReplicationPlugin - windows sync -
> agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replication
> bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server)
> ((null))
> [06/Jul/2015:17:47:07 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [06/Jul/2015:17:47:13 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [06/Jul/2015:17:47:25 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>
> ... repeats for 7 days ...
>
> [13/Jul/2015:21:49:21 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
> file or directory)
> [13/Jul/2015:21:49:45 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
> file or directory)
> [13/Jul/2015:21:50:33 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
> file or directory)
> [13/Jul/2015:21:52:09 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
> file or directory)
> [13/Jul/2015:21:54:00 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
> file or directory)
> [13/Jul/2015:23:04:05 +0000] set_krb5_creds - Could not get initial
> credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [13/Jul/2015:23:04:05 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Ticket expired)) errno
> 2 (No such file or directory)
> [13/Jul/2015:23:04:10 +0000] set_krb5_creds - Could not get initial
> credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [13/Jul/2015:23:04:10 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Ticket expired)) errno
> 2 (No such file or directory)
> [13/Jul/2015:23:04:10 +0000] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [13/Jul/2015:23:04:10 +0000] NSMMReplicationPlugin -
> agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
> auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Ticket expired))
>
> ---output---
>
>

From abokovoy at redhat.com Tue Jul 14 05:52:29 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Jul 2015 08:52:29 +0300
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
In-Reply-To:
References:
Message-ID: <20150714055229.GE21928@redhat.com>

On Mon, 13 Jul 2015, Angelo Pantano wrote:
>I added the external groups to map my Domain Admins AD group like the
>freeipa documentation suggests:
>
># ipa group-add --desc='ad_domain admins external map' ad_admins_external
>--external
># ipa group-add --desc='ad_domain admins' ad_admins
># ipa group-add-member ad_admins_external --external 'ad_netbios\Domain
>Admins'
># ipa group-add-member ad_admins --groups ad_admins_external
>
>But I don't see any user in the web interface under ad_admins or
>ad_admins_external. I thought that this would give us a view of the AD
>users in FreeIPA, but I don't see any difference..
>Am I missing something here?

Where did you look for them? External members for ad_admins_external group
would be under 'external' tab, like in the attached screenshot.

--
/ Alexander Bokovoy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: external-members-in-web-ui.png
Type: image/png
Size: 35443 bytes
Desc: not available
URL:

From abokovoy at redhat.com Tue Jul 14 06:46:00 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Jul 2015 09:46:00 +0300
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
In-Reply-To:
References: <20150714055229.GE21928@redhat.com>
Message-ID: <20150714064600.GF21928@redhat.com>

On Mon, 13 Jul 2015, Angelo Pantano wrote:
>I have the same entry there, my question is that I don't understand why it
>doesn't it give me any visibility of the AD users mapped in that group, I
>mean I just see that entry, but what's that supposed to do? It doesn't
>really change anything with or without, I am missing the supposed value of
>having the AD users mapped in a FreeIPA posix group.
>
>I was expecting to see the AD users in that group, but I got nothing.. I'm
>a bit confused

Read the documentation. Once you added AD user or group as external
member of an external IPA group and then added this group as a member of
IPA POSIX group, the user belonging to AD group would appear as a member
of IPA POSIX group:

# id administrator at adx.test
uid=1878600500(administrator at adx.test) gid=1878600500(administrator at adx.test) groups=1878600500(administrator at adx.test),1878600520(group policy creator owners at adx.test),1878600519(enterprise admins at adx.test),1878600512(domain admins at adx.test),1878600518(schema admins at adx.test),1878600513(domain users at adx.test),1634400007(ad_admins)

You wouldn't see this in the web UI because web UI is showing what is in
the LDAP, not what is visible in the system when SSSD evaluates the
group membership.

--
/ Alexander Bokovoy

From mbasti at redhat.com Tue Jul 14 07:46:44 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jul 2015 09:46:44 +0200
Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
In-Reply-To:
References: <55A390D5.4050104@redhat.com>
Message-ID: <55A4BE64.4030106@redhat.com>

On 13/07/15 19:58, Sina Owolabi wrote:
> Hi Martin
>
> Yes all my sssd configs are set ipa_dyndns_update = True
> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them.
> I've tried to set it in the very first zone (setup during
> installation) but dnszone-mod complains:
>
> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
> ipa: ERROR: no modifications to be performed
>
> But I don't see it in the show command:
>
> ipa dnszone-show mydom.com
> Zone name: mydom.com.
> Active zone: TRUE
> Authoritative nameserver: services.mydom.com.
> Administrator e-mail address: hostmaster.mydom.com.
> SOA serial: 1436799166
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> Allow query: any;
> Allow transfer: none;

You must use option --all

ipa dnszone-show mydom.com --all

Martin
>
> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote:
>> On 12/07/15 10:05, Sina Owolabi wrote:
>>> Hi
>>>
>>> I have several dns zones defined in IPA. I noticed recently that the
>>> zone files are empty. I find this odd because I created them like the
>>> example below.
>>> Is it possible to force clients to auto-update reverse zones?
>>>
>>> Thanks in advance!
>>>
>>> How I created all the zones:
>>>
>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>> --allow-sync-ptr=TRUE --dynamic-update
>>> Zone name: 0.14.10.in-addr.arpa.
>>> Active zone: TRUE
>>> Authoritative nameserver: services.ourdomain.com.
>>> Administrator e-mail address: hostmaster
>>> SOA serial: 1436688202
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3000
>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>> 0.14.10.in-addr.arpa. PTR;
>>> Dynamic update: TRUE
>>> Allow query: any;
>>> Allow transfer: none;
>>> Allow PTR sync: TRUE
>>>
>> Hello,
>>
>> do you have --allow-sync-ptr=True configured in zones where the particular
>> A/AAAA records are?
>>
>> SSSD is able to update records.
>> Please check if "dyndns_update" is set to true in sssd.conf. (man sssd-ipa)
>>
>> --
>> Martin Basti
>>

--
Martin Basti

From jpazdziora at redhat.com Tue Jul 14 08:00:27 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 14 Jul 2015 10:00:27 +0200
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
In-Reply-To: <20150714064600.GF21928@redhat.com>
References: <20150714055229.GE21928@redhat.com> <20150714064600.GF21928@redhat.com>
Message-ID: <20150714080027.GG4218@redhat.com>

On Tue, Jul 14, 2015 at 09:46:00AM +0300, Alexander Bokovoy wrote:
> admins at adx.test),1878600513(domain users at adx.test),1634400007(ad_admins)
>
> You wouldn't see this in the web UI because web UI is showing what is in
> the LDAP, not what is visible in the system when SSSD evaluates the
> group membership.

Would it make sense to have a way of running the SSSD evaluation from
the WebUI and showing the results there? Clearly distinguished from
the LDAP data, yet exposed in the WebUI ...

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From abokovoy at redhat.com Tue Jul 14 08:06:20 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Jul 2015 11:06:20 +0300
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
In-Reply-To: <20150714080027.GG4218@redhat.com>
References: <20150714055229.GE21928@redhat.com> <20150714064600.GF21928@redhat.com> <20150714080027.GG4218@redhat.com>
Message-ID: <20150714080620.GG21928@redhat.com>

On Tue, 14 Jul 2015, Jan Pazdziora wrote:
>On Tue, Jul 14, 2015 at 09:46:00AM +0300, Alexander Bokovoy wrote:
>> admins at adx.test),1878600513(domain users at adx.test),1634400007(ad_admins)
>>
>> You wouldn't see this in the web UI because web UI is showing what is in
>> the LDAP, not what is visible in the system when SSSD evaluates the
>> group membership.
>
>Would it make sense to have a way of running the SSSD evaluation from
>the WebUI and showing the results there? Clearly distinguished from
>the LDAP data, yet exposed in the WebUI ...

Definitely not here. We have checks for HBAC rules with AD users that
explicitly take external group membership into account already.

Resolving AD group membership is time-consuming operation and adding it
into a normal path is going to slow down everything.

--
/ Alexander Bokovoy

From notify.sina at gmail.com Tue Jul 14 08:28:13 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Tue, 14 Jul 2015 09:28:13 +0100
Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
In-Reply-To: <55A4BE64.4030106@redhat.com>
References: <55A390D5.4050104@redhat.com> <55A4BE64.4030106@redhat.com>
Message-ID:

Thanks Martin

The expanded command shows all the output. Curiously, I still don't
see any reverse addresses yet except on the reverse domain for this
primary zone. I've restarted the IPA servers in hopes of a Windows-y
solution but it didn't help :-)

output:
ipa dnszone-show mydom.com --all
  dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
  Zone name: mydom.com.
  Active zone: TRUE
  Authoritative nameserver: dc.mydom.com.
  Administrator e-mail address: hostmaster.mydom.com.
  SOA serial: 1436861122
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
  arecord: pu.bl.ic.add
  mxrecord: 0 mail.mydom.com.
  nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
  objectclass: idnszone, top, idnsrecord

On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti wrote:
> On 13/07/15 19:58, Sina Owolabi wrote:
>>
>> Hi Martin
>>
>> Yes all my sssd configs are set ipa_dyndns_update = True
>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>> them.
>> I've tried to set it in the very first zone (setup during
>> installation) but dnszone-mod complains:
>>
>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>> ipa: ERROR: no modifications to be performed
>>
>> But I don't see it in the show command:
>>
>> ipa dnszone-show mydom.com
>> Zone name: mydom.com.
>> Active zone: TRUE
>> Authoritative nameserver: services.mydom.com.
>> Administrator e-mail address: hostmaster.mydom.com.
>> SOA serial: 1436799166
>> SOA refresh: 3600
>> SOA retry: 900
>> SOA expire: 1209600
>> SOA minimum: 3600
>> Allow query: any;
>> Allow transfer: none;
>
> You must use option --all
>
> ipa dnszone-show mydom.com --all
>
>
> Martin
>
>>
>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote:
>>>
>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>
>>>> Hi
>>>>
>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>> zone files are empty. I find this odd because I created them like the
>>>> example below.
>>>> Is it possible to force clients to auto-update reverse zones?
>>>>
>>>> Thanks in advance!
>>>>
>>>> How I created all the zones:
>>>>
>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>> Zone name: 0.14.10.in-addr.arpa.
>>>> Active zone: TRUE
>>>> Authoritative nameserver: services.ourdomain.com.
>>>> Administrator e-mail address: hostmaster
>>>> SOA serial: 1436688202
>>>> SOA refresh: 3600
>>>> SOA retry: 900
>>>> SOA expire: 1209600
>>>> SOA minimum: 3000
>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>> 0.14.10.in-addr.arpa. PTR;
>>>> Dynamic update: TRUE
>>>> Allow query: any;
>>>> Allow transfer: none;
>>>> Allow PTR sync: TRUE
>>>>
>>> Hello,
>>>
>>> do you have --allow-sync-ptr=True configured in zones where the
>>> particular
>>> A/AAAA records are?
>>>
>>> SSSD is able to update records.
>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>> sssd-ipa)
>>>
>>> --
>>> Martin Basti
>>>
>
>
> --
> Martin Basti
>

From jhrozek at redhat.com Tue Jul 14 08:42:23 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 14 Jul 2015 10:42:23 +0200
Subject: [Freeipa-users] freeipa and User Private Groups
In-Reply-To: <4ED173A868981548967B4FCA2707222628165C1D@AACMBXP04.exchserver.com>
References: <4ED173A868981548967B4FCA2707222628165C1D@AACMBXP04.exchserver.com>
Message-ID: <20150714084223.GE4353@hendrix.arn.redhat.com>

On Mon, Jul 13, 2015 at 09:11:09AM +0000, Les Stott wrote:
> Hi All,
>
> Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64
>
> So, by default, when you create a user in freeipa, That user will be set to have a primary group that is hidden and not a POSIX group.
>
> This means that when the user logs in to a host, they will see something like...
>
> id: cannot find name for group ID

It is not expected to not be able to return the name of the user group and I
don't see that in my setup. I was suspecting rhbz#1165074 but your sssd
should already have that bug fixed.

Can you see if the packages from
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
also show that behaviour?

If yes, can you get us sssd logs as described here:
https://fedorahosted.org/sssd/wiki/Troubleshooting

>
> running the id command shows no name returned for this group.
>
> I understand you can disable private groups globally, however it is discouraged. I also realise you can simply create POSIX groups when creating users.
>
> In the spirit of trying to stick with the defaults....
>
> Is there a way to avoid the login error where id can't retrieve the group name from a UPG?
>
> Thanks,
>
> Les
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Tue Jul 14 08:43:37 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 14 Jul 2015 10:43:37 +0200
Subject: [Freeipa-users] ipa client on ubuntu and sudo rules
In-Reply-To: <20150713155739.GH23022@mail.corp.redhat.com>
References: <20150710151846.GE31272@mail.corp.redhat.com> <20150713155739.GH23022@mail.corp.redhat.com>
Message-ID: <20150714084337.GF4353@hendrix.arn.redhat.com>

On Mon, Jul 13, 2015 at 05:57:39PM +0200, Lukas Slebodnik wrote:
> On (13/07/15 14:49), Karl Forner wrote:
> >For reference:
> >I could not make the sudo rules on ubuntu 12.04, I tried many many things.
> >
> Ahh,
> Default version of sssd in ubuntu 12.04 is 1.8.2
> http://packages.ubuntu.com/precise/sssd
> it's better to use newer version which contains fixes for sudo.

When Lukas says "fixes" he means "completely rewritten from scratch" :-)

> I would suggest at least the latest 1.9.

Yes please, 1.8 is too old.

>
> But there is another problem.
> The default version of sudo in ubuntu 12.04 (1.8.3p1) does not contain sssd
> support.
> http://packages.ubuntu.com/precise/sudo.
>
> The support for sssd in sudo code was added in upstream sudo 1.8.6
> http://www.sudo.ws/stable.html#1.8.6
>
> LS
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jpazdziora at redhat.com Tue Jul 14 08:52:18 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 14 Jul 2015 10:52:18 +0200
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
In-Reply-To: <20150714080620.GG21928@redhat.com>
References: <20150714055229.GE21928@redhat.com> <20150714064600.GF21928@redhat.com> <20150714080027.GG4218@redhat.com> <20150714080620.GG21928@redhat.com>
Message-ID: <20150714085218.GH4218@redhat.com>

On Tue, Jul 14, 2015 at 11:06:20AM +0300, Alexander Bokovoy wrote:
> On Tue, 14 Jul 2015, Jan Pazdziora wrote:
> >
> >Would it make sense to have a way of running the SSSD evaluation from
> >the WebUI and showing the results there? Clearly distinguished from
> >the LDAP data, yet exposed in the WebUI ...
> Definitely not here. We have checks for HBAC rules with AD users that
> explicitly take external group membership into account already.
>
> Resolving AD group membership is time-consuming operation and adding it
> into a normal path is going to slow down everything.

Sure. So how about separate tab, which could also ask for confirmation
if the user wants to run the enumeration?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From Less at imagine-sw.com Tue Jul 14 09:01:54 2015
From: Less at imagine-sw.com (Les Stott)
Date: Tue, 14 Jul 2015 09:01:54 +0000
Subject: [Freeipa-users] freeipa and User Private Groups
In-Reply-To: <20150714084223.GE4353@hendrix.arn.redhat.com>
References: <4ED173A868981548967B4FCA2707222628165C1D@AACMBXP04.exchserver.com> <20150714084223.GE4353@hendrix.arn.redhat.com>
Message-ID: <4ED173A868981548967B4FCA270722262816828F@AACMBXP04.exchserver.com>

Jakub,

Thanks for the follow up.

We try and stick to standard rhel/epel repo's (due to policy) so I am not able to install a non-standard version of sssd.

I have decided to disable the User Private Group plugin and convert ipausers to a posix group. There was nothing I could see that required us to use UPG's. This setup is working for me now.

Thanks,

Les

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, 14 July 2015 6:42 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] freeipa and User Private Groups
>
> On Mon, Jul 13, 2015 at 09:11:09AM +0000, Les Stott wrote:
> > Hi All,
> >
> > Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64
> >
> > So, by default, when you create a user in freeipa, That user will be set to
> have a primary group that is hidden and not a POSIX group.
> >
> > This means that when the user logs in to a host, they will see something
> like...
> >
> > id: cannot find name for group ID
>
> It is not expected to not be able to return the name of the user group and I
> don't see that in my setup. I was suspecting rhbz#1165074 but your sssd
> should already have that bug fixed.
>
> Can you see if the packages from
> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> also show that behaviour?
>
> If yes, can you get us sssd logs as described here:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> >
> > running the id command shows no name returned for this group.
> >
> > I understand you can disable private groups globally, however it is
> discouraged. I also realise you can simply create POSIX groups when creating
> users.
> >
> > In the spirit of trying to stick with the defaults....
> >
> > Is there a way to avoid the login error where id can't retrieve the group
> name from a UPG?
> >
> > Thanks,
> >
> > Les
> >
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Tue Jul 14 09:12:23 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 14 Jul 2015 11:12:23 +0200
Subject: [Freeipa-users] freeipa and User Private Groups
In-Reply-To: <4ED173A868981548967B4FCA270722262816828F@AACMBXP04.exchserver.com>
References: <4ED173A868981548967B4FCA2707222628165C1D@AACMBXP04.exchserver.com> <20150714084223.GE4353@hendrix.arn.redhat.com> <4ED173A868981548967B4FCA270722262816828F@AACMBXP04.exchserver.com>
Message-ID: <20150714091223.GH4353@hendrix.arn.redhat.com>

On Tue, Jul 14, 2015 at 09:01:54AM +0000, Les Stott wrote:
> Jakub,
>
> Thanks for the follow up.
>
> We try and stick to standard rhel/epel repo's (due to policy) so I am not able to install a non-standard version of sssd.

OK, please note that pretty much the same version will come to 6.7 in a
couple of days.

>
> I have decided to disable the User Private Group plugin and convert ipausers to a posix group. There was nothing I could see that required us to use UPG's. This setup is working for me now.

The drawback might be that ipausers would get really large over time and
resolving the large group including the members would take a long time.

>
> Thanks,
>
> Les
>
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Jakub Hrozek
> > Sent: Tuesday, 14 July 2015 6:42 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] freeipa and User Private Groups
> >
> > On Mon, Jul 13, 2015 at 09:11:09AM +0000, Les Stott wrote:
> > > Hi All,
> > >
> > > Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64
> > >
> > > So, by default, when you create a user in freeipa, That user will be set to
> > have a primary group that is hidden and not a POSIX group.
> > >
> > > This means that when the user logs in to a host, they will see something
> > like...
> > >
> > > id: cannot find name for group ID
> >
> > It is not expected to not be able to return the name of the user group and I
> > don't see that in my setup. I was suspecting rhbz#1165074 but your sssd
> > should already have that bug fixed.
> >
> > Can you see if the packages from
> > https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > also show that behaviour?
> >
> > If yes, can you get us sssd logs as described here:
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> >
> > >
> > > running the id command shows no name returned for this group.
> > >
> > > I understand you can disable private groups globally, however it is
> > discouraged. I also realise you can simply create POSIX groups when creating
> > users.
> > >
> > > In the spirit of trying to stick with the defaults....
> > >
> > > Is there a way to avoid the login error where id can't retrieve the group
> > name from a UPG?
> > >
> > > Thanks,
> > >
> > > Les
> > >
> >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project

From dkupka at redhat.com Tue Jul 14 10:52:08 2015
From: dkupka at redhat.com (David Kupka)
Date: Tue, 14 Jul 2015 12:52:08 +0200
Subject: [Freeipa-users] Primary certificates
In-Reply-To: <55A3C5BC.9020501@gmail.com>
References: <55A3C5BC.9020501@gmail.com>
Message-ID: <55A4E9D8.2040503@redhat.com>

On 13/07/15 16:05, Janelle wrote:
> Good morning,
>
> I was wondering, I install my servers with the self-signed certs. Now my
> management wants me to use official certificates. Is there an
> easy/recommended way to swap out all the certificates on all the
> servers? Especially with 16 servers, just trying to figure out if this
> is something I could script with PSSH or similar in order to do them all
> at once. Does it matter the order?
>
> Thank you
> ~Janelle
>

Hello!
Yes, there is an easy way:

1. Run "ipa-cacert-manage renew --external-ca" on one of CA masters
   (first ipa-server installed or any replica installed with --setup-ca).
   This will generate csr you need to get signed by your CA.
2. Then run "ipa-cacert-manage renew --external-cert-file --external-cert-file "
   This will update the IPA CA certificate in LDAP.
3. Then you need to run "ipa-certupdate" on all ipa servers and clients
   to distribute the new certificate.

--
David Kupka

From lkrispen at redhat.com Tue Jul 14 11:41:57 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 14 Jul 2015 13:41:57 +0200
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <20150713163620.GF15499@dead.ccr.buffalo.edu>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu> <55A3D226.3070808@redhat.com> <20150713150532.GD15499@dead.ccr.buffalo.edu> <55A3D949.5030303@redhat.com> <20150713163620.GF15499@dead.ccr.buffalo.edu>
Message-ID: <55A4F585.3040207@redhat.com>

On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:
> On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
>> On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
>>> On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
>>>> can you get a pstack of the slapd process along with a top -H to find the
>>>> thread with high cpu usage
>>> Attached is the full stacktrace of the running ns-slapd process. top -H
>>> shows this thread (2879) with high cpu usage:
>>>
>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
>> this thread is a replication thread sending updates, what is strange is that
>> the current csn_str is quite old (july, 7th), I can't tell which agreement
>> this thread is handling, but looks like it is heavily reading the changelog
>> and sending updates. anything changed recently in replication setup ?
>
> Yes, we had one replica fail on (6/19) which we removed (not this one
> showing high CPU load). Had to perform some manual cleanup of the ipa-ca
> RUVs. Then we added the replica back in on 7/1. Since then, replication
> appears to have been running normally between the 3 replicas. We've been
> monitoring utilization since 7/1 and only recently seen this spike (past
> 24 hours or so).

is it still in this state ? or was it a spike.

if it still is high cpu consuming, could you
- get a few pstack like the one before with some time in between, I
  would like to see if it is progressing with the csns or looping on the
  same one
- check the consumer side. is there anything in the error log ? does the
  access log show replication activity from this server
- eventually enable replication logging: nsslapd-errorlog-level: 8192
>
>
> On a side note, we get hit with this bug often:
>
> https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html
>
> (rogue sssd_be processing hammering a replica).
>
> This causes high ns-slapd utilization on the replica and restarting sssd
> on the client host immediately fixes the issue. However, in this
> case, we're not seeing this behavior.
>
>
>
>
>>>
>>>
>>>
>>>
>>>> On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
>>>>> We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
>>>>> 389-ds 1.3.3.1-16.
>>>>>
>>>>> Recently, the ns-slapd process on one of our replicas started showing higher
>>>>> than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
>>>>> constantly.
>>>>>
>>>>> Seems very similar to this thread:
>>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
>>>>>
>>>>> There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
>>>>> sure if these are related):
>>>>>
>>>>>
>>>>> [13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>> [13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
>>>>> [13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
>>>>> [13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
>>>>> [13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
>>>>> [13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
>>>>> [13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
>>>>> [13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>
>>>>>
>>>>> access logs seem to be showing normal activity. Here's the number of open
>>>>> connections:
>>>>>
>>>>> # ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
>>>>> 62
>>>>>
>>>>> Note: the other two replicas have much higher open connections (>250) and low
>>>>> cpu load avgs.
>>>>>
>>>>> Here's some output of logconv.pl from our most recent access log on the replica
>>>>> with high cpu load:
>>>>>
>>>>> Start of Logs: 13/Jul/2015:04:49:18
>>>>> End of Logs: 13/Jul/2015:10:06:11
>>>>>
>>>>> Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds
>>>>>
>>>>> Restarts: 0
>>>>> Total Connections: 2343
>>>>> - LDAP Connections: 2120
>>>>> - LDAPI Connections: 223
>>>>> - LDAPS Connections: 0
>>>>> - StartTLS Extended Ops: 45
>>>>> Secure Protocol Versions:
>>>>> - TLS1.2 128-bit AES - 45
>>>>>
>>>>> Peak Concurrent Connections: 22
>>>>> Total Operations: 111865
>>>>> Total Results: 111034
>>>>> Overall Performance: 99.3%
>>>>>
>>>>> Searches: 95585 (5.03/sec) (301.64/min)
>>>>> Modifications: 3369 (0.18/sec) (10.63/min)
>>>>> Adds: 0 (0.00/sec) (0.00/min)
>>>>> Deletes: 0 (0.00/sec) (0.00/min)
>>>>> Mod RDNs: 0 (0.00/sec) (0.00/min)
>>>>> Compares: 0 (0.00/sec) (0.00/min)
>>>>> Binds: 7082 (0.37/sec) (22.35/min)
>>>>>
>>>>> Proxied Auth Operations: 0
>>>>> Persistent Searches: 0
>>>>> Internal Operations: 0
>>>>> Entry Operations: 0
>>>>> Extended Operations: 5317
>>>>> Abandoned Requests: 416
>>>>> Smart Referrals Received: 0
>>>>>
>>>>> VLV Operations: 96
>>>>> VLV Unindexed Searches: 0
>>>>> VLV Unindexed Components: 32
>>>>> SORT Operations: 64
>>>>>
>>>>> Entire Search Base Queries: 0
>>>>> Paged Searches: 3882
>>>>> Unindexed Searches: 0
>>>>> Unindexed Components: 5
>>>>>
>>>>> FDs Taken: 2566
>>>>> FDs Returned: 2643
>>>>> Highest FD Taken: 249
>>>>>
>>>>> Broken Pipes: 0
>>>>> Connections Reset By Peer: 0
>>>>> Resource Unavailable: 0
>>>>> Max BER Size Exceeded: 0
>>>>>
>>>>> Binds: 7082
>>>>> Unbinds: 2443
>>>>> - LDAP v2 Binds: 0
>>>>> - LDAP v3 Binds: 6859
>>>>> - AUTOBINDs: 223
>>>>> - SSL Client Binds: 0
>>>>> - Failed SSL Client Binds: 0
>>>>> - SASL Binds: 6814
>>>>> GSSAPI - 6591
>>>>> EXTERNAL - 223
>>>>> - Directory Manager Binds: 0
>>>>> - Anonymous Binds: 6591
>>>>> - Other Binds: 491
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> strace timing on the ns-slapd process:
>>>>>
>>>>>
>>>>> % time seconds usecs/call calls errors syscall
>>>>> ------ ----------- ----------- --------- --------- ----------------
>>>>> 94.40 0.346659 5977 58 poll
>>>>> 4.10 0.015057 15057 1 restart_syscall
>>>>> 0.91 0.003353 57 59 59 getpeername
>>>>> 0.49 0.001796 150 12 futex
>>>>> 0.10 0.000364 73 5 read
>>>>> ------ ----------- ----------- --------- --------- ----------------
>>>>> 100.00 0.367229 135 59 total
>>>>>
>>>>>
>>>>> top output (with threads 'H'):
>>>>>
>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
>>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd
>>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd
>>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd
>>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd
>>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd
>>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd
>>>>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd
>>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd
>>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd
>>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd
>>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd
>>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd
>>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd
>>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd
>>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd
>>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd
>>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd
>>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd
>>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd
>>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd
>>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd
>>>>>
>>>>>
>>>>> ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
>>>>> pointers on where else to look?
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> --Andrew
>>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>>
>>

From pspacek at redhat.com Tue Jul 14 12:10:39 2015
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 14 Jul 2015 14:10:39 +0200 Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates In-Reply-To: References: <55A390D5.4050104@redhat.com> <55A4BE64.4030106@redhat.com> Message-ID: <55A4FC3F.2040908@redhat.com> On 14.7.2015 10:28, Sina Owolabi wrote: > Thanks Martin > > > The expanded command shows all the output. Curiously, I still don't > see any reverse addresses yet except on the reverse domain for this > primary zone. Ive restarted the IPA servers in hopes of a Windows-y > solution but it didn't help :-) SyncPTR does something only when the data change. I.e. it will do nothing if your A/AAAA records are up to date (even if clients send update). I'm afraid that there is no pre-made tool to do the mass update, sorry. You probably need to script something yourself. Petr^2 Spacek > output: > ipa dnszone-show mydom.com --all > dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com > Zone name: mydom.com. > Active zone: TRUE > Authoritative nameserver: dc.mydom.com. > Administrator e-mail address: hostmaster.mydom.com. > SOA serial: 1436861122 > SOA refresh: 3600 > SOA retry: 900 > SOA expire: 1209600 > SOA minimum: 3600 > BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM > krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP; > Dynamic update: TRUE > Allow query: any; > Allow transfer: none; > Allow PTR sync: TRUE > arecord: pu.bl.ic.add > mxrecord: 0 mail.mydom.com. > nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com. > objectclass: idnszone, top, idnsrecord > > On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti wrote: >> On 13/07/15 19:58, Sina Owolabi wrote: >>> >>> Hi Martin >>> >>> Yes all my sssd configs are set ipa_dyndns_update = True >>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set >>> them. 
>>> I've tried to set it in the very first zone (setup during
>>> installation) but dnszone-mod complains:
>>>
>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>> ipa: ERROR: no modifications to be performed
>>>
>>> But I don't see it in the show command:
>>>
>>> ipa dnszone-show mydom.com
>>> Zone name: mydom.com.
>>> Active zone: TRUE
>>> Authoritative nameserver: services.mydom.com.
>>> Administrator e-mail address: hostmaster.mydom.com.
>>> SOA serial: 1436799166
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> Allow query: any;
>>> Allow transfer: none;
>>
>> You must use option --all
>>
>> ipa dnszone-show mydom.com --all
>>
>>
>> Martin
>>
>>>
>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote:
>>>>
>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>> zone files are empty. I find this odd because I created them like the
>>>>> example below.
>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> How I created all the zones:
>>>>>
>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>> Zone name: 0.14.10.in-addr.arpa.
>>>>> Active zone: TRUE
>>>>> Authoritative nameserver: services.ourdomain.com.
>>>>> Administrator e-mail address: hostmaster
>>>>> SOA serial: 1436688202
>>>>> SOA refresh: 3600
>>>>> SOA retry: 900
>>>>> SOA expire: 1209600
>>>>> SOA minimum: 3000
>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>> Dynamic update: TRUE
>>>>> Allow query: any;
>>>>> Allow transfer: none;
>>>>> Allow PTR sync: TRUE
>>>>>
>>>> Hello,
>>>>
>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>> particular
>>>> A/AAAA records are?
>>>>
>>>> SSSD is able to update records.
>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>> sssd-ipa)

From ghilteras at gmail.com Tue Jul 14 06:25:25 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Mon, 13 Jul 2015 23:25:25 -0700
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
In-Reply-To: <20150714055229.GE21928@redhat.com>
References: <20150714055229.GE21928@redhat.com>
Message-ID:

I have the same entry there, my question is that I don't understand why it
doesn't give me any visibility of the AD users mapped in that group, I mean
I just see that entry, but what's that supposed to do? It doesn't really
change anything with or without, I am missing the supposed value of having
the AD users mapped in a FreeIPA posix group.

I was expecting to see the AD users in that group, but I got nothing.. I'm a
bit confused

On Mon, Jul 13, 2015 at 10:52 PM, Alexander Bokovoy wrote:

> On Mon, 13 Jul 2015, Angelo Pantano wrote:
>
>> I added the external groups to map my Domain Admins AD group like the
>> freeipa documentation suggests:
>>
>> # ipa group-add --desc='ad_domain admins external map' ad_admins_external
>> --external
>> # ipa group-add --desc='ad_domain admins' ad_admins
>> # ipa group-add-member ad_admins_external --external 'ad_netbios\Domain
>> Admins'
>> # ipa group-add-member ad_admins --groups ad_admins_external
>>
>> But I don't see any user in the web interface under ad_admins or
>> ad_admins_external. I thought that this would give us a view of the AD
>> users in FreeIPA, but I don't see any difference..
>> Am I missing something here?
>>
> Where did you look them?
>
> External members for ad_admins_external group would be under 'external'
> tab, like in the attached screenshot.
>
> --
> / Alexander Bokovoy
>

From aebruno2 at buffalo.edu Tue Jul 14 12:35:07 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Tue, 14 Jul 2015 08:35:07 -0400
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <55A4F585.3040207@redhat.com>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu>
	<55A3D226.3070808@redhat.com>
	<20150713150532.GD15499@dead.ccr.buffalo.edu>
	<55A3D949.5030303@redhat.com>
	<20150713163620.GF15499@dead.ccr.buffalo.edu>
	<55A4F585.3040207@redhat.com>
Message-ID: <20150714123507.GB8394@dead.ccr.buffalo.edu>

On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote:
>
> On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:
> >On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
> >>On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
> >>>On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
> >>>>can you get a pstack of the slapd process along with a top -H to find the
> >>>>thread with high cpu usage
> >>>Attached is the full stacktrace of the running ns-slapd process. top -H
> >>>shows this thread (2879) with high cpu usage:
> >>>
> >>>2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
> >>this thread is a replication thread sending updates, what is strange is that
> >>the current csn_str is quite old (july, 7th), I can't tell which agreement
> >>this thread is handling, but looks like it is heavily reading the changelog
> >>and sending updates. anything changed recently in replication setup ?
> >
> >Yes, we had one replica fail on (6/19) which we removed (not this one
> >showing high CPU load). Had to perform some manual cleanup of the ipa-ca
> >RUVs. Then we added the replica back in on 7/1. Since then, replication
> >appears to have been running normally between the 3 replicas. We've been
> >monitoring utilization since 7/1 and only recently seen this spike (past
> >24 hours or so).
> is it still in this state ? or was it a spike.

Yes same state.

>
> if it still is high cpu consuming, could you
> - get a few pstack like the one before with some time in between, I would
> like to see if it is progressing with the csns or looping on the same one

Attached are a few stacktraces. The thread pegging the cpu is:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2879 dirsrv 20 0 3819252 1.978g 11684 R 99.9 3.2 10148:26 ns-slapd

> - check the consumer side. is there anything in the error log ? does the
> access log show replication activity from this server

Here's some errors showing up on the first master server rep1 (rep2 is the
server with pegged cpu):

[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later.
[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later.
[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later.

Here's some snips from the access log of the rep2:

[14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 RESULT err=0 tag=120 nentries=0 etime=0
[14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 RESULT err=0 tag=120 nentries=0 etime=0
[14/Jul/2015:08:22:33 -0400] conn=777787 op=9796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
..
[14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000
..
[14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 nentries=1 etime=0
[14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 RESULT err=0 tag=120 nentries=0 etime=0
[14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 RESULT err=0 tag=120 nentries=0 etime=0
[14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 RESULT err=0 tag=120 nentries=0 etime=0
[14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 RESULT err=0 tag=120 nentries=0 etime=0
[14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 RESULT err=0 tag=120 nentries=0 etime=0
[14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 RESULT err=0 tag=120 nentries=0 etime=0

and here's some from the error log:

[13/Jul/2015:22:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2294859, dn = changenumber=2294859,cn=changelog: Operations error.
[13/Jul/2015:22:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[13/Jul/2015:23:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2296384,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:23:56:50 -0400] - Operation error fetching changenumber=2296384,cn=changelog (null), error -30993.
[13/Jul/2015:23:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2296384, dn = changenumber=2296384,cn=changelog: Operations error.
[13/Jul/2015:23:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[14/Jul/2015:06:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2304418,cn=changelog from entryrdn index (-30993)
[14/Jul/2015:06:56:50 -0400] - Operation error fetching changenumber=2304418,cn=changelog (null), error -30993.
[14/Jul/2015:06:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2304418, dn = changenumber=2304418,cn=changelog: Operations error.
[14/Jul/2015:06:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]

> - eventually enable replication logging: nsslapd-errorlog-level: 8192
> >
> >On a side note, we get hit with this bug often:
> >
> >https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html
> >
> >(rogue sssd_be processing hammering a replica).
> >
> >This causes high ns-slapd utilization on the replica and restarting sssd
> >on the client host immediately fixes the issue. However, in this
> >case, we're not seeing this behavior.
> >
> >
> >
> >
> >>>
> >>>
> >>>
> >>>
> >>>>On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
> >>>>>We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
> >>>>>389-ds 1.3.3.1-16.
> >>>>>
> >>>>>Recently, the ns-slapd process on one of our replicas started showing higher
> >>>>>than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
> >>>>>constantly.
> >>>>>
> >>>>>Seems very similar to this thread:
> >>>>>https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
> >>>>>
> >>>>>There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
> >>>>>sure if these are related):
> >>>>>
> >>>>>
> >>>>>[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
> >>>>>[13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
> >>>>>[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
> >>>>>[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
> >>>>>[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
> >>>>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
> >>>>>[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
> >>>>>[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>
> >>>>>
> >>>>>access logs seem to be showing normal activity. Here's the number of open
> >>>>>connections:
> >>>>>
> >>>>># ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
> >>>>>62
> >>>>>
> >>>>>Note: the other two replicas have much higher open connections (>250) and low
> >>>>>cpu load avgs.
> >>>>>
> >>>>>Here's some output of logconv.pl from our most recent access log on the replica
> >>>>>with high cpu load:
> >>>>>
> >>>>>Start of Logs: 13/Jul/2015:04:49:18
> >>>>>End of Logs: 13/Jul/2015:10:06:11
> >>>>>
> >>>>>Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds
> >>>>>
> >>>>>Restarts: 0
> >>>>>Total Connections: 2343
> >>>>> - LDAP Connections: 2120
> >>>>> - LDAPI Connections: 223
> >>>>> - LDAPS Connections: 0
> >>>>> - StartTLS Extended Ops: 45
> >>>>> Secure Protocol Versions:
> >>>>> - TLS1.2 128-bit AES - 45
> >>>>>
> >>>>>Peak Concurrent Connections: 22
> >>>>>Total Operations: 111865
> >>>>>Total Results: 111034
> >>>>>Overall Performance: 99.3%
> >>>>>
> >>>>>Searches: 95585 (5.03/sec) (301.64/min)
> >>>>>Modifications: 3369 (0.18/sec) (10.63/min)
> >>>>>Adds: 0 (0.00/sec) (0.00/min)
> >>>>>Deletes: 0 (0.00/sec) (0.00/min)
> >>>>>Mod RDNs: 0 (0.00/sec) (0.00/min)
> >>>>>Compares: 0 (0.00/sec) (0.00/min)
> >>>>>Binds: 7082 (0.37/sec) (22.35/min)
> >>>>>
> >>>>>Proxied Auth Operations: 0
> >>>>>Persistent Searches: 0
> >>>>>Internal Operations: 0
> >>>>>Entry Operations: 0
> >>>>>Extended Operations: 5317
> >>>>>Abandoned Requests: 416
> >>>>>Smart Referrals Received: 0
> >>>>>
> >>>>>VLV Operations: 96
> >>>>>VLV Unindexed Searches: 0
> >>>>>VLV Unindexed Components: 32
> >>>>>SORT Operations: 64
> >>>>>
> >>>>>Entire Search Base Queries: 0
> >>>>>Paged Searches: 3882
> >>>>>Unindexed Searches: 0
> >>>>>Unindexed Components: 5
> >>>>>
> >>>>>FDs Taken: 2566
> >>>>>FDs Returned: 2643
> >>>>>Highest FD Taken: 249
> >>>>>
> >>>>>Broken Pipes: 0
> >>>>>Connections Reset By Peer: 0
> >>>>>Resource Unavailable: 0
> >>>>>Max BER Size Exceeded: 0
> >>>>>
> >>>>>Binds: 7082
> >>>>>Unbinds: 2443
> >>>>> - LDAP v2 Binds: 0
> >>>>> - LDAP v3 Binds: 6859
> >>>>> - AUTOBINDs: 223
> >>>>> - SSL Client Binds: 0
> >>>>> - Failed SSL Client Binds: 0
> >>>>> - SASL Binds: 6814
> >>>>> GSSAPI - 6591
> >>>>> EXTERNAL - 223
> >>>>> - Directory Manager Binds: 0
> >>>>> - Anonymous Binds: 6591
> >>>>> - Other Binds: 491
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>strace timing on the ns-slapd process:
> >>>>>
> >>>>>
> >>>>>% time     seconds  usecs/call     calls    errors syscall
> >>>>>------ ----------- ----------- --------- --------- ----------------
> >>>>> 94.40    0.346659        5977        58           poll
> >>>>>  4.10    0.015057       15057         1           restart_syscall
> >>>>>  0.91    0.003353          57        59        59 getpeername
> >>>>>  0.49    0.001796         150        12           futex
> >>>>>  0.10    0.000364          73         5           read
> >>>>>------ ----------- ----------- --------- --------- ----------------
> >>>>>100.00    0.367229                   135        59 total
> >>>>>
> >>>>>
> >>>>>top output (with threads 'H'):
> >>>>>
> >>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> >>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
> >>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd
> >>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd
> >>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd
> >>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd
> >>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd
> >>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd
> >>>>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd
> >>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd
> >>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd
> >>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd
> >>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd
> >>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd
> >>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd
> >>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd
> >>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd
> >>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd
> >>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd
> >>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd
> >>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd
> >>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd
> >>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd
> >>>>>
> >>>>>
> >>>>>ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
> >>>>>pointers on where else to look?
> >>>>>
> >>>>>Thanks in advance.
> >>>>>
> >>>>>--Andrew
> >>>>>
-------------- next part --------------
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-64.el7
Attaching to program: /usr/sbin/ns-slapd, process 2870
Loaded symbols for /usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libmemberof-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libmemberof-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libmemberof-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so Reading symbols from /lib64/libpam.so.0...Reading symbols from /usr/lib/debug/usr/lib64/libpam.so.0.83.1.debug...done. done. Loaded symbols for /lib64/libpam.so.0 Reading symbols from /lib64/libaudit.so.1...Reading symbols from /lib64/libaudit.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libaudit.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libpassthru-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpassthru-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libpassthru-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libreferint-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libreferint-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libreferint-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libretrocl-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libretrocl-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libretrocl-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libroles-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libroles-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libroles-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/librootdn-access-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/librootdn-access-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/librootdn-access-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/schemacompat-plugin.so...Reading symbols from /usr/lib64/dirsrv/plugins/schemacompat-plugin.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/schemacompat-plugin.so Reading symbols from /lib64/libsss_nss_idmap.so.0...Reading symbols from /lib64/libsss_nss_idmap.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsss_nss_idmap.so.0 Reading symbols from /usr/lib64/dirsrv/plugins/libschemareload-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libschemareload-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libschemareload-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libstatechange-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libstatechange-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libstatechange-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libusn-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libusn-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libusn-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libviews-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libviews-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libviews-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libwhoami-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libwhoami-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libwhoami-plugin.so Reading symbols from /lib64/libsoftokn3.so...Reading symbols from /lib64/libsoftokn3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsoftokn3.so Reading symbols from /lib64/libsqlite3.so.0...Reading symbols from /lib64/libsqlite3.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsqlite3.so.0 Reading symbols from /lib64/libfreeblpriv3.so...Reading symbols from /lib64/libfreeblpriv3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libfreeblpriv3.so Reading symbols from /lib64/libnssdbm3.so...Reading symbols from /lib64/libnssdbm3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libnssdbm3.so Reading symbols from /lib64/libnss_sss.so.2...Reading symbols from /lib64/libnss_sss.so.2...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libnss_sss.so.2 Reading symbols from /usr/lib64/krb5/plugins/preauth/pkinit.so...Reading symbols from /usr/lib/debug/usr/lib64/krb5/plugins/preauth/pkinit.so.debug...done. done. Loaded symbols for /usr/lib64/krb5/plugins/preauth/pkinit.so Reading symbols from /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so...Reading symbols from /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so...(no debugging symbols found)...done. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f19f0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d7effcae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d7effcae0 conn = 0x7f0d885387d0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f19f0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f19f0 detached = 1 id = 139695941998336 tid = 2888 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d7effd700) at pthread_create.c:308 __res = pd = 0x7f0d7effd700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695941998336, -1088326907459832651, 0, 139695941999040, 139695941998336, 1, 1080724883502757045, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 32 (Thread 0x7f0d7e7fc700 (LWP 2889)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f1ce0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d7e7fbae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d7e7fbae0 conn = 0x7f0d8853ceb0 op = tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f1ce0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f1ce0 detached = 1 id = 139695933605632 tid = 2889 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d7e7fc700) at pthread_create.c:308 __res = pd = 0x7f0d7e7fc700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695933605632, -1088326907459832651, 0, 139695933606336, 139695933605632, 1, 1080723786675483829, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 31 (Thread 0x7f0d7dffb700 (LWP 2890)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f1fd0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d7dffaae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d7dffaae0 conn = 0x7f0d885387d0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f1fd0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f1fd0 detached = 1 id = 139695925212928 tid = 2890 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d7dffb700) at pthread_create.c:308 __res = pd = 0x7f0d7dffb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695925212928, -1088326907459832651, 0, 139695925213632, 139695925212928, 1, 1080731483793749173, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 30 (Thread 0x7f0d7d7fa700 (LWP 2891)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f22c0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d7d7f9ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d7d7f9ae0 conn = 0x7f0d8853ceb0 op = tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f22c0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f22c0 detached = 1 id = 139695916820224 tid = 2891 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d7d7fa700) at pthread_create.c:308 __res = pd = 0x7f0d7d7fa700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695916820224, -1088326907459832651, 0, 139695916820928, 139695916820224, 1, 1080730382671508661, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 29 (Thread 0x7f0d7cff9700 (LWP 2892)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f25b0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d7cff8ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d7cff8ae0 conn = 0x7f0d8853d7e0 op = tag = 66 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f25b0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f25b0 detached = 1 id = 139695908427520 tid = 2892 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d7cff9700) at pthread_create.c:308 __res = pd = 0x7f0d7cff9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695908427520, -1088326907459832651, 0, 139695908428224, 139695908427520, 1, 1080729283696751797, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 28 (Thread 0x7f0d6bfff700 (LWP 2894)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f28a0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d6bffeae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d6bffeae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f28a0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f28a0 detached = 1 id = 139695623239424 tid = 2894 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d6bfff700) at pthread_create.c:308 __res = pd = 0x7f0d6bfff700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695623239424, -1088326907459832651, 0, 139695623240128, 139695623239424, 1, 1080771064064865461, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 27 (Thread 0x7f0d6b7fe700 (LWP 2895)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f2b90 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d6b7fdae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f4be0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d65ff2ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d65ff2ae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f4be0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f4be0 detached = 1 id = 139695522526976 tid = 2906 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d65ff3700) at pthread_create.c:308 __res = pd = 0x7f0d65ff3700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695522526976, -1088326907459832651, 0, 139695522527680, 139695522526976, 1, 1080784264646849717, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 15 (Thread 0x7f0d657f2700 (LWP 2907)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f4ed0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d657f1ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d657f1ae0 conn = 0x7f0d885387d0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f4ed0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f4ed0 detached = 1 id = 139695514134272 tid = 2907 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d657f2700) at pthread_create.c:308 __res = pd = 0x7f0d657f2700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695514134272, -1088326907459832651, 0, 139695514134976, 139695514134272, 1, 1080783163524609205, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 14 (Thread 0x7f0d64ff1700 (LWP 2908)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f51c0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d64ff0ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d64ff0ae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f51c0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f51c0 detached = 1 id = 139695505741568 tid = 2908 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d64ff1700) at pthread_create.c:308 __res = pd = 0x7f0d64ff1700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695505741568, -1088326907459832651, 0, 139695505742272, 139695505741568, 1, 1080782064549852341, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 13 (Thread 0x7f0d647f0700 (LWP 2909)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f54b0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d647efae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d647efae0 conn = 0x7f0d88532410 op = tag = 119 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f54b0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f54b0 detached = 1 id = 139695497348864 tid = 2909 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d647f0700) at pthread_create.c:308 __res = pd = 0x7f0d647f0700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695497348864, -1088326907459832651, 0, 139695497349568, 139695497348864, 1, 1080780950542709941, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 12 (Thread 0x7f0d63fef700 (LWP 2910)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f57a0 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d63feeae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d63feeae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f57a0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f57a0 detached = 1 id = 139695488956160 tid = 2910 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d63fef700) at pthread_create.c:308 __res = pd = 0x7f0d63fef700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695488956160, -1088326907459832651, 0, 139695488956864, 139695488956160, 1, 1080788647660975285, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 11 (Thread 0x7f0d637ee700 (LWP 2911)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f5a90 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d637edae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d637edae0 conn = 0x7f0d8853ceb0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f5a90) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f5a90 detached = 1 id = 139695480563456 tid = 2911 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d637ee700) at pthread_create.c:308 __res = pd = 0x7f0d637ee700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695480563456, -1088326907459832651, 0, 139695480564160, 139695480563456, 1, 1080787546538734773, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 10 (Thread 0x7f0d62fed700 (LWP 2912)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f5d80 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d62fecae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
Loaded symbols for /usr/lib64/dirsrv/libns-dshttpd.so.0 Reading symbols from /usr/lib64/dirsrv/plugins/libautomember-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libautomember-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libautomember-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libchainingdb-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libchainingdb-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libchainingdb-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libcos-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libcos-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libcos-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libcontentsync-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libderef-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libderef-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libderef-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libdna-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libdna-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libdna-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libhttp-client-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libhttp-client-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libhttp-client-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_dns.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_dns.so...(no debugging symbols found)...done. (no debugging symbols found)...done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_dns.so Reading symbols from /lib64/libkrad.so.0...Reading symbols from /usr/lib/debug/usr/lib64/libkrad.so.0.0.debug...done. done. Loaded symbols for /lib64/libkrad.so.0 Reading symbols from /lib64/libverto.so.1...Reading symbols from /lib64/libverto.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libverto.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libipa_lockout.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_lockout.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_lockout.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_modrdn.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_modrdn.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_modrdn.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_counter.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_counter.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_otp_counter.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_range_check.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_range_check.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_range_check.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_uuid.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_uuid.so...(no debugging symbols found)...done. 
(no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_uuid.so Reading symbols from /lib64/libuuid.so.1...Reading symbols from /lib64/libuuid.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libuuid.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libipa_repl_version.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_repl_version.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_repl_version.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_winsync.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_winsync.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_winsync.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so Reading symbols from /usr/lib64/dirsrv/plugins/libback-ldbm.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libback-ldbm.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libback-ldbm.so Reading symbols from /usr/lib64/dirsrv/plugins/libreplication-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libreplication-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libreplication-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libmemberof-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libmemberof-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libmemberof-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so Reading symbols from /lib64/libpam.so.0...Reading symbols from /usr/lib/debug/usr/lib64/libpam.so.0.83.1.debug...done. done. Loaded symbols for /lib64/libpam.so.0 Reading symbols from /lib64/libaudit.so.1...Reading symbols from /lib64/libaudit.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libaudit.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libpassthru-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpassthru-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libpassthru-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libreferint-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libreferint-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libreferint-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libretrocl-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libretrocl-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libretrocl-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libroles-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libroles-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libroles-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/librootdn-access-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/librootdn-access-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/librootdn-access-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/schemacompat-plugin.so...Reading symbols from /usr/lib64/dirsrv/plugins/schemacompat-plugin.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/schemacompat-plugin.so Reading symbols from /lib64/libsss_nss_idmap.so.0...Reading symbols from /lib64/libsss_nss_idmap.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsss_nss_idmap.so.0 Reading symbols from /usr/lib64/dirsrv/plugins/libschemareload-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libschemareload-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libschemareload-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libstatechange-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libstatechange-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libstatechange-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libusn-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libusn-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libusn-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libviews-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libviews-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libviews-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libwhoami-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libwhoami-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libwhoami-plugin.so Reading symbols from /lib64/libsoftokn3.so...Reading symbols from /lib64/libsoftokn3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsoftokn3.so Reading symbols from /lib64/libsqlite3.so.0...Reading symbols from /lib64/libsqlite3.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsqlite3.so.0 Reading symbols from /lib64/libfreeblpriv3.so...Reading symbols from /lib64/libfreeblpriv3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libfreeblpriv3.so Reading symbols from /lib64/libnssdbm3.so...Reading symbols from /lib64/libnssdbm3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libnssdbm3.so Reading symbols from /lib64/libnss_sss.so.2...Reading symbols from /lib64/libnss_sss.so.2...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libnss_sss.so.2 Reading symbols from /usr/lib64/krb5/plugins/preauth/pkinit.so...Reading symbols from /usr/lib/debug/usr/lib64/krb5/plugins/preauth/pkinit.so.debug...done. done. 
Loaded symbols for /usr/lib64/krb5/plugins/preauth/pkinit.so Reading symbols from /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so...Reading symbols from /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so Reading symbols from /lib64/libnss_dns.so.2...Reading symbols from /usr/lib/debug/lib64/libnss_dns-2.17.so.debug...done. done. Loaded symbols for /lib64/libnss_dns.so.2 Reading symbols from /lib64/libnss_myhostname.so.2...Reading symbols from /lib64/libnss_myhostname.so.2...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libnss_myhostname.so.2 Reading symbols from /usr/lib64/gssproxy/proxymech.so...Reading symbols from /usr/lib64/gssproxy/proxymech.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/gssproxy/proxymech.so Reading symbols from /lib64/libgssrpc.so.4...Reading symbols from /usr/lib/debug/usr/lib64/libgssrpc.so.4.2.debug...done. done. Loaded symbols for /lib64/libgssrpc.so.4 Reading symbols from /usr/lib64/krb5/plugins/authdata/sssd_pac_plugin.so...Reading symbols from /usr/lib64/krb5/plugins/authdata/sssd_pac_plugin.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/krb5/plugins/authdata/sssd_pac_plugin.so __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135 135 2: movl %edx, %eax Thread 47 (Thread 0x7f0d92bfb700 (LWP 2872)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=100) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 71975} #2 0x00007f0d96dd0507 in deadlock_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4511 rval = priv = 0x7f0da487d410 li = interval = #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4b0d230) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4b0d230 detached = 1 id = 139696273340160 tid = 2872 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d92bfb700) at pthread_create.c:308 __res = pd = 0x7f0d92bfb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696273340160, -1088326907459832651, 0, 139696273340864, 139696273340160, 1, 1080398881526346933, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 46 (Thread 0x7f0d923fa700 (LWP 2873)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=250) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 68347} #2 0x00007f0d96dd45d6 in checkpoint_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4720 time_of_last_checkpoint_completion = 1436876803 interval = rval = priv = li = debug_checkpointing = 0 checkpoint_interval = home_dir = list = 0x0 listp = penv = 0x7f0da4a7b730 time_of_last_comapctdb_completion = 1434571369 compactdb_interval = 2592000 txn = {back_txn_txn = 0x0} #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4b0ce70) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4b0ce70 detached = 1 id = 139696264947456 tid = 2873 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d923fa700) at pthread_create.c:308 __res = pd = 0x7f0d923fa700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696264947456, -1088326907459832651, 0, 139696264948160, 139696264947456, 1, 1080397780404106421, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 45 (Thread 0x7f0d91bf9700 (LWP 2874)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=250) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 148535} #2 0x00007f0d96dd077f in trickle_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4937 interval = 250 rval = priv = 0x7f0da487d410 li = debug_checkpointing = 0 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4acec10) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4acec10 detached = 1 id = 139696256554752 tid = 2874 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d91bf9700) at pthread_create.c:308 __res = pd = 0x7f0d91bf9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696256554752, -1088326907459832651, 0, 139696256555456, 139696256554752, 1, 1080405477522371765, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 44 (Thread 0x7f0d913f8700 (LWP 2875)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 46390} #2 0x00007f0d96e22d54 in perfctrs_wait (milliseconds=milliseconds at entry=1000, priv=, db_env=) at ldap/servers/slapd/back-ldbm/perfctrs.c:277 interval = #3 0x00007f0d96dcb437 in perf_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4011 priv = 0x7f0da487d410 li = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4ad0e60) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4ad0e60 detached = 1 id = 139696248162048 tid = 2875 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d913f8700) at pthread_create.c:308 __res = pd = 0x7f0d913f8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696248162048, -1088326907459832651, 0, 139696248162752, 139696248162048, 1, 1080404380695098549, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 43 (Thread 0x7f0d909ee700 (LWP 2877)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. #1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=cvar at entry=0x7f0da65bf0d0, timeout=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da64f0e60 #2 0x00007f0da2ce2fa8 in slapi_wait_condvar (cvar=0x7f0da65bf0d0, timeout=timeout at entry=0x0) at ldap/servers/slapd/slapi2nspr.c:179 prit = #3 0x00007f0d994f164e in cos_cache_wait_on_change (arg=) at ldap/servers/plugins/cos/cos_cache.c:436 No locals. 
#4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da64f0e60) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da64f0e60 detached = 1 id = 139696237635328 tid = 2877 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d909ee700) at pthread_create.c:308 __res = pd = 0x7f0d909ee700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696237635328, -1088326907459832651, 0, 139696237636032, 139696237635328, 1, 1080403542102734005, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 42 (Thread 0x7f0da3004700 (LWP 2878)): #0 pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238 No locals. #1 0x00007f0da10b0b07 in pt_TimedWait (cv=cv at entry=0x7f0da4a26558, ml=0x7f0da6324e70, timeout=timeout at entry=300000) at ../../../nspr/pr/src/pthreads/ptsynch.c:264 rv = now = {tv_sec = 1436876576, tv_usec = 572702} tmo = {tv_sec = 1436876876, tv_nsec = 572702000} ticks = #2 0x00007f0da10b0fce in PR_WaitCondVar (cvar=0x7f0da4a26550, timeout=300000) at ../../../nspr/pr/src/pthreads/ptsynch.c:387 rv = thred = 0x7f0da6513050 #3 0x00007f0d96b2df74 in _cl5TrimMain (param=) at ldap/servers/plugins/replication/cl5_api.c:3466 timePrev = 1436876576 timeCompactPrev = 1434571375 timeNow = 1436876576 #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da6513050) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da6513050 detached = 1 id = 139696546006784 tid = 2878 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0da3004700) at pthread_create.c:308 __res = pd = 0x7f0da3004700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696546006784, -1088326907459832651, 0, 139696546007488, 139696546006784, 1, 1080365221330777269, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 41 (Thread 0x7f0d8bfff700 (LWP 2879)): #0 0x00007f0da070f1a0 in __GI___libc_malloc (bytes=36) at malloc.c:2878 No locals. #1 0x00007f0da071552a in __GI___strdup (s=0x7f0d800d83ba "4dc0bd41-143411e5-a351aa45-2e06257b") at strdup.c:42 len = 36 new = #2 0x00007f0da2c726d3 in slapi_ch_strdup (s1=s1 at entry=0x7f0d800d83ba "4dc0bd41-143411e5-a351aa45-2e06257b") at ldap/servers/slapd/ch_malloc.c:277 newmem = #3 0x00007f0d96b2877b in _cl5ReadString (str=0x7f0d8bffece0, buff=0x7f0d8bffeb00) at ldap/servers/plugins/replication/cl5_api.c:2470 len = #4 0x00007f0d96b29d23 in cl5DBData2Entry (data=, len=, entry=entry at entry=0x7f0d8bffecc0) at ldap/servers/plugins/replication/cl5_api.c:2351 rc = version = pos = 0x7f0d800d83ba "4dc0bd41-143411e5-a351aa45-2e06257b" strCSN = 0x0 op = 0x7f0d8bffecd0 add_mods = 0x7f0d96b85a48 rawDN = 0x0 s = " \307\000\200\r\177\000\000\000\312+=Q\247?\000\020\000\000" #5 0x00007f0d96b2a27d in cl5GetNextOperationToReplay (iterator=0x7f0d8002b5f0, entry=entry at entry=0x7f0d8bffecc0) at ldap/servers/plugins/replication/cl5_api.c:1718 csn = 0x7f0d80012650 key = 0x7f0d800d84d3 "5597d90a000100050000" data = 0x7f0d800d839f "\005\bU\227\330\350\065\065\071\067d90a000100050000" keylen = 21 datalen = 302 agmt_name = 0x7f0da633db40 "agmt=\"cn=meTosrv-m14-24.ccr.buffalo.edu\" (srv-m14-24:389)" rc = #6 0x00007f0d96b46218 in send_updates (num_changes_sent=0x7f0d8bffec60, remote_update_vector=, prp=0x7f0da651a450) at ldap/servers/plugins/replication/repl5_inc_protocol.c:1723 finished = 0 replay_crc = csn_str = "5597d90a000000050000" return_value = 203 rd = 0x7f0d80028960 entry = {op = 0x7f0d8bffecd0, time = 1436014824} op = {operation_type = 8, target_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, csn = 0x7f0d8002e610, request_controls = 0x0, p = {p_add = 
{target_entry = 0x0, parentuniqueid = 0x0}, p_bind = {bind_method = 0, bind_creds = 0x0, bind_saslmechanism = 0x0, bind_ret_saslcreds = 0x0}, p_compare = {compare_ava = {ava_type = 0x0, ava_value = {bv_len = 0, bv_val = 0x0}, ava_private = 0x0}}, p_modify = {modify_mods = 0x0}, p_modrdn = {modrdn_newrdn = 0x0, modrdn_deloldrdn = 0, modrdn_newsuperior_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, modrdn_mods = 0x0}, p_search = {search_scope = 0, search_deref = 0, search_sizelimit = 0, search_timelimit = 0, search_filter = 0x0, search_strfilter = 0x0, search_attrs = 0x0, search_attrsonly = 0, search_is_and = 0, search_gerattrs = 0x0}, p_abandon = {abandon_targetmsgid = 0}, p_extended = {exop_oid = 0x0, exop_value = 0x0}}} rc = changelog_iterator = 0x7f0d8002b5f0 message_id = 0 #7 repl5_inc_run (prp=) at ldap/servers/plugins/replication/repl5_inc_protocol.c:1073 rc = prp_priv = replica = 0x0 cons_schema_csn = 0x7f0d8002e9c0 ruv = 0x7f0d8002b500 num_changes_sent = 0 use_busy_backoff_timer = next_fire_time = now = 1436865642 busywaittime = 3 pausetime = 0 loops = wait_change_timer_set = current_state = next_state = optype = 5 ldaprc = 0 done = 0 e1 = #8 0x00007f0d96b4b3bc in prot_thread_main (arg=0x7f0da6338a90) at ldap/servers/plugins/replication/repl5_protocol.c:296 rp = 0x7f0da6338a90 done = 0 agmt = 0x7f0da65a5de0 #9 0x00007f0da10b67bb in _pt_root (arg=0x7f0da63261b0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da63261b0 detached = 0 id = 139696160110336 tid = 2879 #10 0x00007f0da0a57df5 in start_thread (arg=0x7f0d8bfff700) at pthread_create.c:308 __res = pd = 0x7f0d8bfff700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696160110336, -1088326907459832651, 0, 139696160111040, 139696160110336, 1, 1080419220343977141, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #11 0x00007f0da07851ad in clone () at 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f2e80 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d6affcae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d6affcae0 conn = 0x7f0d88539790 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f2e80) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f2e80 detached = 1 id = 139695606454016 tid = 2896 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d6affd700) at pthread_create.c:308 __res = pd = 0x7f0d6affd700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695606454016, -1088326907459832651, 0, 139695606454720, 139695606454016, 1, 1080768863967868085, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 25 (Thread 0x7f0d6a7fc700 (LWP 2897)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3170 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d6a7fbae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d6a7fbae0 conn = 0x7f0d8853c040 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3170) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3170 detached = 1 id = 139695598061312 tid = 2897 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d6a7fc700) at pthread_create.c:308 __res = pd = 0x7f0d6a7fc700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695598061312, -1088326907459832651, 0, 139695598062016, 139695598061312, 1, 1080767767140594869, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 24 (Thread 0x7f0d69ffb700 (LWP 2898)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3460 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d69ffaae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d69ffaae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3460) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3460 detached = 1 id = 139695589668608 tid = 2898 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d69ffb700) at pthread_create.c:308 __res = pd = 0x7f0d69ffb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695589668608, -1088326907459832651, 0, 139695589669312, 139695589668608, 1, 1080775464258860213, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 23 (Thread 0x7f0d697fa700 (LWP 2899)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3750 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d697f9ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d697f9ae0 conn = 0x7f0d885387d0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3750) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3750 detached = 1 id = 139695581275904 tid = 2899 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d697fa700) at pthread_create.c:308 __res = pd = 0x7f0d697fa700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695581275904, -1088326907459832651, 0, 139695581276608, 139695581275904, 1, 1080774363136619701, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 22 (Thread 0x7f0d68ff9700 (LWP 2900)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3a40 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d68ff8ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d68ff8ae0 conn = 0x7f0d8853de70 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3a40) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3a40 detached = 1 id = 139695572883200 tid = 2900 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d68ff9700) at pthread_create.c:308 __res = pd = 0x7f0d68ff9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695572883200, -1088326907459832651, 0, 139695572883904, 139695572883200, 1, 1080773264161862837, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 21 (Thread 0x7f0d687f8700 (LWP 2901)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3d30 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d687f7ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d687f7ae0 conn = 0x7f0d8853de70 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3d30) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3d30 detached = 1 id = 139695564490496 tid = 2901 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d687f8700) at pthread_create.c:308 __res = pd = 0x7f0d687f8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695564490496, -1088326907459832651, 0, 139695564491200, 139695564490496, 1, 1080772167334589621, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 20 (Thread 0x7f0d67ff7700 (LWP 2902)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f4020 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d67ff6ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6070 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d627ebae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d627ebae0 conn = 0x7f0d8853de70 op = tag = 102 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6070) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6070 detached = 1 id = 139695463778048 tid = 2913 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d627ec700) at pthread_create.c:308 __res = pd = 0x7f0d627ec700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695463778048, -1088326907459832651, 0, 139695463778752, 139695463778048, 1, 1080785350736704693, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 8 (Thread 0x7f0d61feb700 (LWP 2914)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6360 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d61feaae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d61feaae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6360) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6360 detached = 1 id = 139695455385344 tid = 2914 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d61feb700) at pthread_create.c:308 __res = pd = 0x7f0d61feb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695455385344, -1088326907459832651, 0, 139695455386048, 139695455385344, 1, 1080793047854970037, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 7 (Thread 0x7f0d617ea700 (LWP 2915)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6650 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d617e9ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d617e9ae0 conn = 0x7f0d88532410 op = tag = 119 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6650) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6650 detached = 1 id = 139695446992640 tid = 2915 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d617ea700) at pthread_create.c:308 __res = pd = 0x7f0d617ea700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695446992640, -1088326907459832651, 0, 139695446993344, 139695446992640, 1, 1080791946732729525, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 6 (Thread 0x7f0d60fe9700 (LWP 2916)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6940 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d60fe8ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d60fe8ae0 conn = 0x7f0d885387d0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6940) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6940 detached = 1 id = 139695438599936 tid = 2916 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d60fe9700) at pthread_create.c:308 __res = pd = 0x7f0d60fe9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695438599936, -1088326907459832651, 0, 139695438600640, 139695438599936, 1, 1080790847757972661, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 5 (Thread 0x7f0d607e8700 (LWP 2917)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6c30 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d607e7ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d607e7ae0 conn = 0x7f0d8853c040 op = tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6c30) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6c30 detached = 1 id = 139695430207232 tid = 2917 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d607e8700) at pthread_create.c:308 __res = pd = 0x7f0d607e8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695430207232, -1088326907459832651, 0, 139695430207936, 139695430207232, 1, 1080789750930699445, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 4 (Thread 0x7f0d5ffe7700 (LWP 2918)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=1000) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 233502} #2 0x00007f0da31912d5 in time_thread (nothing=) at ldap/servers/slapd/daemon.c:474 interval = 1000 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6f20) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6f20 detached = 0 id = 139695421814528 tid = 2918 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5ffe7700) at pthread_create.c:308 __res = pd = 0x7f0d5ffe7700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695421814528, -1088326907459832651, 0, 139695421815232, 139695421814528, 1, 1080797448048964789, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 3 (Thread 0x7f0d5f7e6700 (LWP 2965)): #0 pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238 No locals. 
#1 0x00007f0da10b0b07 in pt_TimedWait (cv=cv at entry=0x7f0da6326eb8, ml=0x7f0da65009f0, timeout=timeout at entry=1000) at ../../../nspr/pr/src/pthreads/ptsynch.c:264 rv = now = {tv_sec = 1436876853, tv_usec = 61495} tmo = {tv_sec = 1436876854, tv_nsec = 61495000} ticks = #2 0x00007f0da10b0fce in PR_WaitCondVar (cvar=0x7f0da6326eb0, timeout=1000) at ../../../nspr/pr/src/pthreads/ptsynch.c:387 rv = thred = 0x7f0cf0009ff0 #3 0x00007f0d992e6374 in sync_send_results (arg=) at ldap/servers/plugins/sync/sync_persist.c:602 req = 0x7f0cf00027b0 qnode = 0x0 qnodenext = conn_acq_flag = 0 conn = 0x7f0d885337c0 op = 0x7f0da62ed750 rc = connid = 18 opid = 0 #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0cf0009ff0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0cf0009ff0 detached = 1 id = 139695413421824 tid = 2965 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5f7e6700) at pthread_create.c:308 __res = pd = 0x7f0d5f7e6700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695413421824, -1088326907459832651, 0, 139695413422528, 139695413421824, 1, 1080796346926724277, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 2 (Thread 0x7f0d5dfe4700 (LWP 32719)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 141496} #2 0x00007f0d96b44787 in repl5_inc_result_threadmain (param=0x7f0d80028960) at ldap/servers/plugins/replication/repl5_inc_protocol.c:312 operation_code = 0 ldap_error_string = 0x0 time_now = op = 0x0 csn_str = 0x0 replica_id = 0 connection_error = 0 uniqueid = 0x0 start_time = 1436876790 backoff_time = 1024 rd = 0x7f0d80028960 conres = conn = 0x7f0da634db10 finished = 0 message_id = 0 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0d8002e240) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0d8002e240 detached = 0 id = 139695388247808 tid = 32719 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5dfe4700) at pthread_create.c:308 __res = pd = 0x7f0d5dfe4700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695388247808, -1088326907459832651, 0, 139695388248512, 139695388247808, 21, 1080801847706088629, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 1 (Thread 0x7f0da315a840 (LWP 2870)): #0 __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135 No locals. #1 0x00007f0da0a59d68 in _L_lock_975 () from /lib64/libpthread.so.0 No symbol table info available. #2 0x00007f0da0a59d11 in __GI___pthread_mutex_lock (mutex=mutex at entry=0x7f0da4f82d10) at pthread_mutex_lock.c:104 cnt = 101 max_cnt = -1 type = 3 id = 2870 #3 0x00007f0da10b0cb9 in PR_Lock (lock=0x7f0da4f82d10) at ../../../nspr/pr/src/pthreads/ptsynch.c:177 No locals. 
#4 0x00007f0da31941f5 in handle_pr_read_ready (num_poll=, ct=0x7f0da4a2e6d0) at ldap/servers/slapd/daemon.c:1944 c = 0x7f0d8853c040 curtime = 1436876851 maxthreads = 5 #5 slapd_daemon (ports=ports at entry=0x7fffb03d7770) at ldap/servers/slapd/daemon.c:1208 select_return = prerr = n_tcps = 0x7f0da4840a60 s_tcps = 0x7f0da48409f0 i_unix = 0x7f0da48408f0 fdesp = 0x0 num_poll = pr_timeout = 250 time_thread_p = 0x7f0da65f6f20 threads = in_referral_mode = 0 n_listeners = 3 listener_idxs = 0x7f0da65f7210 #6 0x00007f0da318717c in main (argc=7, argv=0x7fffb03d7d98) at ldap/servers/slapd/main.c:1279 return_value = 0 slapdFrontendConfig = ports_info = {n_port = 389, s_port = 636, n_listenaddr = 0x7f0da4840b70, s_listenaddr = 0x7f0da4840a10, n_socket = 0x7f0da4840a60, i_listenaddr = 0x7f0da4840b00, i_port = 1, i_socket = 0x7f0da48408f0, s_socket = 0x7f0da48409f0} m = Detaching from program: /usr/sbin/ns-slapd, process 2870 -------------- next part -------------- GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-64.el7 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". For bug reporting instructions, please see: ... Reading symbols from /usr/sbin/ns-slapd...Reading symbols from /usr/lib/debug/usr/sbin/ns-slapd.debug...done. done. Attaching to program: /usr/sbin/ns-slapd, process 2870 Reading symbols from /usr/lib64/dirsrv/libslapd.so.0...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/libslapd.so.0.0.0.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/libslapd.so.0 Reading symbols from /lib64/libkrb5.so.3...Reading symbols from /usr/lib/debug/usr/lib64/libkrb5.so.3.3.debug...done. done. 
0x00007f0da077ab7d in poll () at ../sysdeps/unix/syscall-template.S:81 81 T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS) Thread 47 (Thread 0x7f0d92bfb700 (LWP 2872)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals.
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=100) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 9575} #2 0x00007f0d96dd0507 in deadlock_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4511 rval = priv = 0x7f0da487d410 li = interval = #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4b0d230) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4b0d230 detached = 1 id = 139696273340160 tid = 2872 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d92bfb700) at pthread_create.c:308 __res = pd = 0x7f0d92bfb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696273340160, -1088326907459832651, 0, 139696273340864, 139696273340160, 1, 1080398881526346933, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 46 (Thread 0x7f0d923fa700 (LWP 2873)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=250) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 144227} #2 0x00007f0d96dd45d6 in checkpoint_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4720 time_of_last_checkpoint_completion = 1436877058 interval = rval = priv = li = debug_checkpointing = 0 checkpoint_interval = home_dir = list = 0x0 listp = penv = 0x7f0da4a7b730 time_of_last_comapctdb_completion = 1434571369 compactdb_interval = 2592000 txn = {back_txn_txn = 0x0} #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4b0ce70) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4b0ce70 detached = 1 id = 139696264947456 tid = 2873 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d923fa700) at pthread_create.c:308 __res = pd = 0x7f0d923fa700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696264947456, -1088326907459832651, 0, 139696264948160, 139696264947456, 1, 1080397780404106421, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 45 (Thread 0x7f0d91bf9700 (LWP 2874)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=250) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 121974} #2 0x00007f0d96dd077f in trickle_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4937 interval = 250 rval = priv = 0x7f0da487d410 li = debug_checkpointing = 0 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4acec10) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4acec10 detached = 1 id = 139696256554752 tid = 2874 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d91bf9700) at pthread_create.c:308 __res = pd = 0x7f0d91bf9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696256554752, -1088326907459832651, 0, 139696256555456, 139696256554752, 1, 1080405477522371765, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 44 (Thread 0x7f0d913f8700 (LWP 2875)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 824131} #2 0x00007f0d96e22d54 in perfctrs_wait (milliseconds=milliseconds at entry=1000, priv=, db_env=) at ldap/servers/slapd/back-ldbm/perfctrs.c:277 interval = #3 0x00007f0d96dcb437 in perf_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4011 priv = 0x7f0da487d410 li = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da4ad0e60) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da4ad0e60 detached = 1 id = 139696248162048 tid = 2875 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d913f8700) at pthread_create.c:308 __res = pd = 0x7f0d913f8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696248162048, -1088326907459832651, 0, 139696248162752, 139696248162048, 1, 1080404380695098549, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 43 (Thread 0x7f0d909ee700 (LWP 2877)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. #1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=cvar at entry=0x7f0da65bf0d0, timeout=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da64f0e60 #2 0x00007f0da2ce2fa8 in slapi_wait_condvar (cvar=0x7f0da65bf0d0, timeout=timeout at entry=0x0) at ldap/servers/slapd/slapi2nspr.c:179 prit = #3 0x00007f0d994f164e in cos_cache_wait_on_change (arg=) at ldap/servers/plugins/cos/cos_cache.c:436 No locals. 
#4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da64f0e60) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da64f0e60 detached = 1 id = 139696237635328 tid = 2877 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d909ee700) at pthread_create.c:308 __res = pd = 0x7f0d909ee700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696237635328, -1088326907459832651, 0, 139696237636032, 139696237635328, 1, 1080403542102734005, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 42 (Thread 0x7f0da3004700 (LWP 2878)): #0 pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238 No locals. #1 0x00007f0da10b0b07 in pt_TimedWait (cv=cv at entry=0x7f0da4a26558, ml=0x7f0da6324e70, timeout=timeout at entry=300000) at ../../../nspr/pr/src/pthreads/ptsynch.c:264 rv = now = {tv_sec = 1436876878, tv_usec = 740355} tmo = {tv_sec = 1436877178, tv_nsec = 740355000} ticks = #2 0x00007f0da10b0fce in PR_WaitCondVar (cvar=0x7f0da4a26550, timeout=300000) at ../../../nspr/pr/src/pthreads/ptsynch.c:387 rv = thred = 0x7f0da6513050 #3 0x00007f0d96b2df74 in _cl5TrimMain (param=) at ldap/servers/plugins/replication/cl5_api.c:3466 timePrev = 1436876576 timeCompactPrev = 1434571375 timeNow = 1436876852 #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da6513050) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da6513050 detached = 1 id = 139696546006784 tid = 2878 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0da3004700) at pthread_create.c:308 __res = pd = 0x7f0da3004700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139696546006784, -1088326907459832651, 0, 139696546007488, 139696546006784, 1, 1080365221330777269, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 41 (Thread 0x7f0d8bfff700 (LWP 2879)): #0 send_updates (num_changes_sent=0x7f0d8bffec60, remote_update_vector=, prp=0x7f0da651a450) at ldap/servers/plugins/replication/repl5_inc_protocol.c:1723 finished = 0 replay_crc = csn_str = "559b3fa9003300050000" return_value = 203 rd = 0x7f0d8002ec80 entry = {op = 0x7f0d8bffecd0, time = 1436237702} op = {operation_type = 8, target_address = {udn = 0x0, uniqueid = 0x7f0d8002e710 "d822236f-14ff11e5-a351aa45-2e06257b", sdn = 0x7f0d8002e420}, csn = 0x7f0d8002b490, request_controls = 0x0, p = {p_add = {target_entry = 0x7f0d8000c5a0, parentuniqueid = 0x0}, p_bind = {bind_method = -2147433056, bind_creds = 0x0, bind_saslmechanism = 0x0, bind_ret_saslcreds = 0x0}, p_compare = {compare_ava = {ava_type = 0x7f0d8000c5a0 "?\002\200\r\177", ava_value = {bv_len = 0, bv_val = 0x0}, ava_private = 0x0}}, p_modify = {modify_mods = 0x7f0d8000c5a0}, p_modrdn = {modrdn_newrdn = 0x7f0d8000c5a0 "?\002\200\r\177", modrdn_deloldrdn = 0, modrdn_newsuperior_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, modrdn_mods = 0x0}, p_search = {search_scope = -2147433056, search_deref = 32525, search_sizelimit = 0, search_timelimit = 0, search_filter = 0x0, search_strfilter = 0x0, search_attrs = 0x0, search_attrsonly = 0, search_is_and = 0, search_gerattrs = 0x0}, p_abandon = {abandon_targetmsgid = -2147433056}, p_extended = {exop_oid = 0x7f0d8000c5a0 "?\002\200\r\177", exop_value = 0x0}}} rc = changelog_iterator = 0x7f0d8002b5f0 message_id = 0 #1 repl5_inc_run (prp=) at ldap/servers/plugins/replication/repl5_inc_protocol.c:1073 rc = prp_priv = replica = 0x0 cons_schema_csn = 0x7f0d8002e9c0 ruv = 0x7f0d8002b500 num_changes_sent = 0 use_busy_backoff_timer = next_fire_time = now = 1436865642 busywaittime = 3 pausetime = 0 loops = wait_change_timer_set = 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d6b7fdae0 conn = 0x7f0d885401e0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f2b90) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f2b90 detached = 1 id = 139695614846720 tid = 2895 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d6b7fe700) at pthread_create.c:308 __res = pd = 0x7f0d6b7fe700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695614846720, -1088326907459832651, 0, 139695614847424, 139695614846720, 1, 1080769962942624949, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 26 (Thread 0x7f0d6affd700 (LWP 2896)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f2e80 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d6affcae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d6affcae0 conn = 0x7f0d88532fe0 op = tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f2e80) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f2e80 detached = 1 id = 139695606454016 tid = 2896 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d6affd700) at pthread_create.c:308 __res = pd = 0x7f0d6affd700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695606454016, -1088326907459832651, 0, 139695606454720, 139695606454016, 1, 1080768863967868085, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 25 (Thread 0x7f0d6a7fc700 (LWP 2897)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3170 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d6a7fbae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d6a7fbae0 conn = 0x7f0d885376c0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3170) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3170 detached = 1 id = 139695598061312 tid = 2897 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d6a7fc700) at pthread_create.c:308 __res = pd = 0x7f0d6a7fc700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695598061312, -1088326907459832651, 0, 139695598062016, 139695598061312, 1, 1080767767140594869, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 24 (Thread 0x7f0d69ffb700 (LWP 2898)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3460 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d69ffaae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d69ffaae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3460) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3460 detached = 1 id = 139695589668608 tid = 2898 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d69ffb700) at pthread_create.c:308 __res = pd = 0x7f0d69ffb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695589668608, -1088326907459832651, 0, 139695589669312, 139695589668608, 1, 1080775464258860213, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 23 (Thread 0x7f0d697fa700 (LWP 2899)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3750 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d697f9ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d697f9ae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3750) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3750 detached = 1 id = 139695581275904 tid = 2899 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d697fa700) at pthread_create.c:308 __res = pd = 0x7f0d697fa700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695581275904, -1088326907459832651, 0, 139695581276608, 139695581275904, 1, 1080774363136619701, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 22 (Thread 0x7f0d68ff9700 (LWP 2900)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3a40 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d68ff8ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d68ff8ae0 conn = 0x7f0d885401e0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3a40) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3a40 detached = 1 id = 139695572883200 tid = 2900 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d68ff9700) at pthread_create.c:308 __res = pd = 0x7f0d68ff9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695572883200, -1088326907459832651, 0, 139695572883904, 139695572883200, 1, 1080773264161862837, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 21 (Thread 0x7f0d687f8700 (LWP 2901)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f3d30 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d687f7ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d687f7ae0 conn = 0x7f0d88537030 op = tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f3d30) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f3d30 detached = 1 id = 139695564490496 tid = 2901 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d687f8700) at pthread_create.c:308 __res = pd = 0x7f0d687f8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695564490496, -1088326907459832651, 0, 139695564491200, 139695564490496, 1, 1080772167334589621, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 20 (Thread 0x7f0d67ff7700 (LWP 2902)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d62fecae0 conn = 0x7f0d8853c820 op = tag = 102 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f5d80) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f5d80 detached = 1 id = 139695472170752 tid = 2912 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d62fed700) at pthread_create.c:308 __res = pd = 0x7f0d62fed700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695472170752, -1088326907459832651, 0, 139695472171456, 139695472170752, 1, 1080786447563977909, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 9 (Thread 0x7f0d627ec700 (LWP 2913)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6070 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d627ebae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d627ebae0 conn = 0x7f0d885401e0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6070) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6070 detached = 1 id = 139695463778048 tid = 2913 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d627ec700) at pthread_create.c:308 __res = pd = 0x7f0d627ec700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695463778048, -1088326907459832651, 0, 139695463778752, 139695463778048, 1, 1080785350736704693, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 8 (Thread 0x7f0d61feb700 (LWP 2914)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6360 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d61feaae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d61feaae0 conn = 0x7f0d8853c820 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6360) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6360 detached = 1 id = 139695455385344 tid = 2914 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d61feb700) at pthread_create.c:308 __res = pd = 0x7f0d61feb700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695455385344, -1088326907459832651, 0, 139695455386048, 139695455385344, 1, 1080793047854970037, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 7 (Thread 0x7f0d617ea700 (LWP 2915)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6650 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d617e9ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d617e9ae0 conn = 0x7f0d88532410 op = tag = 119 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6650) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6650 detached = 1 id = 139695446992640 tid = 2915 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d617ea700) at pthread_create.c:308 __res = pd = 0x7f0d617ea700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695446992640, -1088326907459832651, 0, 139695446993344, 139695446992640, 1, 1080791946732729525, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 6 (Thread 0x7f0d60fe9700 (LWP 2916)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6940 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d60fe8ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d60fe8ae0 conn = 0x7f0d8853a8a0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6940) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6940 detached = 1 id = 139695438599936 tid = 2916 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d60fe9700) at pthread_create.c:308 __res = pd = 0x7f0d60fe9700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695438599936, -1088326907459832651, 0, 139695438600640, 139695438599936, 1, 1080790847757972661, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 5 (Thread 0x7f0d607e8700 (LWP 2917)): #0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185 No locals. 
#1 0x00007f0da10b1050 in PR_WaitCondVar (cvar=0x7f0da65f1430, timeout=timeout at entry=4294967295) at ../../../nspr/pr/src/pthreads/ptsynch.c:385 rv = thred = 0x7f0da65f6c30 #2 0x00007f0da318e66e in connection_wait_for_new_work (pb=pb at entry=0x7f0d607e7ae0, interval=interval at entry=4294967295) at ldap/servers/slapd/connection.c:1799 ret = 0 wqitem = 0x0 op_stack_obj = 0x0 #3 0x00007f0da318f89d in connection_threadmain () at ldap/servers/slapd/connection.c:2344 is_timedout = 0 curtime = 0 local_pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, 
pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x0, pb_aci_target_check = 0} pb = 0x7f0d607e7ae0 conn = 0x7f0d885401e0 op = tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = doshutdown = 0 maxthreads = bypasspollcnt = #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6c30) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6c30 detached = 1 id = 139695430207232 tid = 2917 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d607e8700) at pthread_create.c:308 __res = pd = 0x7f0d607e8700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695430207232, -1088326907459832651, 0, 139695430207936, 139695430207232, 1, 1080789750930699445, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 4 (Thread 0x7f0d5ffe7700 (LWP 2918)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=ticks at entry=1000) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 100117} #2 0x00007f0da31912d5 in time_thread (nothing=) at ldap/servers/slapd/daemon.c:474 interval = 1000 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0da65f6f20) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0da65f6f20 detached = 0 id = 139695421814528 tid = 2918 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5ffe7700) at pthread_create.c:308 __res = pd = 0x7f0d5ffe7700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695421814528, -1088326907459832651, 0, 139695421815232, 139695421814528, 1, 1080797448048964789, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 3 (Thread 0x7f0d5f7e6700 (LWP 2965)): #0 pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238 No locals. 
#1 0x00007f0da10b0b07 in pt_TimedWait (cv=cv at entry=0x7f0da6326eb8, ml=0x7f0da65009f0, timeout=timeout at entry=1000) at ../../../nspr/pr/src/pthreads/ptsynch.c:264 rv = now = {tv_sec = 1436877068, tv_usec = 808916} tmo = {tv_sec = 1436877069, tv_nsec = 808916000} ticks = #2 0x00007f0da10b0fce in PR_WaitCondVar (cvar=0x7f0da6326eb0, timeout=1000) at ../../../nspr/pr/src/pthreads/ptsynch.c:387 rv = thred = 0x7f0cf0009ff0 #3 0x00007f0d992e6374 in sync_send_results (arg=) at ldap/servers/plugins/sync/sync_persist.c:602 req = 0x7f0cf00027b0 qnode = 0x0 qnodenext = conn_acq_flag = 0 conn = 0x7f0d885337c0 op = 0x7f0da62ed750 rc = connid = 18 opid = 0 #4 0x00007f0da10b67bb in _pt_root (arg=0x7f0cf0009ff0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0cf0009ff0 detached = 1 id = 139695413421824 tid = 2965 #5 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5f7e6700) at pthread_create.c:308 __res = pd = 0x7f0d5f7e6700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695413421824, -1088326907459832651, 0, 139695413422528, 139695413421824, 1, 1080796346926724277, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #6 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 2 (Thread 0x7f0d5dfe4700 (LWP 33335)): #0 0x00007f0da077c8f3 in select () at ../sysdeps/unix/syscall-template.S:81 No locals. 
#1 0x00007f0da2cf2f79 in DS_Sleep (ticks=) at ldap/servers/slapd/util.c:1118 mSecs = tm = {tv_sec = 0, tv_usec = 531445} #2 0x00007f0d96b44787 in repl5_inc_result_threadmain (param=0x7f0d8002ec80) at ldap/servers/plugins/replication/repl5_inc_protocol.c:312 operation_code = 0 ldap_error_string = 0x0 time_now = op = 0x0 csn_str = 0x0 replica_id = 0 connection_error = 0 uniqueid = 0x0 start_time = 1436876975 backoff_time = 1024 rd = 0x7f0d8002ec80 conres = conn = 0x7f0da634db10 finished = 0 message_id = 0 #3 0x00007f0da10b67bb in _pt_root (arg=0x7f0d8002e240) at ../../../nspr/pr/src/pthreads/ptthread.c:212 rv = thred = 0x7f0d8002e240 detached = 0 id = 139695388247808 tid = 33335 #4 0x00007f0da0a57df5 in start_thread (arg=0x7f0d5dfe4700) at pthread_create.c:308 __res = pd = 0x7f0d5dfe4700 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139695388247808, -1088326907459832651, 0, 139695388248512, 139695388247808, 21, 1080801847706088629, 1080368285740004533}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = pagesize_m1 = sp = freesize = #5 0x00007f0da07851ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 No locals. Thread 1 (Thread 0x7f0da315a840 (LWP 2870)): #0 0x00007f0da077ab7d in poll () at ../sysdeps/unix/syscall-template.S:81 No locals. #1 0x00007f0da10b2967 in poll (__timeout=250, __nfds=129, __fds=0x7f0da70c2da0) at /usr/include/bits/poll2.h:46 No locals. 
#2 _pr_poll_with_poll (pds=0x7f0da65c4d30, npds=npds at entry=129, timeout=timeout at entry=250) at ../../../nspr/pr/src/pthreads/ptio.c:3922 stack_syspoll = {{fd = 825110577, events = 13105, revents = 12846}, {fd = 825306677, events = 57, revents = -30504}, {fd = 1073899376, events = 32525, revents = 0}, {fd = -1566823484, events = 32525, revents = 0}, {fd = 335141088, events = 32525, revents = 0}, {fd = 1342177392, events = 32525, revents = 0}, {fd = 1338150209, events = -32768, revents = -1}, {fd = -1338150208, events = 32767, revents = 0}, {fd = -1338150209, events = 32767, revents = 0}, {fd = 5, events = 0, revents = 0}, {fd = -1561059948, events = 32525, revents = 0}, {fd = -1566823082, events = 32525, revents = 0}, {fd = 16, events = 0, revents = 0}, {fd = 1026279936, events = -22703, revents = -30504}, {fd = -1528903056, events = 32525, revents = 0}, {fd = 1026279936, events = -22703, revents = -30504}, {fd = 24, events = 0, revents = 0}, {fd = 1026279936, events = -22703, revents = -30504}, {fd = 96, events = 0, revents = 0}, {fd = 1344041728, events = 32525, revents = 0}, {fd = 5, events = 0, revents = 0}, {fd = 1342177312, events = 32525, revents = 0}, {fd = 800, events = 0, revents = 0}, {fd = 1338150017, events = -32768, revents = -1}, {fd = 32, events = 0, revents = 0}, {fd = 12, events = 0, revents = 0}, {fd = 168, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = -1338150016, events = 32767, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 92, events = 110, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 512, events = 0, revents = 0}, {fd = -1599826080, events = 32525, revents = 0}, {fd = 16910608, events = 0, revents = 0}, {fd = 16, events = 0, revents = 0}, {fd = -1504264064, events = 32525, revents = 0}, {fd = -1599826080, events = 32525, revents = 0}, {fd = 16910608, events = 0, revents = 0}, {fd = 24, events = 0, revents = 0}, {fd = -1504264064, events = 32525, revents = 0}, {fd = -1490295056, events = 32525, 
revents = 0}, {fd = 48, events = 0, revents = 0}, {fd = -1593110920, events = 32525, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = -1503718352, events = 32525, revents = 0}, {fd = -1, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0} , {fd = -1534881584, events = 32525, revents = 0}, {fd = 1026279936, events = -22703, revents = -30504}, {fd = -1504264064, events = 32525, revents = 0}, {fd = -1503718160, events = 32525, revents = 0}, {fd = -1509907472, events = 32525, revents = 0}, {fd = -1508012976, events = 32525, revents = 0}} syspoll = index = msecs = 250 ready = start = 2305711615 elapsed = remaining = #3 0x00007f0da10b54a5 in PR_Poll (pds=, npds=npds at entry=129, timeout=timeout at entry=250) at ../../../nspr/pr/src/pthreads/ptio.c:4324 No locals. #4 0x00007f0da3193f69 in slapd_daemon (ports=ports at entry=0x7fffb03d7770) at ldap/servers/slapd/daemon.c:1170 select_return = 0 prerr = n_tcps = 0x7f0da4840a60 s_tcps = 0x7f0da48409f0 i_unix = 0x7f0da48408f0 fdesp = 0x0 num_poll = 129 pr_timeout = 250 time_thread_p = 0x7f0da65f6f20 threads = in_referral_mode = 0 n_listeners = 3 listener_idxs = 0x7f0da65f7210 #5 0x00007f0da318717c in main (argc=7, argv=0x7fffb03d7d98) at ldap/servers/slapd/main.c:1279 return_value = 0 slapdFrontendConfig = ports_info = {n_port = 389, s_port = 636, n_listenaddr = 0x7f0da4840b70, s_listenaddr = 0x7f0da4840a10, n_socket = 0x7f0da4840a60, i_listenaddr = 0x7f0da4840b00, i_port = 1, i_socket = 0x7f0da48408f0, s_socket = 0x7f0da48409f0} m = Detaching from program: /usr/sbin/ns-slapd, process 2870 From notify.sina at gmail.com Tue Jul 14 12:44:36 2015 
From: notify.sina at gmail.com (Sina Owolabi) Date: Tue, 14 Jul 2015 13:44:36 +0100 Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates In-Reply-To: <55A4FC3F.2040908@redhat.com> References: <55A390D5.4050104@redhat.com> <55A4BE64.4030106@redhat.com> <55A4FC3F.2040908@redhat.com> Message-ID: Thanks Petr. Can I assume that any fresh clients added to the IDM domain, is going to have both its forward and reverse records populated? On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek wrote: > On 14.7.2015 10:28, Sina Owolabi wrote: >> Thanks Martin >> >> >> The expanded command shows all the output. Curiously, I still don't >> see any reverse addresses yet except on the reverse domain for this >> primary zone. Ive restarted the IPA servers in hopes of a Windows-y >> solution but it didn't help :-) > > SyncPTR does something only when the data change. I.e. it will do nothing if > your A/AAAA records are up to date (even if clients send update). > > I'm afraid that there is no pre-made tool to do the mass update, sorry. You > probably need to script something yourself. > > Petr^2 Spacek > >> output: >> ipa dnszone-show mydom.com --all >> dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com >> Zone name: mydom.com. >> Active zone: TRUE >> Authoritative nameserver: dc.mydom.com. >> Administrator e-mail address: hostmaster.mydom.com. >> SOA serial: 1436861122 >> SOA refresh: 3600 >> SOA retry: 900 >> SOA expire: 1209600 >> SOA minimum: 3600 >> BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM >> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP; >> Dynamic update: TRUE >> Allow query: any; >> Allow transfer: none; >> Allow PTR sync: TRUE >> arecord: pu.bl.ic.add >> mxrecord: 0 mail.mydom.com. >> nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com. 
>> objectclass: idnszone, top, idnsrecord >> >> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti wrote: >>> On 13/07/15 19:58, Sina Owolabi wrote: >>>> >>>> Hi Martin >>>> >>>> Yes all my sssd configs are set ipa_dyndns_update = True >>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set >>>> them. >>>> I've tried to set it in the very first zone (setup during >>>> installation) but dnszone-mod complains: >>>> >>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE >>>> ipa: ERROR: no modifications to be performed >>>> >>>> But I don't see it in the show command: >>>> >>>> ipa dnszone-show mydom.com >>>> Zone name: mydom.com. >>>> Active zone: TRUE >>>> Authoritative nameserver: services.mydom.com. >>>> Administrator e-mail address: hostmaster.mydom.com. >>>> SOA serial: 1436799166 >>>> SOA refresh: 3600 >>>> SOA retry: 900 >>>> SOA expire: 1209600 >>>> SOA minimum: 3600 >>>> Allow query: any; >>>> Allow transfer: none; >>> >>> You must use option --all >>> >>> ipa dnszone-show mydom.com --all >>> >>> >>> Martin >>> >>>> >>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote: >>>>> >>>>> On 12/07/15 10:05, Sina Owolabi wrote: >>>>>> >>>>>> Hi >>>>>> >>>>>> I have several dns zones defined in IPA. I noticed recently that the >>>>>> zone files are empty. I find this odd because I created them like the >>>>>> example below. >>>>>> Is it possible to force clients to auto-update reverse zones? >>>>>> >>>>>> Thanks in advance! >>>>>> >>>>>> How I created all the zones: >>>>>> >>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 >>>>>> --allow-sync-ptr=TRUE --dynamic-update >>>>>> Zone name: 0.14.10.in-addr.arpa. >>>>>> Active zone: TRUE >>>>>> Authoritative nameserver: services.ourdomain.com. 
>>>>>> Administrator e-mail address: hostmaster >>>>>> SOA serial: 1436688202 >>>>>> SOA refresh: 3600 >>>>>> SOA retry: 900 >>>>>> SOA expire: 1209600 >>>>>> SOA minimum: 3000 >>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain >>>>>> 0.14.10.in-addr.arpa. PTR; >>>>>> Dynamic update: TRUE >>>>>> Allow query: any; >>>>>> Allow transfer: none; >>>>>> Allow PTR sync: TRUE >>>>>> >>>>> Hello, >>>>> >>>>> do you have --allow-sync-ptr=True configured in zones where the >>>>> particular >>>>> A/AAAA records are? >>>>> >>>>> SSSD is able to update records. >>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man >>>>> sssd-ipa) > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From pspacek at redhat.com Tue Jul 14 12:47:18 2015 
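Added example, not part of any message in this thread: the reply quoted above says SyncPTR only acts when A/AAAA data changes and that no pre-made tool exists for a mass update. This Python sketch plans the missing PTR records and returns `ipa dnsrecord-add ... --ptr-rec=` commands for review instead of running them; the host names, addresses, the IPv6 zone and the `EXISTING_PTRS` table are constructed assumptions.

```python
"""Plan missing PTR records from forward A/AAAA data (added example)."""
import ipaddress
import shlex

# Constructed sample data. The reverse zone 0.14.10.in-addr.arpa. and the
# mydom.com domain appear in the thread; host names, addresses and the IPv6
# zone are invented for illustration.
REVERSE_ZONES = ["0.14.10.in-addr.arpa.", "8.b.d.0.1.0.0.2.ip6.arpa."]
FORWARD_RECORDS = [
    ("web01.mydom.com", "10.14.0.25"),   # no PTR yet
    ("db01.mydom.com", "10.14.0.30"),    # PTR already correct
    ("old.mydom.com", "10.14.0.31"),     # PTR names another host
    ("alias.mydom.com", "10.14.0.25"),   # second name on web01's address
    ("vpn.mydom.com", "192.0.2.7"),      # no reverse zone in the list
    ("v6.mydom.com", "2001:db8::1"),     # AAAA record
]
# Assumption: in practice this table would be exported from the DNS data.
EXISTING_PTRS = {
    ("0.14.10.in-addr.arpa.", "30"): "db01.mydom.com.",
    ("0.14.10.in-addr.arpa.", "31"): "retired.mydom.com.",
}


def fqdn(name):
    """Lower-case a DNS name and make it absolute (trailing dot)."""
    return name.lower().rstrip(".") + "."


def split_reverse_name(address, reverse_zones):
    """Return (zone, relative_name) in the most specific listed reverse zone.

    Returns None when no listed zone contains the address.
    """
    owner = fqdn(ipaddress.ip_address(address).reverse_pointer)
    best = None
    for zone in map(fqdn, reverse_zones):
        # The leading dot forces a match on a label boundary, so
        # 14.10.in-addr.arpa. never claims an address in 10.114.0.0/16.
        if owner.endswith("." + zone) and (best is None or len(zone) > len(best)):
            best = zone
    if best is None:
        return None
    return best, owner[: -(len(best) + 1)]


def plan_ptr_updates(forward_records, reverse_zones, existing_ptrs):
    """Sort forward records into PTRs to add, conflicts and unmanaged addresses.

    An existing PTR that names a different host is never overwritten; it is
    reported so that an administrator decides which name is authoritative.
    """
    known = {key: fqdn(value) for key, value in existing_ptrs.items()}
    plan = {"add": [], "conflict": [], "unmanaged": []}
    for host, address in forward_records:
        located = split_reverse_name(address, reverse_zones)
        if located is None:
            plan["unmanaged"].append((host, address))
            continue
        zone, name = located
        target = fqdn(host)
        current = known.get((zone, name))
        if current is None:
            plan["add"].append(
                ["ipa", "dnsrecord-add", zone, name, "--ptr-rec=" + target])
            known[(zone, name)] = target  # a later name on this IP conflicts
        elif current != target:
            plan["conflict"].append((zone, name, current, target))
    return plan


if __name__ == "__main__":
    result = plan_ptr_updates(FORWARD_RECORDS, REVERSE_ZONES, EXISTING_PTRS)
    for argv in result["add"]:
        print(shlex.join(argv))
    for zone, name, current, wanted in result["conflict"]:
        print(f"# review: {name}.{zone} -> {current} (forward data says {wanted})")
    for host, address in result["unmanaged"]:
        print(f"# skipped: {host} {address} has no reverse zone in this list")
```
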
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 14 Jul 2015 14:47:18 +0200 Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates In-Reply-To: References: <55A390D5.4050104@redhat.com> <55A4BE64.4030106@redhat.com> <55A4FC3F.2040908@redhat.com> Message-ID: <55A504D6.4070502@redhat.com> On 14.7.2015 14:44, Sina Owolabi wrote: > Thanks Petr. > > Can I assume that any fresh clients added to the IDM domain, is going > to have both its forward and reverse records populated? Yes, as long as your configuration conforms with https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR Please let us know if you encounter any problems. Petr^2 Spacek > On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek wrote: >> On 14.7.2015 10:28, Sina Owolabi wrote: >>> Thanks Martin >>> >>> >>> The expanded command shows all the output. Curiously, I still don't >>> see any reverse addresses yet except on the reverse domain for this >>> primary zone. Ive restarted the IPA servers in hopes of a Windows-y >>> solution but it didn't help :-) >> >> SyncPTR does something only when the data change. I.e. it will do nothing if >> your A/AAAA records are up to date (even if clients send update). >> >> I'm afraid that there is no pre-made tool to do the mass update, sorry. You >> probably need to script something yourself. >> >> Petr^2 Spacek >> >>> output: >>> ipa dnszone-show mydom.com --all >>> dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com >>> Zone name: mydom.com. >>> Active zone: TRUE >>> Authoritative nameserver: dc.mydom.com. >>> Administrator e-mail address: hostmaster.mydom.com. >>> SOA serial: 1436861122 >>> SOA refresh: 3600 >>> SOA retry: 900 >>> SOA expire: 1209600 >>> SOA minimum: 3600 >>> BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM >>> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP; >>> Dynamic update: TRUE >>> Allow query: any; >>> Allow transfer: none; >>> Allow PTR sync: TRUE >>> arecord: pu.bl.ic.add >>> mxrecord: 0 mail.mydom.com. 
>>> nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com. >>> objectclass: idnszone, top, idnsrecord >>> >>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti wrote: >>>> On 13/07/15 19:58, Sina Owolabi wrote: >>>>> >>>>> Hi Martin >>>>> >>>>> Yes all my sssd configs are set ipa_dyndns_update = True >>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set >>>>> them. >>>>> I've tried to set it in the very first zone (setup during >>>>> installation) but dnszone-mod complains: >>>>> >>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE >>>>> ipa: ERROR: no modifications to be performed >>>>> >>>>> But I don't see it in the show command: >>>>> >>>>> ipa dnszone-show mydom.com >>>>> Zone name: mydom.com. >>>>> Active zone: TRUE >>>>> Authoritative nameserver: services.mydom.com. >>>>> Administrator e-mail address: hostmaster.mydom.com. >>>>> SOA serial: 1436799166 >>>>> SOA refresh: 3600 >>>>> SOA retry: 900 >>>>> SOA expire: 1209600 >>>>> SOA minimum: 3600 >>>>> Allow query: any; >>>>> Allow transfer: none; >>>> >>>> You must use option --all >>>> >>>> ipa dnszone-show mydom.com --all >>>> >>>> >>>> Martin >>>> >>>>> >>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote: >>>>>> >>>>>> On 12/07/15 10:05, Sina Owolabi wrote: >>>>>>> >>>>>>> Hi >>>>>>> >>>>>>> I have several dns zones defined in IPA. I noticed recently that the >>>>>>> zone files are empty. I find this odd because I created them like the >>>>>>> example below. >>>>>>> Is it possible to force clients to auto-update reverse zones? >>>>>>> >>>>>>> Thanks in advance! >>>>>>> >>>>>>> How I created all the zones: >>>>>>> >>>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 >>>>>>> --allow-sync-ptr=TRUE --dynamic-update >>>>>>> Zone name: 0.14.10.in-addr.arpa. >>>>>>> Active zone: TRUE >>>>>>> Authoritative nameserver: services.ourdomain.com. 
>>>>>>> Administrator e-mail address: hostmaster
>>>>>>> SOA serial: 1436688202
>>>>>>> SOA refresh: 3600
>>>>>>> SOA retry: 900
>>>>>>> SOA expire: 1209600
>>>>>>> SOA minimum: 3000
>>>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>>>> Dynamic update: TRUE
>>>>>>> Allow query: any;
>>>>>>> Allow transfer: none;
>>>>>>> Allow PTR sync: TRUE
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>>>> particular
>>>>>> A/AAAA records are?
>>>>>>
>>>>>> SSSD is able to update records.
>>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>>>> sssd-ipa)

From notify.sina at gmail.com Tue Jul 14 12:47:27 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Tue, 14 Jul 2015 13:47:27 +0100
Subject: [Freeipa-users] FreeIPA Server Won't Start Up After ipactl restart
Message-ID:

Hi

Please, I would really need some help in troubleshooting one of my domain servers on which I restarted the IPA services.
It's a CentOS 7.1 server running ipa-4.1.0

[root@dc01 ~]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Failed to read data from service file: Failed to get list of dc to probe status!
Configured hostname 'dc01.mydom.com' does not match any master server in LDAP:
dc.mydom.com
dc02.mydom.com
dc01.mydom.com
dc01.mydom.com
Shutting down
[root@dc01 ~]#

From tde3000 at gmail.com Tue Jul 14 12:49:22 2015
From: tde3000 at gmail.com (John Stein) Date: Tue, 14 Jul 2015 12:49:22 +0000 Subject: [Freeipa-users] reverse lookup dns records in trust setup In-Reply-To: <559CF263.6020300@redhat.com> References: <55914D1F.4050704@redhat.com> <559CF263.6020300@redhat.com> Message-ID: I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD. On Wed, Jul 8, 2015, 12:50 Petr Spacek wrote: > On 5.7.2015 08:38, John Stein wrote: > > Hi, > > > > I ran these commands in the IdM server > > > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM > > krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;' > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1 > > > > At the Active Directory I have A and PTR records for the IdM server and > it > > is configured as a global forwarder. > > At the IdM server there are A and PTR records for both the IdM server and > > another client. > > However this setup does not work. > > From the IdM and linux client every record is resolvable, however from > the > > AD only the IdM is resolvable and the client is not. > > > > Maybe there's another thing I need to configure in the AD in order to > > enable forwarding that I'm missing? > > I'm not sure I understand you. > > A zone should be configured only on one server (or set of synchronized > servers). > > Could you tell us what exactly (using what commands or GUI in IPA and AD) > did > you configure? > > It would be good if you did not obfuscate DNS names in the steps because > the > obfuscation often hides the real cause of problem :-) > > Have a nice day! > > Petr^2 Spacek > > > > Thank you very much, > > John > > > > On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek wrote: > > > >> On 29.6.2015 13:57, John Stein wrote: > >>> Hi, > >>> > >>> I have an AD and IdM server. 
> >>> AD domain - john.com
> >>> IdM domain - linux.john.com
> >>>
> >>> each spans multiple network segments, with some segments having both linux
> >>> and windows machines.
> >>>
> >>> the IdM is configured to forward DNS requests to AD (forward first), and
> >>> the AD is configured to forward requests in the linux.john.com domain to
> >>> the IdM.
> >>>
> >>> However, I'm having a problem regarding reverse lookup zones. Where should
> >>> they be so they can be accessed from both linux and windows machines?
> >>
> >> From DNS's point of view it does not matter, pick one side (AD or IPA) to host
> >> the reverse zone and configure delegation or forwarding on the other side.
> >> That is all you need if you are willing to update records manually.
> >>
> >>> If I put them in IdM, how will the AD know which requests to forward to the
> >>> IdM?
> >>
> >> Either properly configure delegation (if you have control over the parent
> >> zone) or add forwarder (only if you do not have control over parent zone -
> >> usual caveats for forwarding apply).
> >>
> >>> It seems to me that I need to somehow register them at the AD, so the A
> >>> record is in the IdM server and the PTR is in the AD. Is it possible to do
> >>> it automatically,
> >>
> >> "host/" principals from IPA Kerberos realm are generally not allowed to get
> >> tickets for AD realm so automatic update from IPA to AD is not possible.
> >>
> >> It might work the other way around (I did not test this):
> >> - Configure reverse zone in IPA
> >> - Configure delegation/forwarding in AD so all clients can properly resolve
> >> the reverse zone
> >> - Allow all clients to update their PTR records. Update policy like this might
> >> work:
> >> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE
> >> krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> >> $ ipa dnszone-mod 2.0.192.in-addr.arpa.
--dynamic-update=1
> >>
> >> I would like to hear from you if this works in your environment or not.
>

From notify.sina at gmail.com Tue Jul 14 12:50:27 2015
From: notify.sina at gmail.com (Sina Owolabi) Date: Tue, 14 Jul 2015 13:50:27 +0100 Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates In-Reply-To: <55A504D6.4070502@redhat.com> References: <55A390D5.4050104@redhat.com> <55A4BE64.4030106@redhat.com> <55A4FC3F.2040908@redhat.com> <55A504D6.4070502@redhat.com> Message-ID: Thank you again. The configuration does conform. On Tue, Jul 14, 2015 at 1:47 PM, Petr Spacek wrote: > On 14.7.2015 14:44, Sina Owolabi wrote: >> Thanks Petr. >> >> Can I assume that any fresh clients added to the IDM domain, is going >> to have both its forward and reverse records populated? > > Yes, as long as your configuration conforms with > https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR > > Please let us know if you encounter any problems. > > Petr^2 Spacek > >> On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek wrote: >>> On 14.7.2015 10:28, Sina Owolabi wrote: >>>> Thanks Martin >>>> >>>> >>>> The expanded command shows all the output. Curiously, I still don't >>>> see any reverse addresses yet except on the reverse domain for this >>>> primary zone. Ive restarted the IPA servers in hopes of a Windows-y >>>> solution but it didn't help :-) >>> >>> SyncPTR does something only when the data change. I.e. it will do nothing if >>> your A/AAAA records are up to date (even if clients send update). >>> >>> I'm afraid that there is no pre-made tool to do the mass update, sorry. You >>> probably need to script something yourself. >>> >>> Petr^2 Spacek >>> >>>> output: >>>> ipa dnszone-show mydom.com --all >>>> dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com >>>> Zone name: mydom.com. >>>> Active zone: TRUE >>>> Authoritative nameserver: dc.mydom.com. >>>> Administrator e-mail address: hostmaster.mydom.com. 
>>>> SOA serial: 1436861122 >>>> SOA refresh: 3600 >>>> SOA retry: 900 >>>> SOA expire: 1209600 >>>> SOA minimum: 3600 >>>> BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM >>>> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP; >>>> Dynamic update: TRUE >>>> Allow query: any; >>>> Allow transfer: none; >>>> Allow PTR sync: TRUE >>>> arecord: pu.bl.ic.add >>>> mxrecord: 0 mail.mydom.com. >>>> nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com. >>>> objectclass: idnszone, top, idnsrecord >>>> >>>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti wrote: >>>>> On 13/07/15 19:58, Sina Owolabi wrote: >>>>>> >>>>>> Hi Martin >>>>>> >>>>>> Yes all my sssd configs are set ipa_dyndns_update = True >>>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set >>>>>> them. >>>>>> I've tried to set it in the very first zone (setup during >>>>>> installation) but dnszone-mod complains: >>>>>> >>>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE >>>>>> ipa: ERROR: no modifications to be performed >>>>>> >>>>>> But I don't see it in the show command: >>>>>> >>>>>> ipa dnszone-show mydom.com >>>>>> Zone name: mydom.com. >>>>>> Active zone: TRUE >>>>>> Authoritative nameserver: services.mydom.com. >>>>>> Administrator e-mail address: hostmaster.mydom.com. >>>>>> SOA serial: 1436799166 >>>>>> SOA refresh: 3600 >>>>>> SOA retry: 900 >>>>>> SOA expire: 1209600 >>>>>> SOA minimum: 3600 >>>>>> Allow query: any; >>>>>> Allow transfer: none; >>>>> >>>>> You must use option --all >>>>> >>>>> ipa dnszone-show mydom.com --all >>>>> >>>>> >>>>> Martin >>>>> >>>>>> >>>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote: >>>>>>> >>>>>>> On 12/07/15 10:05, Sina Owolabi wrote: >>>>>>>> >>>>>>>> Hi >>>>>>>> >>>>>>>> I have several dns zones defined in IPA. I noticed recently that the >>>>>>>> zone files are empty. I find this odd because I created them like the >>>>>>>> example below. 
>>>>>>>> Is it possible to force clients to auto-update reverse zones? >>>>>>>> >>>>>>>> Thanks in advance! >>>>>>>> >>>>>>>> How I created all the zones: >>>>>>>> >>>>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 >>>>>>>> --allow-sync-ptr=TRUE --dynamic-update >>>>>>>> Zone name: 0.14.10.in-addr.arpa. >>>>>>>> Active zone: TRUE >>>>>>>> Authoritative nameserver: services.ourdomain.com. >>>>>>>> Administrator e-mail address: hostmaster >>>>>>>> SOA serial: 1436688202 >>>>>>>> SOA refresh: 3600 >>>>>>>> SOA retry: 900 >>>>>>>> SOA expire: 1209600 >>>>>>>> SOA minimum: 3000 >>>>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain >>>>>>>> 0.14.10.in-addr.arpa. PTR; >>>>>>>> Dynamic update: TRUE >>>>>>>> Allow query: any; >>>>>>>> Allow transfer: none; >>>>>>>> Allow PTR sync: TRUE >>>>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> do you have --allow-sync-ptr=True configured in zones where the >>>>>>> particular >>>>>>> A/AAAA records are? >>>>>>> >>>>>>> SSSD is able to update records. >>>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man >>>>>>> sssd-ipa) From pspacek at redhat.com Tue Jul 14 12:52:52 2015 
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jul 2015 14:52:52 +0200
Subject: [Freeipa-users] reverse lookup dns records in trust setup
In-Reply-To:
References: <55914D1F.4050704@redhat.com> <559CF263.6020300@redhat.com>
Message-ID: <55A50624.4050507@redhat.com>

On 14.7.2015 14:49, John Stein wrote:
> I ran the above commands exactly as I told you on the IPA server. I also
> set the IPA server as a global forwarder in the AD.
>
> On Wed, Jul 8, 2015, 12:50 Petr Spacek wrote:
>
>> > On 5.7.2015 08:38, John Stein wrote:
>>> > > Hi,
>>> > >
>>> > > I ran these commands in the IdM server
>>> > >
>>> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM
>>> > > krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>>> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>> > >
>>> > > At the Active Directory I have A and PTR records for the IdM server and it
>>> > > is configured as a global forwarder.
>>> > > At the IdM server there are A and PTR records for both the IdM server and
>>> > > another client.

Can you explain what you did, exactly? I do not know what 'I have A and PTR
records for the IdM server' exactly means. We need to know exactly what you
typed in and where you clicked in AD.

The original information is not sufficient, that is why I am asking for more
details.

Petr^2 Spacek

>>> > > However this setup does not work.
>>> > > From the IdM and linux client every record is resolvable, however from the
>>> > > AD only the IdM is resolvable and the client is not.
>>> > >
>>> > > Maybe there's another thing I need to configure in the AD in order to
>>> > > enable forwarding that I'm missing?
>> >
>> > I'm not sure I understand you.

From tde3000 at gmail.com Tue Jul 14 13:19:17 2015
From: tde3000 at gmail.com (John Stein)
Date: Tue, 14 Jul 2015 13:19:17 +0000
Subject: [Freeipa-users] reverse lookup dns records in trust setup
In-Reply-To: <55A50624.4050507@redhat.com>
References: <55914D1F.4050704@redhat.com> <559CF263.6020300@redhat.com> <55A50624.4050507@redhat.com>
Message-ID:

Hi,

What I meant was that the IPA server is managing two zones:

Linux.john.com
Which has these records
Ipa1 A 192.168.0.140
client1 A 192.168.0.11

0.168.192.in-addr.arpa.
Which has these records
11 PTR client1.linux.john.com
@ NS ipa1.linux.john.com

In the AD forward lookup zones
>John.com
>>linux
(Same as parent folder) NS ipa1.linux.john.com

Anything more that's unclear?

Thank you very much!
John

On Tue, Jul 14, 2015, 15:52 Petr Spacek wrote:
> On 14.7.2015 14:49, John Stein wrote:
> > I ran the above commands exactly as I told you on the IPA server. I also
> > set the IPA server as a global forwarder in the AD.
> >
> > On Wed, Jul 8, 2015, 12:50 Petr Spacek wrote:
> >
> >> > On 5.7.2015 08:38, John Stein wrote:
> >>> > > Hi,
> >>> > >
> >>> > > I ran these commands in the IdM server
> >>> > >
> >>> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM
> >>> > > krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> >>> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >>> > >
> >>> > > At the Active Directory I have A and PTR records for the IdM server and it
> >>> > > is configured as a global forwarder.
> >>> > > At the IdM server there are A and PTR records for both the IdM server and
> >>> > > another client.
>
> Can you explain what you did, exactly? I do not know what 'I have A and PTR
> records for the IdM server' exactly means. We need to know exactly what you
> typed in and where you clicked in AD.
>
> The original information is not sufficient, that is why I am asking for more
> details.
>
> Petr^2 Spacek
>
> >>> > > However this setup does not work.
> >>> > > From the IdM and linux client every record is resolvable, however from the
> >>> > > AD only the IdM is resolvable and the client is not.
> >>> > >
> >>> > > Maybe there's another thing I need to configure in the AD in order to
> >>> > > enable forwarding that I'm missing?
> >> >
> >> > I'm not sure I understand you.
>

From mbasti at redhat.com Tue Jul 14 13:20:37 2015
From: mbasti at redhat.com (Martin Basti) Date: Tue, 14 Jul 2015 15:20:37 +0200 Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates In-Reply-To: References: <55A390D5.4050104@redhat.com> Message-ID: <55A50CA5.3090901@redhat.com> On 13/07/15 19:58, Sina Owolabi wrote: > Hi Martin > > Yes all my sssd configs are set ipa_dyndns_update = True > I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them. > I've tried to set it in the very first zone (setup during > installation) but dnszone-mod complains: > > # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE > ipa: ERROR: no modifications to be performed > > But I don't see it in the show command: > > ipa dnszone-show mydom.com > Zone name: mydom.com. > Active zone: TRUE > Authoritative nameserver: services.mydom.com. > Administrator e-mail address: hostmaster.mydom.com. > SOA serial: 1436799166 > SOA refresh: 3600 > SOA retry: 900 > SOA expire: 1209600 > SOA minimum: 3600 > Allow query: any; > Allow transfer: none; > > On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote: >> On 12/07/15 10:05, Sina Owolabi wrote: >>> Hi >>> >>> I have several dns zones defined in IPA. I noticed recently that the >>> zone files are empty. I find this odd because I created them like the >>> example below. >>> Is it possible to force clients to auto-update reverse zones? >>> >>> Thanks in advance! >>> >>> How I created all the zones: >>> >>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 >>> --allow-sync-ptr=TRUE --dynamic-update >>> Zone name: 0.14.10.in-addr.arpa. >>> Active zone: TRUE >>> Authoritative nameserver: services.ourdomain.com. >>> Administrator e-mail address: hostmaster >>> SOA serial: 1436688202 >>> SOA refresh: 3600 >>> SOA retry: 900 >>> SOA expire: 1209600 >>> SOA minimum: 3000 >>> BIND update policy: grant QRIOS.COM krb5-subdomain >>> 0.14.10.in-addr.arpa. 
PTR; >>> Dynamic update: TRUE >>> Allow query: any; >>> Allow transfer: none; >>> Allow PTR sync: TRUE >>> >> Hello, >> >> do you have --allow-sync-ptr=True configured in zones where the particular >> A/AAAA records are? >> >> SSSD is able to update records. >> Please check if "dyndns_update" is set to true in sssd.conf. (man sssd-ipa) >> >> -- >> Martin Basti >> Can you try to restart SSSD, or to remove the A record and then restart SSSD on the particular host? -- Martin Basti From notify.sina at gmail.com Tue Jul 14 14:50:58 2015 
From: notify.sina at gmail.com (Sina Owolabi) Date: Tue, 14 Jul 2015 15:50:58 +0100 Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates In-Reply-To: <55A50CA5.3090901@redhat.com> References: <55A390D5.4050104@redhat.com> <55A50CA5.3090901@redhat.com> Message-ID: I removed the A record and restarted SSSD. The DNS record did not update. On Tue, Jul 14, 2015 at 2:20 PM, Martin Basti wrote: > On 13/07/15 19:58, Sina Owolabi wrote: >> >> Hi Martin >> >> Yes all my sssd configs are set ipa_dyndns_update = True >> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set >> them. >> I've tried to set it in the very first zone (setup during >> installation) but dnszone-mod complains: >> >> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE >> ipa: ERROR: no modifications to be performed >> >> But I don't see it in the show command: >> >> ipa dnszone-show mydom.com >> Zone name: mydom.com. >> Active zone: TRUE >> Authoritative nameserver: services.mydom.com. >> Administrator e-mail address: hostmaster.mydom.com. >> SOA serial: 1436799166 >> SOA refresh: 3600 >> SOA retry: 900 >> SOA expire: 1209600 >> SOA minimum: 3600 >> Allow query: any; >> Allow transfer: none; >> >> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote: >>> >>> On 12/07/15 10:05, Sina Owolabi wrote: >>>> >>>> Hi >>>> >>>> I have several dns zones defined in IPA. I noticed recently that the >>>> zone files are empty. I find this odd because I created them like the >>>> example below. >>>> Is it possible to force clients to auto-update reverse zones? >>>> >>>> Thanks in advance! >>>> >>>> How I created all the zones: >>>> >>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 >>>> --allow-sync-ptr=TRUE --dynamic-update >>>> Zone name: 0.14.10.in-addr.arpa. >>>> Active zone: TRUE >>>> Authoritative nameserver: services.ourdomain.com. 
>>>> Administrator e-mail address: hostmaster >>>> SOA serial: 1436688202 >>>> SOA refresh: 3600 >>>> SOA retry: 900 >>>> SOA expire: 1209600 >>>> SOA minimum: 3000 >>>> BIND update policy: grant QRIOS.COM krb5-subdomain >>>> 0.14.10.in-addr.arpa. PTR; >>>> Dynamic update: TRUE >>>> Allow query: any; >>>> Allow transfer: none; >>>> Allow PTR sync: TRUE >>>> >>> Hello, >>> >>> do you have --allow-sync-ptr=True configured in zones where the >>> particular >>> A/AAAA records are? >>> >>> SSSD is able to update records. >>> Please check if "dyndns_update" is set to true in sssd.conf. (man >>> sssd-ipa) >>> >>> -- >>> Martin Basti >>> > > Can you try to restart SSSD, or to remove the A record and then restart SSSD > on the particular host? > > -- > Martin Basti > From lkrispen at redhat.com Tue Jul 14 14:52:10 2015 
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 14 Jul 2015 16:52:10 +0200
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <20150714123507.GB8394@dead.ccr.buffalo.edu>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu> <55A3D226.3070808@redhat.com> <20150713150532.GD15499@dead.ccr.buffalo.edu> <55A3D949.5030303@redhat.com> <20150713163620.GF15499@dead.ccr.buffalo.edu> <55A4F585.3040207@redhat.com> <20150714123507.GB8394@dead.ccr.buffalo.edu>
Message-ID: <55A5221A.6050607@redhat.com>

hm, the stack traces show csn_str, which correspond to Jul,8th, Jul,4th, and Jul,7th - so it looks like it is iterating the changelog over and over again.
The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the master ?

can you provide the result of the following search from m14-24.ccr.buffalo.edu and the server with the high cpu:

ldapsearch -o ldif-wrap=no -x -D ... -w -b "cn=config" "objectclass=nsds5replica" nsds50ruv

On 07/14/2015 02:35 PM, Andrew E. Bruno wrote:
> On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote:
>> On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:
>>> On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
>>>> On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
>>>>> On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
>>>>>> can you get a pstack of the slapd process along with a top -H to find the
>>>>>> thread with high cpu usage
>>>>> Attached is the full stacktrace of the running ns-slapd process. top -H
>>>>> shows this thread (2879) with high cpu usage:
>>>>>
>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
>>>> this thread is a replication thread sending updates, what is strange is that
>>>> the current csn_str is quite old (july, 7th), I can't tell which agreement
>>>> this thread is handling, but looks like it is heavily reading the changelog
>>>> and sending updates. anything changed recently in replication setup ?
>>> Yes, we had one replica fail on (6/19) which we removed (not this one
>>> showing high CPU load). Had to perform some manual cleanup of the ipa-ca
>>> RUVs. Then we added the replica back in on 7/1. Since then, replication
>>> appears to have been running normally between the 3 replicas. We've been
>>> monitoring utilization since 7/1 and only recently seen this spike (past
>>> 24 hours or so).
>> is it still in this state ? or was it a spike.
> Yes same state.
>
>> if it still is high cpu consuming, could you
>> - get a few pstack like the one before with some time in between, I would
>> like to see if it is progressing with the csns or looping on the same one
> Attached are a few stacktraces. The thread pegging the cpu is:
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 2879 dirsrv 20 0 3819252 1.978g 11684 R 99.9 3.2 10148:26 ns-slapd
>
>> - check the consumer side. is there anything in the error log ? does the
>> access log show replication activity from this server
>
> Here's some errors showing up on the first master server rep1 (rep2 is the
> server with pegged cpu):
>
> [13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later.
> [13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later.
> [14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later.
>
>
> Here's some snips from the access log of the rep2:
>
>
> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Jul/2015:08:22:33 -0400] conn=777787 op=9796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> ..
> [14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000
> ..
> [14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 nentries=1 etime=0
> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 RESULT err=0 tag=120 nentries=0 etime=0
>
> and here's some from the error log:
>
> [13/Jul/2015:22:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2294859, dn = changenumber=2294859,cn=changelog: Operations error.
> [13/Jul/2015:22:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> [13/Jul/2015:23:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2296384,cn=changelog from entryrdn index (-30993)
> [13/Jul/2015:23:56:50 -0400] - Operation error fetching changenumber=2296384,cn=changelog (null), error -30993.
> [13/Jul/2015:23:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2296384, dn = changenumber=2296384,cn=changelog: Operations error.
> [13/Jul/2015:23:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> [14/Jul/2015:06:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2304418,cn=changelog from entryrdn index (-30993)
> [14/Jul/2015:06:56:50 -0400] - Operation error fetching changenumber=2304418,cn=changelog (null), error -30993.
> [14/Jul/2015:06:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2304418, dn = changenumber=2304418,cn=changelog: Operations error.
> [14/Jul/2015:06:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>
>
>
>> - eventually enable replication logging: nsslapd-errorlog-level: 8192
>>> On a side note, we get hit with this bug often:
>>>
>>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html
>>>
>>> (rogue sssd_be processing hammering a replica).
>>>
>>> This causes high ns-slapd utilization on the replica and restarting sssd
>>> on the client host immediately fixes the issue. However, in this
>>> case, we're not seeing this behavior.
>>>
>>>
>>>
>>>
>>>>>
>>>>>
>>>>>
>>>>>> On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
>>>>>>> We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
>>>>>>> 389-ds 1.3.3.1-16.
>>>>>>>
>>>>>>> Recently, the ns-slapd process on one of our replicas started showing higher
>>>>>>> than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
>>>>>>> constantly.
>>>>>>>
>>>>>>> Seems very similar to this thread:
>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
>>>>>>>
>>>>>>> There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
>>>>>>> sure if these are related):
>>>>>>>
>>>>>>>
>>>>>>> [13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>> [13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
>>>>>>> [13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
>>>>>>> [13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
>>>>>>> [13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
>>>>>>> [13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
>>>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
>>>>>>> [13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
>>>>>>> [13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>>
>>>>>>>
>>>>>>> access logs seem to be showing normal activity. Here's the number of open
>>>>>>> connections:
>>>>>>>
>>>>>>> # ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
>>>>>>> 62
>>>>>>>
>>>>>>> Note: the other two replicas have much higher open connections (>250) and low
>>>>>>> cpu load avgs.
>>>>>>>
>>>>>>> Here's some output of logconv.pl from our most recent access log on the replica
>>>>>>> with high cpu load:
>>>>>>>
>>>>>>> Start of Logs: 13/Jul/2015:04:49:18
>>>>>>> End of Logs: 13/Jul/2015:10:06:11
>>>>>>>
>>>>>>> Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds
>>>>>>>
>>>>>>> Restarts: 0
>>>>>>> Total Connections: 2343
>>>>>>> - LDAP Connections: 2120
>>>>>>> - LDAPI Connections: 223
>>>>>>> - LDAPS Connections: 0
>>>>>>> - StartTLS Extended Ops: 45
>>>>>>> Secure Protocol Versions:
>>>>>>> - TLS1.2 128-bit AES - 45
>>>>>>>
>>>>>>> Peak Concurrent Connections: 22
>>>>>>> Total Operations: 111865
>>>>>>> Total Results: 111034
>>>>>>> Overall Performance: 99.3%
>>>>>>>
>>>>>>> Searches: 95585 (5.03/sec) (301.64/min)
>>>>>>> Modifications: 3369 (0.18/sec) (10.63/min)
>>>>>>> Adds: 0 (0.00/sec) (0.00/min)
>>>>>>> Deletes: 0 (0.00/sec) (0.00/min)
>>>>>>> Mod RDNs: 0 (0.00/sec) (0.00/min)
>>>>>>> Compares: 0 (0.00/sec) (0.00/min)
>>>>>>> Binds: 7082 (0.37/sec) (22.35/min)
>>>>>>>
>>>>>>> Proxied Auth Operations: 0
>>>>>>> Persistent Searches: 0
>>>>>>> Internal Operations: 0
>>>>>>> Entry Operations: 0
>>>>>>> Extended Operations: 5317
>>>>>>> Abandoned Requests: 416
>>>>>>> Smart Referrals Received: 0
>>>>>>>
>>>>>>> VLV Operations: 96
>>>>>>> VLV Unindexed Searches: 0
>>>>>>> VLV Unindexed Components: 32
>>>>>>> SORT Operations: 64
>>>>>>>
>>>>>>> Entire Search Base Queries: 0
>>>>>>> Paged Searches: 3882
>>>>>>> Unindexed Searches: 0
>>>>>>> Unindexed Components: 5
>>>>>>>
>>>>>>> FDs Taken: 2566
>>>>>>> FDs Returned: 2643
>>>>>>> Highest FD Taken: 249
>>>>>>>
>>>>>>> Broken Pipes: 0
>>>>>>> Connections Reset By Peer: 0
>>>>>>> Resource Unavailable: 0
>>>>>>> Max BER Size Exceeded: 0
>>>>>>>
>>>>>>> Binds: 7082
>>>>>>> Unbinds: 2443
>>>>>>> - LDAP v2 Binds: 0
>>>>>>> - LDAP v3 Binds: 6859
>>>>>>> - AUTOBINDs: 223
>>>>>>> - SSL Client Binds: 0
>>>>>>> - Failed SSL Client Binds: 0
>>>>>>> - SASL Binds: 6814
>>>>>>> GSSAPI - 6591
>>>>>>> EXTERNAL - 223
>>>>>>> - Directory Manager Binds: 0
>>>>>>> - Anonymous Binds: 6591
>>>>>>> - Other Binds: 491
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> strace timing on the ns-slapd process:
>>>>>>>
>>>>>>>
>>>>>>> % time     seconds  usecs/call     calls    errors syscall
>>>>>>> ------ ----------- ----------- --------- --------- ----------------
>>>>>>>  94.40    0.346659        5977        58           poll
>>>>>>>   4.10    0.015057       15057         1           restart_syscall
>>>>>>>   0.91    0.003353          57        59        59 getpeername
>>>>>>>   0.49    0.001796         150        12           futex
>>>>>>>   0.10    0.000364          73         5           read
>>>>>>> ------ ----------- ----------- --------- --------- ----------------
>>>>>>> 100.00    0.367229                   135        59 total
>>>>>>>
>>>>>>>
>>>>>>> top output (with threads 'H'):
>>>>>>>
>>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
>>>>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd
>>>>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd
>>>>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd
>>>>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd
>>>>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd
>>>>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd
>>>>>>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd
>>>>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd
>>>>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd
>>>>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd
>>>>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd
>>>>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd
>>>>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd
>>>>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd
>>>>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd
>>>>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd
>>>>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd
>>>>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd
>>>>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd
>>>>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd
>>>>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd
>>>>>>>
>>>>>>>
>>>>>>> ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
>>>>>>> pointers on where else to look?
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>>
>>>>>>> --Andrew
>>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>
>>>>>>
>>

From notify.sina at gmail.com Tue Jul 14 14:52:57 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Tue, 14 Jul 2015 15:52:57 +0100
Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
In-Reply-To:
References: <55A390D5.4050104@redhat.com> <55A50CA5.3090901@redhat.com>
Message-ID:

I restarted network services on the host, then I restarted sssd again.
The record appeared!

On Tue, Jul 14, 2015 at 3:50 PM, Sina Owolabi wrote:
> I removed the A record and restarted SSSD.
> The DNS record did not update.
>
> On Tue, Jul 14, 2015 at 2:20 PM, Martin Basti wrote:
>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>
>>> Hi Martin
>>>
>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>> them.
>>> I've tried to set it in the very first zone (setup during
>>> installation) but dnszone-mod complains:
>>>
>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>> ipa: ERROR: no modifications to be performed
>>>
>>> But I don't see it in the show command:
>>>
>>> ipa dnszone-show mydom.com
>>> Zone name: mydom.com.
>>> Active zone: TRUE
>>> Authoritative nameserver: services.mydom.com.
>>> Administrator e-mail address: hostmaster.mydom.com.
>>> SOA serial: 1436799166
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> Allow query: any;
>>> Allow transfer: none;
>>>
>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote:
>>>>
>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>> zone files are empty. I find this odd because I created them like the
>>>>> example below.
>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> How I created all the zones:
>>>>>
>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>> Zone name: 0.14.10.in-addr.arpa.
>>>>> Active zone: TRUE
>>>>> Authoritative nameserver: services.ourdomain.com.
>>>>> Administrator e-mail address: hostmaster
>>>>> SOA serial: 1436688202
>>>>> SOA refresh: 3600
>>>>> SOA retry: 900
>>>>> SOA expire: 1209600
>>>>> SOA minimum: 3000
>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>> Dynamic update: TRUE
>>>>> Allow query: any;
>>>>> Allow transfer: none;
>>>>> Allow PTR sync: TRUE
>>>>>
>>>> Hello,
>>>>
>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>> particular
>>>> A/AAAA records are?
>>>>
>>>> SSSD is able to update records.
>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>> sssd-ipa)
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>
>> Can you try to restart SSSD, or to remove the A record and then restart SSSD
>> on the particular host?
>>
>> --
>> Martin Basti
>>

From mbasti at redhat.com Tue Jul 14 14:54:25 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jul 2015 16:54:25 +0200
Subject: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
In-Reply-To:
References: <55A390D5.4050104@redhat.com> <55A50CA5.3090901@redhat.com>
Message-ID: <55A522A1.70102@redhat.com>

On 14/07/15 16:52, Sina Owolabi wrote:
> I restarted network services on the host, then I restarted sssd again.
> The record appeared!

Great :)

>
> On Tue, Jul 14, 2015 at 3:50 PM, Sina Owolabi wrote:
>> I removed the A record and restarted SSSD.
>> The DNS record did not update.
>>
>> On Tue, Jul 14, 2015 at 2:20 PM, Martin Basti wrote:
>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>> Hi Martin
>>>>
>>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>>> them.
>>>> I've tried to set it in the very first zone (setup during
>>>> installation) but dnszone-mod complains:
>>>>
>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>> ipa: ERROR: no modifications to be performed
>>>>
>>>> But I don't see it in the show command:
>>>>
>>>> ipa dnszone-show mydom.com
>>>> Zone name: mydom.com.
>>>> Active zone: TRUE
>>>> Authoritative nameserver: services.mydom.com.
>>>> Administrator e-mail address: hostmaster.mydom.com.
>>>> SOA serial: 1436799166
>>>> SOA refresh: 3600
>>>> SOA retry: 900
>>>> SOA expire: 1209600
>>>> SOA minimum: 3600
>>>> Allow query: any;
>>>> Allow transfer: none;
>>>>
>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote:
>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>> Hi
>>>>>>
>>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>>> zone files are empty. I find this odd because I created them like the
>>>>>> example below.
>>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>>
>>>>>> Thanks in advance!
>>>>>>
>>>>>> How I created all the zones:
>>>>>>
>>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>>> Zone name: 0.14.10.in-addr.arpa.
>>>>>> Active zone: TRUE
>>>>>> Authoritative nameserver: services.ourdomain.com.
>>>>>> Administrator e-mail address: hostmaster
>>>>>> SOA serial: 1436688202
>>>>>> SOA refresh: 3600
>>>>>> SOA retry: 900
>>>>>> SOA expire: 1209600
>>>>>> SOA minimum: 3000
>>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>>> Dynamic update: TRUE
>>>>>> Allow query: any;
>>>>>> Allow transfer: none;
>>>>>> Allow PTR sync: TRUE
>>>>>>
>>>>> Hello,
>>>>>
>>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>>> particular
>>>>> A/AAAA records are?
>>>>>
>>>>> SSSD is able to update records.
>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>>> sssd-ipa)
>>>>>
>>>>> --
>>>>> Martin Basti
>>>>>
>>> Can you try to restart SSSD, or to remove the A record and then restart SSSD
>>> on the particular host?
>>>
>>> --
>>> Martin Basti
>>>

--
Martin Basti

From nsanchez at butterflynetinc.com Tue Jul 14 17:12:39 2015
From: nsanchez at butterflynetinc.com (Nevada Sanchez)
Date: Tue, 14 Jul 2015 13:12:39 -0400
Subject: [Freeipa-users] Reverse DNS and Forwarding
Message-ID:

I have FreeIPA setup as our primary DNS on an AWS VPC. I setup global forwarding ('Forward First') so that it will forward queries to Amazon's DNS, and then fall back on IPA if it doesn't see a hit. This works perfectly fine for forward DNS lookups:

$ # This host does not exist on FreeIPA, but does on Amazon DNS
$ host ip-10-0-6-17.ec2.internal
ip-10-0-6-17.ec2.internal has address 10.0.6.17

However, for reverse lookups, it doesn't seem to get forwarded

$ # Same host, reverse lookup fails at FreeIPA
$ host 10.0.6.17
Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)

$ # Explicitly forwarding to Amazon DNS, reverse lookup works
$ host 10.0.6.17 10.0.0.2
Using domain server:
Name: 10.0.0.2
Address: 10.0.0.2#53
Aliases:

17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.

Please help. Thanks!

--
*Nevada Sanchez*
Co-Founder, ASIC Design Team Lead
tel: 203.689.5650 x314 | mobile: 775.863.8726
Come join us and put a dent in the universe!

From aebruno2 at buffalo.edu Tue Jul 14 18:59:42 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Tue, 14 Jul 2015 14:59:42 -0400
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <55A5221A.6050607@redhat.com>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu> <55A3D226.3070808@redhat.com> <20150713150532.GD15499@dead.ccr.buffalo.edu> <55A3D949.5030303@redhat.com> <20150713163620.GF15499@dead.ccr.buffalo.edu> <55A4F585.3040207@redhat.com> <20150714123507.GB8394@dead.ccr.buffalo.edu> <55A5221A.6050607@redhat.com>
Message-ID: <20150714185942.GD8394@dead.ccr.buffalo.edu>

On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
> hm, the stack traces show csn_str, which correspond to Jul,8th, Jul,4th, and
> Jul,7th - so it looks like it is iterating the changelog over and over
> again.
> The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the master
> ?
>
> can you provide the result of the following search from
> m14-24.ccr.buffalo.edu and the server with the high cpu:
>
> ldapsearch -o ldif-wrap=no -x -D ... -w -b "cn=config"
> "objectclass=nsds5replica" nsds50ruv

master is srv-m14-24.. here's the results of the ldapsearch:

[srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv

# replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f74b000000600000
nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000
nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000
nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000

server with high cpu load is srv-m14-26. here's the results of the ldapsearch from this server:

[srv-m14-26 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv

# replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f74b000000600000
nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000
nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000
nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000

srv-m14-25-02 is our 3rd replica which we recently added back in after it failed (was added back in 7/1).

Let me know if you need anything else. Thanks for the help.

--Andrew

>
> On 07/14/2015 02:35 PM, Andrew E. Bruno wrote:
> >On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote:
> >>On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:
> >>>On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
> >>>>On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
> >>>>>On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
> >>>>>>can you get a pstack of the slapd process along with a top -H to find the
> >>>>>>thread with high cpu usage
> >>>>>Attached is the full stacktrace of the running ns-slapd process. top -H
> >>>>>shows this thread (2879) with high cpu usage:
> >>>>>
> >>>>>2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
> >>>>this thread is a replication thread sending updates, what is strange is that
> >>>>the current csn_str is quite old (july, 7th), I can't tell which agreement
> >>>>this thread is handling, but looks like it is heavily reading the changelog
> >>>>and sending updates. anything changed recently in replication setup ?
> >>>Yes, we had one replica fail on (6/19) which we removed (not this one
> >>>showing high CPU load). Had to perform some manual cleanup of the ipa-ca
> >>>RUVs. Then we added the replica back in on 7/1. Since then, replication
> >>>appears to have been running normally between the 3 replicas. We've been
> >>>monitoring utilization since 7/1 and only recently seen this spike (past
> >>>24 hours or so).
> >>is it still in this state ? or was it a spike.
> >Yes same state.
> >
> >>if it still is high cpu consuming, could you
> >>- get a few pstack like the one before with some time in between, I would
> >>like to see if it is progressing with the csns or looping on the same one
> >Attached are a few stacktraces. The thread pegging the cpu is:
> >
> >PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> >2879 dirsrv 20 0 3819252 1.978g 11684 R 99.9 3.2 10148:26 ns-slapd
> >
> >>- check the consumer side. is there anything in the error log ? does the
> >>access log show replication activity from this server
> >
> >Here's some errors showing up on the first master server rep1 (rep2 is the
> >server with pegged cpu):
> >
> >[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later.
> >[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later.
> >[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later.
> >
> >
> >Here's some snips from the access log of the rep2:
> >
> >
> >[14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >[14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 RESULT err=0 tag=120 nentries=0 etime=0
> >[14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> >[14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 RESULT err=0 tag=120 nentries=0 etime=0
> >[14/Jul/2015:08:22:33 -0400] conn=777787 op=9796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >..
> >[14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000
> >..
> >[14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 nentries=1 etime=0
> >[14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >[14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 RESULT err=0 tag=120 nentries=0 etime=0
> >[14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> >[14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 RESULT err=0 tag=120 nentries=0 etime=0
> >[14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >[14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 RESULT err=0 tag=120 nentries=0 etime=0
> >[14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> >[14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 RESULT err=0 tag=120 nentries=0 etime=0
> >[14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >[14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 RESULT err=0 tag=120 nentries=0 etime=0
> >[14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> >[14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 RESULT err=0 tag=120 nentries=0 etime=0
> >
> >and here's some from the error log:
> >
> >[13/Jul/2015:22:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2294859, dn = changenumber=2294859,cn=changelog: Operations error.
> >[13/Jul/2015:22:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >[13/Jul/2015:23:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2296384,cn=changelog from entryrdn index (-30993)
> >[13/Jul/2015:23:56:50 -0400] - Operation error fetching changenumber=2296384,cn=changelog (null), error -30993.
> >[13/Jul/2015:23:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2296384, dn = changenumber=2296384,cn=changelog: Operations error.
> >[13/Jul/2015:23:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >[14/Jul/2015:06:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2304418,cn=changelog from entryrdn index (-30993)
> >[14/Jul/2015:06:56:50 -0400] - Operation error fetching changenumber=2304418,cn=changelog (null), error -30993.
> >[14/Jul/2015:06:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2304418, dn = changenumber=2304418,cn=changelog: Operations error.
> >[14/Jul/2015:06:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >
> >
> >>- eventually enable replication logging: nsslapd-errorlog-level: 8192
> >>>On a side note, we get hit with this bug often:
> >>>
> >>>https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html
> >>>
> >>>(rogue sssd_be processing hammering a replica).
> >>>
> >>>This causes high ns-slapd utilization on the replica and restarting sssd
> >>>on the client host immediately fixes the issue. However, in this
> >>>case, we're not seeing this behavior.
> >>>
> >>>
> >>>
> >>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
> >>>>>>>We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
> >>>>>>>389-ds 1.3.3.1-16.
> >>>>>>>
> >>>>>>>Recently, the ns-slapd process on one of our replicas started showing higher
> >>>>>>>than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
> >>>>>>>constantly.
> >>>>>>>
> >>>>>>>Seems very similar to this thread:
> >>>>>>>https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
> >>>>>>>
> >>>>>>>There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
> >>>>>>>sure if these are related):
> >>>>>>>
> >>>>>>>
> >>>>>>>[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>>>[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
> >>>>>>>[13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
> >>>>>>>[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
> >>>>>>>[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
> >>>>>>>[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
> >>>>>>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
> >>>>>>>[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
> >>>>>>>[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>>>
> >>>>>>>
> >>>>>>>access logs seem to be showing normal activity. Here's the number of open
> >>>>>>>connections:
> >>>>>>>
> >>>>>>># ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
> >>>>>>>62
> >>>>>>>
> >>>>>>>Note: the other two replicas have much higher open connections (>250) and low
> >>>>>>>cpu load avgs.
> >>>>>>>
> >>>>>>>Here's some output of logconv.pl from our most recent access log on the replica
> >>>>>>>with high cpu load:
> >>>>>>>
> >>>>>>>Start of Logs: 13/Jul/2015:04:49:18
> >>>>>>>End of Logs: 13/Jul/2015:10:06:11
> >>>>>>>
> >>>>>>>Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds
> >>>>>>>
> >>>>>>>Restarts: 0
> >>>>>>>Total Connections: 2343
> >>>>>>> - LDAP Connections: 2120
> >>>>>>> - LDAPI Connections: 223
> >>>>>>> - LDAPS Connections: 0
> >>>>>>> - StartTLS Extended Ops: 45
> >>>>>>> Secure Protocol Versions:
> >>>>>>> - TLS1.2 128-bit AES - 45
> >>>>>>>
> >>>>>>>Peak Concurrent Connections: 22
> >>>>>>>Total Operations: 111865
> >>>>>>>Total Results: 111034
> >>>>>>>Overall Performance: 99.3%
> >>>>>>>
> >>>>>>>Searches: 95585 (5.03/sec) (301.64/min)
> >>>>>>>Modifications: 3369 (0.18/sec) (10.63/min)
> >>>>>>>Adds: 0 (0.00/sec) (0.00/min)
> >>>>>>>Deletes: 0 (0.00/sec) (0.00/min)
> >>>>>>>Mod RDNs: 0 (0.00/sec) (0.00/min)
> >>>>>>>Compares: 0 (0.00/sec) (0.00/min)
> >>>>>>>Binds: 7082 (0.37/sec) (22.35/min)
> >>>>>>>
> >>>>>>>Proxied Auth Operations: 0
> >>>>>>>Persistent Searches: 0
> >>>>>>>Internal Operations: 0
> >>>>>>>Entry Operations: 0
> >>>>>>>Extended Operations: 5317
> >>>>>>>Abandoned Requests: 416
> >>>>>>>Smart Referrals Received: 0
> >>>>>>>
> >>>>>>>VLV Operations: 96
> >>>>>>>VLV Unindexed Searches: 0
> >>>>>>>VLV Unindexed Components: 32
> >>>>>>>SORT Operations: 64
> >>>>>>>
> >>>>>>>Entire Search Base Queries: 0
> >>>>>>>Paged Searches: 3882
> >>>>>>>Unindexed Searches: 0
> >>>>>>>Unindexed Components: 5
> >>>>>>>
> >>>>>>>FDs Taken: 2566
> >>>>>>>FDs Returned: 2643
> >>>>>>>Highest FD Taken: 249
> >>>>>>>
> >>>>>>>Broken Pipes: 0
> >>>>>>>Connections Reset By Peer: 0
> >>>>>>>Resource Unavailable: 0
> >>>>>>>Max BER Size Exceeded: 0
> >>>>>>>
> >>>>>>>Binds: 7082
> >>>>>>>Unbinds: 2443
> >>>>>>> - LDAP v2 Binds: 0
> >>>>>>> - LDAP v3 Binds: 6859
> >>>>>>> - AUTOBINDs: 223
> >>>>>>> - SSL Client Binds: 0
> >>>>>>> - Failed SSL Client Binds: 0
> >>>>>>> - SASL Binds: 6814
> >>>>>>> GSSAPI - 6591
> >>>>>>> EXTERNAL - 223
> >>>>>>> - Directory Manager Binds: 0
> >>>>>>> - Anonymous Binds: 6591
> >>>>>>> - Other Binds: 491
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>strace timing on the ns-slapd process:
> >>>>>>>
> >>>>>>>
> >>>>>>>% time     seconds  usecs/call     calls    errors syscall
> >>>>>>>------ ----------- ----------- --------- --------- ----------------
> >>>>>>> 94.40    0.346659        5977        58           poll
> >>>>>>>  4.10    0.015057       15057         1           restart_syscall
> >>>>>>>  0.91    0.003353          57        59        59 getpeername
> >>>>>>>  0.49    0.001796         150        12           futex
> >>>>>>>  0.10    0.000364          73         5           read
> >>>>>>>------ ----------- ----------- --------- --------- ----------------
> >>>>>>>100.00    0.367229                   135        59 total
> >>>>>>>
> >>>>>>>
> >>>>>>>top output (with threads 'H'):
> >>>>>>>
> >>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> >>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
> >>>>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd
> >>>>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd
> >>>>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd
> >>>>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd
> >>>>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd
> >>>>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd
> >>>>>>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd
> >>>>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd
> >>>>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd
> >>>>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd
> >>>>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd
> >>>>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd
> >>>>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd
> >>>>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd
> >>>>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd
> >>>>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd
> >>>>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd
> >>>>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd
> >>>>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd
> >>>>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd
> >>>>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd
> >>>>>>>
> >>>>>>>
> >>>>>>>ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
> >>>>>>>pointers on where else to look?
> >>>>>>>
> >>>>>>>Thanks in advance.
> >>>>>>>
> >>>>>>>--Andrew
> >>>>>>>
> >>>>>>--
> >>>>>>Manage your subscription for the Freeipa-users mailing list:
> >>>>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>Go to http://freeipa.org for more info on the project
> >>>>>>
> >>>>>>
> >>
> >

From jcholast at redhat.com Wed Jul 15 05:53:30 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 07:53:30 +0200
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <55A02C07.3090906@cora.nwra.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com> <559D5E6F.5010902@cora.nwra.com> <55A02C07.3090906@cora.nwra.com>
Message-ID: <55A5F55A.6090203@redhat.com>

Hi,

On 10.7.2015 at 22:33, Orion Poplawski wrote:
> On 07/08/2015 11:31 AM, Orion Poplawski wrote:
>> But then when I go to make a replica:
>>
>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>> Directory Manager (existing master) password:
>>
>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>
>> Which looks like others are experiencing (with no resolution that I could
>> see) https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html

Unfortunately this error code can mean almost anything, NSS isn't particularly helpful with errors.

>>
>> Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.
>>
>
> Filed https://fedorahosted.org/freeipa/ticket/5117
>

Without ipa-replica-prepare log or pk12util output it's really hard to tell what's going on. Could you provide the output of the following commands:

# pk12util -l nwra.com.p12
# ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX

?

Honza

--
Jan Cholasta

From mbasti at redhat.com Wed Jul 15 07:43:37 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jul 2015 09:43:37 +0200
Subject: [Freeipa-users] Reverse DNS and Forwarding
In-Reply-To:
References:
Message-ID: <55A60F29.6040407@redhat.com>

On 14/07/15 19:12, Nevada Sanchez wrote:
> I have FreeIPA setup as our primary DNS on an AWS VPC. I setup global
> forwarding ('Forward First') so that it will forward queries to
> Amazon's DNS, and then fall back on IPA if it doesn't see a hit.
>
> This works perfectly fine for forward DNS lookups:
>
> $ # This host does not exist on FreeIPA, but does on Amazon DNS
> $ host ip-10-0-6-17.ec2.internal
> ip-10-0-6-17.ec2.internal has address 10.0.6.17
>
> However, for reverse lookups, it doesn't seem to get forwarded
>
> $ # Same host, reverse lookup fails at FreeIPA
> $ host 10.0.6.17
> Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> $ # Explicitly forwarding to Amazon DNS, reverse lookup works
> $ host 10.0.6.17 10.0.0.2
> Using domain server:
> Name: 10.0.0.2
> Address: 10.0.0.2#53
> Aliases:
> 17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.
>
> Please help. Thanks!
>
> --
> *Nevada Sanchez*
> Co-Founder, ASIC Design Team Lead
>
> tel: 203.689.5650 x314 | mobile: 775.863.8726
> Come join us and put a
> dent in the universe!
>
>

Hello, do you have any reverse zones configured on IPA DNS? (with suffix 10.in-addr.arpa)?

--
Martin Basti

From rug at usm.lmu.de Wed Jul 15 08:22:47 2015
From: rug at usm.lmu.de (Rudolf Gabler)
Date: Wed, 15 Jul 2015 10:22:47 +0200
Subject: [Freeipa-users] sendmail.schema
In-Reply-To: <559F6991.8030302@redhat.com>
References: <93C4017D-D6AF-40C7-B4C7-FD89D2349D1D@usm.lmu.de> <559F6991.8030302@redhat.com>
Message-ID:

Hi Martin,

thank you for your advice. Now I solved this myself with the following procedure:

I followed the page https://www.madboa.com/geek/ldap-aliases/ in a minimal invasive schema update for the freeipa directory server:

ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (1.3.6.1.4.1.6152.945.2.1 NAME 'mailingListName' SUP name )

and

ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 1.3.6.1.4.1.6152.945.1.1 NAME 'mailingListPerson' SUP inetOrgPerson STRUCTURAL MAY mailingListName )

After that I created a tree for our mail-aliases:

ldapadd -x -D "cn=Directory Manager" -W
dn: cn=mail-aliases,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: mailingListPerson
cn: mail-aliases
sn: mail-aliases

and now I'm able to feed this tree with entries like:

dn: cn=FaxMaster,cn=mail-aliases,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: mailingListPerson
mail: FaxMaster
mailingListName: nirvana
cn: FaxMaster
sn: FaxMaster

which import into our sendmail.mc configuration like:

...
define(`ALIAS_FILE', `/etc/aliases,ldap: -h freeipa.example.com -b "cn=mail-aliases,cn=accounts,dc=example,dc=com" -v mailinglistname -k(&(objectClass=mailingListPerson)(mail=%0))')dnl
...

Regards,
Rudi Gabler

> On 10 Jul 2015, at 08:43, Martin Kosek wrote:
>
> On 07/09/2015 11:09 AM, Rudolf Gabler wrote:
>> Hi,
>>
>> we are dealing with a huge number of mail aliases which are not purely user aliases but distribution-lists, actions on distribution-list and so on (mailman).
>> There was a former sendmail.schema in fedora-ds (we are using fds 21 at the moment), which is gone (at least I didn't find it). Is there now a different approach for freeipa to deal with this problem.
>>
>> Regards,
>>
>> Rudi Gabler
>
> I would recommend asking on 389-users at lists.fedoraproject.org if nobody in this list has a good answer.
>

From piolet.y at gmail.com Wed Jul 15 10:20:05 2015
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Wed, 15 Jul 2015 12:20:05 +0200
Subject: [Freeipa-users] CIFS share with no active directory
Message-ID:

Hi,

My question is quite simple, yet I didn't find any answer on the Internet regarding how to do it :)

How can I configure a linux samba server to use FreeIPA for authentication, without having clients to join an active directory domain when using Windows 8?

I followed this article: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

It works like a charm on Windows 7. Though, most of my users are using Windows 8 and authentication doesn't work (NT_STATUS_NO_SUCH_USER)

What I understand is that Windows 8 is passing [username at DOMAIN.IPA]@[COMPUTER] as login instead of [username]@[DOMAIN.IPA].

Is there any solution for this?

Thanks,

--
Youenn Piolet
piolet.y at gmail.com

From lkrispen at redhat.com Wed Jul 15 13:22:51 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 15 Jul 2015 15:22:51 +0200
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <20150714185942.GD8394@dead.ccr.buffalo.edu>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu> <55A3D226.3070808@redhat.com> <20150713150532.GD15499@dead.ccr.buffalo.edu> <55A3D949.5030303@redhat.com> <20150713163620.GF15499@dead.ccr.buffalo.edu> <55A4F585.3040207@redhat.com> <20150714123507.GB8394@dead.ccr.buffalo.edu> <55A5221A.6050607@redhat.com> <20150714185942.GD8394@dead.ccr.buffalo.edu>
Message-ID: <55A65EAB.6020207@redhat.com>

On 07/14/2015 08:59 PM, Andrew E. Bruno wrote:
> On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
>> hm, the stack traces show csn_str, which correspond to Jul,8th, Jul,4th, and
>> Jul,7th - so it looks like it is iterating the changelog over and over
>> again.
>> The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the master
>> ?
>>
>> can you provide the result of the following search from
>> m14-24.ccr.buffalo.edu and the server with the high cpu:
>>
>> ldapsearch -o ldif-wrap=no -x -D ... -w -b "cn=config"
>> "objectclass=nsds5replica" nsds50ruv
>
> master is srv-m14-24.. here's the results of the ldapsearch:
>
> [srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv
>
> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> nsds50ruv: {replicageneration} 5527f711000000040000
> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000
> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000

so this is really strange, the master m14-24 has the latest change from replica 5(m14-26) as: 5591a3d2000700050000
which corresponds to Mon, 29 Jun 2015 20:00:18 GMT
so no update from 14-24 since that did arrive, or could not update the ruv. So m14-26 tries to replicate all the changes back from that time, but looks like it has no success.
is there anything in the logs of m14-24 ? can you see successful mods with csn=xxxxxxx00050000 ?

>
> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nsds50ruv: {replicageneration} 5527f74b000000600000
> nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000
> nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000
> nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000
>
>
> server with high cpu load is srv-m14-26. here's the results of the ldapsearch
> from this server:
>
> [srv-m14-26 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv
>
> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> nsds50ruv: {replicageneration} 5527f711000000040000
> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000
> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000
> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
>
> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nsds50ruv: {replicageneration} 5527f74b000000600000
> nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000
> nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000
> nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000
>
>
> srv-m14-25-02 is our 3rd replicate which we recently added back in after it
> failed (was added back in 7/1).
>
> Let me know if you need anything else. Thanks for the help.
>
> --Andrew
>
>> On 07/14/2015 02:35 PM, Andrew E. Bruno wrote:
>>> On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote:
>>>> On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:
>>>>> On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
>>>>>> On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
>>>>>>> On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
>>>>>>>> can you get a pstack of the slapd process along with a top -H to find the
>>>>>>>> thread with high cpu usage
>>>>>>> Attached is the full stacktrace of the running ns-slapd process.
top -H >>>>>>> shows this thread (2879) with high cpu usage: >>>>>>> >>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd >>>>>> this thread is a replication thread sending updates, what is strange is that >>>>>> the current csn_str is quite old (july, 7th), I can't tell which agreeement >>>>>> this thread is handling, but looks like it is heavily reading the changeglog >>>>>> and sending updates. anything changed recently in replication setup ? >>>>> Yes, we had one replica fail on (6/19) which we removed (not this one >>>>> showing high CPU load). Had to perform some manual cleanup of the ipa-ca >>>>> RUVs. Then we added the replica back in on 7/1. Since then, replication >>>>> appears to have been running normally between the 3 replicas. We've been >>>>> monitoring utilization since 7/1 and only recently seen this spike (past >>>>> 24 hours or so). >>>> is it still in this state ? or was it a spike. >>> Yes same state. >>> >>>> if it still is high cpu consuming, could you >>>> - get a few pstack like the one before with some time in between, I would >>>> like to see if it is progressing with the csns or looping on the same one >>> Attached are a few stacktraces. The thread pegging the cpu is: >>> >>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>> 2879 dirsrv 20 0 3819252 1.978g 11684 R 99.9 3.2 10148:26 ns-slapd >>> >>>> - check the consumer side. is there anything in the error log ? does the >>>> access log show replication activity from this server >>> Here's some errors showing up on the first master server rep1 (rep2 is the >>> server with pegged cpu): >>> >>> [13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later. 
>>> [13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later. >>> [14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later. >>> >>> >>> Here's some snips from the access log of the rep2: >>> >>> >>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 RESULT err=0 tag=120 nentries=0 etime=0 >>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 RESULT err=0 tag=120 nentries=0 etime=0 >>> [14/Jul/2015:08:22:33 -0400] conn=777787 op=9796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>> .. >>> [14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000 >>> .. 
>>> [14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 nentries=1 etime=0 >>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 RESULT err=0 tag=120 nentries=0 etime=0 >>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 RESULT err=0 tag=120 nentries=0 etime=0 >>> [14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>> [14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 RESULT err=0 tag=120 nentries=0 etime=0 >>> [14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>> [14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 RESULT err=0 tag=120 nentries=0 etime=0 >>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 RESULT err=0 tag=120 nentries=0 etime=0 >>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 RESULT err=0 tag=120 nentries=0 etime=0 >>> >>> and here's some from the error log: >>> >>> [13/Jul/2015:22:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2294859, dn = changenumber=2294859,cn=changelog: Operations error. >>> [13/Jul/2015:22:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>> [13/Jul/2015:23:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2296384,cn=changelog from entryrdn index (-30993) >>> [13/Jul/2015:23:56:50 -0400] - Operation error fetching changenumber=2296384,cn=changelog (null), error -30993. 
>>> [13/Jul/2015:23:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2296384, dn = changenumber=2296384,cn=changelog: Operations error. >>> [13/Jul/2015:23:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>> [14/Jul/2015:06:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2304418,cn=changelog from entryrdn index (-30993) >>> [14/Jul/2015:06:56:50 -0400] - Operation error fetching changenumber=2304418,cn=changelog (null), error -30993. >>> [14/Jul/2015:06:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2304418, dn = changenumber=2304418,cn=changelog: Operations error. >>> [14/Jul/2015:06:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>> >>> >>>> - eventually enable replication logging: nsslapd-errorlog-level: 8192 >>>>> On a side note, we get hit with this bug often: >>>>> >>>>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html >>>>> >>>>> (rouge sssd_be processing hammering a replica). >>>>> >>>>> This causes high ns-slapd utilization on the replica and restarting sssd >>>>> on the client host immediately fixes the issue. However, in this >>>>> case, we're not seeing this behavior. >>>>> >>>>> >>>>> >>>>> >>>>>>> >>>>>>> >>>>>>>> On 07/13/2015 04:46 PM, Andrew E. Bruno wrote: >>>>>>>>> We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and >>>>>>>>> 389-ds 1.3.3.1-16. >>>>>>>>> >>>>>>>>> Recently, the ns-slapd process on one of our replicas started showing higher >>>>>>>>> than normal CPU usage. ns-slapd is pegged at high CPU usage more or less >>>>>>>>> constantly. 
>>>>>>>>> >>>>>>>>> Seems very similar to this thread: >>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html >>>>>>>>> >>>>>>>>> There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not >>>>>>>>> sure if these are related): >>>>>>>>> >>>>>>>>> >>>>>>>>> [13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>>>>>> [13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993) >>>>>>>>> [13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993. >>>>>>>>> [13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error. >>>>>>>>> [13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993. >>>>>>>>> [13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993) >>>>>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993. >>>>>>>>> [13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error. >>>>>>>>> [13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>>>>>> >>>>>>>>> >>>>>>>>> access logs seem to be showing normal activity. Here's the number of open >>>>>>>>> connections: >>>>>>>>> >>>>>>>>> # ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l >>>>>>>>> 62 >>>>>>>>> >>>>>>>>> Note: the other two replicas have much higher open connections (>250) and low >>>>>>>>> cpu load avgs. 
>>>>>>>>> >>>>>>>>> Here's some output of logconv.pl from our most recent access log on the replica >>>>>>>>> with high cpu load: >>>>>>>>> >>>>>>>>> Start of Logs: 13/Jul/2015:04:49:18 >>>>>>>>> End of Logs: 13/Jul/2015:10:06:11 >>>>>>>>> >>>>>>>>> Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds >>>>>>>>> >>>>>>>>> Restarts: 0 >>>>>>>>> Total Connections: 2343 >>>>>>>>> - LDAP Connections: 2120 >>>>>>>>> - LDAPI Connections: 223 >>>>>>>>> - LDAPS Connections: 0 >>>>>>>>> - StartTLS Extended Ops: 45 >>>>>>>>> Secure Protocol Versions: >>>>>>>>> - TLS1.2 128-bit AES - 45 >>>>>>>>> >>>>>>>>> Peak Concurrent Connections: 22 >>>>>>>>> Total Operations: 111865 >>>>>>>>> Total Results: 111034 >>>>>>>>> Overall Performance: 99.3% >>>>>>>>> >>>>>>>>> Searches: 95585 (5.03/sec) (301.64/min) >>>>>>>>> Modifications: 3369 (0.18/sec) (10.63/min) >>>>>>>>> Adds: 0 (0.00/sec) (0.00/min) >>>>>>>>> Deletes: 0 (0.00/sec) (0.00/min) >>>>>>>>> Mod RDNs: 0 (0.00/sec) (0.00/min) >>>>>>>>> Compares: 0 (0.00/sec) (0.00/min) >>>>>>>>> Binds: 7082 (0.37/sec) (22.35/min) >>>>>>>>> >>>>>>>>> Proxied Auth Operations: 0 >>>>>>>>> Persistent Searches: 0 >>>>>>>>> Internal Operations: 0 >>>>>>>>> Entry Operations: 0 >>>>>>>>> Extended Operations: 5317 >>>>>>>>> Abandoned Requests: 416 >>>>>>>>> Smart Referrals Received: 0 >>>>>>>>> >>>>>>>>> VLV Operations: 96 >>>>>>>>> VLV Unindexed Searches: 0 >>>>>>>>> VLV Unindexed Components: 32 >>>>>>>>> SORT Operations: 64 >>>>>>>>> >>>>>>>>> Entire Search Base Queries: 0 >>>>>>>>> Paged Searches: 3882 >>>>>>>>> Unindexed Searches: 0 >>>>>>>>> Unindexed Components: 5 >>>>>>>>> >>>>>>>>> FDs Taken: 2566 >>>>>>>>> FDs Returned: 2643 >>>>>>>>> Highest FD Taken: 249 >>>>>>>>> >>>>>>>>> Broken Pipes: 0 >>>>>>>>> Connections Reset By Peer: 0 >>>>>>>>> Resource Unavailable: 0 >>>>>>>>> Max BER Size Exceeded: 0 >>>>>>>>> >>>>>>>>> Binds: 7082 >>>>>>>>> Unbinds: 2443 >>>>>>>>> - LDAP v2 Binds: 0 >>>>>>>>> - LDAP v3 Binds: 6859 >>>>>>>>> - AUTOBINDs: 223 
>>>>>>>>> - SSL Client Binds: 0 >>>>>>>>> - Failed SSL Client Binds: 0 >>>>>>>>> - SASL Binds: 6814 >>>>>>>>> GSSAPI - 6591 >>>>>>>>> EXTERNAL - 223 >>>>>>>>> - Directory Manager Binds: 0 >>>>>>>>> - Anonymous Binds: 6591 >>>>>>>>> - Other Binds: 491 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> strace timing on the ns-slapd process: >>>>>>>>> >>>>>>>>> >>>>>>>>> % time seconds usecs/call calls errors syscall >>>>>>>>> ------ ----------- ----------- --------- --------- ---------------- >>>>>>>>> 94.40 0.346659 5977 58 poll >>>>>>>>> 4.10 0.015057 15057 1 restart_syscall >>>>>>>>> 0.91 0.003353 57 59 59 getpeername >>>>>>>>> 0.49 0.001796 150 12 futex >>>>>>>>> 0.10 0.000364 73 5 read >>>>>>>>> ------ ----------- ----------- --------- --------- ---------------- >>>>>>>>> 100.00 0.367229 135 59 total >>>>>>>>> >>>>>>>>> >>>>>>>>> top output (with threads 'H'): >>>>>>>>> >>>>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd >>>>>>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd >>>>>>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd >>>>>>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd >>>>>>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd >>>>>>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd >>>>>>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd >>>>>>>>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd >>>>>>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd >>>>>>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd >>>>>>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd >>>>>>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd >>>>>>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd >>>>>>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 
1.2 3.1 115:22.24 ns-slapd >>>>>>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd >>>>>>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd >>>>>>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd >>>>>>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd >>>>>>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd >>>>>>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd >>>>>>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd >>>>>>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd >>>>>>>>> >>>>>>>>> >>>>>>>>> ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any >>>>>>>>> pointers on where else to look? >>>>>>>>> >>>>>>>>> Thanks in advance. >>>>>>>>> >>>>>>>>> --Andrew >>>>>>>>> >>>>>>>> -- >>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>>> >>>>>>>> >> From mbasti at redhat.com Wed Jul 15 13:47:56 2015 
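The CSN reading in Ludwig Krispenz's message above (5591a3d2000700050000 decoding to Mon, 29 Jun 2015 20:00:18 GMT), worked through as an added example that is not part of the original thread. It assumes the 389-ds CSN layout of 8 hex digits of epoch seconds, then 4 each for sequence number, replica id and sub-sequence; the function names and the one-day threshold are hypothetical, and the RUV lines are the domain-suffix values quoted in the thread.

```python
"""Decode 389-ds CSNs and compare two servers' RUVs (added example)."""
import re
from datetime import datetime, timezone
from typing import NamedTuple


class CSN(NamedTuple):
    timestamp: datetime  # first 8 hex digits: seconds since the Unix epoch
    seq: int             # next 4: sequence number within that second
    rid: int             # next 4: id of the replica that originated the change
    subseq: int          # last 4: sub-sequence number


def decode_csn(text):
    """Split a 20-hex-digit CSN string into its four fields."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", text):
        raise ValueError("not a 20-hex-digit CSN: %r" % text)
    ts, seq, rid, sub = (int(text[i:j], 16)
                         for i, j in ((0, 8), (8, 12), (12, 16), (16, 20)))
    return CSN(datetime.fromtimestamp(ts, tz=timezone.utc), seq, rid, sub)


# "{replica <rid> <url>} <min csn> <max csn>"; both CSNs may be absent.
RUV_LINE = re.compile(
    r"nsds50ruv:\s*\{replica\s+(\d+)\s+\S+\}"
    r"(?:\s+([0-9a-fA-F]{20}))?(?:\s+([0-9a-fA-F]{20}))?\s*$")


def parse_ruv(ldif):
    """Return {replica id: max CSN} from one suffix's nsds50ruv values."""
    ruv = {}
    for line in ldif.splitlines():
        m = RUV_LINE.search(line.strip())
        if not m:  # skips {replicageneration}, dn:, comments and blank lines
            continue
        rid, _min_csn, max_csn = m.groups()
        if max_csn:  # an element without CSNs has not seen any change yet
            ruv[int(rid)] = decode_csn(max_csn)
    return ruv


def ruv_lag(views):
    """views is {server: {rid: CSN}}.

    Returns {(server, rid): seconds}, how far each server's max CSN for a
    replica id trails the newest max CSN any server reports for that id
    (None when the server has no element for it).
    """
    newest = {}
    for ruv in views.values():
        for rid, csn in ruv.items():
            newest[rid] = max(csn, newest.get(rid, csn))
    lag = {}
    for server, ruv in views.items():
        for rid, top in newest.items():
            seen = ruv.get(rid)
            lag[(server, rid)] = (
                None if seen is None
                else int((top.timestamp - seen.timestamp).total_seconds()))
    return lag


def stale(lag, threshold_s):
    """(server, rid) pairs missing or more than threshold_s seconds behind."""
    return sorted(k for k, v in lag.items() if v is None or v > threshold_s)


# Domain-suffix RUV values as posted in the thread for the two servers.
M14_24_RUV = """\
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""
M14_26_RUV = """\
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""

if __name__ == "__main__":
    views = {"srv-m14-24": parse_ruv(M14_24_RUV),
             "srv-m14-26": parse_ruv(M14_26_RUV)}
    lag = ruv_lag(views)
    for (server, rid), seconds in sorted(lag.items()):
        print("%s view of replica %d: %s s behind" % (server, rid, seconds))
    # One day is a hypothetical alerting threshold, not a 389-ds default.
    print("stale:", stale(lag, 86400))
```

On the thread's data the only pair more than a day behind is srv-m14-24's view of replica 5, roughly 15 days, which is the gap the message points out.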
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jul 2015 15:47:56 +0200
Subject: [Freeipa-users] Reverse DNS and Forwarding
In-Reply-To:
References: <55A60F29.6040407@redhat.com>
Message-ID: <55A6648C.1080404@redhat.com>

On 15/07/15 15:07, Nevada Sanchez wrote:
> On Wednesday, July 15, 2015, Martin Basti
> wrote:
>
> On 14/07/15 19:12, Nevada Sanchez wrote:
>> I have FreeIPA setup as our primary DNS on an AWS VPC. I setup
>> global forwarding ('Forward First') so that it will forward
>> queries to Amazon's DNS, and then fall back on IPA if it doesn't
>> see a hit.
>>
>> This works perfectly fine for forward DNS lookups:
>>
>> $ # This host does not exist on FreeIPA, but does on Amazon DNS
>> $ host ip-10-0-6-17.ec2.internal
>> ip-10-0-6-17.ec2.internal has address 10.0.6.17
>>
>> However, for reverse lookups, it doesn't seem to get forwarded
>>
>> $ # Same host, reverse lookup fails at FreeIPA
>> $ host 10.0.6.17
>> Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>
>> $ # Explicitly forwarding to Amazon DNS, reverse lookup works
>> $ host 10.0.6.17 10.0.0.2
>> Using domain server:
>> Name: 10.0.0.2
>> Address: 10.0.0.2#53
>> Aliases:
>> 17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.
>>
>> Please help. Thanks!
>>
>> --
>> *Nevada Sanchez*
>> Co-Founder, ASIC Design Team Lead
>>
>> tel: 203.689.5650 x314 | mobile: 775.863.8726
>> Come join us and put
>> a dent in the universe!
>>
>>
> Hello, do you have any reverse zones configured on IPA DNS? (with
> suffix 10.in-addr.arpa)?
>
> --
> Martin Basti
>
> Yes.
>
>
> --
> *Nevada Sanchez*
> Co-Founder, ASIC Design Team Lead
>
> tel: 203.689.5650 x314 | mobile: 775.863.8726
> Come join us and put a
> dent in the universe!
>

Do you have configured proper delegation via NS records to subzones of 10.in-addr.arpa. on IPA DNS? Respectively do you have delegation for 6.0.10.in-addr.arpa. zone to Amazon DNS?

Please notice that forward first doesn't mean that the forwarder will be contacted first, then fallback to IPA. Forward first means if there is no authoritative zone in IPA server, query will be forwarded to forwarder, if forwarder doesn't return the answer, then recursive search (if allowed) will be used from root zone.

You have 10.in-addr.arpa. zone configured, so it is authoritative zone for 17.6.0.10.in-addr.arpa. query, and you will get the authoritative answer NXDOMAIN, there is no need for forwarding.

You need to add a delegation

ipa dnsrecord-add 10.in-addr.arpa. 6.0.10.in-addr.arpa. --ns-rec=amazon.dns.

HTH

--
Martin Basti

From aebruno2 at buffalo.edu Wed Jul 15 14:10:05 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 15 Jul 2015 10:10:05 -0400
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <55A65EAB.6020207@redhat.com>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu> <55A3D226.3070808@redhat.com> <20150713150532.GD15499@dead.ccr.buffalo.edu> <55A3D949.5030303@redhat.com> <20150713163620.GF15499@dead.ccr.buffalo.edu> <55A4F585.3040207@redhat.com> <20150714123507.GB8394@dead.ccr.buffalo.edu> <55A5221A.6050607@redhat.com> <20150714185942.GD8394@dead.ccr.buffalo.edu> <55A65EAB.6020207@redhat.com>
Message-ID: <20150715141005.GA24682@dead.ccr.buffalo.edu>

On Wed, Jul 15, 2015 at 03:22:51PM +0200, Ludwig Krispenz wrote:
>
> On 07/14/2015 08:59 PM, Andrew E. Bruno wrote:
> >On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
> >>hm, the stack traces show csn_str, which correspond to Jul,8th, Jul,4th, and
> >>Jul,7th - so it looks like it is iterating the changelog over and over
> >>again.
> >>The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the master
> >>?
> >>
> >>can you provide the result of the following search from
> >>m14-24.ccr.buffalo.edu and the server with the high cpu:
> >>
> >>ldapsearch -o ldif-wrap=no -x -D ... -w -b "cn=config"
> >>"objectclass=nsds5replica" nsds50ruv
> >
> >master is srv-m14-24.. here's the results of the ldapsearch:
> >
> >[srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv
> >
> ># replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
> >dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> >nsds50ruv: {replicageneration} 5527f711000000040000
> >nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000
> >nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
> >nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
> so this is really strange, the master m14-24 has the latest change from
> replica 5(m14-26) as: 5591a3d2000700050000
> which corresponds to Mon, 29 Jun 2015 20:00:18 GMT
> so no update from 14-24 since that did arrive, or could not update the ruv.
> So m14-26 tries to replicate all the changes back from that time, but looks
> like it has no success.
> is there anything in the logs of m14-24 ? can you see successful mods with
> csn=xxxxxxx00050000 ?

Here's what I could find from the logs on srv-m14-24:

[srv-m14-24 ~]# grep -r 00050000 /var/log/dirsrv/slapd-[domain]/*
access.20150714-014346:[14/Jul/2015:03:10:05 -0400] conn=748529 op=14732 RESULT err=0 tag=103 nentries=0 etime=1 csn=55a4b5f0005000040000

And here's the last few lines of the error log on srv-m14-24:

[12/Jul/2015:10:11:14 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2456070,cn=changelog!!
[12/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2498441,cn=changelog!!
[13/Jul/2015:07:41:49 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3a406000000600000): Operations error (1). Will retry later.
[13/Jul/2015:11:56:50 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3dfca000000600000): Operations error (1). Will retry later.
[13/Jul/2015:14:26:50 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a402f2000000600000): Operations error (1). Will retry later.
[13/Jul/2015:15:26:49 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a41102000000600000): Operations error (1). Will retry later.
[13/Jul/2015:18:26:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a43b32000000600000): Operations error (1). Will retry later.
[13/Jul/2015:18:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4423a000000600000): Operations error (1). Will retry later.
[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later.
[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later.
[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later.
[14/Jul/2015:09:56:52 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a5152a000000600000): Operations error (1). Will retry later.
[14/Jul/2015:10:11:21 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2552223,cn=changelog!!
[14/Jul/2015:10:11:21 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2552224,cn=changelog!!
[14/Jul/2015:10:11:25 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2557315,cn=changelog!!
[14/Jul/2015:10:11:25 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2557318,cn=changelog!!
[14/Jul/2015:10:11:28 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2561020,cn=changelog!!
[14/Jul/2015:10:11:28 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2561043,cn=changelog!!
[14/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2586022,cn=changelog!!
[14/Jul/2015:10:11:59 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2598989,cn=changelog!!
[14/Jul/2015:10:11:59 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2598990,cn=changelog!! [14/Jul/2015:10:12:01 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2600966,cn=changelog!! [14/Jul/2015:10:12:03 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2604037,cn=changelog!! [14/Jul/2015:10:12:04 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2604054,cn=changelog!! [14/Jul/2015:10:12:24 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2629803,cn=changelog!! [14/Jul/2015:10:12:24 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2629804,cn=changelog!! > > > ># replica, o\3Dipaca, mapping tree, config > >dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config > >nsds50ruv: {replicageneration} 5527f74b000000600000 > >nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000 > >nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000 > >nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000 > > > > > >server with high cpu load is srv-m14-26. 
here's the results of the ldapsearch > >from this server: > > > >[srv-m14-26 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv > > > ># replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config > >dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config > >nsds50ruv: {replicageneration} 5527f711000000040000 > >nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000 > >nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000 > >nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000 > > > ># replica, o\3Dipaca, mapping tree, config > >dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config > >nsds50ruv: {replicageneration} 5527f74b000000600000 > >nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000 > >nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000 > >nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000 > > > > > >srv-m14-25-02 is our 3rd replicate which we recently added back in after it > >failed (was added back in 7/1). > > > >Let me know if you need anything else. Thanks for the help. > > > >--Andrew > > > >>On 07/14/2015 02:35 PM, Andrew E. Bruno wrote: > >>>On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote: > >>>>On 07/13/2015 06:36 PM, Andrew E. Bruno wrote: > >>>>>On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote: > >>>>>>On 07/13/2015 05:05 PM, Andrew E. Bruno wrote: > >>>>>>>On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote: > >>>>>>>>can you get a pstack of the slapd process along with a top -H to find th > >>>>>>>>ethread with high cpu usage > >>>>>>>Attached is the full stacktrace of the running ns-slapd proccess. 
top -H > >>>>>>>shows this thread (2879) with high cpu usage: > >>>>>>> > >>>>>>>2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd > >>>>>>this thread is a replication thread sending updates, what is strange is that > >>>>>>the current csn_str is quite old (july, 7th), I can't tell which agreeement > >>>>>>this thread is handling, but looks like it is heavily reading the changeglog > >>>>>>and sending updates. anything changed recently in replication setup ? > >>>>>Yes, we had one replica fail on (6/19) which we removed (not this one > >>>>>showing high CPU load). Had to perform some manual cleanup of the ipa-ca > >>>>>RUVs. Then we added the replica back in on 7/1. Since then, replication > >>>>>appears to have been running normally between the 3 replicas. We've been > >>>>>monitoring utilization since 7/1 and only recently seen this spike (past > >>>>>24 hours or so). > >>>>is it still in this state ? or was it a spike. > >>>Yes same state. > >>> > >>>>if it still is high cpu consuming, could you > >>>>- get a few pstack like the one before with some time in between, I would > >>>>like to see if it is progressing with the csns or looping on the same one > >>>Attached are a few stacktraces. The thread pegging the cpu is: > >>> > >>>PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > >>>2879 dirsrv 20 0 3819252 1.978g 11684 R 99.9 3.2 10148:26 ns-slapd > >>> > >>>>- check the consumer side. is there anything in the error log ? does the > >>>>access log show replication activity from this server > >>>Here's some errors showing up on the first master server rep1 (rep2 is the > >>>server with pegged cpu): > >>> > >>>[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later. 
> >>>[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later. > >>>[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later. > >>> > >>> > >>>Here's some snips from the access log of the rep2: > >>> > >>> > >>>[14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" > >>>[14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 RESULT err=0 tag=120 nentries=0 etime=0 > >>>[14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > >>>[14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 RESULT err=0 tag=120 nentries=0 etime=0 > >>>[14/Jul/2015:08:22:33 -0400] conn=777787 op=9796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" > >>>.. > >>>[14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000 > >>>.. 
> >>>[14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 nentries=1 etime=0 > >>>[14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" > >>>[14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 RESULT err=0 tag=120 nentries=0 etime=0 > >>>[14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > >>>[14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 RESULT err=0 tag=120 nentries=0 etime=0 > >>>[14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" > >>>[14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 RESULT err=0 tag=120 nentries=0 etime=0 > >>>[14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > >>>[14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 RESULT err=0 tag=120 nentries=0 etime=0 > >>>[14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" > >>>[14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 RESULT err=0 tag=120 nentries=0 etime=0 > >>>[14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > >>>[14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 RESULT err=0 tag=120 nentries=0 etime=0 > >>> > >>>and here's some from the error log: > >>> > >>>[13/Jul/2015:22:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2294859, dn = changenumber=2294859,cn=changelog: Operations error. > >>>[13/Jul/2015:22:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > >>>[13/Jul/2015:23:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2296384,cn=changelog from entryrdn index (-30993) > >>>[13/Jul/2015:23:56:50 -0400] - Operation error fetching changenumber=2296384,cn=changelog (null), error -30993. 
> >>>[13/Jul/2015:23:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2296384, dn = changenumber=2296384,cn=changelog: Operations error. > >>>[13/Jul/2015:23:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > >>>[14/Jul/2015:06:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2304418,cn=changelog from entryrdn index (-30993) > >>>[14/Jul/2015:06:56:50 -0400] - Operation error fetching changenumber=2304418,cn=changelog (null), error -30993. > >>>[14/Jul/2015:06:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2304418, dn = changenumber=2304418,cn=changelog: Operations error. > >>>[14/Jul/2015:06:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > >>> > >>> > >>>>- eventually enable replication logging: nsslapd-errorlog-level: 8192 > >>>>>On a side note, we get hit with this bug often: > >>>>> > >>>>>https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html > >>>>> > >>>>>(rouge sssd_be processing hammering a replica). > >>>>> > >>>>>This causes high ns-slapd utilization on the replica and restarting sssd > >>>>>on the client host immediately fixes the issue. However, in this > >>>>>case, we're not seeing this behavior. > >>>>> > >>>>> > >>>>> > >>>>> > >>>>>>> > >>>>>>> > >>>>>>>>On 07/13/2015 04:46 PM, Andrew E. Bruno wrote: > >>>>>>>>>We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and > >>>>>>>>>389-ds 1.3.3.1-16. > >>>>>>>>> > >>>>>>>>>Recently, the ns-slapd process on one of our replicas started showing higher > >>>>>>>>>than normal CPU usage. ns-slapd is pegged at high CPU usage more or less > >>>>>>>>>constantly. 
> >>>>>>>>> > >>>>>>>>>Seems very similar to this thread: > >>>>>>>>>https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html > >>>>>>>>> > >>>>>>>>>There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not > >>>>>>>>>sure if these are related): > >>>>>>>>> > >>>>>>>>> > >>>>>>>>>[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > >>>>>>>>>[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993) > >>>>>>>>>[13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993. > >>>>>>>>>[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error. > >>>>>>>>>[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > >>>>>>>>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993. > >>>>>>>>>[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993) > >>>>>>>>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993. > >>>>>>>>>[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error. > >>>>>>>>>[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > >>>>>>>>> > >>>>>>>>> > >>>>>>>>>access logs seem to be showing normal activity. Here's the number of open > >>>>>>>>>connections: > >>>>>>>>> > >>>>>>>>># ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l > >>>>>>>>>62 > >>>>>>>>> > >>>>>>>>>Note: the other two replicas have much higher open connections (>250) and low > >>>>>>>>>cpu load avgs. 
> >>>>>>>>> > >>>>>>>>>Here's some output of logconv.pl from our most recent access log on the replica > >>>>>>>>>with high cpu load: > >>>>>>>>> > >>>>>>>>>Start of Logs: 13/Jul/2015:04:49:18 > >>>>>>>>>End of Logs: 13/Jul/2015:10:06:11 > >>>>>>>>> > >>>>>>>>>Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds > >>>>>>>>> > >>>>>>>>>Restarts: 0 > >>>>>>>>>Total Connections: 2343 > >>>>>>>>> - LDAP Connections: 2120 > >>>>>>>>> - LDAPI Connections: 223 > >>>>>>>>> - LDAPS Connections: 0 > >>>>>>>>> - StartTLS Extended Ops: 45 > >>>>>>>>> Secure Protocol Versions: > >>>>>>>>> - TLS1.2 128-bit AES - 45 > >>>>>>>>> > >>>>>>>>>Peak Concurrent Connections: 22 > >>>>>>>>>Total Operations: 111865 > >>>>>>>>>Total Results: 111034 > >>>>>>>>>Overall Performance: 99.3% > >>>>>>>>> > >>>>>>>>>Searches: 95585 (5.03/sec) (301.64/min) > >>>>>>>>>Modifications: 3369 (0.18/sec) (10.63/min) > >>>>>>>>>Adds: 0 (0.00/sec) (0.00/min) > >>>>>>>>>Deletes: 0 (0.00/sec) (0.00/min) > >>>>>>>>>Mod RDNs: 0 (0.00/sec) (0.00/min) > >>>>>>>>>Compares: 0 (0.00/sec) (0.00/min) > >>>>>>>>>Binds: 7082 (0.37/sec) (22.35/min) > >>>>>>>>> > >>>>>>>>>Proxied Auth Operations: 0 > >>>>>>>>>Persistent Searches: 0 > >>>>>>>>>Internal Operations: 0 > >>>>>>>>>Entry Operations: 0 > >>>>>>>>>Extended Operations: 5317 > >>>>>>>>>Abandoned Requests: 416 > >>>>>>>>>Smart Referrals Received: 0 > >>>>>>>>> > >>>>>>>>>VLV Operations: 96 > >>>>>>>>>VLV Unindexed Searches: 0 > >>>>>>>>>VLV Unindexed Components: 32 > >>>>>>>>>SORT Operations: 64 > >>>>>>>>> > >>>>>>>>>Entire Search Base Queries: 0 > >>>>>>>>>Paged Searches: 3882 > >>>>>>>>>Unindexed Searches: 0 > >>>>>>>>>Unindexed Components: 5 > >>>>>>>>> > >>>>>>>>>FDs Taken: 2566 > >>>>>>>>>FDs Returned: 2643 > >>>>>>>>>Highest FD Taken: 249 > >>>>>>>>> > >>>>>>>>>Broken Pipes: 0 > >>>>>>>>>Connections Reset By Peer: 0 > >>>>>>>>>Resource Unavailable: 0 > >>>>>>>>>Max BER Size Exceeded: 0 > >>>>>>>>> > >>>>>>>>>Binds: 7082 > >>>>>>>>>Unbinds: 2443 > >>>>>>>>> - 
LDAP v2 Binds: 0 > >>>>>>>>> - LDAP v3 Binds: 6859 > >>>>>>>>> - AUTOBINDs: 223 > >>>>>>>>> - SSL Client Binds: 0 > >>>>>>>>> - Failed SSL Client Binds: 0 > >>>>>>>>> - SASL Binds: 6814 > >>>>>>>>> GSSAPI - 6591 > >>>>>>>>> EXTERNAL - 223 > >>>>>>>>> - Directory Manager Binds: 0 > >>>>>>>>> - Anonymous Binds: 6591 > >>>>>>>>> - Other Binds: 491 > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>>strace timing on the ns-slapd process: > >>>>>>>>> > >>>>>>>>> > >>>>>>>>>% time seconds usecs/call calls errors syscall > >>>>>>>>>------ ----------- ----------- --------- --------- ---------------- > >>>>>>>>> 94.40 0.346659 5977 58 poll > >>>>>>>>> 4.10 0.015057 15057 1 restart_syscall > >>>>>>>>> 0.91 0.003353 57 59 59 getpeername > >>>>>>>>> 0.49 0.001796 150 12 futex > >>>>>>>>> 0.10 0.000364 73 5 read > >>>>>>>>>------ ----------- ----------- --------- --------- ---------------- > >>>>>>>>>100.00 0.367229 135 59 total > >>>>>>>>> > >>>>>>>>> > >>>>>>>>>top output (with threads 'H'): > >>>>>>>>> > >>>>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > >>>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd > >>>>>>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd > >>>>>>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd > >>>>>>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd > >>>>>>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd > >>>>>>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd > >>>>>>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd > >>>>>>>>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd > >>>>>>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd > >>>>>>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd > >>>>>>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd > >>>>>>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 
R 1.2 3.1 611:30.22 ns-slapd > >>>>>>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd > >>>>>>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd > >>>>>>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd > >>>>>>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd > >>>>>>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd > >>>>>>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd > >>>>>>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd > >>>>>>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd > >>>>>>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd > >>>>>>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd > >>>>>>>>> > >>>>>>>>> > >>>>>>>>>ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any > >>>>>>>>>pointers on where else to look? > >>>>>>>>> > >>>>>>>>>Thanks in advance. > >>>>>>>>> > >>>>>>>>>--Andrew > >>>>>>>>> > >>>>>>>>-- > >>>>>>>>Manage your subscription for the Freeipa-users mailing list: > >>>>>>>>https://www.redhat.com/mailman/listinfo/freeipa-users > >>>>>>>>Go to http://freeipa.org for more info on the project > >>>>>>>> > >>>>>>>> > >> > > From lkrispen at redhat.com Wed Jul 15 14:58:23 2015 
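The CSN decoding and RUV comparison that the message above relies on, as an added Python example that is not part of the original thread. It assumes the 389-ds CSN layout of 8 hex digits of timestamp, 4 of sequence number, 4 of replica ID and 4 of sub-sequence number (the values quoted in the thread decode consistently with it); the function names are hypothetical, and the sample RUV and access-log lines are copied from the messages above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed CSN layout (20 hex digits):
#   8 timestamp (Unix seconds) | 4 sequence number | 4 replica ID | 4 sub-sequence
@dataclass(frozen=True)
class CSN:
    ts: int
    seq: int
    rid: int
    subseq: int

    @classmethod
    def parse(cls, text):
        if not re.fullmatch(r"[0-9a-fA-F]{20}", text):
            raise ValueError(f"not a 20-hex-digit CSN: {text!r}")
        bounds = ((0, 8), (8, 12), (12, 16), (16, 20))
        return cls(*(int(text[i:j], 16) for i, j in bounds))

    @property
    def when(self):
        """Timestamp field as an aware UTC datetime."""
        return datetime.fromtimestamp(self.ts, tz=timezone.utc)

RUV_RE = re.compile(
    r"\{replica (\d+) (\S+)\}(?:\s+([0-9a-fA-F]{20})\s+([0-9a-fA-F]{20}))?")
CSN_RE = re.compile(r"\bcsn=([0-9a-fA-F]{20})\b")

def parse_ruv(ldif_text):
    """Return {replica_id: (url, min_csn, max_csn)} from nsds50ruv values.

    The {replicageneration} element is skipped. An element that carries no
    CSNs (a replica that never originated a change) yields (url, None, None).
    """
    ruv = {}
    for m in RUV_RE.finditer(ldif_text):
        rid, url, lo, hi = m.groups()
        ruv[int(rid)] = (url,
                         CSN.parse(lo) if lo else None,
                         CSN.parse(hi) if hi else None)
    return ruv

def ruv_lag(reference, other):
    """Seconds by which `other` trails `reference`, per replica ID.

    Positive: `other` has not yet seen changes that `reference` has.
    Negative: `other` is ahead. None: `other` has no max CSN for that ID.
    """
    lag = {}
    for rid, (_url, _lo, ref_max) in reference.items():
        if ref_max is None:
            continue
        oth_max = other.get(rid, (None, None, None))[2]
        lag[rid] = None if oth_max is None else ref_max.ts - oth_max.ts
    return lag

def csns_from_replica(log_lines, rid):
    """CSNs in access-log lines whose replica-ID field equals `rid`.

    Decoding the field avoids the false positives of a substring search,
    which can match across the boundaries between CSN fields.
    """
    found = []
    for line in log_lines:
        m = CSN_RE.search(line)
        if m and CSN.parse(m.group(1)).rid == rid:
            found.append(m.group(1))
    return found

# RUV values copied from the ldapsearch output in the thread (main suffix).
RUV_M14_24 = """
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""
RUV_M14_26 = """
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""
# Access-log lines copied from the thread.
ACCESS_LINES = [
    "[14/Jul/2015:03:10:05 -0400] conn=748529 op=14732 RESULT err=0 tag=103 nentries=0 etime=1 csn=55a4b5f0005000040000",
    "[14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000",
]

if __name__ == "__main__":
    here, there = parse_ruv(RUV_M14_26), parse_ruv(RUV_M14_24)
    for rid, secs in sorted(ruv_lag(here, there).items()):
        print(f"replica {rid}: srv-m14-24 trails srv-m14-26 by {secs} s "
              f"({secs / 86400:.1f} days)")
    print("last change of replica 5 known to srv-m14-24:", there[5][2].when)
    print("log CSNs originated by replica 5:", csns_from_replica(ACCESS_LINES, 5))
```

Both sample log lines contain the substring `00050000`, but only the second has replica ID 5; the first decodes to sequence number 0x0050 on replica 4.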
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 15 Jul 2015 16:58:23 +0200
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <20150715141005.GA24682@dead.ccr.buffalo.edu>
References: <20150713144619.GA15499@dead.ccr.buffalo.edu>
 <55A3D226.3070808@redhat.com>
 <20150713150532.GD15499@dead.ccr.buffalo.edu>
 <55A3D949.5030303@redhat.com>
 <20150713163620.GF15499@dead.ccr.buffalo.edu>
 <55A4F585.3040207@redhat.com>
 <20150714123507.GB8394@dead.ccr.buffalo.edu>
 <55A5221A.6050607@redhat.com>
 <20150714185942.GD8394@dead.ccr.buffalo.edu>
 <55A65EAB.6020207@redhat.com>
 <20150715141005.GA24682@dead.ccr.buffalo.edu>
Message-ID: <55A6750F.5000906@redhat.com>

On 07/15/2015 04:10 PM, Andrew E. Bruno wrote:
> On Wed, Jul 15, 2015 at 03:22:51PM +0200, Ludwig Krispenz wrote:
>> On 07/14/2015 08:59 PM, Andrew E. Bruno wrote:
>>> On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
>>>> hm, the stack traces show csn_str, which correspond to Jul,8th, Jul,4th, and
>>>> Jul,7th - so it looks like it is iterating the changelog over and over
>>>> again.
>>>> The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the master
>>>> ?
>>>>
>>>> can you provide the result of the following search from
>>>> m14-24.ccr.buffalo.edu and the server with the high cpu:
>>>>
>>>> ldapsearch -o ldif-wrap=no -x -D ... -w -b "cn=config"
>>>> "objectclass=nsds5replica" nsds50ruv
>>> master is srv-m14-24.. here's the results of the ldapsearch:
>>>
>>> [srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv
>>>
>>> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
>>> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
>>> nsds50ruv: {replicageneration} 5527f711000000040000
>>> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000
>>> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
>>> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
>> so this is really strange, the master m14-24 has the latest change from
>> replica 5(m14-26) as: 5591a3d2000700050000
>> which corresponds to Mon, 29 Jun 2015 20:00:18 GMT
>> so no update from 14-24 since that did arrive, or could not update the ruv.
>> So m14-26 tries to replicate all the changes back from that time, but looks
>> like it has no success.
>> is there anything in the logs of m14-24 ? can you see successful mods with
>> csn=xxxxxxx00050000 ?
> Here's what I could find from the logs on srv-m14-24:
>
>
> [srv-m14-24 ~]# grep -r 00050000 /var/log/dirsrv/slapd-[domain]/*
> access.20150714-014346:[14/Jul/2015:03:10:05 -0400] conn=748529 op=14732 RESULT err=0 tag=103 nentries=0 etime=1 csn=55a4b5f0005000040000

ok, so no update originating at replica 5 has been replicated (probably since June,29)
did you experience data inconsistency between the servers ?

>
>
> And here's the last few lines the error log on srv-m14-24:

one set of messages refers to the o=ipaca backend and seem to be transient, replication continues later.
the other set of msg "No original tombstone .." is annoying (and it is fixed in ticket https://fedorahosted.org/389/ticket/47912)

the next thing we can do to try to understand what is going on is to enable replication logging on m14-26, it will then not only consume all cpu, but write tons of messages to the error log.
But it can be turned on and off:

ldapmodify ...
dn: cn=config
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

and let it run for a while, then set it back to: 0

>
> [12/Jul/2015:10:11:14 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2456070,cn=changelog!!
> [12/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2498441,cn=changelog!!
> [13/Jul/2015:07:41:49 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3a406000000600000): Operations error (1). Will retry later.
> [13/Jul/2015:11:56:50 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3dfca000000600000): Operations error (1). Will retry later.
> [13/Jul/2015:14:26:50 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a402f2000000600000): Operations error (1). Will retry later.
> [13/Jul/2015:15:26:49 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a41102000000600000): Operations error (1). Will retry later.
> [13/Jul/2015:18:26:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a43b32000000600000): Operations error (1). Will retry later. > [13/Jul/2015:18:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4423a000000600000): Operations error (1). Will retry later. > [13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later. > [13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later. > [14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later. > [14/Jul/2015:09:56:52 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a5152a000000600000): Operations error (1). Will retry later. > [14/Jul/2015:10:11:21 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2552223,cn=changelog!! > [14/Jul/2015:10:11:21 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2552224,cn=changelog!! 
> [14/Jul/2015:10:11:25 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2557315,cn=changelog!! > [14/Jul/2015:10:11:25 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2557318,cn=changelog!! > [14/Jul/2015:10:11:28 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2561020,cn=changelog!! > [14/Jul/2015:10:11:28 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2561043,cn=changelog!! > [14/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2586022,cn=changelog!! > [14/Jul/2015:10:11:59 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2598989,cn=changelog!! > [14/Jul/2015:10:11:59 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2598990,cn=changelog!! > [14/Jul/2015:10:12:01 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2600966,cn=changelog!! > [14/Jul/2015:10:12:03 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2604037,cn=changelog!! > [14/Jul/2015:10:12:04 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2604054,cn=changelog!! > [14/Jul/2015:10:12:24 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2629803,cn=changelog!! > [14/Jul/2015:10:12:24 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2629804,cn=changelog!! 
> > > > > >>> # replica, o\3Dipaca, mapping tree, config >>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config >>> nsds50ruv: {replicageneration} 5527f74b000000600000 >>> nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000 >>> nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000 >>> nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000 >>> >>> >>> server with high cpu load is srv-m14-26. here's the results of the ldapsearch >> >from this server: >>> [srv-m14-26 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv >>> >>> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config >>> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config >>> nsds50ruv: {replicageneration} 5527f711000000040000 >>> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000 >>> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000 >>> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000 >>> >>> # replica, o\3Dipaca, mapping tree, config >>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config >>> nsds50ruv: {replicageneration} 5527f74b000000600000 >>> nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000 >>> nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000 >>> nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000 >>> >>> >>> srv-m14-25-02 is our 3rd replicate which we recently added back in after it >>> failed (was added back in 7/1). >>> >>> Let me know if you need anything else. Thanks for the help. 
>>> >>> --Andrew >>> >>>> On 07/14/2015 02:35 PM, Andrew E. Bruno wrote: >>>>> On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote: >>>>>> On 07/13/2015 06:36 PM, Andrew E. Bruno wrote: >>>>>>> On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote: >>>>>>>> On 07/13/2015 05:05 PM, Andrew E. Bruno wrote: >>>>>>>>> On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote: >>>>>>>>>> can you get a pstack of the slapd process along with a top -H to find the >>>>>>>>>> thread with high cpu usage >>>>>>>>> Attached is the full stacktrace of the running ns-slapd process. top -H >>>>>>>>> shows this thread (2879) with high cpu usage: >>>>>>>>> >>>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd >>>>>>>> this thread is a replication thread sending updates, what is strange is that >>>>>>>> the current csn_str is quite old (july, 7th), I can't tell which agreement >>>>>>>> this thread is handling, but looks like it is heavily reading the changelog >>>>>>>> and sending updates. anything changed recently in replication setup ? >>>>>>> Yes, we had one replica fail on (6/19) which we removed (not this one >>>>>>> showing high CPU load). Had to perform some manual cleanup of the ipa-ca >>>>>>> RUVs. Then we added the replica back in on 7/1. Since then, replication >>>>>>> appears to have been running normally between the 3 replicas. We've been >>>>>>> monitoring utilization since 7/1 and only recently seen this spike (past >>>>>>> 24 hours or so). >>>>>> is it still in this state ? or was it a spike. >>>>> Yes same state. >>>>> >>>>>> if it still is high cpu consuming, could you >>>>>> - get a few pstack like the one before with some time in between, I would >>>>>> like to see if it is progressing with the csns or looping on the same one >>>>> Attached are a few stacktraces. 
The thread pegging the cpu is: >>>>> >>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>>>> 2879 dirsrv 20 0 3819252 1.978g 11684 R 99.9 3.2 10148:26 ns-slapd >>>>> >>>>>> - check the consumer side. is there anything in the error log ? does the >>>>>> access log show replication activity from this server >>>>> Here's some errors showing up on the first master server rep1 (rep2 is the >>>>> server with pegged cpu): >>>>> >>>>> [13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later. >>>>> [13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later. >>>>> [14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later. >>>>> >>>>> >>>>> Here's some snips from the access log of the rep2: >>>>> >>>>> >>>>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>>>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 RESULT err=0 tag=120 nentries=0 etime=0 >>>>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 RESULT err=0 tag=120 nentries=0 etime=0 >>>>> [14/Jul/2015:08:22:33 -0400] conn=777787 op=9796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>>>> .. 
>>>>> [14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000 >>>>> .. >>>>> [14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 nentries=1 etime=0 >>>>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>>>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 RESULT err=0 tag=120 nentries=0 etime=0 >>>>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 RESULT err=0 tag=120 nentries=0 etime=0 >>>>> [14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>>>> [14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 RESULT err=0 tag=120 nentries=0 etime=0 >>>>> [14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>> [14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 RESULT err=0 tag=120 nentries=0 etime=0 >>>>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" >>>>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 RESULT err=0 tag=120 nentries=0 etime=0 >>>>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 RESULT err=0 tag=120 nentries=0 etime=0 >>>>> >>>>> and here's some from the error log: >>>>> >>>>> [13/Jul/2015:22:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2294859, dn = changenumber=2294859,cn=changelog: Operations error. 
>>>>> [13/Jul/2015:22:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>> [13/Jul/2015:23:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2296384,cn=changelog from entryrdn index (-30993) >>>>> [13/Jul/2015:23:56:50 -0400] - Operation error fetching changenumber=2296384,cn=changelog (null), error -30993. >>>>> [13/Jul/2015:23:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2296384, dn = changenumber=2296384,cn=changelog: Operations error. >>>>> [13/Jul/2015:23:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>> [14/Jul/2015:06:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2304418,cn=changelog from entryrdn index (-30993) >>>>> [14/Jul/2015:06:56:50 -0400] - Operation error fetching changenumber=2304418,cn=changelog (null), error -30993. >>>>> [14/Jul/2015:06:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2304418, dn = changenumber=2304418,cn=changelog: Operations error. >>>>> [14/Jul/2015:06:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>> >>>>> >>>>>> - eventually enable replication logging: nsslapd-errorlog-level: 8192 >>>>>>> On a side note, we get hit with this bug often: >>>>>>> >>>>>>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html >>>>>>> >>>>>>> (rouge sssd_be processing hammering a replica). >>>>>>> >>>>>>> This causes high ns-slapd utilization on the replica and restarting sssd >>>>>>> on the client host immediately fixes the issue. However, in this >>>>>>> case, we're not seeing this behavior. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>>> >>>>>>>>>> On 07/13/2015 04:46 PM, Andrew E. Bruno wrote: >>>>>>>>>>> We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and >>>>>>>>>>> 389-ds 1.3.3.1-16. >>>>>>>>>>> >>>>>>>>>>> Recently, the ns-slapd process on one of our replicas started showing higher >>>>>>>>>>> than normal CPU usage. 
ns-slapd is pegged at high CPU usage more or less >>>>>>>>>>> constantly. >>>>>>>>>>> >>>>>>>>>>> Seems very similar to this thread: >>>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html >>>>>>>>>>> >>>>>>>>>>> There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not >>>>>>>>>>> sure if these are related): >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>>>>>>>> [13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993) >>>>>>>>>>> [13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993. >>>>>>>>>>> [13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error. >>>>>>>>>>> [13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993. >>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993) >>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993. >>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error. >>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> access logs seem to be showing normal activity. 
Here's the number of open >>>>>>>>>>> connections: >>>>>>>>>>> >>>>>>>>>>> # ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l >>>>>>>>>>> 62 >>>>>>>>>>> >>>>>>>>>>> Note: the other two replicas have much higher open connections (>250) and low >>>>>>>>>>> cpu load avgs. >>>>>>>>>>> >>>>>>>>>>> Here's some output of logconv.pl from our most recent access log on the replica >>>>>>>>>>> with high cpu load: >>>>>>>>>>> >>>>>>>>>>> Start of Logs: 13/Jul/2015:04:49:18 >>>>>>>>>>> End of Logs: 13/Jul/2015:10:06:11 >>>>>>>>>>> >>>>>>>>>>> Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds >>>>>>>>>>> >>>>>>>>>>> Restarts: 0 >>>>>>>>>>> Total Connections: 2343 >>>>>>>>>>> - LDAP Connections: 2120 >>>>>>>>>>> - LDAPI Connections: 223 >>>>>>>>>>> - LDAPS Connections: 0 >>>>>>>>>>> - StartTLS Extended Ops: 45 >>>>>>>>>>> Secure Protocol Versions: >>>>>>>>>>> - TLS1.2 128-bit AES - 45 >>>>>>>>>>> >>>>>>>>>>> Peak Concurrent Connections: 22 >>>>>>>>>>> Total Operations: 111865 >>>>>>>>>>> Total Results: 111034 >>>>>>>>>>> Overall Performance: 99.3% >>>>>>>>>>> >>>>>>>>>>> Searches: 95585 (5.03/sec) (301.64/min) >>>>>>>>>>> Modifications: 3369 (0.18/sec) (10.63/min) >>>>>>>>>>> Adds: 0 (0.00/sec) (0.00/min) >>>>>>>>>>> Deletes: 0 (0.00/sec) (0.00/min) >>>>>>>>>>> Mod RDNs: 0 (0.00/sec) (0.00/min) >>>>>>>>>>> Compares: 0 (0.00/sec) (0.00/min) >>>>>>>>>>> Binds: 7082 (0.37/sec) (22.35/min) >>>>>>>>>>> >>>>>>>>>>> Proxied Auth Operations: 0 >>>>>>>>>>> Persistent Searches: 0 >>>>>>>>>>> Internal Operations: 0 >>>>>>>>>>> Entry Operations: 0 >>>>>>>>>>> Extended Operations: 5317 >>>>>>>>>>> Abandoned Requests: 416 >>>>>>>>>>> Smart Referrals Received: 0 >>>>>>>>>>> >>>>>>>>>>> VLV Operations: 96 >>>>>>>>>>> VLV Unindexed Searches: 0 >>>>>>>>>>> VLV Unindexed Components: 32 >>>>>>>>>>> SORT Operations: 64 >>>>>>>>>>> >>>>>>>>>>> Entire Search Base Queries: 0 >>>>>>>>>>> Paged Searches: 3882 >>>>>>>>>>> Unindexed Searches: 0 >>>>>>>>>>> Unindexed Components: 5 
>>>>>>>>>>> >>>>>>>>>>> FDs Taken: 2566 >>>>>>>>>>> FDs Returned: 2643 >>>>>>>>>>> Highest FD Taken: 249 >>>>>>>>>>> >>>>>>>>>>> Broken Pipes: 0 >>>>>>>>>>> Connections Reset By Peer: 0 >>>>>>>>>>> Resource Unavailable: 0 >>>>>>>>>>> Max BER Size Exceeded: 0 >>>>>>>>>>> >>>>>>>>>>> Binds: 7082 >>>>>>>>>>> Unbinds: 2443 >>>>>>>>>>> - LDAP v2 Binds: 0 >>>>>>>>>>> - LDAP v3 Binds: 6859 >>>>>>>>>>> - AUTOBINDs: 223 >>>>>>>>>>> - SSL Client Binds: 0 >>>>>>>>>>> - Failed SSL Client Binds: 0 >>>>>>>>>>> - SASL Binds: 6814 >>>>>>>>>>> GSSAPI - 6591 >>>>>>>>>>> EXTERNAL - 223 >>>>>>>>>>> - Directory Manager Binds: 0 >>>>>>>>>>> - Anonymous Binds: 6591 >>>>>>>>>>> - Other Binds: 491 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> strace timing on the ns-slapd process: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> % time seconds usecs/call calls errors syscall >>>>>>>>>>> ------ ----------- ----------- --------- --------- ---------------- >>>>>>>>>>> 94.40 0.346659 5977 58 poll >>>>>>>>>>> 4.10 0.015057 15057 1 restart_syscall >>>>>>>>>>> 0.91 0.003353 57 59 59 getpeername >>>>>>>>>>> 0.49 0.001796 150 12 futex >>>>>>>>>>> 0.10 0.000364 73 5 read >>>>>>>>>>> ------ ----------- ----------- --------- --------- ---------------- >>>>>>>>>>> 100.00 0.367229 135 59 total >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> top output (with threads 'H'): >>>>>>>>>>> >>>>>>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>>>>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd >>>>>>>>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd >>>>>>>>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd >>>>>>>>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd >>>>>>>>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd >>>>>>>>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd >>>>>>>>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd >>>>>>>>>>> 2897 dirsrv 
20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd >>>>>>>>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd >>>>>>>>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd >>>>>>>>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd >>>>>>>>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd >>>>>>>>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd >>>>>>>>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd >>>>>>>>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd >>>>>>>>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd >>>>>>>>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd >>>>>>>>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd >>>>>>>>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd >>>>>>>>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd >>>>>>>>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd >>>>>>>>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any >>>>>>>>>>> pointers on where else to look? >>>>>>>>>>> >>>>>>>>>>> Thanks in advance. >>>>>>>>>>> >>>>>>>>>>> --Andrew >>>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>>>>> >>>>>>>>>> >> From pspacek at redhat.com Wed Jul 15 15:28:44 2015 
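Added example, not part of any message in this thread: the nsds50ruv values that the thread's ldapsearch output shows for srv-m14-24 and srv-m14-26 can be decoded and compared mechanically instead of by eye. It assumes the 389-ds CSN layout of 8 hex digits of Unix time followed by 4 each for sequence number, replica id and sub-sequence number; the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Assumed CSN layout: 8 hex digits Unix time, then 4 hex digits each for
# sequence number, replica id and sub-sequence number.
CSN_RE = re.compile(r"^[0-9a-f]{20}$")
# Matches "nsds50ruv: {replica <rid> <url>} <minCSN> <maxCSN>".
# "{replicageneration}" lines and replicas without a CSN pair do not match.
RUV_RE = re.compile(
    r"^nsds50ruv: \{replica (\d+) \S+\} ([0-9a-f]{20}) ([0-9a-f]{20})$")

SUFFIX = r"cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config"

# Domain-suffix RUV as posted in the thread for each server.
RUV_M14_24 = r"""
dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""
RUV_M14_26 = r"""
dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""


def parse_csn(csn):
    """Split a 20-hex-digit CSN into its four fields."""
    csn = csn.lower()
    if not CSN_RE.match(csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(ldif):
    """Return {replica_entry_dn: {rid: max_csn}} from ldapsearch output."""
    ruvs, current = {}, None
    for line in ldif.splitlines():
        line = line.strip()
        if line.startswith("dn: "):
            current = ruvs.setdefault(line[4:], {})
            continue
        match = RUV_RE.match(line)
        if match and current is not None:
            current[int(match.group(1))] = match.group(3)
    return ruvs


def lag_seconds(view_a, view_b):
    """Per replica id, seconds by which view_b's max CSN trails view_a's.

    A large positive value means server B has not seen (or not recorded)
    changes that server A already holds for that originating replica.
    """
    lags = {}
    for rid in sorted(set(view_a) & set(view_b)):
        time_a = parse_csn(view_a[rid])["time"]
        time_b = parse_csn(view_b[rid])["time"]
        lags[rid] = int((time_a - time_b).total_seconds())
    return lags


def domain_lag():
    """How far srv-m14-24's view trails srv-m14-26's, per replica id."""
    view_26 = parse_ruv(RUV_M14_26)[SUFFIX]
    view_24 = parse_ruv(RUV_M14_24)[SUFFIX]
    return lag_seconds(view_26, view_24)


if __name__ == "__main__":
    for rid, lag in domain_lag().items():
        print("replica %d: srv-m14-24 trails srv-m14-26 by %d s (%.1f days)"
              % (rid, lag, lag / 86400.0))
    # A grep for "00050000" also matches this CSN, but its replica id is 4.
    print(parse_csn("55a4b5f0005000040000"))
```

Decoding also explains the grep hit on `csn=55a4b5f0005000040000`: the `0005` there is the tail of sequence number 0x0050 followed by replica id 4, so it is not a change that originated on replica 5.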
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jul 2015 17:28:44 +0200 Subject: [Freeipa-users] reverse lookup dns records in trust setup In-Reply-To: References: <55914D1F.4050704@redhat.com> <559CF263.6020300@redhat.com> <55A50624.4050507@redhat.com> Message-ID: <55A67C2C.6070006@redhat.com> On 14.7.2015 15:19, John Stein wrote: > Hi, > > What I meant was that the IPA server is managing two zones: > > Linux.john.com > Which has these records > Ipa1 A 192.168.0.140 > client1 A 192.168.0.11 > > 0.168.192.in-addr.arpa. > Which has these records > 11 PTR client1.linux.john.com > @ NS ipa1.linux.john.com > > In the AD > forward lookup zones >> John.com >>> linux > (Same as parent folder) NS ipa1.linux.john.com > > Anything more that's unclear? This is enough. You have the same 'master' zone configured on IPA and AD, which does not make sense from DNS point of view. You need to move all records to one server and configure 'forward' zone on the other server. In AD terminology you need to create 'conditional forwarder'. Petr^2 Spacek > > Thank you very much! > John > > On Tue, Jul 14, 2015, 15:52 Petr Spacek wrote: > >> On 14.7.2015 14:49, John Stein wrote: >>> I ran the above commands exactly as I told you on the IPA server. I also >>> set the IPA server as a global forwarder in the AD. >>> >>> On Wed, Jul 8, 2015, 12:50 Petr Spacek wrote: >>> >>>>> On 5.7.2015 08:38, John Stein wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I ran these commands in the IdM server >>>>>>> >>>>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant >> JOHN.COM >>>>>>> krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;' >>>>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1 >>>>>>> >>>>>>> At the Active Directory I have A and PTR records for the IdM >> server and >>>>> it >>>>>>> is configured as a global forwarder. >>>>>>> At the IdM server there are A and PTR records for both the IdM >> server and >>>>>>> another client. 
>> >> Can you explain what you did, exactly? I do not know what 'I have A and PTR >> records for the IdM server' exactly means. We need to know exactly what you >> typed in and where you clicked in AD. >> >> The original information is not sufficient, that is why I am asking for more >> details. >> >> Petr^2 Spacek >> >>>>>>> However this setup does not work. >>>>>>> From the IdM and linux client every record is resolvable, however >> from >>>>> the >>>>>>> AD only the IdM is resolvable and the client is not. >>>>>>> >>>>>>> Maybe there's another thing I need to configure in the AD in order >> to >>>>>>> enable forwarding that I'm missing? >>>>> >>>>> I'm not sure I understand you. From aebruno2 at buffalo.edu Wed Jul 15 17:05:32 2015 
From: aebruno2 at buffalo.edu (Andrew E. Bruno) Date: Wed, 15 Jul 2015 13:05:32 -0400 Subject: [Freeipa-users] ns-slapd high cpu usage In-Reply-To: <55A6750F.5000906@redhat.com> References: <20150713150532.GD15499@dead.ccr.buffalo.edu> <55A3D949.5030303@redhat.com> <20150713163620.GF15499@dead.ccr.buffalo.edu> <55A4F585.3040207@redhat.com> <20150714123507.GB8394@dead.ccr.buffalo.edu> <55A5221A.6050607@redhat.com> <20150714185942.GD8394@dead.ccr.buffalo.edu> <55A65EAB.6020207@redhat.com> <20150715141005.GA24682@dead.ccr.buffalo.edu> <55A6750F.5000906@redhat.com> Message-ID: <20150715170532.GB24682@dead.ccr.buffalo.edu> On Wed, Jul 15, 2015 at 04:58:23PM +0200, Ludwig Krispenz wrote: > > On 07/15/2015 04:10 PM, Andrew E. Bruno wrote: > >On Wed, Jul 15, 2015 at 03:22:51PM +0200, Ludwig Krispenz wrote: > >>On 07/14/2015 08:59 PM, Andrew E. Bruno wrote: > >>>On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote: > >>>>hm, the stack traces show csn_str, which correspond to Jul,8th, Jul,4th, and > >>>>Jul,7th - so it looks like it is iterating the changelog over and over > >>>>again. > >>>>The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the master > >>>>? > >>>> > >>>>can you provide the result of the following search from > >>>>m14-24.ccr.buffalo.edu and the server with the high cpu: > >>>> > >>>>ldapsearch -o ldif-wrap=no -x -D ... -w -b "cn=config" > >>>>"objectclass=nsds5replica" nsds50ruv > >>>master is srv-m14-24.. 
here's the results of the ldapsearch: > >>> > >>>[srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv > >>> > >>># replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config > >>>dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config > >>>nsds50ruv: {replicageneration} 5527f711000000040000 > >>>nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000 > >>>nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000 > >>>nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000 > >>so this is really strange, the master m14-24 has the latest change from > >>replica 5(m14-26) as: 5591a3d2000700050000 > >>which corresponds to Mon, 29 Jun 2015 20:00:18 GMT > >>so no update from 14-24 since that did arrive, or could not update the ruv. > >>So m14-26 tries to replicate all the changes back from that time, but looks > >>like iit has no success. > >>is there anything in the logs of m14-24 ? can you see successful mods with > >>csn=xxxxxxx00050000 ? > >Here's what I could find from the logs on srv-m14-24: > > > > > >[srv-m14-24 ~]# grep -r 00050000 /var/log/dirsrv/slapd-[domain]/* > >access.20150714-014346:[14/Jul/2015:03:10:05 -0400] conn=748529 op=14732 RESULT err=0 tag=103 nentries=0 etime=1 csn=55a4b5f0005000040000 > ok, so no update originating at replica 5 has been replicated (probably > since June,29) did you experience data inconsistency between the servers ? > > > > > >And here's the last few lines the error log on srv-m14-24: > one set of messages refers to the o=ipaca backend and seem to be transient, > replication continues later. > the other set of msg "No original tombstone .." 
is annoying (and it is fixed > in ticket https://fedorahosted.org/389/ticket/47912) > > the next thing we can do to try to understand what is going on is to enable > replication logging on m14-26, it will then not only consume all cpu, but > write tons of messages to the error log. > But it can be turned on and off: > > ldapmodify ... > dn: cn=config > replace: nsslapd-errorlog-level > nsslapd-errorlog-level: 8192 > > and let it run for a while, then set it back to: 0 I enabled replication logging and it's running now. I noticed the default value for nsslapd-errorlog-level was set to 16384 (not 0). OK to send you the logs off list? Looks like they contain quite a bit of sensitive data. Thanks again for all the help looking into this. Best, --Andrew > > > > >[12/Jul/2015:10:11:14 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2456070,cn=changelog!! > >[12/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2498441,cn=changelog!! > >[13/Jul/2015:07:41:49 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3a406000000600000): Operations error (1). Will retry later. > >[13/Jul/2015:11:56:50 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3dfca000000600000): Operations error (1). Will retry later. > >[13/Jul/2015:14:26:50 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a402f2000000600000): Operations error (1). Will retry later. 
> >[13/Jul/2015:15:26:49 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a41102000000600000): Operations error (1). Will retry later. > >[13/Jul/2015:18:26:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a43b32000000600000): Operations error (1). Will retry later. > >[13/Jul/2015:18:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4423a000000600000): Operations error (1). Will retry later. > >[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later. > >[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later. > >[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later. > >[14/Jul/2015:09:56:52 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a5152a000000600000): Operations error (1). 
Will retry later. > >[14/Jul/2015:10:11:21 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2552223,cn=changelog!! > >[14/Jul/2015:10:11:21 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2552224,cn=changelog!! > >[14/Jul/2015:10:11:25 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2557315,cn=changelog!! > >[14/Jul/2015:10:11:25 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2557318,cn=changelog!! > >[14/Jul/2015:10:11:28 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2561020,cn=changelog!! > >[14/Jul/2015:10:11:28 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2561043,cn=changelog!! > >[14/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2586022,cn=changelog!! > >[14/Jul/2015:10:11:59 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2598989,cn=changelog!! > >[14/Jul/2015:10:11:59 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2598990,cn=changelog!! > >[14/Jul/2015:10:12:01 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2600966,cn=changelog!! > >[14/Jul/2015:10:12:03 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2604037,cn=changelog!! > >[14/Jul/2015:10:12:04 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2604054,cn=changelog!! > >[14/Jul/2015:10:12:24 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2629803,cn=changelog!! > >[14/Jul/2015:10:12:24 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2629804,cn=changelog!! 
> > > > > > > > > > > >>># replica, o\3Dipaca, mapping tree, config > >>>dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config > >>>nsds50ruv: {replicageneration} 5527f74b000000600000 > >>>nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000 > >>>nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000 > >>>nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000 > >>> > >>> > >>>server with high cpu load is srv-m14-26. here's the results of the ldapsearch > >>>from this server: > >>>[srv-m14-26 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv > >>> > >>># replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config > >>>dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config > >>>nsds50ruv: {replicageneration} 5527f711000000040000 > >>>nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000 > >>>nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000 > >>>nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000 > >>> > >>># replica, o\3Dipaca, mapping tree, config > >>>dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config > >>>nsds50ruv: {replicageneration} 5527f74b000000600000 > >>>nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000 > >>>nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000 > >>>nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000 > >>> > >>> > >>>srv-m14-25-02 is our 3rd replicate which we recently added back in after it > >>>failed (was added back in 7/1). > >>> > >>>Let me know if you need anything else. 
Thanks for the help. > >>> > >>>--Andrew > >>> > >>>>On 07/14/2015 02:35 PM, Andrew E. Bruno wrote: > >>>>>On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote: > >>>>>>On 07/13/2015 06:36 PM, Andrew E. Bruno wrote: > >>>>>>>On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote: > >>>>>>>>On 07/13/2015 05:05 PM, Andrew E. Bruno wrote: > >>>>>>>>>On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote: > >>>>>>>>>>can you get a pstack of the slapd process along with a top -H to find the > >>>>>>>>>>thread with high cpu usage > >>>>>>>>>Attached is the full stacktrace of the running ns-slapd process. top -H > >>>>>>>>>shows this thread (2879) with high cpu usage: > >>>>>>>>> > >>>>>>>>>2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd > >>>>>>>>this thread is a replication thread sending updates, what is strange is that > >>>>>>>>the current csn_str is quite old (july, 7th), I can't tell which agreement > >>>>>>>>this thread is handling, but looks like it is heavily reading the changelog > >>>>>>>>and sending updates. anything changed recently in replication setup ? > >>>>>>>Yes, we had one replica fail on (6/19) which we removed (not this one > >>>>>>>showing high CPU load). Had to perform some manual cleanup of the ipa-ca > >>>>>>>RUVs. Then we added the replica back in on 7/1. Since then, replication > >>>>>>>appears to have been running normally between the 3 replicas. We've been > >>>>>>>monitoring utilization since 7/1 and only recently seen this spike (past > >>>>>>>24 hours or so). > >>>>>>is it still in this state ? or was it a spike. > >>>>>Yes same state. > >>>>> > >>>>>>if it still is high cpu consuming, could you > >>>>>>- get a few pstack like the one before with some time in between, I would > >>>>>>like to see if it is progressing with the csns or looping on the same one > >>>>>Attached are a few stacktraces. 
> >>>>>The thread pegging the cpu is:
> >>>>>
> >>>>>PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> >>>>>2879 dirsrv 20 0 3819252 1.978g 11684 R 99.9 3.2 10148:26 ns-slapd
> >>>>>
> >>>>>>- check the consumer side. is there anything in the error log ? does the
> >>>>>>access log show replication activity from this server
> >>>>>Here's some errors showing up on the first master server rep1 (rep2 is the
> >>>>>server with pegged cpu):
> >>>>>
> >>>>>[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later.
> >>>>>[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later.
> >>>>>[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later.
> >>>>>
> >>>>>
> >>>>>Here's some snips from the access log of the rep2:
> >>>>>
> >>>>>
> >>>>>[14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >>>>>[14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 RESULT err=0 tag=120 nentries=0 etime=0
> >>>>>[14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> >>>>>[14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 RESULT err=0 tag=120 nentries=0 etime=0
> >>>>>[14/Jul/2015:08:22:33 -0400] conn=777787 op=9796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >>>>>..
> >>>>>[14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000
> >>>>>..
> >>>>>[14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 nentries=1 etime=0
> >>>>>[14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >>>>>[14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 RESULT err=0 tag=120 nentries=0 etime=0
> >>>>>[14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> >>>>>[14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 RESULT err=0 tag=120 nentries=0 etime=0
> >>>>>[14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >>>>>[14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 RESULT err=0 tag=120 nentries=0 etime=0
> >>>>>[14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> >>>>>[14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 RESULT err=0 tag=120 nentries=0 etime=0
> >>>>>[14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> >>>>>[14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 RESULT err=0 tag=120 nentries=0 etime=0
> >>>>>[14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> >>>>>[14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 RESULT err=0 tag=120 nentries=0 etime=0
> >>>>>
> >>>>>and here's some from the error log:
> >>>>>
> >>>>>[13/Jul/2015:22:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2294859, dn = changenumber=2294859,cn=changelog: Operations error.
> >>>>>[13/Jul/2015:22:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>[13/Jul/2015:23:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2296384,cn=changelog from entryrdn index (-30993)
> >>>>>[13/Jul/2015:23:56:50 -0400] - Operation error fetching changenumber=2296384,cn=changelog (null), error -30993.
> >>>>>[13/Jul/2015:23:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2296384, dn = changenumber=2296384,cn=changelog: Operations error.
> >>>>>[13/Jul/2015:23:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>[14/Jul/2015:06:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2304418,cn=changelog from entryrdn index (-30993)
> >>>>>[14/Jul/2015:06:56:50 -0400] - Operation error fetching changenumber=2304418,cn=changelog (null), error -30993.
> >>>>>[14/Jul/2015:06:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2304418, dn = changenumber=2304418,cn=changelog: Operations error.
> >>>>>[14/Jul/2015:06:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>
> >>>>>
> >>>>>>- eventually enable replication logging: nsslapd-errorlog-level: 8192
> >>>>>>>On a side note, we get hit with this bug often:
> >>>>>>>
> >>>>>>>https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html
> >>>>>>>
> >>>>>>>(rogue sssd_be processing hammering a replica).
> >>>>>>>
> >>>>>>>This causes high ns-slapd utilization on the replica and restarting sssd
> >>>>>>>on the client host immediately fixes the issue. However, in this
> >>>>>>>case, we're not seeing this behavior.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>>>
> >>>>>>>>>>On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
> >>>>>>>>>>>We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
> >>>>>>>>>>>389-ds 1.3.3.1-16.
> >>>>>>>>>>>
> >>>>>>>>>>>Recently, the ns-slapd process on one of our replicas started showing higher
> >>>>>>>>>>>than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
> >>>>>>>>>>>constantly.
> >>>>>>>>>>>
> >>>>>>>>>>>Seems very similar to this thread:
> >>>>>>>>>>>https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
> >>>>>>>>>>>
> >>>>>>>>>>>There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
> >>>>>>>>>>>sure if these are related):
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>>>>>>>[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
> >>>>>>>>>>>[13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
> >>>>>>>>>>>[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
> >>>>>>>>>>>[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>>>>>>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
> >>>>>>>>>>>[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
> >>>>>>>>>>>[13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
> >>>>>>>>>>>[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
> >>>>>>>>>>>[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>access logs seem to be showing normal activity.
> >>>>>>>>>>>Here's the number of open
> >>>>>>>>>>>connections:
> >>>>>>>>>>>
> >>>>>>>>>>># ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
> >>>>>>>>>>>62
> >>>>>>>>>>>
> >>>>>>>>>>>Note: the other two replicas have much higher open connections (>250) and low
> >>>>>>>>>>>cpu load avgs.
> >>>>>>>>>>>
> >>>>>>>>>>>Here's some output of logconv.pl from our most recent access log on the replica
> >>>>>>>>>>>with high cpu load:
> >>>>>>>>>>>
> >>>>>>>>>>>Start of Logs: 13/Jul/2015:04:49:18
> >>>>>>>>>>>End of Logs: 13/Jul/2015:10:06:11
> >>>>>>>>>>>
> >>>>>>>>>>>Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds
> >>>>>>>>>>>
> >>>>>>>>>>>Restarts: 0
> >>>>>>>>>>>Total Connections: 2343
> >>>>>>>>>>> - LDAP Connections: 2120
> >>>>>>>>>>> - LDAPI Connections: 223
> >>>>>>>>>>> - LDAPS Connections: 0
> >>>>>>>>>>> - StartTLS Extended Ops: 45
> >>>>>>>>>>> Secure Protocol Versions:
> >>>>>>>>>>> - TLS1.2 128-bit AES - 45
> >>>>>>>>>>>
> >>>>>>>>>>>Peak Concurrent Connections: 22
> >>>>>>>>>>>Total Operations: 111865
> >>>>>>>>>>>Total Results: 111034
> >>>>>>>>>>>Overall Performance: 99.3%
> >>>>>>>>>>>
> >>>>>>>>>>>Searches: 95585 (5.03/sec) (301.64/min)
> >>>>>>>>>>>Modifications: 3369 (0.18/sec) (10.63/min)
> >>>>>>>>>>>Adds: 0 (0.00/sec) (0.00/min)
> >>>>>>>>>>>Deletes: 0 (0.00/sec) (0.00/min)
> >>>>>>>>>>>Mod RDNs: 0 (0.00/sec) (0.00/min)
> >>>>>>>>>>>Compares: 0 (0.00/sec) (0.00/min)
> >>>>>>>>>>>Binds: 7082 (0.37/sec) (22.35/min)
> >>>>>>>>>>>
> >>>>>>>>>>>Proxied Auth Operations: 0
> >>>>>>>>>>>Persistent Searches: 0
> >>>>>>>>>>>Internal Operations: 0
> >>>>>>>>>>>Entry Operations: 0
> >>>>>>>>>>>Extended Operations: 5317
> >>>>>>>>>>>Abandoned Requests: 416
> >>>>>>>>>>>Smart Referrals Received: 0
> >>>>>>>>>>>
> >>>>>>>>>>>VLV Operations: 96
> >>>>>>>>>>>VLV Unindexed Searches: 0
> >>>>>>>>>>>VLV Unindexed Components: 32
> >>>>>>>>>>>SORT Operations: 64
> >>>>>>>>>>>
> >>>>>>>>>>>Entire Search Base Queries: 0
> >>>>>>>>>>>Paged Searches: 3882
> >>>>>>>>>>>Unindexed Searches: 0
> >>>>>>>>>>>Unindexed Components: 5
> >>>>>>>>>>>
> >>>>>>>>>>>FDs Taken: 2566
> >>>>>>>>>>>FDs Returned: 2643
> >>>>>>>>>>>Highest FD Taken: 249
> >>>>>>>>>>>
> >>>>>>>>>>>Broken Pipes: 0
> >>>>>>>>>>>Connections Reset By Peer: 0
> >>>>>>>>>>>Resource Unavailable: 0
> >>>>>>>>>>>Max BER Size Exceeded: 0
> >>>>>>>>>>>
> >>>>>>>>>>>Binds: 7082
> >>>>>>>>>>>Unbinds: 2443
> >>>>>>>>>>> - LDAP v2 Binds: 0
> >>>>>>>>>>> - LDAP v3 Binds: 6859
> >>>>>>>>>>> - AUTOBINDs: 223
> >>>>>>>>>>> - SSL Client Binds: 0
> >>>>>>>>>>> - Failed SSL Client Binds: 0
> >>>>>>>>>>> - SASL Binds: 6814
> >>>>>>>>>>> GSSAPI - 6591
> >>>>>>>>>>> EXTERNAL - 223
> >>>>>>>>>>> - Directory Manager Binds: 0
> >>>>>>>>>>> - Anonymous Binds: 6591
> >>>>>>>>>>> - Other Binds: 491
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>strace timing on the ns-slapd process:
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>% time     seconds  usecs/call     calls    errors syscall
> >>>>>>>>>>>------ ----------- ----------- --------- --------- ----------------
> >>>>>>>>>>> 94.40    0.346659        5977        58           poll
> >>>>>>>>>>>  4.10    0.015057       15057         1           restart_syscall
> >>>>>>>>>>>  0.91    0.003353          57        59        59 getpeername
> >>>>>>>>>>>  0.49    0.001796         150        12           futex
> >>>>>>>>>>>  0.10    0.000364          73         5           read
> >>>>>>>>>>>------ ----------- ----------- --------- --------- ----------------
> >>>>>>>>>>>100.00    0.367229                   135        59 total
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>top output (with threads 'H'):
> >>>>>>>>>>>
> >>>>>>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> >>>>>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
> >>>>>>>>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd
> >>>>>>>>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd
> >>>>>>>>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd
> >>>>>>>>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 116:33.12 ns-slapd
> >>>>>>>>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd
> >>>>>>>>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd
> >>>>>>>>>>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd
> >>>>>>>>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd
> >>>>>>>>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd
> >>>>>>>>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd
> >>>>>>>>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd
> >>>>>>>>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd
> >>>>>>>>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd
> >>>>>>>>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd
> >>>>>>>>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd
> >>>>>>>>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd
> >>>>>>>>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd
> >>>>>>>>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd
> >>>>>>>>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd
> >>>>>>>>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd
> >>>>>>>>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any
> >>>>>>>>>>>pointers on where else to look?
> >>>>>>>>>>>
> >>>>>>>>>>>Thanks in advance.
> >>>>>>>>>>>
> >>>>>>>>>>>--Andrew
> >>>>>>>>>>>
> >>>>>>>>>>--
> >>>>>>>>>>Manage your subscription for the Freeipa-users mailing list:
> >>>>>>>>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>>>>>Go to http://freeipa.org for more info on the project
> >>>>>>>>>>
> >>>>>>>>>>
> >>
> >

From nsanchez at butterflynetinc.com Wed Jul 15 13:07:19 2015
From: nsanchez at butterflynetinc.com (Nevada Sanchez)
Date: Wed, 15 Jul 2015 09:07:19 -0400
Subject: [Freeipa-users] Reverse DNS and Forwarding
In-Reply-To: <55A60F29.6040407@redhat.com>
References: <55A60F29.6040407@redhat.com>
Message-ID:

On Wednesday, July 15, 2015, Martin Basti wrote:

> On 14/07/15 19:12, Nevada Sanchez wrote:
>
> I have FreeIPA setup as our primary DNS on an AWS VPC. I setup global
> forwarding ('Forward First') so that it will forward queries to Amazon's
> DNS, and then fall back on IPA if it doesn't see a hit.
>
> This works perfectly fine for forward DNS lookups:
>
> $ # This host does not exist on FreeIPA, but does on Amazon DNS
> $ host ip-10-0-6-17.ec2.internal
> ip-10-0-6-17.ec2.internal has address 10.0.6.17
>
> However, for reverse lookups, it doesn't seem to get forwarded
>
> $ # Same host, reverse lookup fails at FreeIPA
> $ host 10.0.6.17
> Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> $ # Explicitly forwarding to Amazon DNS, reverse lookup works
> $ host 10.0.6.17 10.0.0.2
> Using domain server:
> Name: 10.0.0.2
> Address: 10.0.0.2#53
> Aliases:
> 17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.
>
> Please help. Thanks!
>
> --
> *Nevada Sanchez*
> Co-Founder, ASIC Design Team Lead
>
> tel: 203.689.5650 x314 | mobile: 775.863.8726
> Come join us and put a dent
> in the universe!
>
>
> Hello, do you have any reverse zones configured on IPA DNS? (with suffix
> 10.in-addr.arpa)?
>
> --
> Martin Basti
>
>
Yes.

--
*Nevada Sanchez*
Co-Founder, ASIC Design Team Lead
tel: 203.689.5650 x314 | mobile: 775.863.8726
Come join us and put a dent in the universe!
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From orion at cora.nwra.com Wed Jul 15 18:57:34 2015
From: orion at cora.nwra.com (Orion Poplawski)
Date: Wed, 15 Jul 2015 12:57:34 -0600
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <55A5F55A.6090203@redhat.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com>
 <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com>
 <559D5E6F.5010902@cora.nwra.com> <55A02C07.3090906@cora.nwra.com>
 <55A5F55A.6090203@redhat.com>
Message-ID: <55A6AD1E.2070604@cora.nwra.com>

On 07/14/2015 11:53 PM, Jan Cholasta wrote:
> Hi,
>
> On 10.7.2015 at 22:33, Orion Poplawski wrote:
>> On 07/08/2015 11:31 AM, Orion Poplawski wrote:
>>> But then when I go to make a replica:
>>>
>>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>> Directory Manager (existing master) password:
>>>
>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>
>>> Which looks like others are experiencing (with no resolution that I could
>>> see) https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html
>
> Unfortunately this error code can mean almost anything, NSS isn't particularly
> helpful with errors.
>
>>>
>>> Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.
>>>
>>
>> Filed https://fedorahosted.org/freeipa/ticket/5117
>>
>
> Without ipa-replica-prepare log or pk12util output it's really hard to tell
> what's going on.
> Could you provide the output of the following commands:
>
> # pk12util -l nwra.com.p12

>
> # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX

Directory Manager (existing master) password:

(SEC_ERROR_LIBRARY_FAILURE) security library failure.

Not much :( Seems to be very early. I can't find an ipa-replica-prepare.log
file.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com

From ghilteras at gmail.com Wed Jul 15 20:09:42 2015
From: ghilteras at gmail.com (Angelo Pantano)
Date: Wed, 15 Jul 2015 13:09:42 -0700
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
In-Reply-To: <20150714064600.GF21928@redhat.com>
References: <20150714055229.GE21928@redhat.com> <20150714064600.GF21928@redhat.com>
Message-ID:

SSSD is able to evaluate group membership, but if for instance I create a
view for my user and I add a ssh public key I can only use it to login
passwordless in the IPA server, not on an IPA client. The password still
works, but I see nothing in the sssd logs that explains why the pubkey was
rejected on the IPA client. Could be that the client is not really aware
that there is a view override? I thought that the external mapping would
facilitate this..

On Mon, Jul 13, 2015 at 11:46 PM, Alexander Bokovoy wrote:

> On Mon, 13 Jul 2015, Angelo Pantano wrote:
>
>> I have the same entry there, my question is that I don't understand why it
>> doesn't give me any visibility of the AD users mapped in that group, I
>> mean I just see that entry, but what's that supposed to do? It doesn't
>> really change anything with or without, I am missing the supposed value of
>> having the AD users mapped in a FreeIPA posix group.
>>
>> I was expecting to see the AD users in that group, but I got nothing.. I'm
>> a bit confused
>>
> Read the documentation.
>
> Once you added AD user or group as external member of an external IPA
> group and then added this group as a member of IPA POSIX group, the user
> belonging to AD group would appear as a member of IPA POSIX group:
>
> # id administrator at adx.test
> uid=1878600500(administrator at adx.test)
> gid=1878600500(administrator at adx.test)
> groups=1878600500(administrator at adx.test),1878600520(group policy
> creator owners at adx.test),1878600519(enterprise
> admins at adx.test),1878600512(domain admins at adx.test),1878600518(schema
> admins at adx.test),1878600513(domain users at adx.test),1634400007(ad_admins)
>
> You wouldn't see this in the web UI because web UI is showing what is in
> the LDAP, not what is visible in the system when SSSD evaluates the
> group membership.
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jhrozek at redhat.com Wed Jul 15 21:16:13 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 15 Jul 2015 23:16:13 +0200
Subject: [Freeipa-users] AD users not visible in FreeIPA mapped group
In-Reply-To:
References: <20150714055229.GE21928@redhat.com> <20150714064600.GF21928@redhat.com>
Message-ID: <20150715211613.GG3407@hendrix>

On Wed, Jul 15, 2015 at 01:09:42PM -0700, Angelo Pantano wrote:
> SSSD is able to evaluate group membership, but if for instance I create a
> view for my user and I add a ssh public key I can only use it to login
> passwordless in the IPA server, not on an IPA client. The password still
> works, but I see nothing in the sssd logs that explains why the pubkey was
> rejected on the IPA client. Could be that the client is not really aware
> that there is a view override? I thought that the external mapping would
> facilitate this..

The views usage is new to me in this thread. Please note there were a number of bugs in the views functionality in 7.1 that were not fixed in a 7.1.z stream so far.

If you have a test setup, then it would be best to try and reproduce the bug with the latest 1.12 packages from a COPR repo we have. Would that be possible?

From lslebodn at redhat.com Thu Jul 16 07:29:21 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 16 Jul 2015 09:29:21 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com>
Message-ID: <20150716072920.GA7439@mail.corp.redhat.com>

On (10/07/15 17:28), Alexandre Ellert wrote:
>
>> On 30 June 2015, at 10:16, Alexandre Ellert wrote:
>>
>>> Could you please provide the content of logfile:
>>> `/var/log/pki/pki-tomcat/ca/debug', around the time the error
>>> occurs?
>>>
>>> Thanks,
>>> Fraser
>>
>> When the pki-tomcatd service is trying to start, I see this message in /var/log/pki/pki-tomcat/ca/debug
>>
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: ============================================
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: ============================================
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
>> Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
>>     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
>>     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
>>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
>>     at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
>>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
>>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:606)
>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>>     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>>     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>     at java.lang.Thread.run(Thread.java:745)
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine.shutdown()
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
>>
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
>>
>> [30/Jun/2015:10:02:15][ajp-bio-127.0.0.1-8009-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
>>
>> I checked that ns-slapd was running on port 636
>> # netstat -antp|grep 636
>> tcp6 0 0 :::636 :::* LISTEN 22855/ns-slapd
>>
>> After a quick search, I found this bug https://fedorahosted.org/freeipa/ticket/4666 is quite similar.
>> Many workarounds are suggested there but I'm confused about which could be efficient for me.
>>
>Up plz.
>

I had a similar issue on fedora 21 or fedora 22.
The workarounds from freeipa ticket #4666 did not help for me either.
I found out that there was some problem with upgrading dogtag configuration.

You can try to run upgrade manually. It might help you.
[root@vm-114 ~]# rpm -q --scripts pki-server
postinstall scriptlet (using /bin/sh):
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process

echo "Upgrading server at `/bin/date`." >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
/sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
echo >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1

systemctl daemon-reload

In my case, it didn't help. So I updated freeipa to the latest version. Then I installed a similar new freeipa on another machine. So I had functional dogtag. Then I tried to fix broken dogtag configuration using functional configuration from 2nd freeipa. I would definitely recommend to back up data from old freeipa before any manual updates.

Maybe Fraser would have better advice.

LS

From ellertalexandre at gmail.com Thu Jul 16 07:56:16 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Thu, 16 Jul 2015 09:56:16 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150716072920.GA7439@mail.corp.redhat.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <20150716072920.GA7439@mail.corp.redhat.com>
Message-ID: <2846732F-410C-45CE-91AA-35D1295AC849@gmail.com>

> On 16 Jul 2015, at 09:29, Lukas Slebodnik wrote:
>
> I had a similar issue on fedora 21 or fedora 22.
> The workarounds from freeipa ticket #4666 did not help for me either.
> I found out that there was some problem with upgrading dogtag configuration.
>
> You can try to run upgrade manually. It might help you.
> [root@vm-114 ~]# rpm -q --scripts pki-server
> postinstall scriptlet (using /bin/sh):
> ## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
> ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
> ## PKI deployment process
>
> echo "Upgrading server at `/bin/date`." >>
> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
> /sbin/pki-server-upgrade --silent >>
> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
> echo >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>
> systemctl daemon-reload
>
>
> In my case, it didn't help. So I updated freeipa to the latest version.
> Then I installed a similar new freeipa on another machine. So I had functional
> dogtag. Then I tried to fix broken dogtag configuration using functional
> configuration from 2nd freeipa. I would definitely recommend to back up data
> from old freeipa before any manual updates.
>
> Maybe Fraser would have better advice.
>
> LS

I tried the suggested solution with pki-server-upgrade script but it didn't fix it; the output was:

# cat /var/log/pki/pki-server-upgrade-10.1.2.log
Upgrading from version 10.1.2 to 10.1.2:
1. Add TLS Range Support
Upgrade complete.

I will try the second solution and install a fresh new IPA server to compare dogtag configuration. Do you know what files/directory I should check?

Thanks for your help

From lkrispen at redhat.com Thu Jul 16 08:32:59 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 16 Jul 2015 10:32:59 +0200
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <20150715170532.GB24682@dead.ccr.buffalo.edu>
References: <20150713150532.GD15499@dead.ccr.buffalo.edu> <55A3D949.5030303@redhat.com> <20150713163620.GF15499@dead.ccr.buffalo.edu> <55A4F585.3040207@redhat.com> <20150714123507.GB8394@dead.ccr.buffalo.edu> <55A5221A.6050607@redhat.com> <20150714185942.GD8394@dead.ccr.buffalo.edu> <55A65EAB.6020207@redhat.com> <20150715141005.GA24682@dead.ccr.buffalo.edu> <55A6750F.5000906@redhat.com> <20150715170532.GB24682@dead.ccr.buffalo.edu>
Message-ID: <55A76C3B.4010305@redhat.com>

Thank you for the data, I think I understand now what is going on.
In the error logs we see only messages like (from my test env):

[16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): replay_update: modifys operation (dn="dc=example,dc=com" csn=55a82a29000100640000) not sent - empty
[16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): replay_update: Consumer successfully sent operation with csn 55a82a29000100640000
[16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): Skipping update operation with no message_id (uniqueid 7507cb26-e8ac11e2-b2898005-8430f734, CSN 55a82a29000100640000):

This happens if fractional replication is configured as IPA does and the changes affect only attributes which will NOT be replicated. So the local RUV will be updated, but since no change is really sent, the consumer RUV is not updated and replication will always set off from a very old starting csn. It is a rare scenario where a server receives only mods which are not replicated.

I have opened a ticket for this: https://fedorahosted.org/389/ticket/48225

As a workaround can you try to apply a mod on m14-26 which will not be stripped, either create a dummy user or add a description attribute to an existing object. Replication will once again iterate thru all the changes (which can take a while), but then should replay this latest change and define a new offset

Regards,
Ludwig

On 07/15/2015 07:05 PM, Andrew E. Bruno wrote:
> On Wed, Jul 15, 2015 at 04:58:23PM +0200, Ludwig Krispenz wrote:
>> On 07/15/2015 04:10 PM, Andrew E. Bruno wrote:
>>> On Wed, Jul 15, 2015 at 03:22:51PM +0200, Ludwig Krispenz wrote:
>>>> On 07/14/2015 08:59 PM, Andrew E. Bruno wrote:
>>>>> On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
>>>>>> hm, the stack traces show csn_str, which correspond to Jul,8th, Jul,4th, and
>>>>>> Jul,7th - so it looks like it is iterating the changelog over and over
>>>>>> again.
>>>>>> The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the master
>>>>>> ?
>>>>>>
>>>>>> can you provide the result of the following search from
>>>>>> m14-24.ccr.buffalo.edu and the server with the high cpu:
>>>>>>
>>>>>> ldapsearch -o ldif-wrap=no -x -D ... -w -b "cn=config"
>>>>>> "objectclass=nsds5replica" nsds50ruv
>>>>> master is srv-m14-24.. here's the results of the ldapsearch:
>>>>>
>>>>> [srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv
>>>>>
>>>>> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
>>>>> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
>>>>> nsds50ruv: {replicageneration} 5527f711000000040000
>>>>> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed001000040000
>>>>> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
>>>>> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
>>>> so this is really strange, the master m14-24 has the latest change from
>>>> replica 5(m14-26) as: 5591a3d2000700050000
>>>> which corresponds to Mon, 29 Jun 2015 20:00:18 GMT
>>>> so no update from 14-24 since that did arrive, or could not update the ruv.
>>>> So m14-26 tries to replicate all the changes back from that time, but looks
>>>> like it has no success.
>>>> is there anything in the logs of m14-24 ? can you see successful mods with
>>>> csn=xxxxxxx00050000 ?
>>> Here's what I could find from the logs on srv-m14-24:
>>>
>>> [srv-m14-24 ~]# grep -r 00050000 /var/log/dirsrv/slapd-[domain]/*
>>> access.20150714-014346:[14/Jul/2015:03:10:05 -0400] conn=748529 op=14732 RESULT err=0 tag=103 nentries=0 etime=1 csn=55a4b5f0005000040000
>> ok, so no update originating at replica 5 has been replicated (probably
>> since June,29) did you experience data inconsistency between the servers ?
>>>
>>> And here's the last few lines the error log on srv-m14-24:
>> one set of messages refers to the o=ipaca backend and seem to be transient,
>> replication continues later.
>> the other set of msg "No original tombstone .." is annoying (and it is fixed
>> in ticket https://fedorahosted.org/389/ticket/47912)
>>
>> the next thing we can do to try to understand what is going on is to enable
>> replication logging on m14-26, it will then not only consume all cpu, but
>> write tons of messages to the error log.
>> But it can be turned on and off:
>>
>> ldapmodify ...
>> dn: cn=config
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 8192
>>
>> and let it run for a while, then set it back to: 0
> I enabled replication logging and it's running now. I noticed the
> default value for nsslapd-errorlog-level was set to 16384 (not 0).
>
> OK to send you the logs off list? Looks like they contain quite a bit of
> sensitive data.
>
> Thanks again for all the help looking into this.
>
> Best,
>
> --Andrew
>
>>> [12/Jul/2015:10:11:14 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2456070,cn=changelog!!
>>> [12/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2498441,cn=changelog!!
>>> [13/Jul/2015:07:41:49 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3a406000000600000): Operations error (1). Will retry later.
>>> [13/Jul/2015:11:56:50 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3dfca000000600000): Operations error (1). Will retry later.
>>> [13/Jul/2015:14:26:50 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a402f2000000600000): Operations error (1). Will retry later.
>>> [13/Jul/2015:15:26:49 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a41102000000600000): Operations error (1). Will retry later.
>>> [13/Jul/2015:18:26:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a43b32000000600000): Operations error (1). Will retry later.
>>> [13/Jul/2015:18:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4423a000000600000): Operations error (1). Will retry later.
>>> [13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later.
>>> [13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later.
>>> [14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later.
>>> [14/Jul/2015:09:56:52 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat" (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a5152a000000600000): Operations error (1). Will retry later.
>>> [14/Jul/2015:10:11:21 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2552223,cn=changelog!!
>>> [14/Jul/2015:10:11:21 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2552224,cn=changelog!!
>>> [14/Jul/2015:10:11:25 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2557315,cn=changelog!!
>>> [14/Jul/2015:10:11:25 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2557318,cn=changelog!!
>>> [14/Jul/2015:10:11:28 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2561020,cn=changelog!!
>>> [14/Jul/2015:10:11:28 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2561043,cn=changelog!!
>>> [14/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2586022,cn=changelog!!
>>> [14/Jul/2015:10:11:59 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2598989,cn=changelog!!
>>> [14/Jul/2015:10:11:59 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2598990,cn=changelog!!
>>> [14/Jul/2015:10:12:01 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2600966,cn=changelog!!
>>> [14/Jul/2015:10:12:03 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2604037,cn=changelog!!
>>> [14/Jul/2015:10:12:04 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2604054,cn=changelog!!
>>> [14/Jul/2015:10:12:24 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2629803,cn=changelog!!
>>> [14/Jul/2015:10:12:24 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2629804,cn=changelog!!
>>>
>>>>> # replica, o\3Dipaca, mapping tree, config
>>>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>>>> nsds50ruv: {replicageneration} 5527f74b000000600000
>>>>> nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000
>>>>> nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000
>>>>> nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000
>>>>>
>>>>>
>>>>> server with high cpu load is srv-m14-26. here's the results of the ldapsearch
>>>>> from this server:
>>>>> [srv-m14-26 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replica" nsds50ruv
>>>>>
>>>>> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
>>>>> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
>>>>> nsds50ruv: {replicageneration} 5527f711000000040000
>>>>> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000
>>>>> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eb0000a00040000
>>>>> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
>>>>>
>>>>> # replica, o\3Dipaca, mapping tree, config
>>>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>>>> nsds50ruv: {replicageneration} 5527f74b000000600000
>>>>> nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba0000005b0000 5582c7e40004005b0000
>>>>> nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f754000000600000 55a557f6000000600000
>>>>> nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e000000560000 55943e6f000100560000
>>>>>
>>>>>
>>>>> srv-m14-25-02 is our 3rd replica which we recently added back in after it
>>>>> failed (was added back in 7/1).
>>>>>
>>>>> Let me know if you need anything else. Thanks for the help.
>>>>>
>>>>> --Andrew
>>>>>
>>>>>> On 07/14/2015 02:35 PM, Andrew E. Bruno wrote:
>>>>>>> On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote:
>>>>>>>> On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:
>>>>>>>>> On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
>>>>>>>>>> On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
>>>>>>>>>>> On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
>>>>>>>>>>>> can you get a pstack of the slapd process along with a top -H to find the
>>>>>>>>>>>> thread with high cpu usage
>>>>>>>>>>> Attached is the full stacktrace of the running ns-slapd process. top -H
>>>>>>>>>>> shows this thread (2879) with high cpu usage:
>>>>>>>>>>>
>>>>>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
>>>>>>>>>> this thread is a replication thread sending updates, what is strange is that
>>>>>>>>>> the current csn_str is quite old (july, 7th), I can't tell which agreement
>>>>>>>>>> this thread is handling, but looks like it is heavily reading the changelog
>>>>>>>>>> and sending updates. anything changed recently in replication setup ?
>>>>>>>>> Yes, we had one replica fail on (6/19) which we removed (not this one
>>>>>>>>> showing high CPU load). Had to perform some manual cleanup of the ipa-ca
>>>>>>>>> RUVs. Then we added the replica back in on 7/1. Since then, replication
>>>>>>>>> appears to have been running normally between the 3 replicas. We've been
>>>>>>>>> monitoring utilization since 7/1 and only recently seen this spike (past
>>>>>>>>> 24 hours or so).
>>>>>>>> is it still in this state ? or was it a spike.
>>>>>>> Yes same state.
>>>>>>>
>>>>>>>> if it still is high cpu consuming, could you
>>>>>>>> - get a few pstack like the one before with some time in between, I would
>>>>>>>> like to see if it is progressing with the csns or looping on the same one
>>>>>>> Attached are a few stacktraces. The thread pegging the cpu is:
>>>>>>>
>>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>>>>>>> 2879 dirsrv 20 0 3819252 1.978g 11684 R 99.9 3.2 10148:26 ns-slapd
>>>>>>>
>>>>>>>> - check the consumer side. is there anything in the error log ? does the
>>>>>>>> access log show replication activity from this server
>>>>>>> Here's some errors showing up on the first master server rep1 (rep2 is the
>>>>>>> server with pegged cpu):
>>>>>>>
>>>>>>> [13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later.
>>>>>>> [13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later.
>>>>>>> [14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later.
>>>>>>>
>>>>>>>
>>>>>>> Here's some snips from the access log of the rep2:
>>>>>>>
>>>>>>>
>>>>>>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
>>>>>>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9794 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>> [14/Jul/2015:08:22:31 -0400] conn=777787 op=9795 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [14/Jul/2015:08:22:33 -0400] conn=777787 op=9796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
>>>>>>> ..
>>>>>>> [14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 etime=0 csn=55a4ff6c000000050000
>>>>>>> ..
>>>>>>> [14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
>>>>>>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9810 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>> [14/Jul/2015:08:24:03 -0400] conn=777787 op=9811 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
>>>>>>> [14/Jul/2015:08:24:05 -0400] conn=777787 op=9812 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>> [14/Jul/2015:08:24:08 -0400] conn=777787 op=9813 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
>>>>>>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9814 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>> [14/Jul/2015:08:24:10 -0400] conn=777787 op=9815 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>
>>>>>>> and here's some from the error log:
>>>>>>>
>>>>>>> [13/Jul/2015:22:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2294859, dn = changenumber=2294859,cn=changelog: Operations error.
>>>>>>> [13/Jul/2015:22:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>> [13/Jul/2015:23:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2296384,cn=changelog from entryrdn index (-30993)
>>>>>>> [13/Jul/2015:23:56:50 -0400] - Operation error fetching changenumber=2296384,cn=changelog (null), error -30993.
>>>>>>> [13/Jul/2015:23:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2296384, dn = changenumber=2296384,cn=changelog: Operations error.
>>>>>>> [13/Jul/2015:23:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>> [14/Jul/2015:06:56:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2304418,cn=changelog from entryrdn index (-30993)
>>>>>>> [14/Jul/2015:06:56:50 -0400] - Operation error fetching changenumber=2304418,cn=changelog (null), error -30993.
>>>>>>> [14/Jul/2015:06:56:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2304418, dn = changenumber=2304418,cn=changelog: Operations error.
>>>>>>> [14/Jul/2015:06:56:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>>
>>>>>>>
>>>>>>>> - eventually enable replication logging: nsslapd-errorlog-level: 8192
>>>>>>>>> On a side note, we get hit with this bug often:
>>>>>>>>>
>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html
>>>>>>>>>
>>>>>>>>> (rogue sssd_be processing hammering a replica).
>>>>>>>>>
>>>>>>>>> This causes high ns-slapd utilization on the replica and restarting sssd
>>>>>>>>> on the client host immediately fixes the issue. However, in this
>>>>>>>>> case, we're not seeing this behavior.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>>> On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
>>>>>>>>>>>>> We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
>>>>>>>>>>>>> 389-ds 1.3.3.1-16.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Recently, the ns-slapd process on one of our replicas started showing higher
>>>>>>>>>>>>> than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
>>>>>>>>>>>>> constantly.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Seems very similar to this thread:
>>>>>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
>>>>>>>>>>>>> sure if these are related):
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> [13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>>>>>>>> [13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for changenumber=2277387,cn=changelog from entryrdn index (-30993)
>>>>>>>>>>>>> [13/Jul/2015:04:11:50 -0400] - Operation error fetching changenumber=2277387,cn=changelog (null), error -30993.
>>>>>>>>>>>>> [13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2277387, dn = changenumber=2277387,cn=changelog: Operations error.
>>>>>>>>>>>>> [13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
>>>>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for changenumber=2281464,cn=changelog from entryrdn index (-30993)
>>>>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] - Operation error fetching changenumber=2281464,cn=changelog (null), error -30993.
>>>>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while adding change number 2281464, dn = changenumber=2281464,cn=changelog: Operations error.
>>>>>>>>>>>>> [13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> access logs seem to be showing normal activity. Here's the number of open
>>>>>>>>>>>>> connections:
>>>>>>>>>>>>>
>>>>>>>>>>>>> # ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
>>>>>>>>>>>>> 62
>>>>>>>>>>>>>
>>>>>>>>>>>>> Note: the other two replicas have much higher open connections (>250) and low
>>>>>>>>>>>>> cpu load avgs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here's some output of logconv.pl from our most recent access log on the replica
>>>>>>>>>>>>> with high cpu load:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Start of Logs: 13/Jul/2015:04:49:18
>>>>>>>>>>>>> End of Logs: 13/Jul/2015:10:06:11
>>>>>>>>>>>>>
>>>>>>>>>>>>> Processed Log Time: 5 Hours, 16 Minutes, 53 Seconds
>>>>>>>>>>>>>
>>>>>>>>>>>>> Restarts: 0
>>>>>>>>>>>>> Total Connections: 2343
>>>>>>>>>>>>> - LDAP Connections: 2120
>>>>>>>>>>>>> - LDAPI Connections: 223
>>>>>>>>>>>>> - LDAPS Connections: 0
>>>>>>>>>>>>> - StartTLS Extended Ops: 45
>>>>>>>>>>>>> Secure Protocol Versions:
>>>>>>>>>>>>> - TLS1.2 128-bit AES - 45
>>>>>>>>>>>>>
>>>>>>>>>>>>> Peak Concurrent Connections: 22
>>>>>>>>>>>>> Total Operations: 111865
>>>>>>>>>>>>> Total Results: 111034
>>>>>>>>>>>>> Overall Performance: 99.3%
>>>>>>>>>>>>>
>>>>>>>>>>>>> Searches: 95585 (5.03/sec) (301.64/min)
>>>>>>>>>>>>> Modifications: 3369 (0.18/sec) (10.63/min)
>>>>>>>>>>>>> Adds: 0 (0.00/sec) (0.00/min)
>>>>>>>>>>>>> Deletes: 0 (0.00/sec) (0.00/min)
>>>>>>>>>>>>> Mod RDNs: 0 (0.00/sec) (0.00/min)
>>>>>>>>>>>>> Compares: 0 (0.00/sec) (0.00/min)
>>>>>>>>>>>>> Binds: 7082 (0.37/sec) (22.35/min)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Proxied Auth Operations: 0
>>>>>>>>>>>>> Persistent Searches: 0
>>>>>>>>>>>>> Internal Operations: 0
>>>>>>>>>>>>> Entry Operations: 0
>>>>>>>>>>>>> Extended Operations: 5317
>>>>>>>>>>>>> Abandoned Requests: 416
>>>>>>>>>>>>> Smart Referrals Received: 0
>>>>>>>>>>>>>
>>>>>>>>>>>>> VLV Operations: 96
>>>>>>>>>>>>> VLV Unindexed Searches: 0
>>>>>>>>>>>>> VLV Unindexed Components: 32
>>>>>>>>>>>>> SORT Operations: 64
>>>>>>>>>>>>>
>>>>>>>>>>>>> Entire Search Base Queries: 
0 >>>>>>>>>>>>> Paged Searches: 3882 >>>>>>>>>>>>> Unindexed Searches: 0 >>>>>>>>>>>>> Unindexed Components: 5 >>>>>>>>>>>>> >>>>>>>>>>>>> FDs Taken: 2566 >>>>>>>>>>>>> FDs Returned: 2643 >>>>>>>>>>>>> Highest FD Taken: 249 >>>>>>>>>>>>> >>>>>>>>>>>>> Broken Pipes: 0 >>>>>>>>>>>>> Connections Reset By Peer: 0 >>>>>>>>>>>>> Resource Unavailable: 0 >>>>>>>>>>>>> Max BER Size Exceeded: 0 >>>>>>>>>>>>> >>>>>>>>>>>>> Binds: 7082 >>>>>>>>>>>>> Unbinds: 2443 >>>>>>>>>>>>> - LDAP v2 Binds: 0 >>>>>>>>>>>>> - LDAP v3 Binds: 6859 >>>>>>>>>>>>> - AUTOBINDs: 223 >>>>>>>>>>>>> - SSL Client Binds: 0 >>>>>>>>>>>>> - Failed SSL Client Binds: 0 >>>>>>>>>>>>> - SASL Binds: 6814 >>>>>>>>>>>>> GSSAPI - 6591 >>>>>>>>>>>>> EXTERNAL - 223 >>>>>>>>>>>>> - Directory Manager Binds: 0 >>>>>>>>>>>>> - Anonymous Binds: 6591 >>>>>>>>>>>>> - Other Binds: 491 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> strace timing on the ns-slapd process: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> % time seconds usecs/call calls errors syscall >>>>>>>>>>>>> ------ ----------- ----------- --------- --------- ---------------- >>>>>>>>>>>>> 94.40 0.346659 5977 58 poll >>>>>>>>>>>>> 4.10 0.015057 15057 1 restart_syscall >>>>>>>>>>>>> 0.91 0.003353 57 59 59 getpeername >>>>>>>>>>>>> 0.49 0.001796 150 12 futex >>>>>>>>>>>>> 0.10 0.000364 73 5 read >>>>>>>>>>>>> ------ ----------- ----------- --------- --------- ---------------- >>>>>>>>>>>>> 100.00 0.367229 135 59 total >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> top output (with threads 'H'): >>>>>>>>>>>>> >>>>>>>>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>>>>>>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd >>>>>>>>>>>>> 2895 dirsrv 20 0 3819252 1.962g 11680 R 34.1 3.1 115:10.62 ns-slapd >>>>>>>>>>>>> 2889 dirsrv 20 0 3819252 1.962g 11680 R 2.4 3.1 115:34.42 ns-slapd >>>>>>>>>>>>> 2917 dirsrv 20 0 3819252 1.962g 11680 S 2.4 3.1 115:26.87 ns-slapd >>>>>>>>>>>>> 2898 dirsrv 20 0 3819252 1.962g 11680 S 
2.1 3.1 116:33.12 ns-slapd >>>>>>>>>>>>> 2904 dirsrv 20 0 3819252 1.962g 11680 S 2.1 3.1 115:08.56 ns-slapd >>>>>>>>>>>>> 2892 dirsrv 20 0 3819252 1.962g 11680 S 1.8 3.1 115:33.04 ns-slapd >>>>>>>>>>>>> 2897 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 114:54.28 ns-slapd >>>>>>>>>>>>> 2914 dirsrv 20 0 3819252 1.962g 11680 R 1.8 3.1 116:03.35 ns-slapd >>>>>>>>>>>>> 2907 dirsrv 20 0 3819252 1.962g 11680 S 1.5 3.1 115:42.25 ns-slapd >>>>>>>>>>>>> 2910 dirsrv 20 0 3819252 1.962g 11680 R 1.5 3.1 116:01.99 ns-slapd >>>>>>>>>>>>> 2870 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 611:30.22 ns-slapd >>>>>>>>>>>>> 2890 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:18.25 ns-slapd >>>>>>>>>>>>> 2891 dirsrv 20 0 3819252 1.962g 11680 S 1.2 3.1 115:22.24 ns-slapd >>>>>>>>>>>>> 2899 dirsrv 20 0 3819252 1.962g 11680 R 1.2 3.1 116:11.85 ns-slapd >>>>>>>>>>>>> 2888 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 114:51.19 ns-slapd >>>>>>>>>>>>> 2896 dirsrv 20 0 3819252 1.962g 11680 R 0.9 3.1 115:46.84 ns-slapd >>>>>>>>>>>>> 2915 dirsrv 20 0 3819252 1.962g 11680 S 0.9 3.1 115:49.34 ns-slapd >>>>>>>>>>>>> 2887 dirsrv 20 0 3819252 1.962g 11680 R 0.6 3.1 115:49.85 ns-slapd >>>>>>>>>>>>> 2894 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 115:58.02 ns-slapd >>>>>>>>>>>>> 2911 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 116:22.84 ns-slapd >>>>>>>>>>>>> 2913 dirsrv 20 0 3819252 1.962g 11680 S 0.6 3.1 114:43.56 ns-slapd >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> ns-slapd stays pegged >99%. Trying to figure out what ns-slapd is doing? Any >>>>>>>>>>>>> pointers on where else to look? >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks in advance. >>>>>>>>>>>>> >>>>>>>>>>>>> --Andrew >>>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>>>>>>> >>>>>>>>>>>> >> From lslebodn at redhat.com Thu Jul 16 08:58:14 2015 
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 16 Jul 2015 10:58:14 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <2846732F-410C-45CE-91AA-35D1295AC849@gmail.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com>
 <20150630075524.GN6584@dhcp-40-8.bne.redhat.com>
 <20150716072920.GA7439@mail.corp.redhat.com>
 <2846732F-410C-45CE-91AA-35D1295AC849@gmail.com>
Message-ID: <20150716085814.GD7439@mail.corp.redhat.com>

On (16/07/15 09:56), Alexandre Ellert wrote:
>
>> On 16 Jul 2015, at 09:29, Lukas Slebodnik wrote:
>>
>> I had a similar issue on fedora 21 or fedora 22.
>> The workarounds from freeipa ticket #4666 did not help for me either.
>> I found out that there was some problem with upgrading dogtag configuration.
>>
>> You can try to run upgrade manually. It might help you.
>> [root at vm-114 ~]# rpm -q --scripts pki-server
>> postinstall scriptlet (using /bin/sh):
>> ## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
>> ##       from EITHER 'sysVinit' OR previous 'systemd' processes to the new
>> ##       PKI deployment process
>>
>> echo "Upgrading server at `/bin/date`." >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>> /sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>> echo >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>>
>> systemctl daemon-reload
>>
>>
>> In my case, it didn't help. So I updated freeipa to the latest version.
>> then I install similar new freeipa on another machine. So I had functional
>> dogtag. Then I tried to fix broken dogtag configuration using functional
>> configuration from 2nd freeipa. I would definitely recommend to backup data
>> from old freeipa before any manual updates.
>>
>> Maybe Fraser would have a better advice.
>>
>> LS
>
>I tried the suggested solution with pki-server-upgrade script but it didn't fix, the output was :
># cat /var/log/pki/pki-server-upgrade-10.1.2.log
>Upgrading from version 10.1.2 to 10.1.2:
>1. Add TLS Range Support
>
>Upgrade complete.
>
>I will try the second solution and install a fresh new IPA server to compare dogtag configuration.
>Do you know what files/directory I should check ?
>
I filtered my bash history and here is an output.
I hope the history contains all files.
Please do not forget to backup all data.

[root at vm-114 ~]# history | grep vimdiff
  272  vimdiff pki/pki-tomcat/pki.policy /etc/pki/pki-tomcat/pki.policy
  275  vimdiff pki/pki-tomcat/context.xml /etc/pki/pki-tomcat/context.xml
  277  vimdiff pki/pki-tomcat/tomcat-users.xml pki/pki-tomcat/tomcat-users.xml
  278  vimdiff pki/pki-tomcat/tomcat-users.xml /etc/pki/pki-tomcat/tomcat-users.xml
  280  vimdiff pki/pki-tomcat/log4j.properties /etc/pki/pki-tomcat/log4j.properties
  288  vimdiff pki/pki-tomcat/password.conf /etc/pki/pki-tomcat/password.conf
  290  vimdiff pki/pki-tomcat/password.conf /etc/pki/pki-tomcat/password.conf
  293  vimdiff pki/pki-tomcat/tomcat.conf /etc/pki/pki-tomcat/tomcat.conf
  299  vimdiff pki/pki-tomcat/server.xml /etc/pki/pki-tomcat/server.xml
  302  vimdiff pki/pki-tomcat/Catalina/localhost/ca.xml /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
  304  vimdiff pki/pki-tomcat/ca/vlvtasks.ldif /etc/pki/pki-tomcat/ca/vlvtasks.ldif
  306  vimdiff pki/pki-tomcat/ca/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
  307  vimdiff pki/pki-tomcat/ca/acl.ldif /etc/pki/pki-tomcat/ca/acl.ldif
  309  vimdiff pki/pki-tomcat/ca/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
  312  vimdiff pki/pki-tomcat/ca/database.ldif /etc/pki/pki-tomcat/ca/database.ldif
  314  vimdiff pki/pki-tomcat/ca/db.ldif /etc/pki/pki-tomcat/ca/db.ldif
  316  vimdiff pki/pki-tomcat/ca/index.ldif /etc/pki/pki-tomcat/ca/index.ldif
  318  vimdiff pki/pki-tomcat/ca/manager.ldif /etc/pki/pki-tomcat/ca/manager.ldif
  320  vimdiff pki/pki-tomcat/ca/proxy.conf /etc/pki/pki-tomcat/ca/proxy.conf
  322  vimdiff pki/pki-tomcat/ca/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
  325  vimdiff pki/pki-tomcat/ca/schema.ldif /etc/pki/pki-tomcat/ca/schema.ldif
  613  vimdiff pki/java/cacerts /etc/pki/java/cacerts
  623  vimdiff pki/default.cfg /etc/pki/default.cfg
  626  vimdiff pki/pki.version /etc/pki/pki.version
  632  vimdiff pki/pki-tomcat/logging.properties /etc/pki/pki-tomcat/logging.properties
  635  vimdiff pki/pki-tomcat/catalina.policy /etc/pki/pki-tomcat/catalina.policy
  638  vimdiff pki/pki-tomcat/web.xml /etc/pki/pki-tomcat/web.xml
  654  vimdiff pki/pki-tomcat/ca/CS.cfg /etc/pki/pki-tomcat/ca/CS.cfg
  666  vimdiff pki/ca-trust/ca-legacy.conf /etc/pki/ca-trust/ca-legacy.conf
  677  vimdiff pki/nssdb/pkcs11.txt /etc/pki/nssdb/pkcs11.txt
  684  vimdiff pki/default.cfg /etc/pki/default.cfg
  707  vimdiff pki/tls/openssl.cnf etc/pki/tls/openssl.cnf
  708  vimdiff pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf
  871  vimdiff slapd-IDM-EXAMPLE-COM/dse.ldif /etc/dirsrv/slapd-IDM-EXAMPLE-COM/dse.ldif
 1005  vimdiff pki/pki-tomcat/ca/schema.ldif /etc/pki/pki-tomcat/ca/schema.ldif

It is also possible that some certificates might be expired
because dogtag was not functional for some time.
So please take a look into wiki:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

LS

From canepa.n at mmfg.it Thu Jul 16 12:01:47 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Thu, 16 Jul 2015 14:01:47 +0200
Subject: [Freeipa-users] Problem in CLI after upgrade to 4.1.0
Message-ID: <55A79D2B.60804@mmfg.it>

I upgraded from freeipa 4.0 to ipa-4.1.0
Users continue to be authenticated, and web GUI works, but from command
line for every ipa command (after authenticating with kinit), I get:
> [root at ldap-01 ~]# ipa config-show
> ipa: ERROR: cannot connect to 'https://ldap-01.mmfg.it/ipa/json':
> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
> unsupported format.

Nicola

--

Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it
---
The content of the above communication is strictly confidential and
reserved solely for the referred addressees. In the event of receipt by
persons different from the addressee, copying, alteration and distribution
are forbidden. If received by mistake we ask you to inform us and to destroy
and/or delete from your computer without using the data herein contained.
The present message (eventual annexes inclusive) shall not be considered a
contractual proposal and/or acceptance of offer from the addressee, nor
waiver recognizance of rights, debts and/or credits, nor shall it be binding
when not executed as a subsequent agreement by persons who could lawfully
represent us. No pre-contractual liability shall apply to us when the
present communication is not followed by any binding agreement between the
parties.

From pvoborni at redhat.com Thu Jul 16 14:55:00 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 16 Jul 2015 16:55:00 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com>
 <20150630075524.GN6584@dhcp-40-8.bne.redhat.com>
Message-ID: <55A7C5C4.20106@redhat.com>

On 07/10/2015 05:28 PM, Alexandre Ellert wrote:
>
>> On 30 Jun 2015, at 10:16, Alexandre Ellert wrote:
>>
>>
>>> Could you please provide the content of logfile:
>>> `/var/log/pki/pki-tomcat/ca/debug', around the time the error
>>> occurs?
>>>
>>> Thanks,
>>> Fraser
>>
>> When the pki-tomcatd service is trying to start, I see this message in /var/log/pki/pki-tomcat/ca/debug
>>
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: ============================================
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: ============================================
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
>> Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
>>     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
>>     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
>>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
>>     at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
>>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
>>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:606)
>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>>     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>>     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>     at java.lang.Thread.run(Thread.java:745)
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine.shutdown()
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
>>
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
>>
>> [30/Jun/2015:10:02:15][ajp-bio-127.0.0.1-8009-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
>>
>> I checked that ns-slapd was running on port 636
>> # netstat -antp|grep 636
>> tcp6 0 0 :::636 :::* LISTEN 22855/ns-slapd
>>
>> After a quick search, I found this bug https://fedorahosted.org/freeipa/ticket/4666 is quite similar.
>> Many workarounds are suggested there but I'm confused about which could be efficient for me.
>>
> Up plz.
>

Is there anything related to the connection error in dirsrv logs?

/var/log/dirsrv/slapd-EXAMPLE-COM/errors
/var/log/dirsrv/slapd-EXAMPLE-COM/access
--
Petr Vobornik

From abokovoy at redhat.com Thu Jul 16 14:58:26 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 16 Jul 2015 17:58:26 +0300
Subject: [Freeipa-users] [QUERY] CentOS 7 repo for FreeIPA 4.2.0 testing
Message-ID: <20150716145826.GR21928@redhat.com>

Hello!

FreeIPA team has recently released 4.2.0 version[1] which adds a number
of features community members were asking for:
 - User certificates
 - Vault to store user secrets
 - One-way trust to Active Directory
 - User life-cycle management for integration with external process
   workflows
 - [many other enhancements and improvements]

Development of these features required coordinating changes across
multiple projects. We have provided the packages for Fedora through our
COPR repository[2]. The repository includes multiple packages, and
relies on multiple others updated in Fedora repositories since Fedora
22.

FreeIPA and other teams at Red Hat are currently working on integrating
FreeIPA 4.2 release into Red Hat Enterprise Linux 7 update.

While traditionally CentOS users had to wait for a Red Hat Enterprise
Linux release, in time for 7.1 update we tried something new with a COPR
repository providing FreeIPA 4.1 for CentOS before Red Hat Enterprise
Linux 7.1 was released. The repository proved to be a success -- both
for quality of bug reports we've got and ability to reach out to you.

With COPR repository for CentOS 7 we've also got experience to manage
expectations of support and maintenance for the FreeIPA 4.1 packages in
the view of upcoming Red Hat Enterprise Linux release. The packages in
the COPR repository would expire when the Red Hat Enterprise Linux
update comes to CentOS and to people who used the repository it would
mean a need to handle upgrades.

We are considering to repeat COPR experiment with FreeIPA 4.2 for CentOS
7. However, this time we also are relying on updated packages which are
beyond the maintenance of FreeIPA, SSSD, Dogtag, and 389-ds teams. Some
of the updates in those packages include ABI changes. Maintaining our
own rebuilds of these packages in the COPR repository would put
additional burden on the upstream developers and later on you -- when
CentOS 7 updated versions of those packages would come through the
official channels.

Thus, we would like to ask you, whether having a separate COPR
repository for FreeIPA 4.2 would make sense for CentOS 7 users. The
repository will expire with the release of CentOS 7 updates and no
upgrade path would be provided for the bits. Of course, FreeIPA
replication should work and to move forward you would need to deploy
replicas with formal CentOS bits into the same environment and phase out
the replicas running bits coming from the COPR repository. This path is
intended but not guaranteed. It might happen that further development
would reveal issues and bugs that might make such migration path broken
and impossible to fix. In this case upstream will make reasonable
efforts but would provide no guarantee that the issue will be addressed.

Does it make sense and worth proceeding with creating a CentOS COPR repo
with upstream bits? Tell us!

[1] http://www.freeipa.org/page/Releases/4.2.0
[2] https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2
--
/ Alexander Bokovoy

From Kurt.Bendl at nrel.gov Thu Jul 16 16:58:50 2015
From: Kurt.Bendl at nrel.gov (Bendl, Kurt)
Date: Thu, 16 Jul 2015 16:58:50 +0000
Subject: [Freeipa-users] OTP vs sudo
Message-ID:

I'm planning our implementation of IdM/IPA, and I'm unclear about how I can
implement IPA's OTP for privileged access.

I need to be able to set up systems so:
 * accounts can auth using traditional userid/password
 * privileged access (sudo) requires OTP

We've done some testing, injecting a 3rd party OTP solution (PrivacyIDEA)
into the mix. This seems to work. But, if I can make IPA's built-in mojo
work, I'd prefer to keep it all in the family.

Thanks,
Kurt

From nagemnna at gmail.com Thu Jul 16 19:32:37 2015
From: nagemnna at gmail.com (Megan .)
Date: Thu, 16 Jul 2015 15:32:37 -0400
Subject: [Freeipa-users] sudo environmental variables
Message-ID:

Good Afternoon,

I am struggling with sudo and environmental variables. I feel like i'm
missing something silly and just need another set of eyes.

I have a situation where i need a user(userA) to run a script using sudo as
another user (userB). I want to use some environmental variables from userB
(script owner) for the purpose of the script. Specifically $PATH and
HTTP_PROXY. I have the PATH and HTTP_PROXY set in /home/userB/.bashrc but
when userA uses sudo -u userB script it doesn't pickup those environmental
variables. I tried using the sudo options and set env_keep+="HTTP_PROXY"
and that still didn't work. The only thing i found worked so far was
adding. i've also tried the sudo -i option and that fails.

Thanks in advance.

[megantest at tools-dit ~]$ sudo -ll
Matching Defaults entries for megantest on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, passprompt="Enter RSA PIN+token:"

User megantest may run the following commands on this host:

SSSD Role: script_testing
    RunAsUsers: testuser
    Options: env_keep+="HTTP_PROXY"
    Commands:
        /home/testuser/script.sh

From nagemnna at gmail.com Thu Jul 16 19:45:38 2015
From: nagemnna at gmail.com (Megan .)
Date: Thu, 16 Jul 2015 15:45:38 -0400
Subject: [Freeipa-users] sudo environmental variables
In-Reply-To:
References:
Message-ID:

I think i got the options confused. I tried using Options: always_set_home
but this did not do anything either.

On Thu, Jul 16, 2015 at 3:32 PM, Megan . wrote:
> Good Afternoon,
>
>
> I am struggling with sudo and environmental variables. I feel like i'm
> missing something silly and just need another set of eyes.
>
> I have a situation where i need a user(userA) to run a script using sudo as
> another user (userB). I want to use some environmental variables from userB
> (script owner) for the purpose of the script. Specifically $PATH and
> HTTP_PROXY. I have the PATH and HTTP_PROXY set in /home/userB/.bashrc but
> when userA uses sudo -u userB script it doesn't pickup those environmental
> variables. I tried using the sudo options and set env_keep+="HTTP_PROXY"
> and that still didn't work. The only thing i found worked so far was
> adding. i've also tried the sudo -i option and that fails.
>
> Thanks in advance.
>
>
>
> [megantest at tools-dit ~]$ sudo -ll
> Matching Defaults entries for megantest on this host:
>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> DISPLAY HOSTNAME
>     HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
> USERNAME LANG
>     LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
> LC_MEASUREMENT
>     LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
> LC_TELEPHONE",
>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, passprompt="Enter RSA
> PIN+token:"
>
> User megantest may run the following commands on this host:
>
> SSSD Role: script_testing
>     RunAsUsers: testuser
>     Options: env_keep+="HTTP_PROXY"
>     Commands:
>         /home/testuser/script.sh
>
>
>
>
>

From canepa.n at mmfg.it Fri Jul 17 03:49:13 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Fri, 17 Jul 2015 05:49:13 +0200
Subject: [Freeipa-users] Problem in CLI after upgrade to 4.1.0
In-Reply-To: <55A79D2B.60804@mmfg.it>
References: <55A79D2B.60804@mmfg.it>
Message-ID: <4AA9CB49-4F00-47B2-9710-B9AF38436815@mmfg.it>

I think the problem is the upgrade from freeipa-* to ipa-*, which does not run the scripts correctly.
Previously I had to run:

/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
/bin/systemctl enable ipa.service

Now I also needed:

# Create the IPA NSS database in /etc/ipa/nssdb
python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()'
# Copy the CA certificate from /etc/pki/nssdb into the new database
tempfile=$(mktemp)
if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>>/var/log/ipaupgrade.log; then
    certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >>/var/log/ipaupgrade.log 2>&1
elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>>/var/log/ipaupgrade.log; then
    certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >>/var/log/ipaupgrade.log 2>&1
fi
rm -f "$tempfile"

And also the ipa commands work correctly.

Nicola

On 16 July 2015 14:01:47 CEST, Nicola Canepa wrote:
>I upgraded from freeipa 4.0 to ipa-4.1.0
>Users continue to be authenticated, and web GUI works, but from command
>
>line for every ipa command (after authenticating with kinit), I get:
>> [root at ldap-01 ~]# ipa config-show
>> ipa: ERROR: cannot connect to 'https://ldap-01.mmfg.it/ipa/json':
>> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an
>old,
>> unsupported format.
>
>Nicola

From pspacek at redhat.com Fri Jul 17 08:47:37 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 17 Jul 2015 10:47:37 +0200
Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
Message-ID: <55A8C129.1030305@redhat.com>

Hello users and developers,

I wonder what do you think about naming inconsistency in FreeIPA packages.

Packages in Fedora are prefixed with freeipa-* but in RHEL (and derivatives) the packages are named as ipa-*. Given that command line interface is in all cases 'ipa', it seems like an inconsistency.

Are there any reasons not to rename freeipa-* *packages* to ipa-*?

Naturally name of project would still be FreeIPA :-)

This rename would remove the inconsistency which drives me crazy when I need to script something universally for RHEL and Fedora.

Have a nice day!

--
Petr^2 Spacek

From abokovoy at redhat.com Fri Jul 17 08:57:44 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 17 Jul 2015 11:57:44 +0300
Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
In-Reply-To: <55A8C129.1030305@redhat.com>
References: <55A8C129.1030305@redhat.com>
Message-ID: <20150717085744.GY21928@redhat.com>

On Fri, 17 Jul 2015, Petr Spacek wrote:
>Hello users and developers,
>
>I wonder what do you think about naming inconsistency in FreeIPA packages.
>
>Packages in Fedora are prefixed with freeipa-* but in RHEL (and derivatives)
>the packages are named as ipa-*. Given that command line interface is in all
>cases 'ipa', it seems like an inconsistency.
>
>Are there any reasons not to rename freeipa-* *packages* to ipa-*?
>
>Naturally name of project would still be FreeIPA :-)
>
>This rename would remove the inconsistency which drives me crazy when I need
>to script something universally for RHEL and Fedora.

Not again. ;) It was 'ipa' package in Fedora first few years and got renamed to freeipa.

--
/ Alexander Bokovoy

From christopher.lamb at ch.ibm.com Fri Jul 17 09:10:45 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Fri, 17 Jul 2015 11:10:45 +0200
Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
In-Reply-To: <55A8C129.1030305@redhat.com>
References: <55A8C129.1030305@redhat.com>
Message-ID:

Consistency sounds good.

How would the name change affect yum update?

Chris

From: Petr Spacek
To: freeipa-users at redhat.com
Date: 17.07.2015 10:49
Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
Sent by: freeipa-users-bounces at redhat.com

Hello users and developers,

I wonder what do you think about naming inconsistency in FreeIPA packages.

Packages in Fedora are prefixed with freeipa-* but in RHEL (and derivatives) the packages are named as ipa-*. Given that command line interface is in all cases 'ipa', it seems like an inconsistency.

Are there any reasons not to rename freeipa-* *packages* to ipa-*?

Naturally name of project would still be FreeIPA :-)

This rename would remove the inconsistency which drives me crazy when I need to script something universally for RHEL and Fedora.

Have a nice day!

--
Petr^2 Spacek

From jpazdziora at redhat.com Fri Jul 17 09:15:46 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Fri, 17 Jul 2015 11:15:46 +0200
Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
In-Reply-To: <55A8C129.1030305@redhat.com>
References: <55A8C129.1030305@redhat.com>
Message-ID: <20150717091546.GE6322@redhat.com>

On Fri, Jul 17, 2015 at 10:47:37AM +0200, Petr Spacek wrote:
>
> This rename would remove the inconsistency which drives me crazy when I need
> to script something universally for RHEL and Fedora.

Wouldn't rpm Provides solve this particular issue?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From canepa.n at mmfg.it Fri Jul 17 09:33:53 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Fri, 17 Jul 2015 11:33:53 +0200
Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
In-Reply-To:
References: <55A8C129.1030305@redhat.com>
Message-ID: <55A8CC01.1020406@mmfg.it>

Regarding this, I think the upgrade from freeipa to ipa should be looked into carefully, since I experienced problem of post-upgrade script not being run upon upgrade from freeipa-*-4.0 to ipa-*-4.1

Nicola

On 17/07/15 11:10, Christopher Lamb wrote:
> Consistency sounds good.
>
> How would the name change affect yum update?
>
> Chris
>
> From: Petr Spacek
> To: freeipa-users at redhat.com
> Date: 17.07.2015 10:49
> Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
> Sent by: freeipa-users-bounces at redhat.com
>
> Hello users and developers,
>
> I wonder what do you think about naming inconsistency in FreeIPA packages.
>
> Packages in Fedora are prefixed with freeipa-* but in RHEL (and derivatives)
> the packages are named as ipa-*. Given that command line interface is in all
> cases 'ipa', it seems like an inconsistency.
>
> Are there any reasons not to rename freeipa-* *packages* to ipa-*?
>
> Naturally name of project would still be FreeIPA :-)
>
> This rename would remove the inconsistency which drives me crazy when I need
> to script something universally for RHEL and Fedora.
>
> Have a nice day!
>
> --
> Petr^2 Spacek
>

--
Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it

From lslebodn at redhat.com Fri Jul 17 10:38:32 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 17 Jul 2015 12:38:32 +0200
Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
In-Reply-To: <20150717091546.GE6322@redhat.com>
References: <55A8C129.1030305@redhat.com> <20150717091546.GE6322@redhat.com>
Message-ID: <20150717103832.GC26053@mail.corp.redhat.com>

On (17/07/15 11:15), Jan Pazdziora wrote:
>On Fri, Jul 17, 2015 at 10:47:37AM +0200, Petr Spacek wrote:
>>
>> This rename would remove the inconsistency which drives me crazy when I need
>> to script something universally for RHEL and Fedora.
>
>Wouldn't rpm Provides solve this particular issue?
>
I would prefer this way as well.

and BTW packages in debian use names: freeipa-*
https://packages.debian.org/search?suite=sid&searchon=names&keywords=freeipa

LS

From holger at layer-acht.org Fri Jul 17 11:57:43 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Fri, 17 Jul 2015 13:57:43 +0200
Subject: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?
In-Reply-To: <55A8C129.1030305@redhat.com>
References: <55A8C129.1030305@redhat.com>
Message-ID: <201507171357.50349.holger@layer-acht.org>

Hi,

(writing this offline, so maybe my reply is moot...)

On Friday, 17 July 2015, Petr Spacek wrote:
> Are there any reasons not to rename freeipa-* *packages* to ipa-*?

yes: in Debian and Ubuntu the packages are named freeipa-* as well, so let me phrase your question differently: are there any reasons not to rename ipa-* *packages* to freeipa-*? :-)

> Naturally name of project would still be FreeIPA :-)

which would also have the nice benefit of matching the project name!

cheers,
Holger

From aebruno2 at buffalo.edu Sat Jul 18 01:23:44 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Fri, 17 Jul 2015 21:23:44 -0400
Subject: [Freeipa-users] ns-slapd high cpu usage
In-Reply-To: <55A76C3B.4010305@redhat.com>
References: <20150713163620.GF15499@dead.ccr.buffalo.edu> <55A4F585.3040207@redhat.com> <20150714123507.GB8394@dead.ccr.buffalo.edu> <55A5221A.6050607@redhat.com> <20150714185942.GD8394@dead.ccr.buffalo.edu> <55A65EAB.6020207@redhat.com> <20150715141005.GA24682@dead.ccr.buffalo.edu> <55A6750F.5000906@redhat.com> <20150715170532.GB24682@dead.ccr.buffalo.edu> <55A76C3B.4010305@redhat.com>
Message-ID: <20150718012344.GB6722@dead.ccr.buffalo.edu>

On Thu, Jul 16, 2015 at 10:32:59AM +0200, Ludwig Krispenz wrote:
> Thank you for the data, I think I understand now what is going on.
>
> In the error logs we see only messages like (from my test env):
>
> [16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): replay_update: modifys operation (dn="dc=example,dc=com" csn=55a82a29000100640000) not sent - empty
> [16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): replay_update: Consumer successfully sent operation with csn 55a82a29000100640000
> [16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): Skipping update operation with no message_id (uniqueid 7507cb26-e8ac11e2-b2898005-8430f734, CSN 55a82a29000100640000):
>
> This happens if fractional replication is configured as IPA does and the
> changes affect only attributes which will NOT be replicated. So the local
> RUV will be updated, but since no change is really sent, the consumer RUV is
> not updated and replication will always set off from a very old starting
> csn. It is a rare scenario where a server receives only mods which are not
> replicated.
>
> I have opened a ticket for this: https://fedorahosted.org/389/ticket/48225
>
> As a workaround can you try to apply a mod on m14-26 which will not be
> stripped, either create a dummy user or add a description attribute to an
> existing object. Replication will once again iterate thru all the changes
> (which can take a while), but then should replay this latest change and
> define a new offset
>

Excellent. I can confirm your workaround fixed the issue. I updated a user's email address (on m14-26) and the load came down back to normal within a few minutes.

Thanks very much for all your help debugging this.

Best,

--Andrew

> Regards,
> Ludwig
>
>

From tde3000 at gmail.com Sun Jul 19 04:41:59 2015
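The condition Ludwig describes above can be checked for in a 389-ds error log. The following is an added example, not part of the thread or of 389-ds: it matches the three message shapes quoted above and reports replication agreements where every replayed CSN was stripped as empty. The `cn=100-200` log lines, the function names and the `min_ops` threshold are constructed for illustration, and the CSN layout assumed is timestamp, sequence number, replica id, sub-sequence.

```python
import re
from collections import defaultdict

# Patterns mirror the three error-log lines quoted in the message above.
AGMT = r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
CSN = r'(?P<csn>[0-9a-f]{20})'
RE_SENT = re.compile(
    AGMT + r'replay_update: Consumer successfully sent operation with csn ' + CSN)
RE_EMPTY = re.compile(
    AGMT + r'replay_update: \w+ operation \(dn="[^"]*" csn=' + CSN
    + r'\) not sent - empty')
RE_SKIP = re.compile(
    AGMT + r'Skipping update operation with no message_id '
    r'\(uniqueid [0-9a-f-]+, CSN ' + CSN + r'\)')

# The first three lines are the ones quoted in the thread; the cn=100-200
# lines are constructed to show an agreement that still ships a real change.
SAMPLE_LOG = '''\
[16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): replay_update: modifys operation (dn="dc=example,dc=com" csn=55a82a29000100640000) not sent - empty
[16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): replay_update: Consumer successfully sent operation with csn 55a82a29000100640000
[16/Jul/2015:10:12:40 +0200] NSMMReplicationPlugin - agmt="cn=100-300" (localhost:9759): Skipping update operation with no message_id (uniqueid 7507cb26-e8ac11e2-b2898005-8430f734, CSN 55a82a29000100640000):
[16/Jul/2015:10:12:41 +0200] NSMMReplicationPlugin - agmt="cn=100-200" (localhost:9760): replay_update: modifys operation (dn="dc=example,dc=com" csn=55a82a29000100640000) not sent - empty
[16/Jul/2015:10:12:41 +0200] NSMMReplicationPlugin - agmt="cn=100-200" (localhost:9760): replay_update: Consumer successfully sent operation with csn 55a82a29000100640000
[16/Jul/2015:10:12:41 +0200] NSMMReplicationPlugin - agmt="cn=100-200" (localhost:9760): Skipping update operation with no message_id (uniqueid 7507cb26-e8ac11e2-b2898005-8430f734, CSN 55a82a29000100640000):
[16/Jul/2015:10:12:42 +0200] NSMMReplicationPlugin - agmt="cn=100-200" (localhost:9760): replay_update: Consumer successfully sent operation with csn 55a82a2a000000640000
'''


def parse_csn(csn):
    """Split a 20-hex-digit CSN into its four fields."""
    return {
        "timestamp": int(csn[0:8], 16),     # seconds since the epoch
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),  # replica that originated the change
        "subseq": int(csn[16:20], 16),
    }


def summarize(lines):
    """Per agreement, collect the CSNs replayed and the CSNs stripped as empty."""
    stats = defaultdict(lambda: {"replayed": set(), "stripped": set()})
    for line in lines:
        m = RE_SENT.search(line)
        if m:
            stats[m["agmt"]]["replayed"].add(m["csn"])
            continue
        m = RE_EMPTY.search(line) or RE_SKIP.search(line)
        if m:
            stats[m["agmt"]]["stripped"].add(m["csn"])
    return stats


def stalled_agreements(stats, min_ops=1):
    """Agreements where nothing but stripped (empty) updates was replayed.

    With only such updates the consumer RUV never advances, so each session
    restarts from the same old CSN, as described in the message above.
    """
    flagged = {}
    for agmt, s in sorted(stats.items()):
        effective = s["replayed"] - s["stripped"]
        if len(s["stripped"]) >= min_ops and not effective:
            flagged[agmt] = {
                "stripped_ops": len(s["stripped"]),
                "origin_replica_ids": sorted(
                    {parse_csn(c)["replica_id"] for c in s["stripped"]}),
            }
    return flagged


if __name__ == "__main__":
    for agmt, info in stalled_agreements(summarize(SAMPLE_LOG.splitlines())).items():
        print(agmt, info)
```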
From: tde3000 at gmail.com (John Stein)
Date: Sun, 19 Jul 2015 04:41:59 +0000
Subject: [Freeipa-users] reverse lookup dns records in trust setup
In-Reply-To: <55A67C2C.6070006@redhat.com>
References: <55914D1F.4050704@redhat.com> <559CF263.6020300@redhat.com> <55A50624.4050507@redhat.com> <55A67C2C.6070006@redhat.com>
Message-ID:

Hi,

Does that mean deleting the NS record on AD and creating an A record instead?

Thanks,
John

On Wed, Jul 15, 2015, 18:28 Petr Spacek wrote:

> On 14.7.2015 15:19, John Stein wrote:
> > Hi,
> >
> > What I meant was that the IPA server is managing two zones:
> >
> > Linux.john.com
> > Which has these records
> > Ipa1 A 192.168.0.140
> > client1 A 192.168.0.11
> >
> > 0.168.192.in-addr.arpa.
> > Which has these records
> > 11 PTR client1.linux.john.com
> > @ NS ipa1.linux.john.com
> >
> > In the AD
> > forward lookup zones
> >> John.com
> >>> linux
> > (Same as parent folder) NS ipa1.linux.john.com
> >
> > Anything more that's unclear?
>
> This is enough.
>
> You have the same 'master' zone configured on IPA and AD, which does not make
> sense from DNS point of view.
>
> You need to move all records to one server and configure 'forward' zone on the
> other server. In AD terminology you need to create 'conditional forwarder'.
>
> Petr^2 Spacek
>
> >
> > Thank you very much!
> > John
> >
> > On Tue, Jul 14, 2015, 15:52 Petr Spacek wrote:
> >
> >> On 14.7.2015 14:49, John Stein wrote:
> >>> I ran the above commands exactly as I told you on the IPA server. I also
> >>> set the IPA server as a global forwarder in the AD.
> >>>
> >>> On Wed, Jul 8, 2015, 12:50 Petr Spacek wrote:
> >>>
> >>>>> On 5.7.2015 08:38, John Stein wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I ran these commands in the IdM server
> >>>>>>>
> >>>>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> >>>>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >>>>>>>
> >>>>>>> At the Active Directory I have A and PTR records for the IdM server and it
> >>>>>>> is configured as a global forwarder.
> >>>>>>> At the IdM server there are A and PTR records for both the IdM server and
> >>>>>>> another client.
> >>
> >> Can you explain what you did, exactly? I do not know what 'I have A and PTR
> >> records for the IdM server' exactly means. We need to know exactly what you
> >> typed in and where you clicked in AD.
> >>
> >> The original information is not sufficient, that is why I am asking for more
> >> details.
> >>
> >> Petr^2 Spacek
> >>
> >>>>>>> However this setup does not work.
> >>>>>>> From the IdM and linux client every record is resolvable, however from the
> >>>>>>> AD only the IdM is resolvable and the client is not.
> >>>>>>>
> >>>>>>> Maybe there's another thing I need to configure in the AD in order to
> >>>>>>> enable forwarding that I'm missing?
> >>>>>
> >>>>> I'm not sure I understand you.
>

From gjn at gjn.priv.at Sun Jul 19 15:58:53 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sun, 19 Jul 2015 17:58:53 +0200
Subject: [Freeipa-users] access control
Message-ID: <35938771.mlPKtxLVZd@techz>

Hello,

can anyone help me to create an access control for a user?

Background:

I have created a user like this from a FreeIPA site

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

now I have to create an access control rule for this user that he can read the userPassword attribute like this?

# access to attribute=userPassword
# by dn="" read # add this
# by anonymous auth
# by self write
# by * none

I can't find an example for this problem and so I have no correctly working mail server :-(.

Please help, and thanks for an answer.

--
mit freundlichen Grüssen / best regards,

Günther J. Niederwimmer

From andrew.holway at gmail.com Sun Jul 19 17:23:05 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Sun, 19 Jul 2015 19:23:05 +0200
Subject: [Freeipa-users] access control
In-Reply-To: <35938771.mlPKtxLVZd@techz>
References: <35938771.mlPKtxLVZd@techz>
Message-ID:

Hi Gunther,

Typically one would use the freeipa tools to create users.

http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-users.html#adding-users

As with any application. Modifying the database underneath is not recommended.

Thanks,

Andrew

On 19 July 2015 at 17:58, Günther J. wrote:

> Hello,
>
> can anyone help me to create an access control for a user?
>
> Background:
>
> I have created a user like this from a FreeIPA site
>
> # ldapmodify -x -D 'cn=Directory Manager' -W
> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: system
> userPassword: secret123
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
>
> ^D
>
> now I have to create an access control rule for this user that he can read
> the userPassword attribute like this?
>
> # access to attribute=userPassword
> # by dn="" read # add this
> # by anonymous auth
> # by self write
> # by * none
>
> I can't find an example for this problem and so I have no correctly working
> mail server :-(.
>
> Please help, and thanks for an answer.
>
> --
> mit freundlichen Grüssen / best regards,
>
> Günther J. Niederwimmer
>

From jcholast at redhat.com Mon Jul 20 06:57:34 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Jul 2015 08:57:34 +0200
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <55A6AD1E.2070604@cora.nwra.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com> <559D5E6F.5010902@cora.nwra.com> <55A02C07.3090906@cora.nwra.com> <55A5F55A.6090203@redhat.com> <55A6AD1E.2070604@cora.nwra.com>
Message-ID: <55AC9BDE.4020505@redhat.com>

On 15.7.2015 at 20:57, Orion Poplawski wrote:
> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>> Hi,
>>
>> On 10.7.2015 at 22:33, Orion Poplawski wrote:
>>> On 07/08/2015 11:31 AM, Orion Poplawski wrote:
>>>> But then when I go to make a replica:
>>>>
>>>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>>> Directory Manager (existing master) password:
>>>>
>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>
>>>> Which looks like others are experiencing (with no resolution that I could
>>>> see) https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html
>>
>> Unfortunately this error code can mean almost anything, NSS isn't particularly
>> helpful with errors.
>>
>>>>
>>>> Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.
>>>>
>>>
>>> Filed https://fedorahosted.org/freeipa/ticket/5117
>>>
>>
>> Without ipa-replica-prepare log or pk12util output it's really hard to tell
>> what's going on.
>> Could you provide the output of the following commands:
>>
>> # pk12util -l nwra.com.p12
>>
>> # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>
> Directory Manager (existing master) password:
>
> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>
> Not much :(
>
> Seems to be very early.
>
> I can't find an ipa-replica-prepare.log file.

That's weird, there should be ~50 lines of output before ipa-replica-prepare prompts you for directory manager password.

I didn't have any luck in reproducing the issue so far. Could you please
try this:

$ mkdir tmpdb
$ certutil -N -d tmpdb
$ pk12util -i nwra.com.p12 -d tmpdb
$ certutil -L -d tmpdb
# look for nickname of certificate which has trust attributes of u,u,u
$ certutil -O -d tmpdb -n nickname
# use the nickname from above

I would like to see the output of the last 2 commands.

--
Jan Cholasta

From christopher.lamb at ch.ibm.com Mon Jul 20 13:41:18 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 20 Jul 2015 15:41:18 +0200
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To: <20150428183655.GF26437@redhat.com>
References: <20150428170157.GA26437@redhat.com> <20150428181100.GE26437@redhat.com> <20150428183655.GF26437@redhat.com>
Message-ID:

Hi Alexander

This issue got overtaken by others, and slipped off my radar for a bit...

While the solution suggested earlier in this thread at
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
sounds interesting (and we are running the correct versions of OEL 7.1 and
SSSD), it seems to require the Windows clients to be members of an Active
Directory trusted by IPA.

Unfortunately there is no AD in our architecture - our Windows and OSX
clients are effectively islands. That would seem to leave us stuck with
sambaPwdLastSet.

After a user has had his password reset via the IPA WebUi to a temporary
value, the user then logs on using the temporary password, and is asked to
enter a new password. At this point sambaPwdLastSet should be set to a
positive value. However our testing indicates that it is not. We have tried
3 techniques:

1) User connects to LDAP server via remote ssh.

2) kinit

3) su - over an existing ssh session with another user (e.g. mine)

In all three cases the user is able to set their password, but
sambaPwdLastSet remains set to 0.

As a workaround we use Apache Directory Studio to manually set
sambaPwdLastSet once the user has changed his password.

Chris

From: Alexander Bokovoy
To: Christopher Lamb/Switzerland/IBM at IBMCH
Date: 28.04.2015 20:37
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

On Tue, 28 Apr 2015, Christopher Lamb wrote:
>Hi Alexander
>
>one of those days?
>
>I have just snapshotted the VM running FreeIPA, and will give your
>suggestion a whirl, and then report back to the list.
>
>I am running both FreeIPA and Samba on the same VM, which should make
>things easier.
>
>All the bits required are either already installed or in the yum repo, so I
>am ready to go...
Here is the problem. In the case of Samba running on IPA master you
really really want to use freeipa-server-trust-ad (or ipa-server-trust-ad
in RHEL/CentOS) package and use ipa-adtrust-install to configure it.

We have done a lot of work to make sure IPA masters can work as 'AD DCs'
of sorts for cross-forest trusts to Active Directory. Part of it
includes specialized PDB module (ipasam) and appropriate management
around it.

The solution about using SSSD libwbclient parts is built around that too
-- you are expected to configure your IPA masters with
ipa-adtrust-install and then run Samba file server on an IPA client with
SSSD.

If you want to have shares on IPA master directly, all you need to do is
to run ipa-adtrust-install to configure Samba and then use 'net conf
addshare' to configure shares. Using 'net conf' is a key here because we
use registry to store smb.conf and things in /etc/samba/smb.conf will be
ignored. See
https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for examples.

>
>Must get off the train now ...
>
>thanks
>
>chris
>
>
>
>From: Alexander Bokovoy
>To: Christopher Lamb/Switzerland/IBM at IBMCH
>Cc: freeipa-users at redhat.com
>Date: 28.04.2015 20:11
>Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
>
>
>Resending it to the right list. :) Not my evening.
>
>On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
>>On Tue, 28 Apr 2015, Christopher Lamb wrote:
>>>
>>>Hi All
>>>
>>>I wish to pick your brains on the attribute sambaPwdLastSet
>>>
>>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>>old 3.0.0 instance.
>>>
>>>We are also running Samba to share files to Windows and OSX users. This
>>>means that all the FreeIPA user accounts have the attribute
>>>sambaPwdLastSet.
>>>
>>>If this has the value 0, our users cannot map Samba shares, so we need to
>>>make sure the value is a positive integer.
>>>
>>>In an attempt to do this, I modified user.py, adding the attribute to the
>>>takes_params for the class user as follows:
>>>
>>>class user(LDAPObject):
>>>    . . .
>>>    takes_params = (
>>>        . . .
>>>        Int('sambapwdlastset?',
>>>            label=_('sambaPwdLastSet'),
>>>            doc=_('Date as an integer when the samba password was last set'),
>>>            default=1,
>>>            autofill=True,
>>>        ),
>>>        . . .
>>>
>>>This works fine if I create a user via the CLI.
>>>
>>>However if I create a user via the Web UI, or use the Web UI to reset a
>>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>>
>>>So what scripts do I need to change to make sure the Web UI sets
>>>sambaPwdLast Set to a positive value? (I don't want to run ldapmodify
>>>scripts, or have to use Apache Directory Studio to hack the db..)
>>>
>>>Or is there an altogether better approach to handling this field?
>>Yes, there is.
>>
>>Given that you are running FreeIPA 4.1, you now can use SSSD as your
>>libwbclient provider to be able to run Samba on IPA client against IPA
>>database. There will be no dependency on sambaPwdLastSet anymore.
>>
>>See
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>>This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA
>>client. It does not work though with non-Kerberos (NTLM) logins.
>>
>>However, if you insist on using sambaPwdLastSet attribute, then user
>>password change rule is applying:
>>
>>- if admin changes user password, sambaPwdLastSet is cleared to 0 to
>>  force users to change their passwords also via Samba
>>
>>If user changes the password him/herself, sambaPwdLastSet is set to the
>>current time (i.e. not 0).
>>
>>This really goes into enforcing privacy of user passwords -- if admins
>>change user passwords, the password is not really secret anymore and
>>cannot be considered secure, so it is only used once.
>>
>>See also https://www.freeipa.org/page/Self-Service_Password_Reset and
>>https://www.freeipa.org/page/New_Passwords_Expired
>>
>>--
>>/ Alexander Bokovoy
>
>--
>/ Alexander Bokovoy
>
>
>

--
/ Alexander Bokovoy

From rcritten at redhat.com Mon Jul 20 13:47:32 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jul 2015 09:47:32 -0400
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To:
References: <20150428170157.GA26437@redhat.com> <20150428181100.GE26437@redhat.com> <20150428183655.GF26437@redhat.com>
Message-ID: <55ACFBF4.4090707@redhat.com>

Christopher Lamb wrote:
> Hi Alexander
>
> This issue got overtaken by others, and slipped off my radar for a bit...
>
> While the solution suggested earlier in this thread at
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> sounds interesting (and we are running the correct versions of OEL 7.1 and
> SSSD), it seems to require the Windows clients to be members of an Active
> Directory trusted by IPA.
>
> Unfortunately there is no AD in our architecture - our Windows and OSX
> clients are effectively islands. That would seem to leave us stuck with
> sambaPwdLastSet.
>
> After a user has had his password reset via the IPA WebUi to a temporary
> value, the user then logs on using the temporary password, and is asked to
> enter a new password. At this point sambaPwdLastSet should be set to a
> positive value. However our testing indicates that it is not. We have tried
> 3 techniques:
>
> 1) User connects to LDAP server via remote ssh.
>
> 2) kinit
>
> 3) su - over an existing ssh session with another user (e.g. mine)
>
> In all three cases the user is able to set their password, but
> sambaPwdLastSet remains set to 0.
>
> As a workaround we use Apache Directory Studio to manually set
> sambaPwdLastSet once the user has changed his password.
>
> Chris

AFAICT the user needs the sambaSamAccount objectclass in order for this
to work. Is that the case?

rob

From abokovoy at redhat.com Mon Jul 20 13:52:32 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 20 Jul 2015 16:52:32 +0300
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To: <55ACFBF4.4090707@redhat.com>
References: <20150428170157.GA26437@redhat.com> <20150428181100.GE26437@redhat.com> <20150428183655.GF26437@redhat.com> <55ACFBF4.4090707@redhat.com>
Message-ID: <20150720135232.GH21928@redhat.com>

On Mon, 20 Jul 2015, Rob Crittenden wrote:
>Christopher Lamb wrote:
>>Hi Alexander
>>
>>This issue got overtaken by others, and slipped off my radar for a bit...
>>
>>While the solution suggested earlier in this thread at
>>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>sounds interesting (and we are running the correct versions of OEL 7.1 and
>>SSSD), it seems to require the Windows clients to be members of an Active
>>Directory trusted by IPA.
>>
>>Unfortunately there is no AD in our architecture - our Windows and OSX
>>clients are effectively islands. That would seem to leave us stuck with
>>sambaPwdLastSet.
>>
>>After a user has had his password reset via the IPA WebUi to a temporary
>>value, the user then logs on using the temporary password, and is asked to
>>enter a new password. At this point sambaPwdLastSet should be set to a
>>positive value. However our testing indicates that it is not. We have tried
>>3 techniques:
>>
>>1) User connects to LDAP server via remote ssh.
>>
>>2) kinit
>>
>>3) su - over an existing ssh session with another user (e.g. mine)
>>
>>In all three cases the user is able to set their password, but
>>sambaPwdLastSet remains set to 0.
>>
>>As a workaround we use Apache Directory Studio to manually set
>>sambaPwdLastSet once the user has changed his password.
>>
>>Chris
>
>AFAICT the user needs the sambaSamAccount objectclass in order for
>this to work. Is that the case?
Yes, exactly. This object class is not used by IPA integration with
Samba, so we don't give it to users by default.

The code in IPA password plugin checks if there is an object class named
SambaSamAccount on the user entry and then manipulates sambaPwdLastSet
as required.

--
/ Alexander Bokovoy

From christopher.lamb at ch.ibm.com Mon Jul 20 13:56:50 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 20 Jul 2015 15:56:50 +0200
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To: <55ACFBF4.4090707@redhat.com>
References: <20150428170157.GA26437@redhat.com> <20150428181100.GE26437@redhat.com> <20150428183655.GF26437@redhat.com> <55ACFBF4.4090707@redhat.com>
Message-ID:

Hi Rob

The users do have the sambaSamAccount ObjectClass.

Or to be more precise, some have sambasamaccount (all lower case), and some
have sambaSAMAccount (mixed case)

Are objectclasses case sensitive?

Chris

From: Rob Crittenden
To: Christopher Lamb/Switzerland/IBM at IBMCH, Alexander Bokovoy
Cc: freeipa-users at redhat.com
Date: 20.07.2015 15:47
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

Christopher Lamb wrote:
> Hi Alexander
>
> This issue got overtaken by others, and slipped off my radar for a bit...
>
> While the solution suggested earlier in this thread at
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> sounds interesting (and we are running the correct versions of OEL 7.1 and
> SSSD), it seems to require the Windows clients to be members of an Active
> Directory trusted by IPA.
>
> Unfortunately there is no AD in our architecture - our Windows and OSX
> clients are effectively islands. That would seem to leave us stuck with
> sambaPwdLastSet.
>
> After a user has had his password reset via the IPA WebUi to a temporary
> value, the user then logs on using the temporary password, and is asked to
> enter a new password. At this point sambaPwdLastSet should be set to a
> positive value. However our testing indicates that it is not. We have tried
> 3 techniques:
>
> 1) User connects to LDAP server via remote ssh.
>
> 2) kinit
>
> 3) su - over an existing ssh session with another user (e.g. mine)
>
> In all three cases the user is able to set their password, but
> sambaPwdLastSet remains set to 0.
>
> As a workaround we use Apache Directory Studio to manually set
> sambaPwdLastSet once the user has changed his password.
>
> Chris

AFAICT the user needs the sambaSamAccount objectclass in order for this
to work. Is that the case?

rob

From rmeggins at redhat.com Mon Jul 20 14:22:57 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Jul 2015 08:22:57 -0600
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To:
References: <20150428170157.GA26437@redhat.com> <20150428181100.GE26437@redhat.com> <20150428183655.GF26437@redhat.com> <55ACFBF4.4090707@redhat.com>
Message-ID: <55AD0441.6060505@redhat.com>

On 07/20/2015 07:56 AM, Christopher Lamb wrote:
> Hi Rob
>
> The users do have the sambaSamAccount ObjectClass.
>
> Or to be more precise, some have sambasamaccount (all lower case), and some
> have sambaSAMAccount (mixed case)
>
> Are objectclasses case sensitive?

No, unless there is a bug in the objectclass matching/comparison code.

>
> Chris
>
>
>
> From: Rob Crittenden
> To: Christopher Lamb/Switzerland/IBM at IBMCH, Alexander Bokovoy
> Cc: freeipa-users at redhat.com
> Date: 20.07.2015 15:47
> Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
>
>
> Christopher Lamb wrote:
>> Hi Alexander
>>
>> This issue got overtaken by others, and slipped off my radar for a bit...
>>
>> While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>> sounds interesting (and we are running the correct versions of OEL 7.1 and
>> SSSD), it seems to require the Windows clients to be members of an Active
>> Directory trusted by IPA.
>>
>> Unfortunately there is no AD in our architecture - our Windows and OSX
>> clients are effectively islands. That would seem to leave us stuck with
>> sambaPwdLastSet.
>>
>> After a user has had his password reset via the IPA WebUi to a temporary
>> value, the user then logs on using the temporary password, and is asked to
>> enter a new password. At this point sambaPwdLastSet should be set to a
>> positive value. However our testing indicates that it is not. We have tried
>> 3 techniques:
>>
>> 1) User connects to LDAP server via remote ssh.
>>
>> 2) kinit
>>
>> 3) su - over an existing ssh session with another user (e.g. mine)
>>
>> In all three cases the user is able to set their password, but
>> sambaPwdLastSet remains set to 0.
>>
>> As a workaround we use Apache Directory Studio to manually set
>> sambaPwdLastSet once the user has changed his password.
>>
>> Chris
> AFAICT the user needs the sambaSamAccount objectclass in order for this
> to work. Is that the case?
>
> rob
>
>
>

From ellertalexandre at gmail.com Mon Jul 20 14:31:45 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Mon, 20 Jul 2015 16:31:45 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <55A7C5C4.20106@redhat.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com>
Message-ID:

>
> Is there anything related to the connection error in dirsrv logs?
>
> /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> /var/log/dirsrv/slapd-EXAMPLE-COM/access
> --
> Petr Vobornik

Yes, there are errors in /var/log/dirsrv/slapd-EXAMPLE-COM/errors when I
try to start with ipactl -f start:

==> errors <==
[20/Jul/2015:16:28:05 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[20/Jul/2015:16:28:05 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[20/Jul/2015:16:28:06 +0200] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
[20/Jul/2015:16:28:06 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[20/Jul/2015:16:28:06 +0200] - SSL alert: Configured NSS Ciphers
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
[20/Jul/2015:16:28:06 +0200] - WARNING: cache too small, increasing to 500K bytes
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 1384448B; We recommend to increase the entry cache size nsslapd-cachememsize.
[20/Jul/2015:16:28:06 +0200] - WARNING: ipaca: entry cache size 512000B is less than db size 20013056B; We recommend to increase the entry cache size nsslapd-cachememsize.
[20/Jul/2015:16:28:06 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 9314304B; We recommend to increase the entry cache size nsslapd-cachememsize.
[20/Jul/2015:16:28:06 +0200] - I'm resizing my cache now...cache was 320000 and is now 400000
[20/Jul/2015:16:28:07 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=numeezy,dc=fr
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[20/Jul/2015:16:28:07 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=numeezy,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
[20/Jul/2015:16:28:07 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[20/Jul/2015:16:28:07 +0200] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat" (inf-ipa:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[20/Jul/2015:16:28:07 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jul/2015:16:28:07 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[20/Jul/2015:16:28:07 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[20/Jul/2015:16:28:07 +0200] NSMMReplicationPlugin - agmt="cn=meToinf-ipa.numeezy.fr" (inf-ipa:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[20/Jul/2015:16:28:07 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=numeezy,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
[20/Jul/2015:16:28:10 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jul/2015:16:28:10 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[20/Jul/2015:16:28:10 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[20/Jul/2015:16:28:10 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[20/Jul/2015:16:28:11 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Jul/2015:16:28:11 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[20/Jul/2015:16:28:11 +0200] - Listening on /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests
[20/Jul/2015:16:28:16 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[20/Jul/2015:16:28:16 +0200] NSMMReplicationPlugin - agmt="cn=meToinf-ipa.numeezy.fr" (inf-ipa:389): Replication bind with GSSAPI auth resumed
[20/Jul/2015:16:28:17 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[20/Jul/2015:16:28:17 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[20/Jul/2015:16:28:28 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Mon Jul 20 14:38:41 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 20 Jul 2015 17:38:41 +0300
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com>
Message-ID: <20150720143841.GI21928@redhat.com>

On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>
>>
>> Is there anything related to the connection error in dirsrv logs?
>>
>> /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> /var/log/dirsrv/slapd-EXAMPLE-COM/access
>> --
>> Petr Vobornik
>
>Yes, there are errors in /var/log/dirsrv/slapd-EXAMPLE-COM/errors when I try to start with ipactl -f start:
>
>==> errors <==
>[20/Jul/2015:16:28:05 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>[20/Jul/2015:16:28:05 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
Can you please show output from

fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema

and definitions of 'dc' attribute from there.

'dc' attribute is defined in 00core.ldif as

attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )

Note that syntax is 1.3.6.1.4.1.1466.115.121.1.26 (IA5String) while
yours is 1.3.6.1.4.1.1466.115.121.1.15 (DirectoryString), they are not
the same.

What modifications did you do to the schema?

--
/ Alexander Bokovoy

From christopher.lamb at ch.ibm.com Mon Jul 20 14:38:51 2015
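
An added example (not part of the thread and not 389-ds code): a checker that unfolds schema LDIF, collects every definition of an attribute OID across files, and flags IA5 matching rules paired with a non-IA5String syntax, which is the condition the attr_syntax_create errors above report for dc. The 99user.ldif override in it is constructed for illustration, and the list of IA5-only rules is the set RFC 4517 defines.

```python
import re

IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
# Matching rules that RFC 4517 defines for IA5String values only.
IA5_ONLY_RULES = {"caseexactia5match", "caseignoreia5match",
                  "caseignoreia5substringsmatch"}

# The 'dc' definition from 00core.ldif as quoted in the thread.
SAMPLE_00CORE = (
    "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) "
    "EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE "
    "X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )\n"
)

# Constructed override: same OID, DirectoryString syntax, folded mid-token
# the way LDIF writers fold long lines (continuations start with one space).
SAMPLE_99USER = """\
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'constructed override' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su
 bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'use
 r defined' )
"""

QUOTED = re.compile(r"'[^']*'")
DEFINITION = re.compile(r"\(\s*([\d.]+)\s+(.*)\)\s*$")
NAME = re.compile(r"\bNAME\s+(?:('[^']*')|\(([^)]*)\))")


def unfold(text):
    """Join LDIF continuation lines (leading single space) to their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_types(text, source):
    """Return one dict per attributeTypes definition found in the LDIF text."""
    defs = []
    for line in unfold(text):
        key, _, value = line.partition(":")
        match = DEFINITION.match(value.strip())
        if key.strip().lower() != "attributetypes" or not match:
            continue
        oid, body = match.groups()
        name = NAME.search(body)
        names = ([q.strip("'") for q in QUOTED.findall(name.group(1) or name.group(2))]
                 if name else [])
        # Blank out quoted strings so DESC text cannot be mistaken for keywords.
        bare = QUOTED.sub("''", body)

        def keyword(word):
            hit = re.search(r"\b%s\s+(\S+)" % word, bare)
            return hit.group(1).split("{")[0] if hit else None

        defs.append({"oid": oid, "name": names[0] if names else oid,
                     "source": source, "equality": keyword("EQUALITY"),
                     "substr": keyword("SUBSTR"), "syntax": keyword("SYNTAX")})
    return defs


def check_schema(files):
    """files maps a file name to its LDIF text; returns a list of findings."""
    findings, by_oid = [], {}
    for source, text in files.items():
        for d in parse_attribute_types(text, source):
            by_oid.setdefault(d["oid"], []).append(d)
            for kind in ("equality", "substr"):
                rule = d[kind]
                if rule and rule.lower() in IA5_ONLY_RULES and d["syntax"] != IA5_STRING:
                    findings.append(("incompatible-rule", d["name"], source,
                                     "%s with syntax %s" % (rule, d["syntax"])))
    for defs in by_oid.values():
        syntaxes = sorted({str(d["syntax"]) for d in defs})
        if len(syntaxes) > 1:
            sources = ",".join(sorted(d["source"] for d in defs))
            findings.append(("conflicting-syntax", defs[0]["name"], sources,
                             ",".join(syntaxes)))
    return findings


if __name__ == "__main__":
    for finding in check_schema({"00core.ldif": SAMPLE_00CORE,
                                 "99user.ldif": SAMPLE_99USER}):
        print(finding)
```
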
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 20 Jul 2015 16:38:51 +0200
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To: <55AD0441.6060505@redhat.com>
References: <20150428170157.GA26437@redhat.com> <20150428181100.GE26437@redhat.com> <20150428183655.GF26437@redhat.com> <55ACFBF4.4090707@redhat.com> <55AD0441.6060505@redhat.com>
Message-ID:

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambaSamAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambaSAMAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambasamaccount)(uid=bilbo))"

all give me a result, indicating case is not important.

From: Rich Megginson
To: freeipa-users at redhat.com
Date: 20.07.2015 16:24
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Sent by: freeipa-users-bounces at redhat.com

On 07/20/2015 07:56 AM, Christopher Lamb wrote:
> Hi Rob
>
> The users do have the sambaSamAccount ObjectClass.
>
> Or to be more precise, some have sambasamaccount (all lower case), and some
> have sambaSAMAccount (mixed case)
>
> Are objectclasses case sensitive?

No, unless there is a bug in the objectclass matching/comparison code.

>
> Chris
>
>
>
> From: Rob Crittenden
> To: Christopher Lamb/Switzerland/IBM at IBMCH, Alexander Bokovoy
> Cc: freeipa-users at redhat.com
> Date: 20.07.2015 15:47
> Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
>
>
> Christopher Lamb wrote:
>> Hi Alexander
>>
>> This issue got overtaken by others, and slipped off my radar for a bit...
>>
>> While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>> sounds interesting (and we are running the correct versions of OEL 7.1 and
>> SSSD), it seems to require the Windows clients to be members of an Active
>> Directory trusted by IPA.
>>
>> Unfortunately there is no AD in our architecture - our Windows and OSX
>> clients are effectively islands. That would seem to leave us stuck with
>> sambaPwdLastSet.
>>
>> After a user has had his password reset via the IPA WebUi to a temporary
>> value, the user then logs on using the temporary password, and is asked to
>> enter a new password. At this point sambaPwdLastSet should be set to a
>> positive value. However our testing indicates that it is not. We have tried
>> 3 techniques:
>>
>> 1) User connects to LDAP server via remote ssh.
>>
>> 2) kinit
>>
>> 3) su - over an existing ssh session with another user (e.g. mine)
>>
>> In all three cases the user is able to set their password, but
>> sambaPwdLastSet remains set to 0.
>>
>> As a workaround we use Apache Directory Studio to manually set
>> sambaPwdLastSet once the user has changed his password.
>>
>> Chris
> AFAICT the user needs the sambaSamAccount objectclass in order for this
> to work. Is that the case?
>
> rob
>
>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From ellertalexandre at gmail.com Mon Jul 20 15:11:44 2015
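
An added illustration (not part of the thread, and not FreeIPA code): an audit over ldapsearch-style LDIF that applies the rule described in this thread, where an entry carrying the sambaSamAccount object class with sambaPwdLastSet at 0 still needs a user-initiated password change, and object class and attribute names compare case-insensitively. Apart from uid bilbo and the base DN used above, the sample entries are constructed, and LDIF line folding is assumed not to occur in the input.

```python
import base64
from datetime import datetime, timezone

# Constructed sample in the shape ldapsearch prints; only "bilbo" and the
# base DN come from the thread.
SAMPLE_LDIF = """\
# constructed sample entries
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: posixaccount
objectClass: sambasamaccount
uid: bilbo
sambaPwdLastSet: 0

dn: uid=frodo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: frodo
sambapwdlastset: 1437400000

dn: uid=sam,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: posixAccount
uid: sam

dn: uid=merry,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: SambaSamAccount
uid: merry
"""


def parse_ldif(text):
    """Split LDIF into entries: {lower-cased attribute name: [values]}."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            # "attr:: ..." marks a base64-encoded value.
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def classify(entry):
    """Return (state, last_change_utc) for one parsed entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        # Without the object class the attribute is not maintained at all.
        return ("no-samba-objectclass", None)
    raw = entry.get("sambapwdlastset")
    if not raw:
        return ("attribute-missing", None)
    try:
        stamp = int(raw[0])
    except ValueError:
        return ("invalid-value", None)
    if stamp <= 0:
        # 0 is what an administrator reset leaves behind.
        return ("must-change-password", None)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
    return ("ok", when)


def audit(text):
    """Map each entry's uid (or dn when uid is absent) to its classification."""
    report = {}
    for entry in parse_ldif(text):
        key = entry["uid"][0] if "uid" in entry else entry.get("dn", ["?"])[0]
        report[key] = classify(entry)
    return report


if __name__ == "__main__":
    for user, (state, when) in audit(SAMPLE_LDIF).items():
        print(user, state, when or "")
```
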
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Mon, 20 Jul 2015 17:11:44 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150720143841.GI21928@redhat.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com>
Message-ID:

> Can you please show output from
> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema

# fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif: MUST dc
/etc/dirsrv/slapd-NUMEEZY-FR/schema/05rfc4524.ldif: MUST dc
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME ( 'mgrpAllowedBroadcaster' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.788 NAME ( 'mgrpBroadcasterPolicy' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'Netscape Messaging Server 4.x defined objectclass' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ mailRoutingAddress $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolicy $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoDuplicateChecks $ mgrpRemoveHeader $ mgrpRFC822MailMember $ owner ) X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60trust.ldif:# dc=com?sub?objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=server)
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST d
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: UST dc MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Ad
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: dBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolic
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: bTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbP
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbSer
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALIT
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.788 NAME 'mgrpBroadcasterPolicy' DESC
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME 'mgrpAllowedBroadcaster' DESC
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:##### (FDNs of the krbKdcService objects).
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:##### Example: cn=kdc - server 1, ou=uvw, o=xyz
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:attributetypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top MUST ( cn ) MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:##### krbKdcService, krbAdmService and krbPwdService derive from this class.
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbService ) )

>
> and definitions of 'dc' attribute from there.
>
> 'dc' attribute is defined in 00core.ldif as
> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>   EQUALITY caseIgnoreIA5Match
>   SUBSTR caseIgnoreIA5SubstringsMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   SINGLE-VALUE
>   X-ORIGIN 'RFC 4519'
>   X-DEPRECATED 'domaincomponent' )

In 00core.ldif, I have :
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )

>
> Note that syntax is 1.3.6.1.4.1.1466.115.121.1.26 (IA5String) while yours is
> 1.3.6.1.4.1.1466.115.121.1.15 (DirectoryString), they are not the same.
>
> What modifications did you do to the schema?

As far as I remember, the only modification I made was to disable read-only access without authentication. I don't need any other special customization.

>
> --
> / Alexander Bokovoy

From abokovoy at redhat.com Mon Jul 20 15:17:50 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 20 Jul 2015 18:17:50 +0300
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com>
Message-ID: <20150720151750.GJ21928@redhat.com>

On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>
>> Can you please show output from
>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>
># fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema

This is original 'dc' definition:
>/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

This is the offending one:
>/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D

>In 00core.ldif, I have :
>attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
> EQUALITY caseIgnoreIA5Match
> SUBSTR caseIgnoreIA5SubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
> SINGLE-VALUE
> X-ORIGIN 'RFC 4519'
> X-DEPRECATED 'domaincomponent' )
If you look into 99user.ldif, you'll see the wrong definition there.

99user.ldif accumulates definitions coming from replication or updates.
You can check other IPA masters, do they have 'dc' attribute defined in
a wrong way?

>As far as I remember, the only modification I made was to disable
>read-only access without authentication. I don't need any other
>special customization.
Something brought the wrong definition into your IPA masters.
Maybe someone tried to add support for some old application?

--
/ Alexander Bokovoy

From rmeggins at redhat.com Mon Jul 20 15:24:12 2015
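The comparison Alexander Bokovoy describes in the message above (the 'dc' definition in 00core.ldif against the copy accumulated in 99user.ldif), generalized to every attributeTypes OID, as an added example that is not part of the original thread and is not 389-ds or FreeIPA code. The schema text in SAMPLE_SCHEMA is constructed for the example, and all function names are the example's own.

```python
import glob
import os
import re
from collections import defaultdict

# Constructed sample schema text (not copied from any server). On a real host
# the files live under /etc/dirsrv/slapd-INSTANCE/schema/ (see load_schema_dir).
# The 99user.ldif entries are folded mid-word, which is why a plain fgrep over
# that file shows fragments such as "... ) D" in the thread.
SAMPLE_SCHEMA = {
    "00core.ldif": """\
dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 4519' )
""",
    "99user.ldif": """\
dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'constructed example' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.11
 5.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name EQUALITY caseIgn
 oreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 4519' )
""",
}

ATTR_RE = re.compile(
    r"^attributetypes:\s*\(\s*(?P<oid>[\w.-]+)\s+(?P<body>.*)\)\s*$", re.I)
NAME_RE = re.compile(r"\bNAME\s+(?:\([^)]*\)|'[^']*')")


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line, and that single space is dropped. Comments are removed."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    return [line for line in logical if not line.startswith("#")]


def parse_attribute_types(text):
    """Return {oid: definition} for every attributeTypes value in one file."""
    defs = {}
    for line in unfold(text):
        match = ATTR_RE.match(line)
        if not match:
            continue
        body = match.group("body")
        name = NAME_RE.search(body)
        syntax = re.search(r"\bSYNTAX\s+([\d.]+)", body)
        equality = re.search(r"\bEQUALITY\s+(\S+)", body)
        defs[match.group("oid")] = {
            "names": [n.lower() for n in re.findall(r"'([^']*)'", name.group(0))] if name else [],
            "syntax": syntax.group(1) if syntax else None,
            "equality": equality.group(1).lower() if equality else None,
            "single_value": bool(re.search(r"\bSINGLE-VALUE\b", body)),
        }
    return defs


def find_conflicts(schema_files, fields=("syntax", "equality", "single_value")):
    """Report OIDs defined in more than one file with differing properties.
    The baseline is the first file in sorted order (00core.ldif sorts before
    99user.ldif)."""
    seen = defaultdict(list)
    for filename in sorted(schema_files):
        for oid, definition in parse_attribute_types(schema_files[filename]).items():
            seen[oid].append((filename, definition))
    conflicts = []
    for oid, entries in seen.items():
        base_file, base = entries[0]
        for other_file, other in entries[1:]:
            diff = {f: (base[f], other[f]) for f in fields if base[f] != other[f]}
            if diff:
                conflicts.append({"oid": oid, "names": base["names"],
                                  "files": (base_file, other_file), "diff": diff})
    return conflicts


def load_schema_dir(path):
    """Read every *.ldif file in a schema directory into {basename: text}."""
    files = {}
    for name in sorted(glob.glob(os.path.join(path, "*.ldif"))):
        with open(name, encoding="utf-8", errors="replace") as handle:
            files[os.path.basename(name)] = handle.read()
    return files


if __name__ == "__main__":
    for conflict in find_conflicts(SAMPLE_SCHEMA):
        print(conflict["oid"], conflict["names"], conflict["files"])
        for field, (expected, found) in conflict["diff"].items():
            print("  %s: %s -> %s" % (field, expected, found))
```

Running the same find_conflicts(load_schema_dir(...)) on each master gives the per-server answer to "do they have 'dc' attribute defined in a wrong way?".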
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Jul 2015 09:24:12 -0600
Subject: [Freeipa-users] Sync useradd from IPA to AD
In-Reply-To:
References: <55A696DE.2040604@redhat.com>
Message-ID: <55AD129C.7050505@redhat.com>

On 07/20/2015 07:02 AM, Email wrote:
> Hi Rich, thanks for the reply. Here is the link I'm working with
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory-trust.html
>
> I'm looking at both options, the cross forest trust and winsync. For
> my project FreeIPA needs to be authoritative wherever possible. Users
> need one domain account that works on Linux and Windows. Why would
> trusts be a better solution than winsync? Thanks for your help.

Please keep replies on-list.

In general, any time you don't have to copy information around, and ensure that it is in sync, and remains in sync, that is a better solution. Trusts does not copy/sync information, so in general it is preferred.

In your case, it seems that you want FreeIPA to be the authoritative source of information? And you want to create new users/groups in FreeIPA, and use that information in the AD/Windows environment? Is that correct?

>
> Tony
>
> On Wednesday, July 15, 2015, Rich Megginson wrote:
>
> On 07/15/2015 09:42 AM, Email wrote:
>> Hi everyone, my name is Tony and this is my first post, so it's
>> nice to meet all of you. I've been tasked with creating an AD and
>> FreeIPA environment, and I'm looking into the sync between the
>> two. It looks like creating a user in AD causes that user to be
>> created in IPA, but not the other way around. But if I create
>> them in IPA they will not be auto created in AD. I'm wondering
>> why this is.
>
> This is intentional. If you are using FreeIPA and windows sync,
> it is assumed you want AD to be the provisioning system for new
> users, and not FreeIPA.
>
> I would seriously consider using trusts instead of windows sync.
>
>> See section 8.1 of the fedora documentation as a reference.
>
> Link please? We may need to clarify the language.
>
>> Thanks in advance!
>>
>> ~Tony

From pvoborni at redhat.com Mon Jul 20 15:58:56 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 20 Jul 2015 17:58:56 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150720151750.GJ21928@redhat.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com>
Message-ID: <55AD1AC0.1040609@redhat.com>

On 07/20/2015 05:17 PM, Alexander Bokovoy wrote:
> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>
>>> Can you please show output from
>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>
>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>
> This is original 'dc' definition:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>
> This is the offending one:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>
>> In 00core.ldif, I have :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc'
>> 'domaincomponent' )
>> EQUALITY caseIgnoreIA5Match
>> SUBSTR caseIgnoreIA5SubstringsMatch
>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> SINGLE-VALUE
>> X-ORIGIN 'RFC 4519'
>> X-DEPRECATED 'domaincomponent' )
> If you look into 99user.ldif, you'll see the wrong definition there.
>
> 99user.ldif accumulates definitions coming from replication or updates.
> You can check other IPA masters, do they have 'dc' attribute defined in
> a wrong way?
>
>> As far as I remember, the only modification I made was to disable
>> read-only access without authentication. I don't need any other
>> special customization.
> Something brought the wrong definition into your IPA masters.
> Maybe someone tried to add support for some old application?
>

Probably caused by migration from 6.6 to 7.x. See https://bugzilla.redhat.com/show_bug.cgi?id=1220788 Usually it doesn't cause any issue but looks scary.

I'd try to isolate entries from DS, CA, maybe also krb5kdc logs around the time the following CA error happened (could be new start).

[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org

--
Petr Vobornik

From ellertalexandre at gmail.com Mon Jul 20 16:59:45 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Mon, 20 Jul 2015 18:59:45 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <55AD1AC0.1040609@redhat.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com> <55AD1AC0.1040609@redhat.com>
Message-ID: <1A112E00-6520-465E-A8CB-4CFECA6CE3D3@gmail.com>

> On 20 Jul 2015, at 17:58, Petr Vobornik wrote:
>
> On 07/20/2015 05:17 PM, Alexander Bokovoy wrote:
>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>
>>>> Can you please show output from
>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>
>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>
>> This is original 'dc' definition:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>
>> This is the offending one:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>
>>> In 00core.ldif, I have :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc'
>>> 'domaincomponent' )
>>> EQUALITY caseIgnoreIA5Match
>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>> SINGLE-VALUE
>>> X-ORIGIN 'RFC 4519'
>>> X-DEPRECATED 'domaincomponent' )
>> If you look into 99user.ldif, you'll see the wrong definition there.
>>
>> 99user.ldif accumulates definitions coming from replication or updates.
>> You can check other IPA masters, do they have 'dc' attribute defined in
>> a wrong way?
>>
>>> As far as I remember, the only modification I made was to disable
>>> read-only access without authentication. I don't need any other
>>> special customization.
>> Something brought the wrong definition into your IPA masters.
>> Maybe someone tried to add support for some old application?
>>
>
> Probably caused by migration from 6.6 to 7.x. See https://bugzilla.redhat.com/show_bug.cgi?id=1220788 Usually it doesn't cause any issue but looks scary.

I confirm this was a migration from CentOS 6.6 to 7.1. Everything else worked just fine following the RedHat migration procedure (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html)

>
> I'd try to isolate entries from DS, CA, maybe also krb5kdc logs around the time the following CA error happened (could be new start).
>
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
> Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org

I restarted IPA :

/var/log/pki/pki-tomcat/ca/debug :
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMS:Caught EBaseException

/var/log/krb5kdc.log :
otp: Loaded
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): setting up network...
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 8: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping unrecognized local address family 17
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 9: udp fe80::250:56ff:fe93:357e%ens160.88
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 11: tcp 0.0.0.0.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 10: tcp ::.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): set up 4 sockets
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16636](info): commencing operation
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: host/inf-ipa-2.numeezy.fr at NUMEEZY.FR for krbtgt/NUMEEZY.FR at NUMEEZY.FR, Additional pre-authentication required
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, host/inf-ipa-2.numeezy.fr at NUMEEZY.FR for krbtgt/NUMEEZY.FR at NUMEEZY.FR
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, host/inf-ipa-2.numeezy.fr at NUMEEZY.FR for ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: DNS/inf-ipa-2.numeezy.fr at NUMEEZY.FR for krbtgt/NUMEEZY.FR at NUMEEZY.FR, Additional pre-authentication required
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, DNS/inf-ipa-2.numeezy.fr at NUMEEZY.FR for krbtgt/NUMEEZY.FR at NUMEEZY.FR
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, DNS/inf-ipa-2.numeezy.fr at NUMEEZY.FR for ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR for krbtgt/NUMEEZY.FR at NUMEEZY.FR, Additional pre-authentication required
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408709, etypes {rep=18 tkt=18 ses=18}, ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR for krbtgt/NUMEEZY.FR at NUMEEZY.FR
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408709, etypes {rep=18 tkt=18 ses=18}, ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR for ldap/inf-ipa.numeezy.fr at NUMEEZY.FR
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:13:00 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (4 etypes {18 17 16 23}) 188.165.154.171: ISSUE: authtime 1437408779, etypes {rep=18 tkt=18 ses=18}, host/mut-web-2.numeezy.fr at NUMEEZY.FR for ldap/inf-ipa.numeezy.fr at NUMEEZY.FR
Jul 20 18:17:02 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (4 etypes {18 17 16 23}) 37.59.203.170: ISSUE: authtime 1437409022, etypes {rep=18 tkt=18 ses=18}, host/ded-web-8.numeezy.fr at NUMEEZY.FR for ldap/inf-ipa.numeezy.fr at NUMEEZY.FR
Jul 20 18:17:05 inf-ipa-2.numeezy.fr krb5kdc[16636](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Jul 20 18:17:05 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (4 etypes {18 17 16 23}) 188.165.154.171: PREAUTH_FAILED: admin at NUMEEZY.FR for krbtgt/NUMEEZY.FR at NUMEEZY.FR, Decrypt integrity check failed

Thanks for your investigation.

From orion at cora.nwra.com Mon Jul 20 17:52:48 2015
From: orion at cora.nwra.com (Orion Poplawski)
Date: Mon, 20 Jul 2015 11:52:48 -0600
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <55AC9BDE.4020505@redhat.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com> <559D5E6F.5010902@cora.nwra.com> <55A02C07.3090906@cora.nwra.com> <55A5F55A.6090203@redhat.com> <55A6AD1E.2070604@cora.nwra.com> <55AC9BDE.4020505@redhat.com>
Message-ID: <55AD3570.8020400@cora.nwra.com>

On 07/20/2015 12:57 AM, Jan Cholasta wrote:
> On 15.7.2015 at 20:57, Orion Poplawski wrote:
>> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>>>
>>> # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>
>> Directory Manager (existing master) password:
>>
>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>
>> Not much :(
>>
>> Seems to be very early.
>>
>> I can't find an ipa-replica-prepare.log file.
>
> That's weird, there should be ~50 lines of output before ipa-replica-prepare
> prompts you for directory manager password.
>
> I didn't have any luck in reproducing the issue so far.
>
> Could you please try this:
>
> $ mkdir tmpdb
> $ certutil -N -d tmpdb
> $ pk12util -i nwra.com.p12
> $ certutil -L -d tmpdb # look for nickname of certificate which has trust attributes of u,u,u
> $ certutil -O -d tmpdb -n nickname # use the nickname from above
>
> I would like to see the output of the last 2 commands.
>

[root at europa ~]# pk12util -i nwra.com.p12 -d tmpdb
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: *.nwra.com - COMODO CA Limited
pk12util: PKCS12 IMPORT SUCCESSFUL
[root at europa ~]# certutil -L -d tmpdb

Certificate Nickname                                                 Trust Attributes
                                                                     SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited    ,,
AddTrust External CA Root - AddTrust AB                              ,,
*.nwra.com - COMODO CA Limited                                       u,u,u
COMODO RSA Certification Authority - AddTrust AB                     ,,
[root at europa ~]# certutil -O -d tmpdb -n '*.nwra.com - COMODO CA Limited'
"AddTrust External CA Root - AddTrust AB" [CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE]

  "COMODO RSA Certification Authority - AddTrust AB" [CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]

    "COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited" [CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]

      "*.nwra.com - COMODO CA Limited" [CN=*.nwra.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated]

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com

From brian.topping at gmail.com Mon Jul 20 22:15:11 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Mon, 20 Jul 2015 16:15:11 -0600
Subject: [Freeipa-users] Client Certificates not in backlog
Message-ID: <3BE3C215-6767-4D2C-ACDD-E9D341BB04FB@gmail.com>

Hi I was just looking at http://www.freeipa.org/page/User_certificate_use_cases and was trying to do some self-service to see when it might get scheduled. Unless I am mistaken, it doesn't even seem to exist in the backlog. Is that intentional?

The reason I started to look at this again is I have been getting persistent password cracking attacks against public endpoints such as IMAP and SMTP. Client certificates would be an ideal solution and would work with mobile devices as well. I know many are using host certificates for this kind of thing, but it seems like there would be leakage if a user account were disabled and the respective hosts were not.

Most of the developers here use OS X, although maybe that needs to be revisited. I opened issue 21908279 on https://bugreport.apple.com to see if we could get any traction on making http://linsec.ca/Using_FreeIPA_for_User_Authentication easier, but bugreport.apple.com is a black hole and not much escapes.

Anyway, I thought these use cases might be interesting to others and it seems client certs are a great way to solve the problem. Would love to hear how others have solved these issues!

Cheers, Brian

From wgraboyes at cenic.org Mon Jul 20 22:35:42 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Mon, 20 Jul 2015 15:35:42 -0700
Subject: [Freeipa-users] FreeRadius Authentications (mschapv2)
Message-ID: <55AD77BE.2000104@cenic.org>

Hi List,

I have run into a snag, I figured I would start here and move forward. I have been searching around for the past 3 or 4 hours looking for some solution to the issue that I am having.

We are doing 802.1x against our freeipa servers. While Kerberos auth is working perfectly fine (when used from an android or linux device) however when it comes to Macs (they strive to be different -_-) when using EAP-TTLS (which everything else is perfectly happy to use chap or pap) Mac only uses mschapv2 when using EAP-TTLS.

I don't have an active directory to run against, nor do I have samba services running (why would I, there are a total of 5 windows boxes in the entire environment).

I was wondering if there was some form of a FreeIPA solution to this form of problem (something I may be missing) that will handle the NTLM auth on a linux system. I have found some things that are brutishly old, like kcrap, but nothing seems to fit the bill.

I am not against installing samba somewhere (even on the radius servers) to handle this form of authentication, I am just not sure which direction to go for handling this form of auth against FreeIPA.

I would much prefer to use PAM or Kerberos, it just doesn't look like that is going to work in this situation.

Thanks,
Bill
CENIC

From rcritten at redhat.com Mon Jul 20 22:44:30 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jul 2015 18:44:30 -0400
Subject: [Freeipa-users] Client Certificates not in backlog
In-Reply-To: <3BE3C215-6767-4D2C-ACDD-E9D341BB04FB@gmail.com>
References: <3BE3C215-6767-4D2C-ACDD-E9D341BB04FB@gmail.com>
Message-ID: <55AD79CE.7020300@redhat.com>

Brian Topping wrote:
> Hi I was just looking at http://www.freeipa.org/page/User_certificate_use_cases and was trying to do some self-service to see when it might get scheduled. Unless I am mistaken, it doesn't even seem to exist in the backlog. Is that intentional?
>
> The reason I started to look at this again is I have been getting persistent password cracking attacks against public endpoints such as IMAP and SMTP. Client certificates would be an ideal solution and would work with mobile devices as well. I know many are using host certificates for this kind of thing, but it seems like there would be leakage if a user account were disabled and the respective hosts were not.
>
> Most of the developers here use OS X, although maybe that needs to be revisited. I opened issue 21908279 on https://bugreport.apple.com to see if we could get any traction on making http://linsec.ca/Using_FreeIPA_for_User_Authentication easier, but bugreport.apple.com is a black hole and not much escapes.
>
> Anyway, I thought these use cases might be interesting to others and it seems client certs are a great way to solve the problem. Would love to hear how others have solved these issues!
>
> Cheers, Brian
>

It is in FreeIPA 4.2: https://www.redhat.com/archives/freeipa-interest/2015-July/msg00002.html

rob

From brian.topping at gmail.com Mon Jul 20 23:22:27 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Mon, 20 Jul 2015 17:22:27 -0600
Subject: [Freeipa-users] Client Certificates not in backlog
In-Reply-To: <55AD79CE.7020300@redhat.com>
References: <3BE3C215-6767-4D2C-ACDD-E9D341BB04FB@gmail.com> <55AD79CE.7020300@redhat.com>
Message-ID:

Oh wow, thanks guys! Will watch for it to show up in the CentOS repos!

best, Brian

> On Jul 20, 2015, at 16:44, Rob Crittenden wrote:
>
> Brian Topping wrote:
>> Hi I was just looking at http://www.freeipa.org/page/User_certificate_use_cases and was trying to do some self-service to see when it might get scheduled. Unless I am mistaken, it doesn't even seem to exist in the backlog. Is that intentional?
>>
>> The reason I started to look at this again is I have been getting persistent password cracking attacks against public endpoints such as IMAP and SMTP. Client certificates would be an ideal solution and would work with mobile devices as well. I know many are using host certificates for this kind of thing, but it seems like there would be leakage if a user account were disabled and the respective hosts were not.
>>
>> Most of the developers here use OS X, although maybe that needs to be revisited. I opened issue 21908279 on https://bugreport.apple.com to see if we could get any traction on making http://linsec.ca/Using_FreeIPA_for_User_Authentication easier, but bugreport.apple.com is a black hole and not much escapes.
>>
>> Anyway, I thought these use cases might be interesting to others and it seems client certs are a great way to solve the problem. Would love to hear how others have solved these issues!
>>
>> Cheers, Brian
>
> It is in FreeIPA 4.2: https://www.redhat.com/archives/freeipa-interest/2015-July/msg00002.html
>
> rob

From gjn at gjn.priv.at Tue Jul 21 08:22:01 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Tue, 21 Jul 2015 10:22:01 +0200
Subject: [Freeipa-users] EMail Address in Certificate
Message-ID: <5729934.Ag4jnhmsxp@techz>

Hello,

Is it possible to add an email address to a user certificate (Subject Alternative Name)?

I mean I have read something but I can't find it again.

Thanks for an answer,
--
Best regards,

Günther J. Niederwimmer

From Markus.Moj at mc.ingenico.com Tue Jul 21 09:37:08 2015
From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com)
Date: Tue, 21 Jul 2015 09:37:08 +0000
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References: <20150628132501.GB19902@redhat.com>
Message-ID:

Hi Christopher,

thanks for your help. As you've described everything works properly and runs smoothly. Many thanks for your help.

Cheers,
Markus

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com]
Sent: Tuesday, 7 July 2015 19:15
To: Moj, Markus; freeipa-users at redhat.com
Subject: Re: AW: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Markus

I can now replicate FreeIPA groups / group membership to Jira Local Directory

/var/log/dirsrv/slapd-*/access showed me the queries Jira is performing to get the groups. Comparing this to the FreeIPA structure using Apache Directory Studio gave the answer.

Under Group Schema Settings, change
* Group Object Class from groupOfUniqueNames to groupOfNames
* Group Object Filter from (objectclass=groupOfUniqueNames) to (objectclass=groupOfNames)

Under Membership Schema Setting change
* Group Members Attribute from uniqueMember to Member

Chris

From:
To: Christopher Lamb/Switzerland/IBM at IBMCH, ,
Cc:
Date: 06.07.2015 08:00
Subject: AW: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Chris,

thanks for your help. Now we are able to login and have our mails delivered. Do you maybe know which configuration objects need to be used in Jira to be able to use the FreeIPA groups? We have configured all necessary Jira groups in FreeIPA but it doesn't work as it should.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com]
Sent: Wednesday, 1 July 2015 09:31
To: Moj, Markus; abokovoy at redhat.com; mkosek at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Markus

It is a pleasure. It was serendipity that we were working on the same problem at the same time. Your thread prompted me to take a different look at the question and find a viable solution. Let us know if it works for you.

What intrigues me is: with my solution we had to change from an anonymous bind to a simple bind via user / pw to get one extra attribute: mail. This raises the question: Is there some way to configure IPA to determine which user attributes are returned to anonymous binds?

Cheers
Chris
From:
To: Christopher Lamb/Switzerland/IBM at IBMCH, ,
Cc:
Date: 01.07.2015 07:54
Subject: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our Jira and see how it works out.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA, including the vital mail attribute! Note there are probably other solutions that work as well, but this is the one that works for us.

Key points:

a) Integration Style: "Internal Directory with LDAP Authentication" --> only those users that attempt to login are replicated, useful if your JIRA users are a subset of your FreeIPA users.
b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA Support.
c) bind = via user / password --> we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all important mail attribute was not replicated.
d) as the password of the bind user is stored in plaintext in the jira db, make sure this is a limited user (member of the default ipa-users group is sufficient). e.g. don't use the Directory Manager user!
e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute.

Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function).
mysql> select attribute_name, attribute_value from cwd_directory_attribute where directory_id = 10001;
+--------------------------------------------+----------------------------------------------------------------+
| attribute_name                             | attribute_value
+--------------------------------------------+----------------------------------------------------------------+
| autoAddGroups                              | jira-users
| crowd.delegated.directory.auto.create.user | true
| crowd.delegated.directory.auto.update.user | true
| crowd.delegated.directory.importGroups     | false
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com
| ldap.external.id                           | uid
| ldap.group.description                     | description
| ldap.group.dn                              |
| ldap.group.filter                          | (objectclass=groupOfUniqueNames)
| ldap.group.name                            | cn
| ldap.group.objectclass                     | groupOfUniqueNames
| ldap.group.usernames                       | uniqueMember
| ldap.nestedgroups.disabled                 | true
| ldap.pagedresults                          | false
| ldap.pagedresults.size                     | 1000
| ldap.password                              | xxxxxxxxx
| ldap.referral                              | false
| ldap.url                                   | ldap://xxx-ldap.my.silly.example.com:389
| ldap.user.displayname                      | displayName
| ldap.user.dn                               | cn=accounts
| ldap.user.email                            | mail
| ldap.user.filter                           | (objectclass=inetorgperson)
| ldap.user.firstname                        | givenName
| ldap.user.group                            | memberOf
| ldap.user.lastname                         | sn
| ldap.user.objectclass                      | inetorgperson
| ldap.user.username                         | uid
| ldap.user.username.rdn                     | cn
| ldap.userdn                                | uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
| ldap.usermembership.use                    | false
| ldap.usermembership.use.for.groups         | false
+--------------------------------------------+----------------------------------------------------------------+

@Martin K

In an earlier thread on FreeIPA / JIRA integration you asked for contributions to a "How to Article". I think the solution above could be the basis of such an article.

Cheers
Chris
From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Alexander Bokovoy , Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 29.06.2015 11:27
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

Hi all

I am fighting this exact problem too.

We had set up Jira, integrated to FreeIPA with the option "Internal Directory with LDAP Authentication", using anonymous bind. This integration path means that when a FreeIPA user attempts to log on to Jira with his FreeIPA credentials, his user is replicated from FreeIPA to the Jira user directory.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

While this allows FreeIPA users to successfully log in to Jira, the user was replicated without email, which renders Jira as useful as a chocolate teapot.

Alexander's reply prompted me to "go back to basics". So I fired up Apache Directory Studio, and the command line to do some ldapsearches, to see what was returned. This should then guide me how to configure the JIRA / FreeIPA integration.
Query 1: Anonymous bind, filter is uid = bilbo

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=bilbo)
# requesting: ALL
#

# bilbo, users, compat, my.ch.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
gidNumber: 1175800010
gecos: bilbo bagins
uidNumber: 1175800010
loginShell: /bin/sh
homeDirectory: /home/bilbo
uid: bilbo

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

This returns 2 replies, inc one from the compat tree, as suggested by Alexander. Note however, neither reply has the mail attribute!
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid = bilbo (This is probably close to the JIRA query, which includes inetorgperson)

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This now returns 1 record, from users, accounts, but still no mail attribute.

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Ah! me thinks - what about a search with user and password? Does this get us something different?
Query 3: same as query 2, but no longer anonymous:

[root at xxx-ldap ~]# ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
mail: lamb at ch.example.com
krbPrincipalName: bilbo at my.silly.example.COM
givenName: bilbo
sn: bagins
ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872
uidNumber: 1175800010
gidNumber: 1175800010
krbPasswordExpiration: 20150831183039Z
krbLastPwdChange: 20150602183039Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

That is much more like it: Performing the query with an ldap user and password gives me many more attributes, including the desired mail attribute.

Next I will configure JIRA to bind to FreeIPA with a FreeIPA user (non-anonymous bind), and report back ... (unless there is a way to configure which attributes are available to anonymous binds ...)

Cheers
Chris
From: Alexander Bokovoy
To: Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 28.06.2015 15:26
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote:
>Hi @all,
>
>I am new to operating freeIPA and am facing an issue with the mail object
>in freeIPA. We are running Jira from Atlassian and are trying to
>authenticate against freeIPA. The authentication process is running but
>the mail object is not provided by freeIPA to Jira to inform users about
>new events / trackers or whatsoever. If a test object is displayed with
>ldapsearch the mail attribute is available and set but is not usable by
>Jira.
>
>How is it possible to inherit mail accounts in Jira to be able to
>authenticate and use FreeIPA as IDM for Jira as well as for Linux
>systems.

This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your basedn when configuring Jira. If that's the case, then Jira gets results from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if the compat tree is enabled.

In the compat tree you have RFC2307 schema which doesn't include the mail attribute, and slapi-nis always answers first over LDAP queries that apply to cn=compat,$SUFFIX, so you are ending up with two LDAP entries returned for each individual IPA user: one from the compat tree without the mail attribute, another one is the original entry from cn=users,cn=accounts,$SUFFIX.

Jira most likely expects a single entry response and if it gets more, only evaluates the first entry -- the one that is returned by the compat tree and which doesn't have the mail attribute.

You can solve this issue by bounding your query to cn=accounts,$SUFFIX to only return primary IPA user/group entries.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From abokovoy at redhat.com Tue Jul 21 18:16:36 2015
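The behaviour described in the Jira thread above, as an added example (not code from any list participant, FreeIPA or Jira): a Python script that parses ldapsearch LDIF output and shows what a client that keeps only the first returned entry would store for each base DN and filter choice, with and without an authenticated bind. The sample LDIF, the mail value, the hidden-attribute set and all function names are constructed for illustration.

```python
import base64

SUFFIX = "dc=my,dc=silly,dc=example,dc=com"

# Constructed sample modelled on the authenticated ldapsearch output in the
# thread: compat-tree entry first, real entry second. The mail value is made
# up, and memberOf is folded to exercise LDIF line continuation.
SAMPLE_LDIF = """\
# bilbo, users, compat, my.silly.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
uid: bilbo

# bilbo, users, accounts, my.silly.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: inetorgperson
objectClass: posixaccount
uid: bilbo
mail: bilbo@example.com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=exam
 ple,dc=com

# search result
search: 2
result: 0 Success
"""

# Attributes the thread's anonymous queries did not return but the
# authenticated one did (an observation from the thread, used here as a model).
HIDDEN_FROM_ANONYMOUS = {"mail", "memberof", "krbprincipalname"}


def parse_ldif(text):
    """Parse ldapsearch output into a list of (dn, {attr_lowercase: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: continue the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif dn is not None:                   # skips "search:" / "result:" trailer
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def is_under(dn, base):
    """Naive subtree test; enough for these DNs, not for escaped commas."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


def subtree_search(entries, base, uid, objectclass=None):
    """Entries under base matching uid (and objectclass), in server order."""
    hits = []
    for dn, attrs in entries:
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if (is_under(dn, base) and uid in attrs.get("uid", [])
                and (objectclass is None or objectclass.lower() in classes)):
            hits.append((dn, attrs))
    return hits


def first_entry_mail(hits):
    """Mail value a client would store if it evaluates only the first entry."""
    return (hits[0][1].get("mail") or [None])[0] if hits else None


def anonymous_view(entries):
    """Model of the anonymous-bind result: same entries, restricted attributes."""
    return [(dn, {k: v for k, v in a.items() if k not in HIDDEN_FROM_ANONYMOUS})
            for dn, a in entries]


def report(entries, uid):
    """Map each configuration choice to (entries returned, mail the client sees)."""
    choices = [
        ("basedn=$SUFFIX", SUFFIX, None),
        ("basedn=cn=accounts,$SUFFIX", "cn=accounts," + SUFFIX, None),
        ("basedn=$SUFFIX, filter=inetorgperson", SUFFIX, "inetorgperson"),
    ]
    out = {}
    for label, base, oc in choices:
        hits = subtree_search(entries, base, uid, oc)
        out[label] = (len(hits), first_entry_mail(hits))
    return out


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for bind, view in (("authenticated", parsed), ("anonymous", anonymous_view(parsed))):
        for label, result in report(view, "bilbo").items():
            print(f"{bind:13} {label:38} -> {result}")
```

Running it on real output means replacing `SAMPLE_LDIF` with the text of an `ldapsearch` run against your own base DN; a row showing two entries with no mail is the compat-tree case described in the thread.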
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 21 Jul 2015 21:16:36 +0300
Subject: [Freeipa-users] FreeRadius Authentications (mschapv2)
In-Reply-To: <55AD77BE.2000104@cenic.org>
References: <55AD77BE.2000104@cenic.org>
Message-ID: <20150721181636.GR21928@redhat.com>

On Mon, 20 Jul 2015, William Graboyes wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>Hi List,
>
>
>I have run into a snag, I figured I would start here and move forward.
> I have been searching around for the past 3 or 4 hours looking for
>some solution to the issue that I am having.
>
>We are doing 802.1x against our freeipa servers. While Kerberos auth
>is working perfectly fine (when used from an android or linux device)
>however when it comes to Macs (they strive to be different -_-) when
>using EAP-TTLS (which everything else is perfectly happy to use chap
>or pap) Mac only uses mschapv2 when using EAP-TTLS.
>
>I don't have an active directory to run against, nor do I have samba
>services running (why would I, there are a total of 5 windows boxes in
>the entire environment).
>
>I was wondering if there was some form of a FreeIPA solution to this
>form of problem (something I may be missing) that will handle the NTLM
>auth on a linux system.
>
>I have found some things that are brutishly old, like kcrap, but
>nothing seems to fit the bill. I am not against installing samba
>somewhere (even on the radius servers) to handle this form of
>authentication, I am just not sure which direction to go for handling
>this form of auth against FreeIPA. I would much prefer to use PAM or
>Kerberos, it just doesn't look like that is going to work in this
>situation.

Check this blog post: http://firstyear.id.au/entry/22

--
/ Alexander Bokovoy

From wgraboyes at cenic.org Tue Jul 21 20:28:40 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Tue, 21 Jul 2015 13:28:40 -0700
Subject: [Freeipa-users] FreeRadius Authentications (mschapv2)
In-Reply-To: <20150721181636.GR21928@redhat.com>
References: <55AD77BE.2000104@cenic.org> <20150721181636.GR21928@redhat.com>
Message-ID: <55AEAB78.9030502@cenic.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Alexander, List,

I followed the steps on that blog post, however I am unable to retrieve the ipaNTHash attribute either as that service account, nor as the admin. Am I missing something?

ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: radius/edurad2.foo.bar at FOO.BAR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar

# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: admin at FOO.BAR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar

# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Thanks,
Bill Graboyes

On 7/21/15 11:16 AM, Alexander Bokovoy wrote:
> On Mon, 20 Jul 2015, William Graboyes wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
>>
>> Hi List,
>>
>>
>> I have run into a snag, I figured I would start here and move
>> forward. I have been searching around for the past 3 or 4 hours
>> looking for some solution to this the issue that I am having.
>>
>> We are doing 802.1x against our freeipa servers. While Kerberos
>> auth is working perfectly fine (when used from an android or
>> linux device) however when it comes to Macs (they strive to be
>> different -_-) when using EAP-TTLS (which everything else is
>> perfectly happy to use chap or pap) Mac only uses mschapv2 when
>> using EAP-TTLS.
>>
>> I don't have an active directory to run against, nor do I have
>> samba services running (why would I, there are a total of 5
>> windows boxes in the entire environment).
>>
>> I was wondering if there was some form of a FreeIPA solution to
>> this form of problem (something I may be missing) that will
>> handle the NTLM auth on a linux system.
>>
>> I have found some things that are brutishly old, like kcrap, but
>> nothing seems to fit the bill. I am not against installing
>> samba somewhere (even on the radius servers) to handle this form
>> of authentication, I am just not sure which direction to go for
>> handling this form of auth against FreeIPA. I would much prefer
>> to use PAM or Kerberos, it just doesn't look like that is going
>> to work in this situation.
> Check this blog post: http://firstyear.id.au/entry/22
>

From ftweedal at redhat.com Wed Jul 22 01:09:58 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 22 Jul 2015 11:09:58 +1000
Subject: [Freeipa-users] EMail Address in Certificate
In-Reply-To: <5729934.Ag4jnhmsxp@techz>
References: <5729934.Ag4jnhmsxp@techz>
Message-ID: <20150722010958.GC20599@dhcp-40-8.bne.redhat.com>

On Tue, Jul 21, 2015 at 10:22:01AM +0200, Günther J. Niederwimmer wrote:
> Hello,
>
> Is it possible to add an email address to a user certificate (Subject
> Alternative Name)?
>
> I mean I have read something but I can't find it again.
>
> Thanks for an answer,
>
> --
> mit freundlichen Grüssen / best regards,
>
> Günther J. Niederwimmer
>

Hi Günther,

This is supported in FreeIPA 4.2, using the default profile. When you include an rfc822Name in the subjectAltName request extension it will be verified that it matches the user principal and then included in the final certificate.

Unfortunately there is not yet a way to automatically include an rfc822Name SAN based on the user's email.

Cheers,
Fraser

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From harenberg at physik.uni-wuppertal.de Wed Jul 22 09:06:53 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Wed, 22 Jul 2015 11:06:53 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
Message-ID: <55AF5D2D.2090002@physik.uni-wuppertal.de>

Dear community,

we just moved our infrastructure (about 200 node cluster plus about 30 workstations) from NIS to FreeIPA (version 4.1.4 on FC 21).

We have two IPA servers (called "ipa" and "ipa2" both paravirtualized on Xen4).

Approx once a day, the Kerberos service on the primary server suddenly stops working and I am unable to re-start the service. Only a "full" reboot helps and during that, the Kerberos shutdown takes about 2 minutes (unsure if it really finishes or if it's the final timeout of the shutdown script).

Trying to collect as many log messages as possible:

Jul 22 10:52:06 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 132.195.124.213: LOOKING_UP_CLIENT: host/proton.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Server error
Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 132.195.125.171: LOOKING_UP_CLIENT: host/wn161.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Server error

[root at ipa ~]# systemctl status krb5kdc.service
●
krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
   Active: failed (Result: exit-code) since Mi 2015-07-22 10:54:22 CEST; 10s ago
  Process: 11910 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
 Main PID: 1114 (code=exited, status=0/SUCCESS)

Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de krb5kdc[11910]: krb5kdc: cannot initialize realm PLEIADES.UNI-WUPPERTAL.DE - see log file for details
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: Failed to start Kerberos 5 KDC.
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: Unit krb5kdc.service entered failed state.
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: krb5kdc.service failed.

[root at ipa ~]# tail -f /var/log/krb5kdc.log
Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): closing down fd 13
Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): DISPATCH: repeated (retransmitted?) request from 132.195.124.213, resending previous response
Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): DISPATCH: repeated (retransmitted?)
request from 132.195.125.171, resending previous response
Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](debug): Got signal to request exit
Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): closing down fd 10
Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): closing down fd 11
Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): closing down fd 9
Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): closing down fd 8
Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info): shutting down
krb5kdc: Server error - while fetching master key K/M for realm PLEIADES.UNI-WUPPERTAL.DE

[root at ipa ~]# journalctl -xe
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen and drop on 1 v6wildcard :: UDP 123
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen normally on 3 eth0 132.195.124.12 UDP 123
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen normally on 4 lo ::1 UDP 123
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen normally on 5 eth0 fe80::216:3eff:fe14:c27a UDP 123
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listening on routing socket on fd #22 for interface updates
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de systemd[1]: Started Network Time Service.
-- Subject: Unit ntpd.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ntpd.service has finished starting up.
--
-- The start-up result is done.
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: 0.0.0.0 c016 06 restart
Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: 0.0.0.0 c012 02 freq_set ntpd -23.557 PPM
Jul 22 10:53:16 ipa.pleiades.uni-wuppertal.de ntpd[11903]: 0.0.0.0 c615 05 clock_sync
Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de systemd[1]: Stopping Kerberos 5 KDC...
-- Subject: Unit krb5kdc.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit krb5kdc.service has begun shutting down.
Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de systemd[1]: Starting Kerberos 5 KDC...
-- Subject: Unit krb5kdc.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit krb5kdc.service has begun starting up.
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de krb5kdc[11910]: krb5kdc: cannot initialize realm PLEIADES.UNI-WUPPERTAL.DE - see log file for details
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: Failed to start Kerberos 5 KDC.
-- Subject: Unit krb5kdc.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit krb5kdc.service has failed.
--
-- The result is failed.
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: Unit krb5kdc.service entered failed state.
Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: krb5kdc.service failed.
[root at ipa ~]#

[root at ipa ~]# rpm -qi freeipa-server
Name        : freeipa-server
Version     : 4.1.4
Release     : 1.fc21
Architecture: x86_64
Install Date: Di 28 Apr 2015 14:30:33 CEST
Group       : System Environment/Base
Size        : 4521059
License     : GPLv3+
Signature   : RSA/SHA256, Do 26 Mär 2015 23:58:02 CET, Key ID 89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Do 26 Mär 2015 16:16:19 CET
Build Host  : buildhw-07.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy (configuration settings, access control information) and Audit (events, logs, analysis thereof). If you are installing an IPA server you need to install this package (in other words, most people should NOT install this package).
[root at ipa ~]#

We already enlarged the capacity of the primary server (now two exclusive CPU cores and 8 GB RAM).

Any idea is appreciated, we are pretty new to IPA.

Kind regards,

Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<> <>
<> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <>
<> Bergische Universitaet <>
<> FB C - Physik Tel.: +49 (0)202 439-3521 <>
<> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
<> 42097 Wuppertal <>
<> <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From sbose at redhat.com Wed Jul 22 09:21:20 2015
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 22 Jul 2015 11:21:20 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AF5D2D.2090002@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de>
Message-ID: <20150722092120.GF7078@p.redhat.com>

On Wed, Jul 22, 2015 at 11:06:53AM +0200, Torsten Harenberg wrote:
> Dear community,
>
> we just moved our infrastructure (about 200 node cluster plus about 30
> workstations) from NIS to FreeIPA (version 4.1.4 on FC 21).
>
> We have two IPA servers (called "ipa" and "ipa2" both paravirtualized on
> Xen4).
>
> Approx once a day, the Kerberos service on the primary server suddenly
> stops working and I am unable to re-start the service. Only a "full"
> reboot helps and during that, the Kerberos shutdown takes about 2
> minutes (unsure if it really finishes or if it's the final timeout of
> the shutdown script).
>
> Trying to collect as many log messages as possible:
>
>
> Jul 22 10:52:06 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> AS_REQ (4 etypes {18 17 16 23}) 132.195.124.213: LOOKING_UP_CLIENT:
> host/proton.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Server error
> Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> AS_REQ (4 etypes {18 17 16 23}) 132.195.125.171: LOOKING_UP_CLIENT:
> host/wn161.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Server error

Looks like there are issues getting the needed data from the local LDAP server. The message below about the master key points in the same direction. Can you check the 389ds logs?

bye,
Sumit

>
>
> [root at ipa ~]# systemctl status krb5kdc.service
> ●
krb5kdc.service - Kerberos 5 KDC
> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
> Active: failed (Result: exit-code) since Mi 2015-07-22 10:54:22 CEST;
> 10s ago
> Process: 11910 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
> Main PID: 1114 (code=exited, status=0/SUCCESS)
>
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de krb5kdc[11910]: krb5kdc:
> cannot initialize realm PLEIADES.UNI-WUPPERTAL.DE - see log file for details
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]:
> krb5kdc.service: control process exited, code=exited status=1
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: Failed to
> start Kerberos 5 KDC.
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: Unit
> krb5kdc.service entered failed state.
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]:
> krb5kdc.service failed.
> [root at ipa ~]# tail -f /var/log/krb5kdc.log
> Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> closing down fd 13
> Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> DISPATCH: repeated (retransmitted?) request from 132.195.124.213,
> resending previous response
> Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> DISPATCH: repeated (retransmitted?)
request from 132.195.125.171,
> resending previous response
> Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](debug): Got
> signal to request exit
> Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> closing down fd 10
> Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> closing down fd 11
> Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> closing down fd 9
> Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> closing down fd 8
> Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
> shutting down
> krb5kdc: Server error - while fetching master key K/M for realm
> PLEIADES.UNI-WUPPERTAL.DE
>
>
> [root at ipa ~]# journalctl -xe
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen and
> drop on 1 v6wildcard :: UDP 123
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen
> normally on 2 lo 127.0.0.1 UDP 123
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen
> normally on 3 eth0 132.195.124.12 UDP 123
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen
> normally on 4 lo ::1 UDP 123
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listen
> normally on 5 eth0 fe80::216:3eff:fe14:c27a UDP 123
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: Listening on
> routing socket on fd #22 for interface updates
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de systemd[1]: Started
> Network Time Service.
> -- Subject: Unit ntpd.service has finished start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit ntpd.service has finished starting up.
> --
> -- The start-up result is done.
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: 0.0.0.0 c016
> 06 restart
> Jul 22 10:53:15 ipa.pleiades.uni-wuppertal.de ntpd[11903]: 0.0.0.0 c012
> 02 freq_set ntpd -23.557 PPM
> Jul 22 10:53:16 ipa.pleiades.uni-wuppertal.de ntpd[11903]: 0.0.0.0 c615
> 05 clock_sync
> Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de systemd[1]: Stopping
> Kerberos 5 KDC...
> -- Subject: Unit krb5kdc.service has begun shutting down
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit krb5kdc.service has begun shutting down.
> Jul 22 10:54:12 ipa.pleiades.uni-wuppertal.de systemd[1]: Starting
> Kerberos 5 KDC...
> -- Subject: Unit krb5kdc.service has begun with start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit krb5kdc.service has begun starting up.
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de krb5kdc[11910]: krb5kdc:
> cannot initialize realm PLEIADES.UNI-WUPPERTAL.DE - see log file for details
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]:
> krb5kdc.service: control process exited, code=exited status=1
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: Failed to
> start Kerberos 5 KDC.
> -- Subject: Unit krb5kdc.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit krb5kdc.service has failed.
> --
> -- The result is failed.
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]: Unit
> krb5kdc.service entered failed state.
> Jul 22 10:54:22 ipa.pleiades.uni-wuppertal.de systemd[1]:
> krb5kdc.service failed.
> [root at ipa ~]#
>
>
> [root at ipa ~]# rpm -qi freeipa-server
> Name : freeipa-server
> Version : 4.1.4
> Release : 1.fc21
> Architecture: x86_64
> Install Date: Di 28 Apr 2015 14:30:33 CEST
> Group : System Environment/Base
> Size : 4521059
> License : GPLv3+
> Signature : RSA/SHA256, Do 26 Mär 2015 23:58:02 CET, Key ID
> 89ad4e8795a43f54
> Source RPM : freeipa-4.1.4-1.fc21.src.rpm
> Build Date : Do 26 Mär 2015 16:16:19 CET
> Build Host : buildhw-07.phx2.fedoraproject.org
> Relocations : (not relocatable)
> Packager : Fedora Project
> Vendor : Fedora Project
> URL : http://www.freeipa.org/
> Summary : The IPA authentication server
> Description :
> IPA is an integrated solution to provide centrally managed Identity
> (machine,
> user, virtual machines, groups, authentication credentials), Policy
> (configuration settings, access control information) and Audit (events,
> logs, analysis thereof). If you are installing an IPA server you need
> to install this package (in other words, most people should NOT install
> this package).
> [root at ipa ~]#
>
> We already enlarged the capacity of the primary server (now two
> exclusive CPU cores and 8 GB RAM).
>
> Any idea is appreciated, we are pretty new to IPA.
>
> Kind regards,
>
> Torsten
>
>
> --
> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
> <> <>
> <> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <>
> <> Bergische Universitaet <>
> <> FB C - Physik Tel.: +49 (0)202 439-3521 <>
> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
> <> 42097 Wuppertal <>
> <> <>
> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From abokovoy at redhat.com Wed Jul 22 09:22:41 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Jul 2015 12:22:41 +0300
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AF5D2D.2090002@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de>
Message-ID: <20150722092240.GU21928@redhat.com>

On Wed, 22 Jul 2015, Torsten Harenberg wrote:
>Dear community,
>
>we just moved our infrastructure (about 200 node cluster plus about 30
>workstations) from NIS to FreeIPA (version 4.1.4 on FC 21).
>
>We have two IPA servers (called "ipa" and "ipa2" both paravirtualized on
>Xen4).
>
>Approx once a day, the Kerberos service on the primary server suddenly
>stops working and I am unable to re-start the service. Only a "full"
>reboot helps and during that, the Kerberos shutdown takes about 2
>minutes (unsure if it really finishes or if it's the final timeout of
>the shutdown script).
>
>Trying to collect as many log messages as possible:
>
>
>Jul 22 10:52:06 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
>AS_REQ (4 etypes {18 17 16 23}) 132.195.124.213: LOOKING_UP_CLIENT:
>host/proton.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
>krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Server error
>Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
>AS_REQ (4 etypes {18 17 16 23}) 132.195.125.171: LOOKING_UP_CLIENT:
>host/wn161.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
>krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Server error

Looking at the Kerberos KDC code I see that LOOKING_UP_CLIENT is shown
when DAL driver returns something different than 'entry does not exist':

    errcode = krb5_db_get_principal(kdc_context, state->request->client,
                                    state->c_flags, &state->client);
    if (errcode == KRB5_KDB_CANTLOCK_DB)
        errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
    if (errcode == KRB5_KDB_NOENTRY) {
        state->status = "CLIENT_NOT_FOUND";
        if (vague_errors)
            errcode = KRB5KRB_ERR_GENERIC;
        else
            errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
        goto errout;
    } else if (errcode) {
        state->status = "LOOKING_UP_CLIENT";
        goto errout;
    }

Our DAL driver may return KRB5_KDB_DBNOTINITED,
KRB5_KDB_SERVER_INTERNAL_ERR, or KRB5_KDB_INTERNAL_ERROR which all may
point towards 389-ds failures.

Do you have 389-ds actually operating? If you would install debuginfo
packages, what does 'pstack ' print?

--
/ Alexander Bokovoy

From harenberg at physik.uni-wuppertal.de Wed Jul 22 09:39:25 2015
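The distinction Alexander Bokovoy draws above between CLIENT_NOT_FOUND and LOOKING_UP_CLIENT can be applied directly to krb5kdc.log when triaging a KDC outage. The following is an added example, not part of the thread or of the krb5 or FreeIPA code; the sample lines, the category names, the `triage` and `verdict` helpers and the threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Status strings as they appear in the KDC excerpt quoted in the message above.
# In that excerpt vague_errors changes only errcode, not state->status.
BACKEND_FAILURE = "LOOKING_UP_CLIENT"  # lookup failed for a reason other than "no entry"
UNKNOWN_CLIENT = "CLIENT_NOT_FOUND"    # KRB5_KDB_NOENTRY: the principal does not exist

# Failed AS_REQ line: "<source>: <STATUS>: <client> for <server>, <error text>".
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<src>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>.+?) for (?P<server>.+?), (?P<error>.*)$"
)

# Constructed sample input (documentation hosts and addresses, not from the thread).
_PREFIX = "Jul 22 10:52:06 kdc.example.test krb5kdc[1114](info): "
_TGT = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
SAMPLE = [
    _PREFIX + "AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: LOOKING_UP_CLIENT: "
              "host/a.example.test@EXAMPLE.TEST for " + _TGT + ", Server error",
    _PREFIX + "AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: LOOKING_UP_CLIENT: "
              "host/b.example.test@EXAMPLE.TEST for " + _TGT + ", Server error",
    _PREFIX + "AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: CLIENT_NOT_FOUND: "
              "nosuchuser@EXAMPLE.TEST for " + _TGT
              + ", Client not found in Kerberos database",
    _PREFIX + "AS_REQ (4 etypes {18 17 16 23}) 192.0.2.13: NEEDED_PREAUTH: "
              "alice@EXAMPLE.TEST for " + _TGT
              + ", Additional pre-authentication required",
    _PREFIX + "closing down fd 13",  # not an AS_REQ line, ignored
]


def triage(lines):
    """Count failed AS_REQs per category and record who hit backend failures.

    Returns (counts, affected): counts is a Counter keyed by category,
    affected maps each client principal to the set of source addresses
    whose lookup failed inside the KDC database layer.
    """
    counts = Counter()
    affected = {}
    for line in lines:
        match = AS_REQ.search(line)
        if match is None:
            continue
        status = match["status"]
        if status == BACKEND_FAILURE:
            counts["kdb_backend_failure"] += 1
            affected.setdefault(match["client"], set()).add(match["src"])
        elif status == UNKNOWN_CLIENT:
            counts["unknown_principal"] += 1
        else:
            counts["other"] += 1
    return counts, affected


def verdict(counts, threshold=2):
    """Name what to look at first; the threshold is an assumed tuning value."""
    if counts["kdb_backend_failure"] >= threshold:
        return "backend"      # KDC cannot read its database: check the directory server
    if counts["unknown_principal"]:
        return "principals"   # KDC and database answer; the principals are missing
    return "none"


if __name__ == "__main__":
    sample_counts, sample_affected = triage(SAMPLE)
    print(dict(sample_counts), sorted(sample_affected), verdict(sample_counts))
```

Several distinct, known-good host principals failing with LOOKING_UP_CLIENT in the same window, as in the two log lines quoted in the thread, point at the database behind the KDC rather than at the clients.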
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Wed, 22 Jul 2015 11:39:25 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <20150722092240.GU21928@redhat.com>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com>
Message-ID: <55AF64CD.6010306@physik.uni-wuppertal.de>

Dear Alexander, dear Sumit,

thank you very much indeed for the quick replies.

On 22.07.15 at 11:21, Sumit Bose wrote:
> Looks like there are issues getting the needed data from the local LDAP
> server. The message below about the master key points into the same
> direction. Can you check the 389ds logs?

I have attached the
/var/log/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE/errors file to the end
of the mail, it's a bit larger. There are some "ticket expired"
messages, could that point to the source of the problem?

On 22.07.15 at 11:22, Alexander Bokovoy wrote:
> Do you have 389-ds actually operating? If you would install debuginfo
> packages, what does 'pstack ' print?

here is the output:

[root at ipa log]# ps ax | grep slapd
800 ?
Sl 0:33 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE -i /var/run/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE.pid -w /var/run/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE.startpid
1596 pts/0 S+ 0:00 grep --color=auto slapd
[root at ipa log]# pstack 800
[root at ipa log]#

Best regards and thanks again

Torsten

/var/log/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE/errors:

[root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# cat errors
389-Directory/1.3.3.8 B2015.036.047
ipa.pleiades.uni-wuppertal.de:636 (/etc/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE)

[20/Jul/2015:16:48:26 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [20/Jul/2015:16:48:26 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [20/Jul/2015:16:48:26 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [20/Jul/2015:16:48:26 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) [20/Jul/2015:16:48:30 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [20/Jul/2015:16:48:30 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [20/Jul/2015:16:48:30 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [20/Jul/2015:16:48:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [20/Jul/2015:16:48:36 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [20/Jul/2015:16:48:36 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [20/Jul/2015:16:48:48 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth resumed [21/Jul/2015:14:41:05 +0200] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [50088] into an unused SID. [21/Jul/2015:14:41:05 +0200] ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry. [21/Jul/2015:16:51:28 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:51:28 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:51:28 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:51:28 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:51:28 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:16:51:28 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) [21/Jul/2015:16:51:31 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:51:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:51:31 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:51:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:51:31 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:16:51:37 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:51:37 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:51:37 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:51:37 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:51:37 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:16:51:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:51:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:51:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:51:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:51:49 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:16:52:13 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:52:13 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:52:13 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:52:13 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:52:13 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:16:53:01 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:53:01 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:53:01 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:53:01 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:53:01 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:16:54:37 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:54:37 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:54:37 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:54:37 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:54:37 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:16:57:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:57:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:57:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:16:57:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:16:57:49 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:17:02:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:17:02:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:17:02:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:17:02:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:17:02:49 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:17:07:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:17:07:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:17:07:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:17:07:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:17:07:49 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:17:12:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:17:12:49 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:17:12:49 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:17:12:50 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory) [21/Jul/2015:17:12:50 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:17:13:16 +0200] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 99 max work q stack size 5 [21/Jul/2015:17:13:16 +0200] - slapd shutting down - waiting for 30 threads to terminate [21/Jul/2015:17:15:20 +0200] nis-plugin - error connecting rpcbind client socket to the service [21/Jul/2015:17:15:21 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [21/Jul/2015:17:15:21 +0200] - SSL alert: Configured NSS Ciphers [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 
+0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [21/Jul/2015:17:15:21 +0200] - 389-Directory/1.3.3.8 B2015.036.047 starting up [21/Jul/2015:17:15:21 +0200] - WARNING: cache too small, increasing to 500K bytes [21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding 
up [21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4177920B; We recommend to increase the entry cache size nsslapd-cachememsize. [21/Jul/2015:17:15:21 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 18096128B; We recommend to increase the entry cache size nsslapd-cachememsize. [21/Jul/2015:17:15:21 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [21/Jul/2015:17:15:21 +0200] nis-plugin - warning: no entries in domain=pleiades.uni-wuppertal.de,map=ethers.byaddr [21/Jul/2015:17:15:21 +0200] nis-plugin - warning: no entries in domain=pleiades.uni-wuppertal.de,map=ethers.byname [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with portmap service [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with portmap service [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with portmap service [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to 
portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with portmap service [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with portmap service [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with portmap service [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with portmap service [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with portmap service [21/Jul/2015:17:15:24 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de [21/Jul/2015:17:15:24 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de [21/Jul/2015:17:15:24 +0200] NSACLPlugin - 
The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:24 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [21/Jul/2015:17:15:25 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [21/Jul/2015:17:15:25 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be added before the CoS Definition. [21/Jul/2015:17:15:27 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=pleiades,dc=uni-wuppertal,dc=de. 
Check if DB RUV needs to be updated [21/Jul/2015:17:15:27 +0200] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 55ae7baf00a100040000 [21/Jul/2015:17:15:27 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [21/Jul/2015:17:15:27 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [21/Jul/2015:17:15:27 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [21/Jul/2015:17:15:27 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [21/Jul/2015:17:15:27 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be added before the CoS Definition. [21/Jul/2015:17:15:28 +0200] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [21/Jul/2015:17:15:28 +0200] - Listening on All Interfaces port 636 for LDAPS requests [21/Jul/2015:17:15:28 +0200] - Listening on /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests [21/Jul/2015:17:15:31 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth resumed [22/Jul/2015:09:42:27 +0200] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [50091] into an unused SID. [22/Jul/2015:09:42:27 +0200] ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry. [22/Jul/2015:11:01:26 +0200] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 260 max work q stack size 97 [22/Jul/2015:11:01:26 +0200] - slapd shutting down - waiting for 30 threads to terminate [22/Jul/2015:11:03:30 +0200] nis-plugin - error connecting rpcbind client socket to the service [22/Jul/2015:11:03:31 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [22/Jul/2015:11:03:31 +0200] - SSL alert: Configured NSS Ciphers [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [22/Jul/2015:11:03:31 +0200] - 389-Directory/1.3.3.8 B2015.036.047 starting up [22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up 
[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4218880B; We recommend to increase the entry cache size nsslapd-cachememsize. [22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 27992064B; We recommend to increase the entry cache size nsslapd-cachememsize. [22/Jul/2015:11:03:31 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [22/Jul/2015:11:03:32 +0200] nis-plugin - warning: no entries in domain=pleiades.uni-wuppertal.de,map=ethers.byaddr [22/Jul/2015:11:03:32 +0200] nis-plugin - warning: no entries in domain=pleiades.uni-wuppertal.de,map=ethers.byname [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - timeout registering with portmap service [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - timeout registering with portmap service [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] 
nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - timeout registering with portmap service [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - timeout registering with portmap service [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - timeout registering with portmap service [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - timeout registering with portmap service [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - timeout registering with portmap service [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [22/Jul/2015:11:03:34 +0200] nis-plugin - timeout 
registering with portmap service [22/Jul/2015:11:03:34 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de [22/Jul/2015:11:03:34 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [22/Jul/2015:11:03:35 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist 
[22/Jul/2015:11:03:35 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be added before the CoS Definition. [22/Jul/2015:11:03:38 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=pleiades,dc=uni-wuppertal,dc=de. Check if DB RUV needs to be updated [22/Jul/2015:11:03:38 +0200] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 55af7af3000e00040000 [22/Jul/2015:11:03:39 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [22/Jul/2015:11:03:39 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be added before the CoS Definition. [22/Jul/2015:11:03:39 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [22/Jul/2015:11:03:39 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jul/2015:11:03:39 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [22/Jul/2015:11:03:39 +0200] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [22/Jul/2015:11:03:39 +0200] - Listening on All Interfaces port 636 for LDAPS requests [22/Jul/2015:11:03:39 +0200] - Listening on /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests [22/Jul/2015:11:03:43 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth resumed -- <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> <> <> <> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <> <> Bergische Universitaet <> <> FB C - Physik Tel.: +49 (0)202 439-3521 <> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <> <> 42097 Wuppertal <> <> <> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><> From abokovoy at redhat.com Wed Jul 22 10:32:33 2015 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Jul 2015 13:32:33 +0300
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AF64CD.6010306@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de>
Message-ID: <20150722103233.GV21928@redhat.com>

On Wed, 22 Jul 2015, Torsten Harenberg wrote:
>Dear Alexander, dear Sumit,
>
>thank you very much indeed for the quick replies.
>
>On 22.07.15 at 11:21, Sumit Bose wrote:
>> Looks like there are issues getting the needed data from the local LDAP
>> server. The message below about the master key points into the same
>> direction. Can you check the 389ds logs?
>
>I have attached the
>/var/log/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE/errors file to the end
>of the mail, it's a bit larger.
>
>There are some "ticket expired" messages, could that point to the source
>of the problem?

No. It is, in a sense, a chicken-and-egg problem -- something caused KDC
to fail its connection to LDAP server and those LDAP server plugins that
needed Kerberos authentication (replication, for example), attempted to
obtain a ticket but failed because KDC failed.

The backtrace is also showing no problems as it is. Most threads are
simply in a wait state until clients come.

Also, sidgen plugin has issues:
>[21/Jul/2015:14:41:05 +0200] find_sid_for_ldap_entry - [file
>ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [50088] into an
>unused SID.
>[21/Jul/2015:14:41:05 +0200] ipa_sidgen_add_post_op - [file
>ipa_sidgen.c, line 149]: Cannot add SID to new entry.

I'm slightly worried with the slapi-nis plugin reporting issues of
talking to rpcbind to register itself.
>[21/Jul/2015:17:15:20 +0200] nis-plugin - error connecting rpcbind >client socket to the service >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with >portmap service >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with >portmap service >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with >portmap service >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with >portmap service >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with >portmap service >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused 
>[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with >portmap service >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with >portmap service >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - error sending request to >portmap or rpcbind on 9: Connection refused >[21/Jul/2015:17:15:24 +0200] nis-plugin - timeout registering with >portmap service -- / Alexander Bokovoy From sbose at redhat.com Wed Jul 22 10:44:17 2015 
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 22 Jul 2015 12:44:17 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AF64CD.6010306@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de>
Message-ID: <20150722104417.GG7078@p.redhat.com>

On Wed, Jul 22, 2015 at 11:39:25AM +0200, Torsten Harenberg wrote:
> Dear Alexander, dear Sumit,
>
> thank you very much indeed for the quick replies.
>
> On 22.07.15 at 11:21, Sumit Bose wrote:
> > Looks like there are issues getting the needed data from the local LDAP
> > server. The message below about the master key points into the same
> > direction. Can you check the 389ds logs?
>
> I have attached the
> /var/log/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE/errors file to the end
> of the mail, it's a bit larger.
>
> There are some "ticket expired" messages, could that point to the source
> of the problem?
>
>
> On 22.07.15 at 11:22, Alexander Bokovoy wrote:
> > Do you have 389-ds actually operating? If you would install debuginfo
> > packages, what does 'pstack ' print?
>
> here is the output:

Thank you for the logs. It looks like the KDC cannot talk to the LDAP
server and the LDAP server cannot talk to the KDC to renew a Kerberos
ticket. So we have to find out which came first.

To rule out KDC lookup issues it would be good if you can send the
content for /etc/krb5.conf and /var/lib/sss/pubconf/kdcinfo.* . Feel
free to send it to Alexander and me by private mail if you do not want
to disclose details of your environment on a public list.

bye,
Sumit

From aebruno2 at buffalo.edu Wed Jul 22 13:40:10 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 22 Jul 2015 09:40:10 -0400
Subject: [Freeipa-users] dnssec support in 4.1
Message-ID: <20150722134010.GA18036@dead.ccr.buffalo.edu>

Apologies if this has been answered before but we're interested in
dnssec support in FreeIPA. Running Centos 7.1.1503, ipa-server 4.1.0-18
and following the docs here:
https://www.freeipa.org/page/Howto/DNSSEC

and

http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support

# ipa-dns-install --dnssec-master
Usage: ipa-dns-install [options]

ipa-dns-install: error: no such option: --dnssec-master


Is this not supported in 4.1.0? If not, is there a manual way to get
zone signing to work?

Thanks,

--Andrew

From abokovoy at redhat.com Wed Jul 22 13:48:33 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Jul 2015 16:48:33 +0300
Subject: [Freeipa-users] dnssec support in 4.1
In-Reply-To: <20150722134010.GA18036@dead.ccr.buffalo.edu>
References: <20150722134010.GA18036@dead.ccr.buffalo.edu>
Message-ID: <20150722134833.GW21928@redhat.com>

On Wed, 22 Jul 2015, Andrew E. Bruno wrote:
>Apologies if this has been answered before but we're interested in
>dnssec support in FreeIPA. Running Centos 7.1.1503, ipa-server 4.1.0-18
>and following the docs here:
>https://www.freeipa.org/page/Howto/DNSSEC
>
>and
>
>http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support
>
># ipa-dns-install --dnssec-master
>Usage: ipa-dns-install [options]
>
>ipa-dns-install: error: no such option: --dnssec-master
>
>
>Is this not supported in 4.1.0? If not, is there a manual way to get
>zone signing to work?

DNSSEC support is switched off in RHEL 7.1 (and CentOS 7.1) but is
available in Fedora 21+/upstream bits.

We plan to bring DNSSEC support to next RHEL 7 update, thanks to
stabilization work done after RHEL 7.1 release.

--
/ Alexander Bokovoy

From aebruno2 at buffalo.edu Wed Jul 22 13:52:19 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 22 Jul 2015 09:52:19 -0400
Subject: [Freeipa-users] dnssec support in 4.1
In-Reply-To: <20150722134833.GW21928@redhat.com>
References: <20150722134010.GA18036@dead.ccr.buffalo.edu> <20150722134833.GW21928@redhat.com>
Message-ID: <20150722135219.GB18036@dead.ccr.buffalo.edu>

On Wed, Jul 22, 2015 at 04:48:33PM +0300, Alexander Bokovoy wrote:
> On Wed, 22 Jul 2015, Andrew E. Bruno wrote:
> >Apologies if this has been answered before but we're interested in
> >dnssec support in FreeIPA. Running Centos 7.1.1503, ipa-server 4.1.0-18
> >and following the docs here:
> >https://www.freeipa.org/page/Howto/DNSSEC
> >
> >and
> >
> >http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support
> >
> ># ipa-dns-install --dnssec-master
> >Usage: ipa-dns-install [options]
> >
> >ipa-dns-install: error: no such option: --dnssec-master
> >
> >
> >Is this not supported in 4.1.0? If not, is there a manual way to get
> >zone signing to work?
> DNSSEC support is switched off in RHEL 7.1 (and CentOS 7.1) but is
> available in Fedora 21+/upstream bits.
>
> We plan to bring DNSSEC support to next RHEL 7 update, thanks to
> stabilization work done after RHEL 7.1 release.

Sounds great. Thanks. Looking forward to the next update.

> --
> / Alexander Bokovoy
>
>

From ellertalexandre at gmail.com Wed Jul 22 14:53:40 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Wed, 22 Jul 2015 16:53:40 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150720151750.GJ21928@redhat.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com>
Message-ID: <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com>

> On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
>
> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>
>>> Can you please show output from
>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>
>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>
> This is original 'dc' definition:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>
> This is the offending one:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>
>> In 00core.ldif, I have :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> EQUALITY caseIgnoreIA5Match
>> SUBSTR caseIgnoreIA5SubstringsMatch
>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> SINGLE-VALUE
>> X-ORIGIN 'RFC 4519'
>> X-DEPRECATED 'domaincomponent' )
> If you look into 99user.ldif, you'll see the wrong definition there.
>
> 99user.ldif accumulates definitions coming from replication or updates.
> You can check other IPA masters, do they have 'dc' attribute defined in
> a wrong way?

I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema:

In 00core.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )

In 99user.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )

These two definitions are exactly the same on both IPA masters.
I don't understand what is wrong in 99user.ldif? How can I correct it with the good definition?

>
>> As far as I remember, the only modification I made was to disable
>> read-only access without authentication. I don't need any other
>> special customization.
> Something brought the wrong definition into your IPA masters.
> May be someone tried to add support for some old application?

Nobody else has ever had read/write access to the IPA servers. I'm the only admin.

From rmeggins at redhat.com Wed Jul 22 15:03:20 2015
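The comparison asked for in the message above ('dc' as defined in 00core.ldif against the copy in 99user.ldif) can be done mechanically across a schema directory. The script below is an added example, not part of the thread and not FreeIPA or 389-ds code; its function names are hypothetical and the sample text is constructed from the two definitions quoted in that message.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample: the two 'dc' definitions quoted in the message above,
# laid out as they would sit in the schema files. LDIF folds a long line by
# starting each continuation line with a single space.
SAMPLE_FILES = {
    "00core.ldif": (
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )\n"
        "  EQUALITY caseIgnoreIA5Match\n"
        "  SUBSTR caseIgnoreIA5SubstringsMatch\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26\n"
        "  SINGLE-VALUE\n"
        "  X-ORIGIN 'RFC 4519'\n"
        "  X-DEPRECATED 'domaincomponent' )\n"
    ),
    "99user.ldif": (
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D\n"
        " ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn\n"
        " oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI\n"
        " GIN ( 'RFC 2247' 'user defined' ) )\n"
    ),
}

# Fields that change how the server stores and matches values. DESC and
# X-ORIGIN are descriptive only and are deliberately not compared.
COMPARED = ("names", "syntax", "equality", "substr", "single_value")


def unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def _first(pattern, value):
    """Return the first capture group of pattern in value, or None."""
    m = re.search(pattern, value)
    return m.group(1) if m else None


def parse_attribute_types(text):
    """Yield (oid, fields) for every attributeTypes value in one schema file."""
    for line in unfold(text):
        m = re.match(r"(?i)attributetypes:\s*\(\s*(\S+)\s+(.*)", line)
        if not m:
            continue
        oid, body = m.groups()
        name_part = _first(r"\bNAME\s+(\([^)]*\)|'[^']*')", body) or ""
        yield oid, {
            "names": tuple(n.lower() for n in re.findall(r"'([^']*)'", name_part)),
            "syntax": _first(r"\bSYNTAX\s+([0-9.]+)", body),
            "equality": _first(r"\bEQUALITY\s+(\S+)", body),
            "substr": _first(r"\bSUBSTR\s+(\S+)", body),
            "single_value": bool(re.search(r"\bSINGLE-VALUE\b", body)),
        }


def find_conflicts(files):
    """Return [(oid, field, {filename: value})] for OIDs defined differently across files."""
    by_oid = defaultdict(dict)
    for filename, text in files.items():
        for oid, fields in parse_attribute_types(text):
            by_oid[oid][filename] = fields
    conflicts = []
    for oid, defs in sorted(by_oid.items()):
        for field in COMPARED:
            values = {fn: d[field] for fn, d in defs.items()}
            if len(set(values.values())) > 1:
                conflicts.append((oid, field, values))
    return conflicts


if __name__ == "__main__":
    # With a directory argument, read every *.ldif in it; otherwise use the sample.
    if len(sys.argv) > 1:
        files = {p.name: p.read_text() for p in sorted(Path(sys.argv[1]).glob("*.ldif"))}
    else:
        files = SAMPLE_FILES
    for oid, field, values in find_conflicts(files):
        print(f"{oid}: {field} differs")
        for filename, value in values.items():
            print(f"    {filename}: {value}")
```

On the sample, the only compared field that differs is SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26 (IA5 String) in 00core.ldif against 1.3.6.1.4.1.1466.115.121.1.15 (Directory String) in 99user.ldif.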
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Jul 2015 09:03:20 -0600
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AF64CD.6010306@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de>
Message-ID: <55AFB0B8.4010002@redhat.com>

On 07/22/2015 03:39 AM, Torsten Harenberg wrote:
> Dear Alexander, dear Sumit,
>
> thank you very much indeed for the quick replies.
>
> On 22.07.15 at 11:21, Sumit Bose wrote:
>> Looks like there are issues getting the needed data from the local LDAP
>> server. The message below about the master key points into the same
>> direction. Can you check the 389ds logs?
> I have attached the
> /var/log/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE/errors file to the end
> of the mail, it's a bit larger.
>
> There are some "ticket expired" messages, could that point to the source
> of the problem?
>
>
> On 22.07.15 at 11:22, Alexander Bokovoy wrote:
>> Do you have 389-ds actually operating? If you would install debuginfo
>> packages, what does 'pstack ' print?
> here is the output:
>

It might be helpful to do a

# debuginfo-install 389-ds-base ipa-server slapi-nis

and follow the directions at
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs to get a
full stack trace

> /lib64/libpthread.so.0
> #1 0x00007fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fb8565f19a5 in ps_send_results ()
> #3 0x00007fb8544facab in _pt_root () from /lib64/libnspr4.so
> #4 0x00007fb853e9b52a in start_thread () from /lib64/libpthread.so.0
> #5 0x00007fb853bd722d in clone () from /lib64/libc.so.6

What is the client here that is doing a persistent search or syncrepl?
Is it BIND?
> Thread 1 (Thread 0x7fb856808800 (LWP 800)): > #0 0x00007fb853bcbc8d in poll () from /lib64/libc.so.6 > #1 0x00007fb8544f6da8 in _pr_poll_with_poll () from /lib64/libnspr4.so > #2 0x00007fb8565e9b11 in slapd_daemon () > #3 0x00007fb8565dc4f4 in main () > [root at ipa log]# > > Best regards and thanks again > > Torsten > > > /var/log/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE/errors: > > [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# cat errors > 389-Directory/1.3.3.8 B2015.036.047 > ipa.pleiades.uni-wuppertal.de:636 > (/etc/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE) > > [20/Jul/2015:16:48:26 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [20/Jul/2015:16:48:26 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [20/Jul/2015:16:48:26 +0200] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [20/Jul/2015:16:48:26 +0200] NSMMReplicationPlugin - > agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication > bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): > generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may > provide more information (Ticket expired)) > [20/Jul/2015:16:48:30 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. 
Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [20/Jul/2015:16:48:30 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [20/Jul/2015:16:48:30 +0200] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [20/Jul/2015:16:48:36 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [20/Jul/2015:16:48:36 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [20/Jul/2015:16:48:36 +0200] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [20/Jul/2015:16:48:48 +0200] NSMMReplicationPlugin - > agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication > bind with GSSAPI auth resumed > [21/Jul/2015:14:41:05 +0200] find_sid_for_ldap_entry - [file > ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [50088] into an > unused SID. > [21/Jul/2015:14:41:05 +0200] ipa_sidgen_add_post_op - [file > ipa_sidgen.c, line 149]: Cannot add SID to new entry. 
> [21/Jul/2015:16:51:28 +0200] set_krb5_creds - Could not get initial > credentials for principal > [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [21/Jul/2015:16:51:28 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [21/Jul/2015:16:51:28 +0200] set_krb5_creds - Could not get initial > credentials for principal > [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [21/Jul/2015:16:51:28 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [21/Jul/2015:16:51:28 +0200] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [21/Jul/2015:16:51:28 +0200] NSMMReplicationPlugin - > agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication > bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): > generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may > provide more information (Ticket expired)) > [21/Jul/2015:16:51:31 +0200] set_krb5_creds - Could not get initial > credentials for principal > [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [21/Jul/2015:16:51:31 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [21/Jul/2015:16:51:31 +0200] set_krb5_creds - Could not get initial > credentials for principal > [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [21/Jul/2015:16:51:31 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [21/Jul/2015:16:51:31 +0200] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [21/Jul/2015:16:51:37 +0200] set_krb5_creds - Could not get initial > credentials for principal > [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [21/Jul/2015:16:51:37 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. 
Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [21/Jul/2015:16:51:37 +0200] set_krb5_creds - Could not get initial > credentials for principal > [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [21/Jul/2015:16:51:37 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [21/Jul/2015:16:51:37 +0200] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [21/Jul/2015:16:51:49 +0200] set_krb5_creds - Could not get initial > credentials for principal > [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [21/Jul/2015:16:51:49 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired)) > errno 2 (No such file or directory) > [21/Jul/2015:16:51:49 +0200] set_krb5_creds - Could not get initial > credentials for principal > [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [21/Jul/2015:16:51:49 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. 
From abokovoy at redhat.com Wed Jul 22 15:09:33 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Jul 2015 18:09:33 +0300
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com> <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com>
Message-ID: <20150722150933.GX21928@redhat.com>

On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>
>> On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
>>
>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>
>>>> Can you please show output from
>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>
>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>
>> This is original 'dc' definition:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>
>> This is the offending one:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>
>>> In 00core.ldif, I have :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> EQUALITY caseIgnoreIA5Match
>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>> SINGLE-VALUE
>>> X-ORIGIN 'RFC 4519'
>>> X-DEPRECATED 'domaincomponent' )
>> If you look into 99user.ldif, you'll see the wrong definition there.
>>
>> 99user.ldif accumulates definitions coming from replication or updates.
>> You can check other IPA masters, do they have 'dc' attribute defined in
>> a wrong way?
>
>I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema :
>In 00core.ldif :
>attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
> EQUALITY caseIgnoreIA5Match
> SUBSTR caseIgnoreIA5SubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
> SINGLE-VALUE
> X-ORIGIN 'RFC 4519'
> X-DEPRECATED 'domaincomponent' )
>In 99user.ldif :
>attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
> GIN ( 'RFC 2247' 'user defined' ) )
>
>These two definitions are exactly the same on both IPA masters.
>
>I don't understand what is wrong in 99user.ldif ? How can I correct with the good definition ?

The correct definition is in the 00core.ldif. The one in 99user.ldif is wrong. I think you can remove it from 99user.ldif on both servers but you need to shut down dirsrv instances on both to do that.

--
/ Alexander Bokovoy

From ellertalexandre at gmail.com Wed Jul 22 15:30:24 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Wed, 22 Jul 2015 17:30:24 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150722150933.GX21928@redhat.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com> <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com> <20150722150933.GX21928@redhat.com>
Message-ID: <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com>

> On 22 Jul 2015, at 17:09, Alexander Bokovoy wrote:
>
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>
>>> On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
>>>
>>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>>
>>>>> Can you please show output from
>>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>>
>>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>>
>>> This is original 'dc' definition:
>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>
>>> This is the offending one:
>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>
>>>> In 00core.ldif, I have :
>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> EQUALITY caseIgnoreIA5Match
>>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>> SINGLE-VALUE
>>>> X-ORIGIN 'RFC 4519'
>>>> X-DEPRECATED 'domaincomponent' )
>>> If you look into 99user.ldif, you'll see the wrong definition there.
>>>
>>> 99user.ldif accumulates definitions coming from replication or updates.
>>> You can check other IPA masters, do they have 'dc' attribute defined in
>>> a wrong way?
>>
>> I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema :
>> In 00core.ldif :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> EQUALITY caseIgnoreIA5Match
>> SUBSTR caseIgnoreIA5SubstringsMatch
>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> SINGLE-VALUE
>> X-ORIGIN 'RFC 4519'
>> X-DEPRECATED 'domaincomponent' )
>> In 99user.ldif :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>> GIN ( 'RFC 2247' 'user defined' ) )
>>
>> These two definitions are exactly the same on both IPA masters.
>>
>> I don't understand what is wrong in 99user.ldif ? How can I correct with the good definition ?
> The correct definition is in the 00core.ldif. The one in 99user.ldif is
> wrong.
>
> I think you can remove it from 99user.ldif on both servers but you need
> to shut down dirsrv instances on both to do that.
> --
> / Alexander Bokovoy

I shut down IPA on both servers (ipactl stop) and removed this section in 99user.ldif :
> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
> GIN ( 'RFC 2247' 'user defined' ) )

But still have the same behavior (pki-tomcatd doesn't start, same errors in logs).
Do you have another idea ?

Thanks for your support

From abokovoy at redhat.com Wed Jul 22 15:43:39 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Jul 2015 18:43:39 +0300
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com>
References: <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com> <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com> <20150722150933.GX21928@redhat.com> <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com>
Message-ID: <20150722154339.GY21928@redhat.com>

On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>
>> On 22 Jul 2015, at 17:09, Alexander Bokovoy wrote:
>>
>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>
>>>> On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
>>>>
>>>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>>>
>>>>>> Can you please show output from
>>>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>>>
>>>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>>>
>>>> This is original 'dc' definition:
>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>
>>>> This is the offending one:
>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>>
>>>>> In 00core.ldif, I have :
>>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>> EQUALITY caseIgnoreIA5Match
>>>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>>> SINGLE-VALUE
>>>>> X-ORIGIN 'RFC 4519'
>>>>> X-DEPRECATED 'domaincomponent' )
>>>> If you look into 99user.ldif, you'll see the wrong definition there.
>>>>
>>>> 99user.ldif accumulates definitions coming from replication or updates.
>>>> You can check other IPA masters, do they have 'dc' attribute defined in
>>>> a wrong way?
>>>
>>> I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema :
>>> In 00core.ldif :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> EQUALITY caseIgnoreIA5Match
>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>> SINGLE-VALUE
>>> X-ORIGIN 'RFC 4519'
>>> X-DEPRECATED 'domaincomponent' )
>>> In 99user.ldif :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>> GIN ( 'RFC 2247' 'user defined' ) )
>>>
>>> These two definitions are exactly the same on both IPA masters.
>>>
>>> I don't understand what is wrong in 99user.ldif ? How can I correct with the good definition ?
>> The correct definition is in the 00core.ldif. The one in 99user.ldif is
>> wrong.
>>
>> I think you can remove it from 99user.ldif on both servers but you need
>> to shut down dirsrv instances on both to do that.
>> --
>> / Alexander Bokovoy
>
>I shut down IPA on both servers (ipactl stop) and removed this section in 99user.ldif :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>> GIN ( 'RFC 2247' 'user defined' ) )
>
>But still have the same behavior (pki-tomcatd doesn't start, same errors
>in logs). Do you have another idea ?
We need to find out where the definition comes from.

Can you give me output of
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
from both servers?

With correct setup IPA 4.x should show:
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

I.e. there are two lines -- in the default schema and in the IPA
instance schema.
--
/ Alexander Bokovoy

From ellertalexandre at gmail.com Wed Jul 22 16:00:18 2015
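An added example, not part of the original thread and not FreeIPA or 389-ds code: the check discussed in the message above (one attribute OID defined differently in 00core.ldif and 99user.ldif), done by parsing the schema rather than with fgrep. It unfolds LDIF continuation lines first, then compares SYNTAX, EQUALITY, SUBSTR and SINGLE-VALUE per OID across files; the sample input is constructed from the two 'dc' definitions quoted in the thread, and the short file names, the function names and the placeholder OID 1.3.6.1.4.1.99999.1.1 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the two 'dc' definitions quoted in the
# thread. File names and the second attribute (placeholder OID) are assumptions.
SAMPLE_FILES = {
    "schema/00core.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )\n"
        "  EQUALITY caseIgnoreIA5Match\n"
        "  SUBSTR caseIgnoreIA5SubstringsMatch\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26\n"
        "  SINGLE-VALUE\n"
        "  X-ORIGIN 'RFC 4519'\n"
        "  X-DEPRECATED 'domaincomponent' )\n"
    ),
    "schema/99user.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D\n"
        " ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn\n"
        " oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI\n"
        " GIN ( 'RFC 2247' 'user defined' ) )\n"
        "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr'\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )\n"
    ),
}

ATTR_RE = re.compile(
    r"^attributeTypes:\s*\(\s*(?P<oid>\S+)\s+(?P<body>.*)\)\s*$", re.IGNORECASE
)


def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the value)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_definition(body):
    """Extract the fields that decide whether two definitions are compatible."""
    # Blank out quoted strings so a keyword inside DESC '...' is not matched.
    unquoted = re.sub(r"'[^']*'", "''", body)

    def keyword(name):
        m = re.search(r"(?<![\w-])" + name + r"\s+(\S+)", unquoted)
        return m.group(1) if m else None

    m = re.search(r"\bNAME\s+(\([^)]*\)|'[^']*')", body)
    return {
        "names": tuple(re.findall(r"'([^']*)'", m.group(1))) if m else (),
        "syntax": keyword("SYNTAX"),
        "equality": keyword("EQUALITY"),
        "substr": keyword("SUBSTR"),
        "single_value": re.search(r"(?<![\w-])SINGLE-VALUE(?![\w-])", unquoted) is not None,
    }


def load_definitions(files):
    """Map OID -> {file path: parsed definition} for every attributeTypes value."""
    defs = defaultdict(dict)
    for path, text in files.items():
        for line in unfold(text):
            m = ATTR_RE.match(line)
            if m:
                defs[m.group("oid")][path] = parse_definition(m.group("body"))
    return defs


def find_conflicts(defs, fields=("syntax", "equality", "substr", "single_value")):
    """Return (oid, field, {path: value}) for OIDs whose files disagree on a field."""
    conflicts = []
    for oid, per_file in sorted(defs.items()):
        if len(per_file) < 2:
            continue  # defined in one file only: nothing to compare
        for field in fields:
            values = {path: d[field] for path, d in per_file.items()}
            if len(set(values.values())) > 1:
                conflicts.append((oid, field, values))
    return conflicts


if __name__ == "__main__":
    for oid, field, values in find_conflicts(load_definitions(SAMPLE_FILES)):
        print(f"{oid}: {field} differs")
        for path, value in values.items():
            print(f"  {path}: {value}")
```

To run it against a real instance, build the `files` mapping from the `*.ldif` files under the schema directories named in the thread instead of `SAMPLE_FILES`.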
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Wed, 22 Jul 2015 18:00:18 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150722154339.GY21928@redhat.com>
References: <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com> <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com> <20150722150933.GX21928@redhat.com> <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com> <20150722154339.GY21928@redhat.com>
Message-ID: <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com>

> On 22 Jul 2015, at 17:43, Alexander Bokovoy wrote:
>
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>
>>> On 22 Jul 2015, at 17:09, Alexander Bokovoy wrote:
>>>
>>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>>
>>>>> On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
>>>>>
>>>>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>>>>
>>>>>>> Can you please show output from
>>>>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>>>>
>>>>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>>>>
>>>>> This is original 'dc' definition:
>>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>>
>>>>> This is the offending one:
>>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>>>
>>>>>> In 00core.ldif, I have :
>>>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>>> EQUALITY caseIgnoreIA5Match
>>>>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>>>> SINGLE-VALUE
>>>>>> X-ORIGIN 'RFC 4519'
>>>>>> X-DEPRECATED 'domaincomponent' )
>>>>> If you look into 99user.ldif, you'll see the wrong definition there.
>>>>>
>>>>> 99user.ldif accumulates definitions coming from replication or updates.
>>>>> You can check other IPA masters, do they have 'dc' attribute defined in
>>>>> a wrong way?
>>>>
>>>> I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema :
>>>> In 00core.ldif :
>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> EQUALITY caseIgnoreIA5Match
>>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>> SINGLE-VALUE
>>>> X-ORIGIN 'RFC 4519'
>>>> X-DEPRECATED 'domaincomponent' )
>>>> In 99user.ldif :
>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>>> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>>> GIN ( 'RFC 2247' 'user defined' ) )
>>>>
>>>> These two definitions are exactly the same on both IPA masters.
>>>>
>>>> I don't understand what is wrong in 99user.ldif ? How can I correct with the good definition ?
>>> The correct definition is in the 00core.ldif. The one in 99user.ldif is
>>> wrong.
>>>
>>> I think you can remove it from 99user.ldif on both servers but you need
>>> to shut down dirsrv instances on both to do that.
>>> --
>>> / Alexander Bokovoy
>>
>> I shut down IPA on both servers (ipactl stop) and removed this section in 99user.ldif :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>> GIN ( 'RFC 2247' 'user defined' ) )
>>
>> But still have the same behavior (pki-tomcatd doesn't start, same errors
>> in logs). Do you have another idea ?
> We need to find out where the definition comes from.
>
> Can you give me output of
> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
> from both servers?

Server 1:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

Server 2 :
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

>
> With correct setup IPA 4.x should show:
> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>
> I.e. there are two lines -- in the default schema and in the IPA
> instance schema.

Seems to be good ?

From abokovoy at redhat.com Wed Jul 22 16:08:02 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Jul 2015 19:08:02 +0300
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com>
References: <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com> <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com> <20150722150933.GX21928@redhat.com> <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com> <20150722154339.GY21928@redhat.com> <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com>
Message-ID: <20150722160802.GA21928@redhat.com>

On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>> from both servers?
>
>Server 1:
># fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>
>Server 2 :
># fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>
>>
>> With correct setup IPA 4.x should show:
>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>
>> I.e. there are two lines -- in the default schema and in the IPA
>> instance schema.
>
>Seems to be good ?
Yes. Can you get a new set of logs on 'ipactl start'?
--
/ Alexander Bokovoy

From ellertalexandre at gmail.com Wed Jul 22 16:18:47 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Wed, 22 Jul 2015 18:18:47 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150722160802.GA21928@redhat.com>
References: <55A7C5C4.20106@redhat.com> <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com> <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com> <20150722150933.GX21928@redhat.com> <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com> <20150722154339.GY21928@redhat.com> <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com> <20150722160802.GA21928@redhat.com>
Message-ID:

> On 22 Jul 2015, at 18:08, Alexander Bokovoy wrote:
>
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>> from both servers?
>>
>> Server 1:
>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>
>> Server 2 :
>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>
>>>
>>> With correct setup IPA 4.x should show:
>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>
>>> I.e. there are two lines -- in the default schema and in the IPA
>>> instance schema.
>>
>> Seems to be good ?
> Yes. Can you get a new set of logs on 'ipactl start'?
>
> --
> / Alexander Bokovoy

Sorry, the log is very long... I can format differently if you need.

# tail -f /var/log/pki/pki-tomcat/localhost.2015-07-22.log /var/log/pki/pki-tomcat/ca/debug /var/log/krb5kdc.log /var/log/dirsrv/slapd-NUMEEZY-FR/access /var/log/dirsrv/slapd-NUMEEZY-FR/errors
base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/admin at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=8 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=9 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=9 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=10 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/admin at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=10 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=11 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=11 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=12 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/admin at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=12 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=13 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=13 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=14 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/admin at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=14 RESULT err=0 tag=101 nentries=1 etime=0 
[22/Jul/2015:18:14:55 +0200] conn=5 op=15 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=15 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=16 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/admin at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=16 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=17 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=17 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=18 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/admin at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=18 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=19 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=19 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=20 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/admin at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=20 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=21 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=21 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=22 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases 
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=22 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=23 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=23 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=24 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=24 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=25 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=25 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=26 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=26 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=27 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=27 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=28 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=28 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=29 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=29 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=30 SRCH base="dc=numeezy,dc=fr" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=30 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=31 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=31 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=32 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=32 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=33 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge 
krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=33 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=34 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=34 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=35 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=35 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=5 op=36 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=5 op=36 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 
+0200] conn=5 op=37 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=5 op=37 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=6 fd=74 slot=74 connection from 37.59.203.176 to 37.59.203.176 [22/Jul/2015:18:14:55 +0200] conn=6 op=0 UNPROCESSED OPERATION - Anonymous access not allowed [22/Jul/2015:18:14:55 +0200] conn=6 op=0 RESULT err=48 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=6 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/inf-ipa-2.numeezy.fr at NUMEEZY.FR)(krbPrincipalName=host/inf-ipa-2.numeezy.fr at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=6 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=7 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=4 op=7 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=8 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at 
NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=8 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=9 SRCH base="cn=global_policy,cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration" [22/Jul/2015:18:14:55 +0200] conn=4 op=9 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=10 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/inf-ipa-2.numeezy.fr at NUMEEZY.FR)(krbPrincipalName=host/inf-ipa-2.numeezy.fr at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=10 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=11 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=4 op=11 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=12 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=12 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=13 SRCH base="cn=global_policy,cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration" [22/Jul/2015:18:14:55 +0200] conn=4 op=13 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=14 SRCH base="fqdn=inf-ipa-2.numeezy.fr,cn=computers,cn=accounts,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory 
ipaNTHomeDirectoryDrive" [22/Jul/2015:18:14:55 +0200] conn=4 op=14 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=15 SRCH base="cn=inf-ipa-2.numeezy.fr,cn=masters,cn=ipa,cn=etc,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs=ALL [22/Jul/2015:18:14:55 +0200] conn=4 op=15 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=16 MOD dn="fqdn=inf-ipa-2.numeezy.fr,cn=computers,cn=accounts,dc=numeezy,dc=fr" [22/Jul/2015:18:14:55 +0200] conn=4 op=16 RESULT err=0 tag=103 nentries=0 etime=0 csn=55afc181000000030000 [22/Jul/2015:18:14:55 +0200] conn=4 op=17 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=17 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=18 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR)(krbPrincipalName=ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=18 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=19 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=4 op=19 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=20 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/inf-ipa-2.numeezy.fr at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=20 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=21 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=4 op=21 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=6 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=6 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [22/Jul/2015:18:14:55 +0200] conn=6 op=2 BIND dn="" method=sasl 
version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=6 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [22/Jul/2015:18:14:55 +0200] conn=6 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=6 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=inf-ipa-2.numeezy.fr,cn=computers,cn=accounts,dc=numeezy,dc=fr" [22/Jul/2015:18:14:55 +0200] conn=6 op=4 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci" [22/Jul/2015:18:14:55 +0200] conn=6 op=4 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=6 op=5 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=named)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:55 +0200] conn=6 op=5 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=22 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=DNS/inf-ipa-2.numeezy.fr at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=22 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=23 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=4 op=23 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=24 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=24 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=25 SRCH base="cn=global_policy,cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration" [22/Jul/2015:18:14:55 +0200] conn=4 op=25 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=26 SRCH base="dc=numeezy,dc=fr" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=DNS/inf-ipa-2.numeezy.fr at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=26 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=27 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=4 op=27 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=28 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=28 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=29 SRCH 
base="cn=global_policy,cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration" [22/Jul/2015:18:14:55 +0200] conn=4 op=29 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=30 SRCH base="krbprincipalname=DNS/inf-ipa-2.numeezy.fr at NUMEEZY.FR,cn=services,cn=accounts,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive" [22/Jul/2015:18:14:55 +0200] conn=4 op=30 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=31 MOD dn="krbprincipalname=DNS/inf-ipa-2.numeezy.fr at NUMEEZY.FR,cn=services,cn=accounts,dc=numeezy,dc=fr" [22/Jul/2015:18:14:55 +0200] conn=4 op=31 RESULT err=0 tag=103 nentries=0 etime=0 csn=55afc181000200030000 [22/Jul/2015:18:14:55 +0200] conn=7 fd=77 slot=77 connection from local to /var/run/slapd-NUMEEZY-FR.socket [22/Jul/2015:18:14:55 +0200] conn=4 op=32 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData 
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=32 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=33 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR)(krbPrincipalName=ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=33 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=34 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=4 op=34 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=35 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=DNS/inf-ipa-2.numeezy.fr at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData 
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:55 +0200] conn=4 op=35 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=4 op=36 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:55 +0200] conn=4 op=36 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:55 +0200] conn=7 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=7 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [22/Jul/2015:18:14:55 +0200] conn=7 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=7 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [22/Jul/2015:18:14:55 +0200] conn=7 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=7 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/inf-ipa-2.numeezy.fr at numeezy.fr,cn=services,cn=accounts,dc=numeezy,dc=fr" [22/Jul/2015:18:14:55 +0200] conn=8 fd=78 slot=78 connection from local to /var/run/slapd-NUMEEZY-FR.socket [22/Jul/2015:18:14:55 +0200] conn=8 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=8 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [22/Jul/2015:18:14:55 +0200] conn=8 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=8 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [22/Jul/2015:18:14:55 +0200] conn=8 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Jul/2015:18:14:55 +0200] conn=8 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/inf-ipa-2.numeezy.fr at numeezy.fr,cn=services,cn=accounts,dc=numeezy,dc=fr" [22/Jul/2015:18:14:55 +0200] conn=7 
op=3 SRCH base="cn=dns,dc=numeezy,dc=fr" scope=2 filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs=ALL [22/Jul/2015:18:14:55 +0200] conn=8 op=3 MOD dn="idnsname=numeezy.fr.,cn=dns,dc=numeezy,dc=fr" [22/Jul/2015:18:14:55 +0200] conn=8 op=3 RESULT err=0 tag=103 nentries=0 etime=0 csn=55afc181000500030000 [22/Jul/2015:18:14:55 +0200] conn=7 op=3 RESULT err=309 tag=121 nentries=0 etime=0 [22/Jul/2015:18:14:56 +0200] conn=6 op=6 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=apache)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:56 +0200] conn=6 op=6 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:56 +0200] conn=6 op=7 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=apache)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:56 +0200] conn=6 op=7 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:56 +0200] conn=6 op=8 SRCH base="cn=accounts,dc=numeezy,dc=fr" 
scope=2 filter="(&(uid=apache)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:56 +0200] conn=6 op=8 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:56 +0200] conn=6 op=9 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=apache)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:56 +0200] conn=6 op=9 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:56 +0200] conn=6 op=10 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=apache)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap 
ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:56 +0200] conn=6 op=10 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:56 +0200] conn=6 op=11 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=apache)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:56 +0200] conn=6 op=11 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:56 +0200] conn=6 op=12 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=apache)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:56 +0200] conn=6 op=12 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:56 +0200] conn=6 op=13 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=pkiuser)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive 
shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" [22/Jul/2015:18:14:56 +0200] conn=6 op=13 RESULT err=0 tag=101 nentries=0 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=37 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:57 +0200] conn=4 op=37 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=38 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:57 +0200] conn=4 op=38 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=39 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:57 +0200] conn=4 op=39 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=40 SRCH base="cn=global_policy,cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration" [22/Jul/2015:18:14:57 +0200] conn=4 op=40 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=41 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:57 +0200] conn=4 op=41 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=42 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:57 +0200] conn=4 op=42 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=43 SRCH base="dc=numeezy,dc=fr" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:57 +0200] conn=4 op=43 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=44 SRCH base="cn=global_policy,cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration" [22/Jul/2015:18:14:57 +0200] conn=4 op=44 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=45 SRCH base="krbprincipalname=ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR,cn=services,cn=accounts,dc=numeezy,dc=fr" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive" [22/Jul/2015:18:14:57 +0200] conn=4 op=45 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=46 MOD dn="krbprincipalname=ldap/inf-ipa-2.numeezy.fr at 
NUMEEZY.FR,cn=services,cn=accounts,dc=numeezy,dc=fr" [22/Jul/2015:18:14:57 +0200] conn=4 op=46 RESULT err=0 tag=103 nentries=0 etime=0 csn=55afc183000000030000 [22/Jul/2015:18:14:57 +0200] conn=4 op=47 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NUMEEZY.FR at NUMEEZY.FR)(krbPrincipalName=krbtgt/NUMEEZY.FR at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:57 +0200] conn=4 op=47 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=48 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/inf-ipa.numeezy.fr at NUMEEZY.FR)(krbPrincipalName=ldap/inf-ipa.numeezy.fr at NUMEEZY.FR)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:57 +0200] conn=4 op=48 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=49 SRCH 
base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:57 +0200] conn=4 op=49 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=50 SRCH base="dc=numeezy,dc=fr" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/inf-ipa-2.numeezy.fr at NUMEEZY.FR))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [22/Jul/2015:18:14:57 +0200] conn=4 op=50 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:14:57 +0200] conn=4 op=51 SRCH base="cn=NUMEEZY.FR,cn=kerberos,dc=numeezy,dc=fr" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags" [22/Jul/2015:18:14:57 +0200] conn=4 op=51 RESULT err=0 tag=101 nentries=1 etime=0 [22/Jul/2015:18:15:01 +0200] conn=6 op=14 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=pkiuser)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType" 
[22/Jul/2015:18:15:01 +0200] conn=6 op=14 RESULT err=0 tag=101 nentries=0 etime=0
[22/Jul/2015:18:15:06 +0200] conn=6 op=16 SRCH base="cn=accounts,dc=numeezy,dc=fr" scope=2 filter="(&(uid=apache)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType"
[22/Jul/2015:18:15:06 +0200] conn=6 op=16 RESULT err=0 tag=101 nentries=0 etime=0

==> /var/log/pki/pki-tomcat/ca/debug <==
[22/Jul/2015:18:15:26][localhost-startStop-1]: ============================================
[22/Jul/2015:18:15:26][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[22/Jul/2015:18:15:26][localhost-startStop-1]: ============================================
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: done init id=debug
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: initialized debug
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: ready to init id=log
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: done init id=log
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: initialized log
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: ready to init id=jss
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: done init id=jss
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: initialized jss
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[22/Jul/2015:18:15:26][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[22/Jul/2015:18:15:26][localhost-startStop-1]: LdapBoundConnFactory: init
[22/Jul/2015:18:15:26][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[22/Jul/2015:18:15:26][localhost-startStop-1]: LdapAuthInfo: init()
[22/Jul/2015:18:15:26][localhost-startStop-1]: LdapAuthInfo: init begins
[22/Jul/2015:18:15:26][localhost-startStop-1]: LdapAuthInfo: init ends
[22/Jul/2015:18:15:26][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[22/Jul/2015:18:15:26][localhost-startStop-1]: makeConnection: errorIfDown true
[22/Jul/2015:18:15:26][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host inf-ipa-2.numeezy.fr port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
[22/Jul/2015:18:15:26][localhost-startStop-1]: CMSEngine.shutdown()
[22/Jul/2015:18:15:26][localhost-startStop-1]: LogFile:In log shutdown
[22/Jul/2015:18:15:26][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[22/Jul/2015:18:15:26][localhost-startStop-1]: LogFile:In log shutdown
[22/Jul/2015:18:15:26][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[22/Jul/2015:18:15:27][ajp-bio-127.0.0.1-8009-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.

==> /var/log/pki/pki-tomcat/localhost.2015-07-22.log <==
Jul 22, 2015 6:15:27 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Jul 22, 2015 6:15:28 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at
javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Jul 22, 2015 6:15:29 PM 
org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve. at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Jul 22, 2015 6:15:31 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve. at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Jul 22, 2015 6:15:32 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve. at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) 
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Jul 22, 2015 6:15:33 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve. at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Jul 22, 2015 6:15:34 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve. 
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at 
javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Jul 22, 2015 6:15:35 PM 
org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve. at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Jul 22, 2015 6:15:36 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve. at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Jul 22, 2015 6:15:37 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve. at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) 
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) From abokovoy at redhat.com Wed Jul 22 16:40:42 2015 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Jul 2015 19:40:42 +0300
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <20150720143841.GI21928@redhat.com>
 <20150720151750.GJ21928@redhat.com>
 <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com>
 <20150722150933.GX21928@redhat.com>
 <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com>
 <20150722154339.GY21928@redhat.com>
 <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com>
 <20150722160802.GA21928@redhat.com>
Message-ID: <20150722164042.GB21928@redhat.com>

On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>
>> On 22 Jul 2015, at 18:08, Alexander Bokovoy wrote:
>>
>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>> from both servers?
>>>
>>> Server 1:
>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>
>>> Server 2 :
>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>
>>>>
>>>> With correct setup IPA 4.x should show:
>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>
>>>> I.e. there are two lines -- in the default schema and in the IPA
>>>> instance schema.
>>>
>>> Seems to be good ?
>> Yes. Can you get a new set of logs on 'ipactl start'?
>>
>> --
>> / Alexander Bokovoy
>
>Sorry, the log is very long... I can format differently if you need.

Thanks, no need for more logs right now.

What I see from these logs:
 - Directory server starts just fine but serves only port 389
 - krb5kdc starts just fine and works fine with LDAP server
 - Dogtag tries to use LDAP server via port 636 and fails

We need to see why port 636 is disabled.

Can you grep /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif for the following
attributes:
 nsslapd-security
 nsslapd-port

They should be 'on' and '389' correspondingly.

--
/ Alexander Bokovoy
From ellertalexandre at gmail.com Wed Jul 22 16:49:00 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Wed, 22 Jul 2015 18:49:00 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150722164042.GB21928@redhat.com>
References: <20150720143841.GI21928@redhat.com>
 <20150720151750.GJ21928@redhat.com>
 <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com>
 <20150722150933.GX21928@redhat.com>
 <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com>
 <20150722154339.GY21928@redhat.com>
 <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com>
 <20150722160802.GA21928@redhat.com>
 <20150722164042.GB21928@redhat.com>
Message-ID: <50AABD4D-F35F-452C-A621-2C71ECEF8193@gmail.com>

> On 22 Jul 2015, at 18:40, Alexander Bokovoy wrote:
>
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>
>>> On 22 Jul 2015, at 18:08, Alexander Bokovoy wrote:
>>>
>>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>>> from both servers?
>>>>
>>>> Server 1:
>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>
>>>> Server 2 :
>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>
>>>>>
>>>>> With correct setup IPA 4.x should show:
>>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>>
>>>>> I.e. there are two lines -- in the default schema and in the IPA
>>>>> instance schema.
>>>>
>>>> Seems to be good ?
>>> Yes. Can you get a new set of logs on 'ipactl start'?
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> Sorry, the log is very long... I can format differently if you need.
> Thanks, no need for more logs right now.
>
> What I see from these logs:
> - Directory server starts just fine but serves only port 389
> - krb5kdc starts just fine and works fine with LDAP server
> - Dogtag tries to use LDAP server via port 636 and fails
>
> We need to see why port 636 is disabled.
>
> Can you grep /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif for following
> attributes:
> nsslapd-security
> nsslapd-port
>
> They should be 'on' and '389' correspondingly.
>
> --
> / Alexander Bokovoy

Here is the result (on both servers)
# grep nsslapd-security /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif
nsslapd-security: on
# grep nsslapd-port /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif
nsslapd-port: 389

Notice that ns-slapd is listening on port 636 :
# netstat -antp|grep '636\|389'|grep LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN      12271/ns-slapd
tcp6       0      0 :::636                  :::*                    LISTEN      12271/ns-slapd
From harenberg at physik.uni-wuppertal.de Wed Jul 22 17:03:55 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Wed, 22 Jul 2015 19:03:55 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AFB0B8.4010002@redhat.com>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de>
 <20150722092240.GU21928@redhat.com>
 <55AF64CD.6010306@physik.uni-wuppertal.de>
 <55AFB0B8.4010002@redhat.com>
Message-ID: <55AFCCFB.1010502@physik.uni-wuppertal.de>

Dear Rich,

On 22.07.2015 at 17:03, Rich Megginson wrote:
>>
>
> It might be helpful to do a # debuginfo-install 389-ds-base ipa-server
> slapi-nis
> and follow the directions at
> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
> to get a full stack trace

thanks for the hint. Did that. But assume I need to wait until it hangs
again, right?

Or is the trace now useful as well?

>> /lib64/libpthread.so.0
>> #1 0x00007fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007fb8565f19a5 in ps_send_results ()
>> #3 0x00007fb8544facab in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007fb853e9b52a in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007fb853bd722d in clone () from /lib64/libc.so.6
>
> What is the client here that is doing a persistent search or syncrepl?
> Is it BIND?

To be honest, I have no idea. Bind is installed (with ipa) but I
haven't configured DNS services.

My first guess would be the secondary IPA? But I do see a connection in
the connection list:

[root at ipa ~]# netstat -n | grep 389

Or any other idea how to find out?

Thanks again

  Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg  harenberg at physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik          Tel.: +49 (0)202 439-3521             <>
<> Gaussstr. 20           Fax : +49 (0)202 439-2811             <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
From rmeggins at redhat.com Wed Jul 22 17:25:12 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Jul 2015 11:25:12 -0600
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AFCCFB.1010502@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de>
 <20150722092240.GU21928@redhat.com>
 <55AF64CD.6010306@physik.uni-wuppertal.de>
 <55AFB0B8.4010002@redhat.com>
 <55AFCCFB.1010502@physik.uni-wuppertal.de>
Message-ID: <55AFD1F8.1090708@redhat.com>

On 07/22/2015 11:03 AM, Torsten Harenberg wrote:
> Dear Rich,
>
> On 22.07.2015 at 17:03, Rich Megginson wrote:
>> It might be helpful to do a # debuginfo-install 389-ds-base ipa-server
>> slapi-nis
>> and follow the directions at
>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>> to get a full stack trace
> thanks for the hint. Did that. But assume I need to wait until it hangs
> again, right?

Right.

>
> Or is the trace now useful as well?
>
>
>>> /lib64/libpthread.so.0
>>> #1 0x00007fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2 0x00007fb8565f19a5 in ps_send_results ()
>>> #3 0x00007fb8544facab in _pt_root () from /lib64/libnspr4.so
>>> #4 0x00007fb853e9b52a in start_thread () from /lib64/libpthread.so.0
>>> #5 0x00007fb853bd722d in clone () from /lib64/libc.so.6
>> What is the client here that is doing a persistent search or syncrepl?
>> Is it BIND?
> To be honest, I have no idea. Bind is installed (with ipa) but I
> haven't configured DNS services.
>
> My first guess would be the secondary IPA?

No, probably not. I think it is either BIND or sssd.

> But I do see a connection in
> the connection list:
>
> [root at ipa ~]# netstat -n | grep 389
>
> Or any other idea how to find out?
>
> Thanks again
>
> Torsten
>
From harenberg at physik.uni-wuppertal.de Wed Jul 22 17:34:25 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Wed, 22 Jul 2015 19:34:25 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AFD1F8.1090708@redhat.com>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de>
 <20150722092240.GU21928@redhat.com>
 <55AF64CD.6010306@physik.uni-wuppertal.de>
 <55AFB0B8.4010002@redhat.com>
 <55AFCCFB.1010502@physik.uni-wuppertal.de>
 <55AFD1F8.1090708@redhat.com>
Message-ID: <55AFD421.5060907@physik.uni-wuppertal.de>

Hi Rich,

On 22.07.2015 at 19:25, Rich Megginson wrote:
>
> No, probably not. I think it is either BIND or sssd.

from that I would say sssd:

[root at ipa ~]# netstat -p
Aktive Internetverbindungen (ohne Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 ipa.pleiades.uni-:54189 ipa.pleiades.uni-w:ldap VERBUNDEN   456/sssd_be
tcp        0    192 ipa.pleiades.uni-wu:ssh grid-admin.physik:37125 VERBUNDEN   6077/sshd: root at pts
tcp        0      0 ipa.pleiades.uni-:38159 ipa2.pleiades.uni-:ldap VERBUNDEN   800/ns-slapd
[...]

Best regards

  Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg  harenberg at physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik          Tel.: +49 (0)202 439-3521             <>
<> Gaussstr. 20           Fax : +49 (0)202 439-2811             <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
From carlosla1987 at gmail.com Wed Jul 22 17:36:27 2015
From: carlosla1987 at gmail.com (Carlos Raúl Laguna)
Date: Wed, 22 Jul 2015 13:36:27 -0400
Subject: [Freeipa-users] Unable to install ipa-server-trust-ad
Message-ID:

Hello everyone, I am using Fedora 22 Server with copr repos enabled for
FreeIPA 4.2. According to the documentation I execute

sudo dnf install -y "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap

however the following error occurs

Error: package freeipa-server-trust-ad-4.1.4-2.fc22.x86_64 requires samba-python, but none of the providers can be installed

I clean the metadata and try again but no change. Any help will be great
From wgraboyes at cenic.org Wed Jul 22 18:14:51 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Wed, 22 Jul 2015 11:14:51 -0700
Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
Message-ID: <55AFDD9B.1000809@cenic.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi All,

I have been messing around with AD trust installs mainly around doing
ntlm_auth for a radius server.

However, as I was unable to see some of the needed resources, I
thought maybe IPA may need a kick.

So I ran the following command

`ipactl restart`

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-otpd Service
Starting smb Service
Job for smb.service failed. See 'systemctl status smb.service' and 'journalctl -xn' for details.
Failed to start smb Service
Shutting down
Aborting ipactl

# systemctl status smb.service
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-07-22 11:01:44 PDT; 20s ago
  Process: 16752 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 16752 (code=exited, status=1/FAILURE)
   Status: "Starting process..."
   CGroup: /system.slice/smb.service

Jul 22 11:01:43 ipa-server-1.foo.bar systemd[1]: Starting Samba SMB Daemon...
Jul 22 11:01:43 ipa-server-1.foo.bar smbd[16751]: [2015/07/22 11:01:43.956721, 0] ../source3/smbd/server.c:1269(main)
Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 2
Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.

journalctl -xn provides no useful information, however journalctl does... sorta:

Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824829, 0] ipa_sam.c:4526(pdb_init_ipasam)
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Cannot find SID of fallback group.
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824878, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CENIC-ORG.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.

Thanks,
Bill

From jhrozek at redhat.com Wed Jul 22 19:17:42 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 22 Jul 2015 21:17:42 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AFD1F8.1090708@redhat.com>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com>
Message-ID: <20150722191742.GA15050@hendrix.redhat.com>

On Wed, Jul 22, 2015 at 11:25:12AM -0600, Rich Megginson wrote:
> >>>/lib64/libpthread.so.0
> >>>#1 0x00007fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
> >>>#2 0x00007fb8565f19a5 in ps_send_results ()
> >>>#3 0x00007fb8544facab in _pt_root () from /lib64/libnspr4.so
> >>>#4 0x00007fb853e9b52a in start_thread () from /lib64/libpthread.so.0
> >>>#5 0x00007fb853bd722d in clone () from /lib64/libc.so.6
> >>What is the client here that is doing a persistent search or syncrepl?
> >>Is it BIND?
> >To be honest, I have no idea. Bind is installed (with ipa) but I
> >haven't configured DNS services.
> >
> >My first guess would be the secondary IPA?
>
> No, probably not. I think it is either BIND or sssd.

Rich, if you're certain that the client is doing a syncrepl, then it's
bind. SSSD doesn't do syncrepl..(yet)

From dsirrine at redhat.com Wed Jul 22 19:22:42 2015
From: dsirrine at redhat.com (Dave Sirrine)
Date: Wed, 22 Jul 2015 15:22:42 -0400 (EDT)
Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
In-Reply-To: <55AFDD9B.1000809@cenic.org>
References: <55AFDD9B.1000809@cenic.org>
Message-ID: <1762129213.1519533.1437592962686.JavaMail.zimbra@redhat.com>

Bill,

Can you let us know what version of FreeIPA you're using? The most likely due to the occurrence of "NT_STATUS_INVALID_PARAMETER" which is most likely a time skew issue between AD and IPA. Can you verify this?

Thanks!

-- Dave

----- Original Message -----
> From: "William Graboyes"
> To: "freeipa-users"
> Sent: Wednesday, July 22, 2015 2:14:51 PM
> Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi All,
>
> I have been messing around with AD trust installs mainly around doing
> ntlm_auth for a radius server.
>
> However, as I was unable to see some of the needed resources, I
> thought maybe IPA may need a kick.
>
> So I ran the following command
>
> `ipactl restart`
>
> # ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting ipa-otpd Service
> Starting smb Service
> Job for smb.service failed. See 'systemctl status smb.service' and 'journalctl -xn' for details.
> Failed to start smb Service
> Shutting down
> Aborting ipactl
>
> # systemctl status smb.service
> smb.service - Samba SMB Daemon
> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
> Active: failed (Result: exit-code) since Wed 2015-07-22 11:01:44 PDT; 20s ago
> Process: 16752 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
> Main PID: 16752 (code=exited, status=1/FAILURE)
> Status: "Starting process..."
> CGroup: /system.slice/smb.service
>
> Jul 22 11:01:43 ipa-server-1.foo.bar systemd[1]: Starting Samba SMB Daemon...
> Jul 22 11:01:43 ipa-server-1.foo.bar smbd[16751]: [2015/07/22 11:01:43.956721, 0] ../source3/smbd/server.c:1269(main)
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 2
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.
>
> journalctl -xn provides no useful information, however journalctl
> does... sorta:
>
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824829, 0] ipa_sam.c:4526(pdb_init_ipasam)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Cannot find SID of fallback group.
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824878, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CENIC-ORG.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.
>
>
> Thanks,
> Bill
>

From rmeggins at redhat.com Wed Jul 22 19:32:29 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Jul 2015 13:32:29 -0600
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <20150722191742.GA15050@hendrix.redhat.com>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <20150722191742.GA15050@hendrix.redhat.com>
Message-ID: <55AFEFCD.6050707@redhat.com>

On 07/22/2015 01:17 PM, Jakub Hrozek wrote:
> On Wed, Jul 22, 2015 at 11:25:12AM -0600, Rich Megginson wrote:
>>>>> /lib64/libpthread.so.0
>>>>> #1 0x00007fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
>>>>> #2 0x00007fb8565f19a5 in ps_send_results ()
>>>>> #3 0x00007fb8544facab in _pt_root () from /lib64/libnspr4.so
>>>>> #4 0x00007fb853e9b52a in start_thread () from /lib64/libpthread.so.0
>>>>> #5 0x00007fb853bd722d in clone () from /lib64/libc.so.6
>>>> What is the client here that is doing a persistent search or syncrepl?
>>>> Is it BIND?
>>> To be honest, I have no idea. Bind is installed (with ipa) but I
>>> haven't configured DNS services.
>>>
>>> My first guess would be the secondary IPA?
>> No, probably not. I think it is either BIND or sssd.
> Rich, if you're certain that the client is doing a syncrepl, then it's
> bind. SSSD doesn't do syncrepl..(yet)
>

I'm not sure how else 389 would be in ps_send_results without a client doing a persistent search. So BIND it is.

From harenberg at physik.uni-wuppertal.de Wed Jul 22 19:47:26 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Wed, 22 Jul 2015 21:47:26 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AFEFCD.6050707@redhat.com>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <20150722191742.GA15050@hendrix.redhat.com> <55AFEFCD.6050707@redhat.com>
Message-ID: <55AFF34E.1070901@physik.uni-wuppertal.de>

On 22.07.2015 at 21:32, Rich Megginson wrote:
> On 07/22/2015 01:17 PM, Jakub Hrozek wrote:
>> On Wed, Jul 22, 2015 at 11:25:12AM -0600, Rich Megginson wrote:
>>>>>> /lib64/libpthread.so.0
>>>>>> #1 0x00007fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
>>>>>> #2 0x00007fb8565f19a5 in ps_send_results ()
>>>>>> #3 0x00007fb8544facab in _pt_root () from /lib64/libnspr4.so
>>>>>> #4 0x00007fb853e9b52a in start_thread () from /lib64/libpthread.so.0
>>>>>> #5 0x00007fb853bd722d in clone () from /lib64/libc.so.6
>>>>> What is the client here that is doing a persistent search or syncrepl?
>>>>> Is it BIND?
>>>> To be honest, I have no idea. Bind is installed (with ipa) but I
>>>> haven't configured DNS services.
>>>>
>>>> My first guess would be the secondary IPA?
>>> No, probably not. I think it is either BIND or sssd.
>> Rich, if you're certain that the client is doing a syncrepl, then it's
>> bind. SSSD doesn't do syncrepl..(yet)
>>
>
> I'm not sure how else 389 would be in ps_send_results without a client
> doing a persistent search. So BIND it is.
>

but strange: there is no bind binary:

[root at ipa ~]# rpm -qa | grep bind
bind-libs-9.9.6-9.P1.fc21.x86_64
bind-utils-9.9.6-9.P1.fc21.x86_64
samba-winbind-modules-4.1.17-1.fc21.x86_64
bind-license-9.9.6-9.P1.fc21.noarch
jackson-databind-2.4.1.3-1.fc21.noarch
invokebinder-1.1-8.fc21.noarch
samba-winbind-4.1.17-1.fc21.x86_64
cmpi-bindings-pywbem-0.9.5-8.fc21.x86_64
bind-libs-lite-9.9.6-9.P1.fc21.x86_64
rpcbind-0.2.2-2.1.fc21.x86_64
[root at ipa ~]#

[root at ipa ~]# rpm -qi bind
Das Paket bind ist nicht installiert
[root at ipa ~]#

[root at ipa ~]# ps ax | grep bind
 1449 ?        Ss     0:00 /usr/sbin/winbindd
 1450 ?        S      0:01 /usr/sbin/winbindd
 8094 pts/1    S+     0:00 grep --color=auto bind
[root at ipa ~]#

Cheers

 Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
<> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From rmeggins at redhat.com Wed Jul 22 19:49:17 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Jul 2015 13:49:17 -0600
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AFF34E.1070901@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <20150722191742.GA15050@hendrix.redhat.com> <55AFEFCD.6050707@redhat.com> <55AFF34E.1070901@physik.uni-wuppertal.de>
Message-ID: <55AFF3BD.8030902@redhat.com>

On 07/22/2015 01:47 PM, Torsten Harenberg wrote:
> On 22.07.2015 at 21:32, Rich Megginson wrote:
>> On 07/22/2015 01:17 PM, Jakub Hrozek wrote:
>>> On Wed, Jul 22, 2015 at 11:25:12AM -0600, Rich Megginson wrote:
>>>>>>> /lib64/libpthread.so.0
>>>>>>> #1 0x00007fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
>>>>>>> #2 0x00007fb8565f19a5 in ps_send_results ()
>>>>>>> #3 0x00007fb8544facab in _pt_root () from /lib64/libnspr4.so
>>>>>>> #4 0x00007fb853e9b52a in start_thread () from /lib64/libpthread.so.0
>>>>>>> #5 0x00007fb853bd722d in clone () from /lib64/libc.so.6
>>>>>> What is the client here that is doing a persistent search or syncrepl?
>>>>>> Is it BIND?
>>>>> To be honest, I have no idea. Bind is installed (with ipa) but I
>>>>> haven't configured DNS services.
>>>>>
>>>>> My first guess would be the secondary IPA?
>>>> No, probably not. I think it is either BIND or sssd.
>>> Rich, if you're certain that the client is doing a syncrepl, then it's
>>> bind. SSSD doesn't do syncrepl..(yet)
>>>
>> I'm not sure how else 389 would be in ps_send_results without a client
>> doing a persistent search. So BIND it is.
>>
>
> but strange: there is no bind binary:

Then I'm not sure what's going on.

>
> [root at ipa ~]# rpm -qa | grep bind
> bind-libs-9.9.6-9.P1.fc21.x86_64
> bind-utils-9.9.6-9.P1.fc21.x86_64
> samba-winbind-modules-4.1.17-1.fc21.x86_64
> bind-license-9.9.6-9.P1.fc21.noarch
> jackson-databind-2.4.1.3-1.fc21.noarch
> invokebinder-1.1-8.fc21.noarch
> samba-winbind-4.1.17-1.fc21.x86_64
> cmpi-bindings-pywbem-0.9.5-8.fc21.x86_64
> bind-libs-lite-9.9.6-9.P1.fc21.x86_64
> rpcbind-0.2.2-2.1.fc21.x86_64
> [root at ipa ~]#
>
> [root at ipa ~]# rpm -qi bind
> Das Paket bind ist nicht installiert
> [root at ipa ~]#
>
>
> [root at ipa ~]# ps ax | grep bind
>  1449 ?        Ss     0:00 /usr/sbin/winbindd
>  1450 ?        S      0:01 /usr/sbin/winbindd
>  8094 pts/1    S+     0:00 grep --color=auto bind
> [root at ipa ~]#
>
> Cheers
>
> Torsten
>
>

From abokovoy at redhat.com Wed Jul 22 19:53:21 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Jul 2015 22:53:21 +0300
Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
In-Reply-To: <55AFDD9B.1000809@cenic.org>
References: <55AFDD9B.1000809@cenic.org>
Message-ID: <20150722195321.GD21928@redhat.com>

On Wed, 22 Jul 2015, William Graboyes wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>Hi All,
>
>I have been messing around with AD trust installs mainly around doing
>ntlm_auth for a radius server.
>
>However, as I was unable to see some of the needed resources, I
>thought maybe IPA may need a kick.
>
This is your problem:
>Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
>Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.

What did you do?

Try to search as admin and as cifs/`hostname`:

# kinit admin
# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
# kdestroy
# kinit -kt /etc/samba/samba.keytab cifs/`hostname`
# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'

If the first one gives you a proper entry with ipaNTSecurityIdentifier
and the second one does not return the same entry, you've broken ACIs.

If both of them are failing, you need to re-run ipa-adtrust-install --add-sids to fix that.

--
/ Alexander Bokovoy

From sbose at redhat.com Wed Jul 22 19:54:48 2015
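
The comparison Alexander describes in the message above, as an added example (not part of the thread and not FreeIPA code): it reads the saved output of the two `ldapsearch` runs and reports which of his two cases applies. The file names, verdict labels, the `example.test` domain and the SID are constructed for illustration.

```shell
#!/bin/sh
# Each input file holds the saved output of
#   ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
# run once as admin and once as cifs/`hostname`.

# Print the ipaNTSecurityIdentifier value(s) found in an LDIF file.
# ldapsearch folds long lines (continuations start with one space), so
# unfold first; attribute names are matched case-insensitively.
sid_of() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1" | awk -F': ' 'tolower($1) == "ipantsecurityidentifier" { print $2 }'
}

# Usage: classify_sid_lookup ADMIN_OUTPUT CIFS_OUTPUT
# The verdict strings are this example's own labels (assumption).
classify_sid_lookup() {
    admin_sid=$(sid_of "$1")
    cifs_sid=$(sid_of "$2")
    if [ -z "$admin_sid" ] && [ -z "$cifs_sid" ]; then
        echo "missing-sid"   # both fail: re-run ipa-adtrust-install --add-sids
    elif [ -n "$admin_sid" ] && [ "$admin_sid" != "$cifs_sid" ]; then
        echo "aci-broken"    # admin reads the SID, the cifs/ principal does not
    elif [ -n "$admin_sid" ]; then
        echo "ok"            # both identities read the same SID
    else
        echo "unexpected"    # only cifs/ reads a SID; not covered by the advice
    fi
}

# Write constructed sample outputs into directory $1.
write_samples() {
    cat > "$1/admin.ldif" <<'EOF'
# extended LDIF
# filter: (cn=Default SMB Group)

dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=example,dc=test
cn: Default SMB Group
objectClass: ipantgroupattrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

# numEntries: 1
EOF
    # Same entry, with the SID line folded the way LDIF allows.
    cat > "$1/folded.ldif" <<'EOF'
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-333333
 3333-1001
EOF
    # Entry is returned but carries no SID (the state smbd complains about).
    cat > "$1/nosid.ldif" <<'EOF'
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=example,dc=test
cn: Default SMB Group
objectClass: posixgroup

# numEntries: 1
EOF
    # Search returned nothing at all.
    cat > "$1/empty.ldif" <<'EOF'
# extended LDIF
# filter: (cn=Default SMB Group)

# numResponses: 1
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "admin has SID, cifs sees nothing: $(classify_sid_lookup "$demo_dir/admin.ldif" "$demo_dir/empty.ldif")"
echo "entry without SID for both:       $(classify_sid_lookup "$demo_dir/nosid.ldif" "$demo_dir/nosid.ldif")"
rm -rf "$demo_dir"
```

On a real server the two inputs would be produced by redirecting each `ldapsearch` run from the message into a file.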
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 22 Jul 2015 21:54:48 +0200
Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
In-Reply-To: <55AFDD9B.1000809@cenic.org>
References: <55AFDD9B.1000809@cenic.org>
Message-ID: <20150722195448.GH7078@p.redhat.com>

On Wed, Jul 22, 2015 at 11:14:51AM -0700, William Graboyes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi All,
>
> I have been messing around with AD trust installs mainly around doing
> ntlm_auth for a radius server.
>
> However, as I was unable to see some of the needed resources, I
> thought maybe IPA may need a kick.
>
> So I ran the following command
>
> `ipactl restart`
>
> # ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting ipa-otpd Service
> Starting smb Service
> Job for smb.service failed. See 'systemctl status smb.service' and 'journalctl -xn' for details.
> Failed to start smb Service
> Shutting down
> Aborting ipactl
>
> # systemctl status smb.service
> smb.service - Samba SMB Daemon
> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
> Active: failed (Result: exit-code) since Wed 2015-07-22 11:01:44 PDT; 20s ago
> Process: 16752 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
> Main PID: 16752 (code=exited, status=1/FAILURE)
> Status: "Starting process..."
> CGroup: /system.slice/smb.service
>
> Jul 22 11:01:43 ipa-server-1.foo.bar systemd[1]: Starting Samba SMB Daemon...
> Jul 22 11:01:43 ipa-server-1.foo.bar smbd[16751]: [2015/07/22 11:01:43.956721, 0] ../source3/smbd/server.c:1269(main)
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 2
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.
>
> journalctl -xn provides no useful information, however journalctl
> does... sorta:
>
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824829, 0] ipa_sam.c:4526(pdb_init_ipasam)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Cannot find SID of fallback group.
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824878, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CENIC-ORG.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.

You can try and run 'ipa-adtrust-install' a second time. This might add all attributes smbd needs.

HTH

bye,
Sumit

>
>
> Thanks,
> Bill

From harenberg at physik.uni-wuppertal.de Wed Jul 22 20:09:31 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Wed, 22 Jul 2015 22:09:31 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AFF3BD.8030902@redhat.com>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <20150722191742.GA15050@hendrix.redhat.com> <55AFEFCD.6050707@redhat.com> <55AFF34E.1070901@physik.uni-wuppertal.de> <55AFF3BD.8030902@redhat.com>
Message-ID: <55AFF87B.5080905@physik.uni-wuppertal.de>

On 22.07.2015 at 21:49, Rich Megginson wrote:
>>
>> but strange: there is no bind binary:
>
> Then I'm not sure what's going on.

currently there is a java process on ldaps:

[root at ipa ~]# netstat -p -n | grep 636
tcp6       0      0 132.195.124.12:636      132.195.124.12:36546    VERBUNDEN   800/ns-slapd
tcp6       0      0 132.195.124.12:636      132.195.124.12:36553    VERBUNDEN   800/ns-slapd
tcp6       0      0 132.195.124.12:36546    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:36549    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:36551    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:36553    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:636      132.195.124.12:36549    VERBUNDEN   800/ns-slapd
tcp6       0      0 132.195.124.12:36548    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:36550    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:636      132.195.124.12:36554    VERBUNDEN   800/ns-slapd
tcp6       0      0 132.195.124.12:36554    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:636      132.195.124.12:36548    VERBUNDEN   800/ns-slapd
tcp6       0      0 132.195.124.12:636      132.195.124.12:36547    VERBUNDEN   800/ns-slapd
tcp6       0      0 132.195.124.12:36552    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:36547    132.195.124.12:636      VERBUNDEN   1331/java
tcp6       0      0 132.195.124.12:636      132.195.124.12:36550    VERBUNDEN   800/ns-slapd
tcp6       0      0 132.195.124.12:636      132.195.124.12:36552    VERBUNDEN   800/ns-slapd
tcp6       0      0 132.195.124.12:636      132.195.124.12:36551    VERBUNDEN   800/ns-slapd

[root at ipa ~]# ps ax | grep 1331
 1331 ?        Ssl    2:19 /usr/lib/jvm/jre/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start
 8411 pts/1    S+     0:00 grep --color=auto 1331
[root at ipa ~]#

Could that cause these requests?

Best regards,

 Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
<> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From rmeggins at redhat.com Wed Jul 22 20:14:23 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Jul 2015 14:14:23 -0600
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55AFF87B.5080905@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <20150722191742.GA15050@hendrix.redhat.com> <55AFEFCD.6050707@redhat.com> <55AFF34E.1070901@physik.uni-wuppertal.de> <55AFF3BD.8030902@redhat.com> <55AFF87B.5080905@physik.uni-wuppertal.de>
Message-ID: <55AFF99F.2090309@redhat.com>

On 07/22/2015 02:09 PM, Torsten Harenberg wrote:
> On 22.07.2015 at 21:49, Rich Megginson wrote:
>>> but strange: there is no bind binary:
>> Then I'm not sure what's going on.
> currently there is a java process on ldaps:
>
> [root at ipa ~]# netstat -p -n | grep 636
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36546 VERBUNDEN 800/ns-slapd
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36553 VERBUNDEN 800/ns-slapd
> tcp6 0 0 132.195.124.12:36546 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:36549 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:36551 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:36553 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36549 VERBUNDEN 800/ns-slapd
> tcp6 0 0 132.195.124.12:36548 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:36550 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36554 VERBUNDEN 800/ns-slapd
> tcp6 0 0 132.195.124.12:36554 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36548 VERBUNDEN 800/ns-slapd
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36547 VERBUNDEN 800/ns-slapd
> tcp6 0 0 132.195.124.12:36552 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:36547 132.195.124.12:636 VERBUNDEN 1331/java
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36550 VERBUNDEN 800/ns-slapd
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36552 VERBUNDEN 800/ns-slapd
> tcp6 0 0 132.195.124.12:636 132.195.124.12:36551 VERBUNDEN 800/ns-slapd
>
> [root at ipa ~]# ps ax | grep 1331
> 1331 ? Ssl 2:19 /usr/lib/jvm/jre/bin/java
> -DRESTEASY_LIB=/usr/share/java/resteasy -classpath
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
> -Dcatalina.base=/var/lib/pki/pki-tomcat
> -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
> -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.security.manager
> -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
> org.apache.catalina.startup.Bootstrap start
> 8411 pts/1 S+ 0:00 grep --color=auto 1331
> [root at ipa ~]#
>
> Could that cause these requests?

Possibly, but I didn't think DogTag used persistent search.

>
> Best regards,
>
> Torsten
>
>

From wgraboyes at cenic.org Wed Jul 22 20:20:53 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Wed, 22 Jul 2015 13:20:53 -0700
Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
In-Reply-To: <1762129213.1519533.1437592962686.JavaMail.zimbra@redhat.com>
References: <55AFDD9B.1000809@cenic.org> <1762129213.1519533.1437592962686.JavaMail.zimbra@redhat.com>
Message-ID: <55AFFB25.3030105@cenic.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Dave,

There is no actual AD at this time.

Thanks :)

On 7/22/15 12:22 PM, Dave Sirrine wrote:
> Bill,
>
> Can you let us know what version of FreeIPA you're using? The most
> likely due to the occurrence of "NT_STATUS_INVALID_PARAMETER" which
> is most likely a time skew issue between AD and IPA. Can you verify
> this? Thanks!
>
> -- Dave
>
> ----- Original Message -----
>> From: "William Graboyes"
>> To: "freeipa-users"
>> Sent: Wednesday, July 22, 2015 2:14:51 PM
>> Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
>>
> Hi All,
>
> I have been messing around with AD trust installs mainly around
> doing ntlm_auth for a radius server.
>
> However, as I was unable to see some of the needed resources, I
> thought maybe IPA may need a kick.
>
> So I ran the following command
>
> `ipactl restart`
>
> # ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting ipa-otpd Service
> Starting smb Service
> Job for smb.service failed. See 'systemctl status smb.service' and 'journalctl -xn' for details.
> Failed to start smb Service
> Shutting down
> Aborting ipactl
>
> # systemctl status smb.service
> smb.service - Samba SMB Daemon
> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
> Active: failed (Result: exit-code) since Wed 2015-07-22 11:01:44 PDT; 20s ago
> Process: 16752 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
> Main PID: 16752 (code=exited, status=1/FAILURE)
> Status: "Starting process..."
> CGroup: /system.slice/smb.service
>
> Jul 22 11:01:43 ipa-server-1.foo.bar systemd[1]: Starting Samba SMB Daemon...
> Jul 22 11:01:43 ipa-server-1.foo.bar smbd[16751]: [2015/07/22 11:01:43.956721, 0] ../source3/smbd/server.c:1269(main)
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
> Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 2
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
> Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.
>
> journalctl -xn provides no useful information, however journalctl
> does... sorta:
>
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824829, 0] ipa_sam.c:4526(pdb_init_ipasam)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Cannot find SID of fallback group.
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824878, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CENIC-ORG.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
> Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.
> > > Thanks, Bill
From wgraboyes at cenic.org Wed Jul 22 20:40:08 2015
From: wgraboyes at cenic.org (William Graboyes) Date: Wed, 22 Jul 2015 13:40:08 -0700 Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!) In-Reply-To: <20150722195321.GD21928@redhat.com> References: <55AFDD9B.1000809@cenic.org> <20150722195321.GD21928@redhat.com> Message-ID: <55AFFFA8.1050300@cenic.org>

Hi Alexander,

Thank you for the pointers. However, it seems that I am still not getting the ipaNTSecurityIdentifier returned, even after re-running the ipa-adtrust-install --add-sids (which I believe it gave me the option for on initial install, and I said yes).

I followed the steps on this site (I believe you directed me there) http://firstyear.id.au/entry/22 and the output from the commands:

[root at ipa-server-2 ~]# kinit admin
Password for admin at foo.bar:
[root at ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: admin at foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
[root at ipa-server-2 ~]# kdestroy
[root at ipa-server-2 ~]# kinit -kt /etc/samba/samba.keytab cifs/`hostname`
[root at ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: cifs/ipa-server-2.foo.bar at foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Thanks,
Bill Graboyes

On 7/22/15 12:53 PM, Alexander Bokovoy wrote:
> On Wed, 22 Jul 2015, William Graboyes wrote:
>> Hi All,
>>
>> I have been messing around with AD trust installs mainly around
>> doing ntlm_auth for a radius server.
>>
>> However, as I was unable to see some of the needed resources, I
>> thought maybe IPA may need a kick.
>>
> This is your problem:
>> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
>> 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid) Jul
>> 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory
>> attribute ipaNTSecurityIdentifier.
> What did you do?
>
> Try to search as admin and as cifs/`hostname`:
> # kinit admin
> # ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
> # kdestroy
> # kinit -kt /etc/samba/samba.keytab cifs/`hostname`
> # ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
>
> If the first one gives you a proper entry with
> ipaNTSecurityIdentifier and the second one does not return the same
> entry, you've broken ACIs.
>
> If both of them are failing, you need to re-run
> ipa-adtrust-install --add-sids to fix that.
>
From matt.koch at sendgrid.com Thu Jul 23 00:45:17 2015
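The two-identity check from the quoted reply above, as an added example that is not part of the thread: it parses the two `ldapsearch` outputs (unfolding wrapped LDIF lines such as the `description` above) and applies the rule Alexander states. The function names, the example.test suffix and the SID value are constructed for illustration, and the "ok" and "unexpected" outcomes are additions for the cases his reply does not name.

```python
import base64

SID_ATTR = "ipantsecurityidentifier"  # attribute names are compared lower-cased


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of (dn, {attr: [values]})."""
    lines = []
    for raw in text.splitlines():
        # LDIF folds long lines; a continuation line starts with one space.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            current = None           # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue                 # ldapsearch comment lines
        name, sep, rest = line.partition(":")
        if not sep:
            continue                 # e.g. "SASL/GSSAPI authentication started"
        if rest.startswith(":"):     # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        key = name.strip().lower()
        if key == "dn":
            current = {}
            entries.append((value, current))
        elif current is not None:    # ignores "SASL SSF: 56", "search: 4", ...
            current.setdefault(key, []).append(value)
    return entries


def fallback_group_sids(ldif_text, cn="Default SMB Group"):
    """Return every ipaNTSecurityIdentifier value found on entries with this cn."""
    sids = []
    for _dn, attrs in parse_ldif(ldif_text):
        if cn.lower() in (v.lower() for v in attrs.get("cn", [])):
            sids.extend(attrs.get(SID_ATTR, []))
    return sids


def diagnose(admin_ldif, cifs_ldif):
    """Apply the rule from the reply to the admin and cifs/<host> search results."""
    admin_sids = fallback_group_sids(admin_ldif)
    cifs_sids = fallback_group_sids(cifs_ldif)
    if admin_sids and set(admin_sids) == set(cifs_sids):
        return "ok"          # both identities see the SID (added outcome)
    if admin_sids:
        return "aci"         # admin sees it, the cifs principal does not: broken ACIs
    if not cifs_sids:
        return "add-sids"    # neither sees it: re-run ipa-adtrust-install --add-sids
    return "unexpected"      # only the cifs principal sees it (added outcome)


# Constructed sample output, shaped like the ldapsearch results in the thread.
PREAMBLE = ("SASL/GSSAPI authentication started\n"
            "SASL username: admin@EXAMPLE.TEST\nSASL SSF: 56\n"
            "# extended LDIF\n#\n# LDAPv3\n#\n\n")
COMPAT_ENTRY = """\
# Default SMB Group, groups, compat, example.test
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=example,dc=test
gidNumber: 3512
objectClass: posixGroup
cn: Default SMB Group
"""
ACCOUNTS_ENTRY = """\
# Default SMB Group, groups, accounts, example.test
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=example,dc=test
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: ipaobject
objectClass: posixgroup
gidNumber: 3512
"""
TRAILER = "\n# search result\nsearch: 4\nresult: 0 Success\n"
CONSTRUCTED_SID = "S-1-5-21-1111111111-2222222222-3333333333-1004"

WITHOUT_SID = PREAMBLE + COMPAT_ENTRY + "\n" + ACCOUNTS_ENTRY + TRAILER
WITH_SID = (PREAMBLE + COMPAT_ENTRY + "\n" + ACCOUNTS_ENTRY
            + "ipaNTSecurityIdentifier: " + CONSTRUCTED_SID + "\n" + TRAILER)

if __name__ == "__main__":
    print("admin sees SID, cifs does not:", diagnose(WITH_SID, WITHOUT_SID))
    print("neither sees SID:             ", diagnose(WITHOUT_SID, WITHOUT_SID))
```

Save each `ldapsearch` run to a file and pass the two file contents to `diagnose()`; the admin output goes first.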
From: matt.koch at sendgrid.com (Matt Koch) Date: Wed, 22 Jul 2015 18:45:17 -0600 Subject: [Freeipa-users] LDAP to Free IPA Migration SSSD migration : example configuration of sssd.conf file? Message-ID:

Hello,

I'm looking for an example sssd.conf migration configuration that will allow for the user to seamlessly authenticate to LDAP or freeIPA prior to installation of the freeipa client. This would be during migration to generate kerberos hashes for each user while still providing legacy LDAP support until migration can be completed. Hopefully with minimal changes to our existing sssd.conf file.

Hinted at here: (20.1.3.4. Migration Sequence - http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html#migration-considerations

and here: The redhat documentation describes https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Migrating_from_a_Directory_Server_to_IPA.html

27.1.2.3. Method 3: Using SSSD (Recommended)

SSSD can work with IdM to mitigate the user impact on migrating by generating the required user keys. For deployments with a lot of users or where users shouldn't be burdened with password changes, this is the best scenario.

- A user tries to log into a machine with SSSD.
- SSSD attempts to perform Kerberos authentication against the IdM server.
- Even though the user exists in the system, the authentication will fail with the error key type is not supported because the Kerberos hashes do not yet exist.
- SSSD then performs a plain text LDAP bind over a secure connection.
- IdM intercepts this bind request. If the user has a Kerberos principal but no Kerberos hashes, then the IdM identity provider generates the hashes and stores them in the user entry.
- If authentication is successful, SSSD disconnects from IdM and tries Kerberos authentication again. This time, the request succeeds because the hash exists in the entry.

That entire process is entirely transparent to the user; as far as users know, they simply log into a client service and it works as normal.

From: https://www.redhat.com/archives/freeipa-users/2011-September/msg00138.html

Specifically, the way SSSD behaves is as follows:

1) Try to authenticate with Kerberos. If Kerberos responds that there's no hash for this user,
2) Ask FreeIPA if migration mode is enabled, if it is,
3) Try to bind to FreeIPA LDAP using the same password. If this succeeds, we know that the password is valid
4) Initiate a kerberos password-change to set the kerberos password equal to the LDAP password.

Thanks for your help!

-Matt
From harenberg at physik.uni-wuppertal.de Thu Jul 23 05:47:08 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg) Date: Thu, 23 Jul 2015 07:47:08 +0200 Subject: [Freeipa-users] Kerberos hanging approx. once a day In-Reply-To: <55AFD1F8.1090708@redhat.com> References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> Message-ID: <55B07FDC.5080803@physik.uni-wuppertal.de>

Good morning,

On 22.07.15 at 19:25, Rich Megginson wrote:
> On 07/22/2015 11:03 AM, Torsten Harenberg wrote:
>> Dear Rich,
>>
>> On 22.07.2015 at 17:03, Rich Megginson wrote:
>>> It might be helpful to do a # debuginfo-install 389-ds-base ipa-server
>>> slapi-nis
>>> and follow the directions at
>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>>> to get a full stack trace
>> thanks for the hint. Did that. But assume I need to wait until it hangs
>> again, right?
>
> Right.

Problem happened again, this time with slightly different symptoms:

[root at wn108 ~]# id atlasprd020
id: atlasprd020: No such user

after restarting dirserv:

[root at wn108 ~]# id atlasprd020
uid=18970(atlasprd020) gid=1407(atlasprd) groups=1407(atlasprd)
[root at wn108 ~]#

So of course the whole site was down.

The dirserv log file has not much:

[22/Jul/2015:11:03:35 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be add ed before the CoS Definition.
[22/Jul/2015:11:03:38 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=pleiades,dc=uni-wuppertal,dc=de.
Check if DB RUV needs to be updated [22/Jul/2015:11:03:38 +0200] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 55af7af3000e00040000 [22/Jul/2015:11:03:39 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keyta b [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [22/Jul/2015:11:03:39 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be add ed before the CoS Definition. [22/Jul/2015:11:03:39 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL( -1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [22/Jul/2015:11:03:39 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [22/Jul/2015:11:03:39 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [22/Jul/2015:11:03:39 +0200] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [22/Jul/2015:11:03:39 +0200] - Listening on All Interfaces port 636 for LDAPS requests [22/Jul/2015:11:03:39 +0200] - Listening on /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests [22/Jul/2015:11:03:43 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth resumed [22/Jul/2015:15:15:41 +0200] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [51351] into an unused SID. [22/Jul/2015:15:15:41 +0200] ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry. [23/Jul/2015:07:33:05 +0200] - slapd shutting down - signaling operation threads - op stack size 48 max work q size 22 max work q stack size 22 [23/Jul/2015:07:33:05 +0200] - slapd shutting down - waiting for 1 thread to terminate [23/Jul/2015:07:33:05 +0200] - slapd shutting down - closing down internal subsystems and plugins [23/Jul/2015:07:33:05 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Warning: Attempting to release replica, but unable to r eceive endReplication extended operation response from the replica. 
Error -5 (Timed out) [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused 
[23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:07:33:06 +0200] - Waiting for 4 database threads to stop [23/Jul/2015:07:33:06 +0200] - All database threads now stopped [23/Jul/2015:07:33:06 +0200] - slapd shutting down - freed 22 work q stack objects - freed 49 op stack objects [23/Jul/2015:07:33:06 +0200] - slapd stopped. [23/Jul/2015:07:33:08 +0200] nis-plugin - error connecting rpcbind client socket to the service [23/Jul/2015:07:33:08 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [23/Jul/2015:07:33:08 +0200] - SSL alert: Configured NSS Ciphers [...] [23/Jul/2015:07:33:12 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:07:33:12 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:07:33:12 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:07:33:12 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [23/Jul/2015:07:33:12 +0200] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [23/Jul/2015:07:33:12 +0200] - Listening on All Interfaces port 636 for LDAPS requests [23/Jul/2015:07:33:12 +0200] - Listening on /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests [23/Jul/2015:07:33:15 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:07:33:15 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:07:33:15 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:07:33:21 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:07:33:21 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:07:33:21 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:07:33:33 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:07:33:33 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:07:33:33 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:07:33:57 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:07:33:57 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:07:33:57 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:07:34:45 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:07:34:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:07:34:45 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) attached is the strace of slapd as instructed earlier. I am really a bit lost. Even though we have deployed two IPA servers, the whole site is down about twice a day with authentication problems. Hope anybody can help. Best regards, Torsten -- <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> <> <> <> Dr. 
Torsten Harenberg harenberg at physik.uni-wuppertal.de <> <> Bergische Universitaet <> <> FB C - Physik Tel.: +49 (0)202 439-3521 <> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <> <> 42097 Wuppertal <> <> <> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><> -------------- next part -------------- A non-text attachment was scrubbed... Name: stacktrace.1437629471.txt.gz Type: application/x-gzip Size: 13122 bytes Desc: not available URL: From lkrispen at redhat.com Thu Jul 23 06:20:57 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Thu, 23 Jul 2015 08:20:57 +0200 Subject: [Freeipa-users] Failed to start pki-tomcatd Service In-Reply-To: <20150722164042.GB21928@redhat.com> References: <20150720143841.GI21928@redhat.com> <20150720151750.GJ21928@redhat.com> <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com> <20150722150933.GX21928@redhat.com> <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com> <20150722154339.GY21928@redhat.com> <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com> <20150722160802.GA21928@redhat.com> <20150722164042.GB21928@redhat.com> Message-ID: <55B087C9.3060900@redhat.com>

On 07/22/2015 06:40 PM, Alexander Bokovoy wrote:
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>
>>> On 22 Jul 2015 at 18:08, Alexander Bokovoy wrote:
>>>
>>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>>> from both servers?
>>>>
>>>> Server 1:
>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: (
>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>
>>>> Server 2:
>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: (
>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>
>>>>>
>>>>> With correct setup IPA 4.x should show:
>>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: (
>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: (
>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>>
>>>>> I.e. there are two lines -- in the default schema and in the IPA
>>>>> instance schema.
>>>>
>>>> Seems to be good?
>>> Yes. Can you get a new set of logs on 'ipactl start'?
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> Sorry, the log is very long... I can format differently if you need.
> Thanks, no need for more logs right now.
>
> What I see from these logs:
> - Directory server starts just fine but serves only port 389
> - krb5kdc starts just fine and works fine with LDAP server
> - Dogtag tries to use LDAP server via port 636 and fails
>
> We need to see why port 636 is disabled.

Why do you think so? There is:

[22/Jul/2015:18:14:54 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[22/Jul/2015:18:14:54 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[22/Jul/2015:18:14:54 +0200] - Listening on /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests

but what is failing is:

agmt="cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat" (inf-ipa:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()

Is dogtag on a different instance? Why do we use port 7389?

>
> Can you grep /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif for following
> attributes:
> nsslapd-security
> nsslapd-port
>
> They should be 'on' and '389' correspondingly.
>
From harenberg at physik.uni-wuppertal.de Thu Jul 23 06:20:33 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg) Date: Thu, 23 Jul 2015 08:20:33 +0200 Subject: [Freeipa-users] Kerberos hanging approx. once a day In-Reply-To: <55B07FDC.5080803@physik.uni-wuppertal.de> References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> Message-ID: <55B087B1.3020909@physik.uni-wuppertal.de> Maybe related or not: even after rebooting both IPA servers, the "secondary" has every 5 minutes (not only during startup) [23/Jul/2015:08:00:25 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Jul/2015:08:00:25 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Jul/2015:08:02:01 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Jul/2015:08:02:01 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Jul/2015:08:05:13 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Jul/2015:08:05:13 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Jul/2015:08:10:13 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech 
[GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Jul/2015:08:10:13 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Jul/2015:08:15:13 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Jul/2015:08:15:13 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) in the dirserv log. Best regards Torsten -- <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> <> <> <> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <> <> Bergische Universitaet <> <> FB C - Physik Tel.: +49 (0)202 439-3521 <> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <> <> 42097 Wuppertal <> <> <> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><> From harenberg at physik.uni-wuppertal.de Thu Jul 23 06:35:45 2015 
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg) Date: Thu, 23 Jul 2015 08:35:45 +0200 Subject: [Freeipa-users] Kerberos hanging approx. once a day In-Reply-To: <55B087B1.3020909@physik.uni-wuppertal.de> References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B087B1.3020909@physik.uni-wuppertal.de> Message-ID: <55B08B41.6050308@physik.uni-wuppertal.de> Huu.. situation is getting worse. Even after a full reboot, slapd does not start at all anymore on the primary server. This is the full log (looks like the realm is missing suddenly?): [23/Jul/2015:07:40:53 +0200] - slapd stopped. [23/Jul/2015:08:25:06 +0200] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096. 
[23/Jul/2015:08:25:06 +0200] nis-plugin - error connecting rpcbind client socket to the service [23/Jul/2015:08:25:06 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [23/Jul/2015:08:25:06 +0200] - SSL alert: Configured NSS Ciphers [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [23/Jul/2015:08:25:06 +0200] - 389-Directory/1.3.3.8 B2015.036.047 starting up [23/Jul/2015:08:25:06 +0200] - WARNING: cache too small, increasing to 500K bytes [23/Jul/2015:08:25:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:25:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:25:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:25:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:25:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:25:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:25:06 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4251648B; We recommend to increase the entry cache size nsslapd-cachememsize. [23/Jul/2015:08:25:06 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 173367296B; We recommend to increase the entry cache size nsslapd-cachememsize. 
[23/Jul/2015:08:25:07 +0200] - resizing db cache size: 320000 -> 400000 [23/Jul/2015:08:25:07 +0200] nis-plugin - warning: no entries in domain=pleiades.uni-wuppertal.de,map=ethers.byaddr [23/Jul/2015:08:25:07 +0200] nis-plugin - warning: no entries in domain=pleiades.uni-wuppertal.de,map=ethers.byname [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] 
nis-plugin - timeout registering with portmap service [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:25:08 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:25:08 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de [23/Jul/2015:08:25:09 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target 
cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:25:09 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [23/Jul/2015:08:25:09 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be added before the CoS Definition. [23/Jul/2015:08:25:09 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm) [23/Jul/2015:08:25:09 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:25:09 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:25:09 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [23/Jul/2015:08:25:09 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be added before the CoS Definition. [23/Jul/2015:08:25:09 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests [23/Jul/2015:08:25:09 +0200] - Listening on All Interfaces port 636 for LDAPS requests [23/Jul/2015:08:25:09 +0200] - Listening on /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests [23/Jul/2015:08:25:12 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm) [23/Jul/2015:08:25:12 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:25:12 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:25:18 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm) [23/Jul/2015:08:25:18 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:25:18 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:25:30 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm) [23/Jul/2015:08:25:30 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:25:30 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:25:54 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm) [23/Jul/2015:08:25:54 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:25:54 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:26:42 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm) [23/Jul/2015:08:26:42 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:26:42 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:28:21 +0200] nis-plugin - error connecting rpcbind client socket to the service [23/Jul/2015:08:28:22 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [23/Jul/2015:08:28:22 +0200] - SSL alert: Configured NSS Ciphers [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 
enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [23/Jul/2015:08:28:22 +0200] - 389-Directory/1.3.3.8 B2015.036.047 starting up [23/Jul/2015:08:28:22 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:28:22 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:28:22 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:28:22 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:28:22 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:28:22 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up [23/Jul/2015:08:28:22 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4251648B; We recommend to increase the entry cache size nsslapd-cachememsize. 
[23/Jul/2015:08:28:22 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 173367296B; We recommend to increase the entry cache size nsslapd-cachememsize. [23/Jul/2015:08:28:22 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [23/Jul/2015:08:28:23 +0200] nis-plugin - warning: no entries in domain=pleiades.uni-wuppertal.de,map=ethers.byaddr [23/Jul/2015:08:28:23 +0200] nis-plugin - warning: no entries in domain=pleiades.uni-wuppertal.de,map=ethers.byname [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:28:25 
+0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:28:25 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:28:25 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de [23/Jul/2015:08:28:26 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target 
cn=keys,cn=sec,cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=dns,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pleiades,dc=uni-wuppertal,dc=de does not exist [23/Jul/2015:08:28:26 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [23/Jul/2015:08:28:26 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be added before the CoS Definition. [23/Jul/2015:08:28:31 +0200] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=pleiades,dc=uni-wuppertal,dc=de. 
Check if DB RUV needs to be updated [23/Jul/2015:08:28:31 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:08:28:31 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:28:31 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:28:31 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [23/Jul/2015:08:28:32 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates found, which should be added before the CoS Definition. [23/Jul/2015:08:28:32 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests [23/Jul/2015:08:28:32 +0200] - Listening on All Interfaces port 636 for LDAPS requests [23/Jul/2015:08:28:32 +0200] - Listening on /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests [23/Jul/2015:08:28:34 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:08:28:34 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:28:34 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:28:40 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:08:28:40 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:28:40 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:28:52 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:08:28:52 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:28:52 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:29:16 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [23/Jul/2015:08:29:16 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Jul/2015:08:29:16 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Jul/2015:08:29:17 +0200] - slapd shutting down - signaling operation threads - op stack size 4 max work q size 3 max work q stack size 3 [23/Jul/2015:08:29:17 +0200] - slapd shutting down - waiting for 28 threads to terminate [23/Jul/2015:08:29:17 +0200] - slapd shutting down - closing down internal subsystems and plugins [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - timeout 
registering with portmap service [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - error sending request to portmap or rpcbind on 9: Connection refused [23/Jul/2015:08:29:17 +0200] nis-plugin - timeout registering with portmap service [23/Jul/2015:08:29:17 +0200] - Waiting for 4 database threads to stop [23/Jul/2015:08:29:17 +0200] - All database threads now stopped [23/Jul/2015:08:29:17 +0200] - slapd shutting down - freed 3 work q stack objects - freed 4 op stack objects [23/Jul/2015:08:29:17 +0200] - slapd stopped. [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# There is no rpcbind on the system. Can install one, but don't know if that is meaningful or not. Any help is really much appreciated now. Kind regards Torsten -- <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> <> <> <> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <> <> Bergische Universitaet <> <> FB C - Physik Tel.: +49 (0)202 439-3521 <> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <> <> 42097 Wuppertal <> <> <> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><> From abokovoy at redhat.com Thu Jul 23 06:41:33 2015 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 23 Jul 2015 09:41:33 +0300
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <55B087C9.3060900@redhat.com>
References: <20150720151750.GJ21928@redhat.com> <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com> <20150722150933.GX21928@redhat.com> <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com> <20150722154339.GY21928@redhat.com> <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com> <20150722160802.GA21928@redhat.com> <20150722164042.GB21928@redhat.com> <55B087C9.3060900@redhat.com>
Message-ID: <20150723064133.GE21928@redhat.com>

On Thu, 23 Jul 2015, Ludwig Krispenz wrote:
>>- Directory server starts just fine but serves only port 389
>>- krb5kdc starts just fine and works fine with LDAP server
>>- Dogtag tries to use LDAP server via port 636 and fails
>>
>>We need to see why port 636 is disabled.
>why do you think so ? There is:
>
>[22/Jul/2015:18:14:54 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>[22/Jul/2015:18:14:54 +0200] - Listening on All Interfaces port 636 for LDAPS requests
>[22/Jul/2015:18:14:54 +0200] - Listening on /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests
Missed that part. However, dogtag was failing in accessing LDAP over port 636.

>but what is failing is:
>agmt="cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat" (inf-ipa:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
>
>Is dogtag on a different instance ? why do we use port 7389 ?
Because it was migration from RHEL6 to RHEL7. In RHEL6 dogtag was living in a separate instance.

-- 
/ Alexander Bokovoy

From sbose at redhat.com Thu Jul 23 07:11:39 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 23 Jul 2015 09:11:39 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55B08B41.6050308@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B087B1.3020909@physik.uni-wuppertal.de> <55B08B41.6050308@physik.uni-wuppertal.de>
Message-ID: <20150723071139.GI7078@p.redhat.com>

On Thu, Jul 23, 2015 at 08:35:45AM +0200, Torsten Harenberg wrote:
> Huu.. situation is getting worse.
>
> Even after a full reboot, slapd does not start at all anymore on the
> primary server.
>
> This is the full log (looks like the realm is missing suddenly?):
> ...
> [23/Jul/2015:08:25:09 +0200] set_krb5_creds - Could not get initial
> credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]:
> -1765328164 (Cannot resolve network address for KDC in requested realm)

The principal looks strange, I would at least expect the fully-qualified
name of the ipa server here. What does the 'hostname' command return? It
is expected that it will return the fully-qualified name. Additionally if
you added the ipa server to /etc/hosts please only use the
fully-qualified name to be on the safe side (iirc it is ok to have the
short name as a second name, but the fully-qualified one should be
always first).

The keytab file /etc/krb5.keytab looks strange here. Later on the right
one /etc/dirsrv/ds.keytab is used. Did you try to run the
/usr/sbin/ns-slapd binary manually at some time?

bye,
Sumit

From harenberg at physik.uni-wuppertal.de Thu Jul 23 07:18:43 2015
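The two checks made in the reply above (is the service principal complete, and which keytab did ns-slapd read) can be run mechanically over a 389-ds error log. The following Python sketch is an added example, not part of the original thread and not FreeIPA or 389-ds code; the function names are hypothetical, the expected keytab path is the one named in the thread, and the sample entries are copied from the quoted log except the last one, which is constructed.

```python
import re
from collections import OrderedDict

# Entries 1-6 are copied from the error log quoted in this thread (the second is
# left wrapped the way the list archive wraps it). The last entry is constructed.
SAMPLE_LOG = """\
[23/Jul/2015:08:25:09 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm)
[23/Jul/2015:08:25:12 +0200] set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]:
-1765328164 (Cannot resolve network address for KDC in requested realm)
[23/Jul/2015:08:25:18 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm)
[23/Jul/2015:08:28:31 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[23/Jul/2015:08:28:32 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Jul/2015:08:28:34 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[23/Jul/2015:09:00:00 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.example.test@EXAMPLE.TEST] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
"""

# One set_krb5_creds failure: timestamp, principal, keytab, krb5 code, message.
ENTRY_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] set_krb5_creds - Could not get initial credentials "
    r"for principal \[(?P<principal>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: "
    r"(?P<code>-?\d+) \((?P<msg>[^)]*)\)"
)


def parse_principal(principal):
    """Split 'service/host@REALM' into three parts; missing parts become ''."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def principal_findings(principal):
    """Flag the two oddities pointed out in the thread for 'ldap/ipa@'."""
    _, host, realm = parse_principal(principal)
    findings = []
    if not realm:
        findings.append("principal has no realm")
    if "." not in host:
        findings.append("host part is not fully qualified")
    return findings


def triage(log_text, expected_keytab="/etc/dirsrv/ds.keytab"):
    """Group set_krb5_creds failures by (principal, keytab, code).

    Whitespace is collapsed first, so entries that were wrapped or run
    together on one line (as in a mail archive) are still matched.
    """
    text = re.sub(r"\s+", " ", log_text)
    groups = OrderedDict()
    for m in ENTRY_RE.finditer(text):
        keytab = m["keytab"]
        if keytab.startswith("FILE:"):
            keytab = keytab[len("FILE:"):]
        key = (m["principal"], keytab, int(m["code"]))
        group = groups.get(key)
        if group is None:
            findings = principal_findings(m["principal"])
            if keytab != expected_keytab:
                findings.append(f"keytab is not {expected_keytab}")
            group = groups[key] = {
                "principal": m["principal"], "keytab": keytab,
                "code": int(m["code"]), "message": m["msg"],
                "count": 0, "first": m["ts"], "last": m["ts"],
                "findings": findings,
            }
        group["count"] += 1
        group["last"] = m["ts"]
    return list(groups.values())


if __name__ == "__main__":
    for g in triage(SAMPLE_LOG):
        print(f"{g['count']}x {g['principal']} via {g['keytab']}: "
              f"{g['code']} ({g['message']})")
        print(f"   first {g['first']}, last {g['last']}")
        for finding in g["findings"] or ["no principal or keytab anomaly"]:
            print(f"   - {finding}")
```
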
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg) Date: Thu, 23 Jul 2015 09:18:43 +0200 Subject: [Freeipa-users] Kerberos hanging approx. once a day In-Reply-To: <20150723071139.GI7078@p.redhat.com> References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B087B1.3020909@physik.uni-wuppertal.de> <55B08B41.6050308@physik.uni-wuppertal.de> <20150723071139.GI7078@p.redhat.com> Message-ID: <55B09553.7040607@physik.uni-wuppertal.de> Hi Sumit, > The principal looks strange, I would at least expect the fully-qualified > name of the ipa server here. What does the 'hostname' command return? It [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# hostname ipa.pleiades.uni-wuppertal.de > is expected that it will return the fully-qualified name. Additionally if > you added the ipa server to /etc/hosts please only use the > fully-qualified name to be on the safe side (iirc it is ok to have the > short name as a second name, but the fully-qualified one should be > always first). I removed the entries vom /etc/hosts again. > > The keytab file /etc/krb5.keytab looks strange here. Later on the right > one /etc/dirsrv/ds.keytab is used. Did you try to run the > /usr/sbin/ns-slapd binary manually at some time? > Yes.. once .. after it did not came up. After another reboot, the system came up now. 
But what I found is

https://fedorahosted.org/freeipa/ticket/2739

and indeed:

[root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# grep WARNING *
errors:[21/Jul/2015:17:15:21 +0200] - WARNING: cache too small, increasing to 500K bytes
errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4177920B; We recommend to increase the entry cache size nsslapd-cachememsize.
errors:[21/Jul/2015:17:15:21 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 18096128B; We recommend to increase the entry cache size nsslapd-cachememsize.
errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4218880B; We recommend to increase the entry cache size nsslapd-cachememsize.
errors:[22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 27992064B; We recommend to increase the entry cache size nsslapd-cachememsize.
errors:[23/Jul/2015:07:33:09 +0200] - WARNING: cache too small, increasing to 500K bytes
errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up

And what I see is that nodes occasionally lose their users. I haven't
seen that in the two months while testing (of course there were no real
users during that time, so I'm not 100% sure that it did not happen).

Could that be the cause of the trouble??

Kind regards,

Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<> <>
<> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <>
<> Bergische Universitaet <>
<> FB C - Physik Tel.: +49 (0)202 439-3521 <>
<> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
<> 42097 Wuppertal <>
<> <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From jhrozek at redhat.com Thu Jul 23 07:54:53 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 23 Jul 2015 09:54:53 +0200
Subject: [Freeipa-users] LDAP to Free IPA Migration SSSD migration : example configuration of sssd.conf file?
In-Reply-To:
References:
Message-ID: <20150723075453.GE15050@hendrix.redhat.com>

On Wed, Jul 22, 2015 at 06:45:17PM -0600, Matt Koch wrote:
> Hello,
> I'm looking for an example sssd.conf migration configuration that will allow for the user to seamlessly authenticate to LDAP or freeIPA prior to installation of the freeipa client.
>
> This would be during migration to generate kerberos hashes for each
> user while still providing legacy LDAP support until migration can be
> completed. Hopefully with minimal changes to our existing sssd.conf file.

The configuration should be relatively straightforward, just use ldap
for both id and auth provider and set the search base to
cn=accounts,$DN, use your IPA server as LDAP URI and don't forget to set
ldap_tls_cacert = /etc/ipa/ca.crt.

But the bigger question is why? In order to set this hybrid mode, you
need to migrate your LDAP server data to your IPA server, isn't it
better to also enroll the client as an IPA client and let the user
migrate on first login?

From sbose at redhat.com Thu Jul 23 07:56:06 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 23 Jul 2015 09:56:06 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55B09553.7040607@physik.uni-wuppertal.de>
References: <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B087B1.3020909@physik.uni-wuppertal.de> <55B08B41.6050308@physik.uni-wuppertal.de> <20150723071139.GI7078@p.redhat.com> <55B09553.7040607@physik.uni-wuppertal.de>
Message-ID: <20150723075606.GJ7078@p.redhat.com>

On Thu, Jul 23, 2015 at 09:18:43AM +0200, Torsten Harenberg wrote:
> Hi Sumit,
>
>
> > The principal looks strange, I would at least expect the fully-qualified
> > name of the ipa server here. What does the 'hostname' command return? It
>
> [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# hostname
> ipa.pleiades.uni-wuppertal.de
>
> > is expected that it will return the fully-qualified name. Additionally if
> > you added the ipa server to /etc/hosts please only use the
> > fully-qualified name to be on the safe side (iirc it is ok to have the
> > short name as a second name, but the fully-qualified one should be
> > always first).
>
> I removed the entries from /etc/hosts again.
> >
> > The keytab file /etc/krb5.keytab looks strange here. Later on the right
> > one /etc/dirsrv/ds.keytab is used. Did you try to run the
> > /usr/sbin/ns-slapd binary manually at some time?
> >
>
> Yes.. once .. after it did not come up.
>
> After another reboot, the system came up now.
>
> But what I found is
>
> https://fedorahosted.org/freeipa/ticket/2739
>
> and indeed:
>
> [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# grep WARNING *
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: cache too small,
> increasing to 500K bytes
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache
> size 512000B is less than db size 4177920B; We recommend to increase the
> entry cache size nsslapd-cachememsize.
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: changelog: entry cache
> size 512000B is less than db size 18096128B; We recommend to increase
> the entry cache size nsslapd-cachememsize.
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache
> size 512000B is less than db size 4218880B; We recommend to increase the
> entry cache size nsslapd-cachememsize.
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache
> size 512000B is less than db size 27992064B; We recommend to increase
> the entry cache size nsslapd-cachememsize.
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING: cache too small,
> increasing to 500K bytes
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up

I'm not a 389ds expert but in my setup nsslapd-cachememsize is set to
10M and since I didn't do any tuning I would expect that this is some
default.

>
>
> And what I see is that nodes occasionally lose their users. I haven't
> seen that in the two months while testing (of course there were no real
> users during that time, so I'm not 100% sure that it did not happen).
>
> Could that be the cause of the trouble??

The users and groups are delivered to the system via SSSD. If SSSD loses
the connection to the IPA servers, e.g. because the server does not
respond, SSSD cannot look up new users. Nevertheless SSSD has a cache and
users and groups are delivered from the cache in this case. But system
users which are important for the services to run like the users dirsrv,
apache, pkiuser etc are defined in /etc/passwd. So I don't expect this
to be the cause of the trouble.

bye,
Sumit

>
> Kind regards,
>
> Torsten
>
>
>
> --
> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
> <> <>
> <> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <>
> <> Bergische Universitaet <>
> <> FB C - Physik Tel.: +49 (0)202 439-3521 <>
> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
> <> 42097 Wuppertal <>
> <> <>
> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From lkrispen at redhat.com Thu Jul 23 08:17:38 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 23 Jul 2015 10:17:38 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <20150723075606.GJ7078@p.redhat.com>
References: <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B087B1.3020909@physik.uni-wuppertal.de> <55B08B41.6050308@physik.uni-wuppertal.de> <20150723071139.GI7078@p.redhat.com> <55B09553.7040607@physik.uni-wuppertal.de> <20150723075606.GJ7078@p.redhat.com>
Message-ID: <55B0A322.7090107@redhat.com>

On 07/23/2015 09:56 AM, Sumit Bose wrote:
> On Thu, Jul 23, 2015 at 09:18:43AM +0200, Torsten Harenberg wrote:
>> Hi Sumit,
>>
>>
>>> The principal looks strange, I would at least expect the fully-qualified
>>> name of the ipa server here. What does the 'hostname' command return? It
>> [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# hostname
>> ipa.pleiades.uni-wuppertal.de
>>
>>> is expected that it will return the fully-qualified name. Additionally if
>>> you added the ipa server to /etc/hosts please only use the
>>> fully-qualified name to be on the safe side (iirc it is ok to have the
>>> short name as a second name, but the fully-qualified one should be
>>> always first).
>> I removed the entries from /etc/hosts again.
>>
>>> The keytab file /etc/krb5.keytab looks strange here. Later on the right
>>> one /etc/dirsrv/ds.keytab is used. Did you try to run the
>>> /usr/sbin/ns-slapd binary manually at some time?
>>>
>> Yes.. once .. after it did not come up.
>>
>> After another reboot, the system came up now.
>>
>> But what I found is
>>
>> https://fedorahosted.org/freeipa/ticket/2739
>>
>> and indeed:
>>
>> [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# grep WARNING *
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: cache too small,
>> increasing to 500K bytes
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache
>> size 512000B is less than db size 4177920B; We recommend to increase the
>> entry cache size nsslapd-cachememsize.
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: changelog: entry cache
>> size 512000B is less than db size 18096128B; We recommend to increase
>> the entry cache size nsslapd-cachememsize.
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache
>> size 512000B is less than db size 4218880B; We recommend to increase the
>> entry cache size nsslapd-cachememsize.
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache
>> size 512000B is less than db size 27992064B; We recommend to increase
>> the entry cache size nsslapd-cachememsize.
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING: cache too small,
>> increasing to 500K bytes
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
> I'm not a 389ds expert but in my setup nsslapd-cachememsize is set to
> 10M and since I didn't do any tuning I would expect that this is some
> default.

yes, 10M should be the default. and OOM would be triggered by a memleak,
not by the cache size.
Also the server seems to stop and start cleanly, and is not killed by oom
>
>>
>> And what I see is that nodes occasionally lose their users. I haven't
>> seen that in the two months while testing (of course there were no real
>> users during that time, so I'm not 100% sure that it did not happen).
>>
>> Could that be the cause of the trouble??
> The users and groups are delivered to the system via SSSD. If SSSD loses
> the connection to the IPA servers, e.g. because the server does not
> respond, SSSD cannot look up new users. Nevertheless SSSD has a cache and
> users and groups are delivered from the cache in this case. But system
> users which are important for the services to run like the users dirsrv,
> apache, pkiuser etc are defined in /etc/passwd. So I don't expect this
> to be the cause of the trouble.
>
> bye,
> Sumit
>
>> Kind regards,
>>
>> Torsten
>>
>>
>>
>> --
>> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
>> <> <>
>> <> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <>
>> <> Bergische Universitaet <>
>> <> FB C - Physik Tel.: +49 (0)202 439-3521 <>
>> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
>> <> 42097 Wuppertal <>
>> <> <>
>> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From marisa.sandhoff at cern.ch Thu Jul 23 08:21:41 2015
From: marisa.sandhoff at cern.ch (Marisa Sandhoff)
Date: Thu, 23 Jul 2015 10:21:41 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <20150723075606.GJ7078@p.redhat.com>
References: <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B087B1.3020909@physik.uni-wuppertal.de> <55B08B41.6050308@physik.uni-wuppertal.de> <20150723071139.GI7078@p.redhat.com> <55B09553.7040607@physik.uni-wuppertal.de> <20150723075606.GJ7078@p.redhat.com>
Message-ID: <55B0A415.4010806@cern.ch>

Hi Sumit,

>
> I'm not a 389ds expert but in my setup nsslapd-cachememsize is set to
> 10M and since I didn't do any tuning I would expect that this is some
> default.
>

Perhaps we should start with increasing the nsslapd-cachememsize to 10M
and then see what happens with our server. Actually, how can we increase
this cachememsize?

Thanks for your help,
Torsten and Marisa

--
Dr. Marisa Sandhoff
Experimentelle Elementarteilchenphysik
Fachbereich C - Physik
Bergische Universitaet Wuppertal
Gaussstr. 20
D-42097 Wuppertal, Germany
-------
marisa.sandhoff at cern.ch
sandhoff at physik.uni-wuppertal.de
Phone +49 202 439 3521
Fax +49 202 439 2811

From sbose at redhat.com Thu Jul 23 08:29:50 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 23 Jul 2015 10:29:50 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55B0A415.4010806@cern.ch>
References: <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B087B1.3020909@physik.uni-wuppertal.de> <55B08B41.6050308@physik.uni-wuppertal.de> <20150723071139.GI7078@p.redhat.com> <55B09553.7040607@physik.uni-wuppertal.de> <20150723075606.GJ7078@p.redhat.com> <55B0A415.4010806@cern.ch>
Message-ID: <20150723082950.GK7078@p.redhat.com>

On Thu, Jul 23, 2015 at 10:21:41AM +0200, Marisa Sandhoff wrote:
> Hi Sumit,
>
> >
> > I'm not a 389ds expert but in my setup nsslapd-cachememsize is set to
> > 10M and since I didn't do any tuning I would expect that this is some
> > default.
> >
>
> Perhaps we should start with increasing the nsslapd-cachememsize to 10M
> and then see what happens with our server. Actually, how can we increase
> this cachememsize?

Does
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/memoryusage.html
help?

bye,
Sumit

>
> Thanks for your help,
> Torsten and Marisa
>
> --
> Dr. Marisa Sandhoff
> Experimentelle Elementarteilchenphysik
> Fachbereich C - Physik
> Bergische Universitaet Wuppertal
> Gaussstr. 20
> D-42097 Wuppertal, Germany
> -------
> marisa.sandhoff at cern.ch
> sandhoff at physik.uni-wuppertal.de
> Phone +49 202 439 3521
> Fax +49 202 439 2811
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From lkrispen at redhat.com Thu Jul 23 08:32:07 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 23 Jul 2015 10:32:07 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55B0A415.4010806@cern.ch>
References: <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B087B1.3020909@physik.uni-wuppertal.de> <55B08B41.6050308@physik.uni-wuppertal.de> <20150723071139.GI7078@p.redhat.com> <55B09553.7040607@physik.uni-wuppertal.de> <20150723075606.GJ7078@p.redhat.com> <55B0A415.4010806@cern.ch>
Message-ID: <55B0A687.3080906@redhat.com>

you can change the cachememsize online:

ldapmodify ........................................
dn: cn=,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize:

But I would also increase the dbcache size, which would require a
restart to be effective. So you could also stop DS, edit
/etc/dirsrv/slapd-/dse.ldif search all *cache* attributes and replace
the value.

Ludwig

On 07/23/2015 10:21 AM, Marisa Sandhoff wrote:
> Hi Sumit,
>
>> I'm not a 389ds expert but in my setup nsslapd-cachememsize is set to
>> 10M and since I didn't do any tuning I would expect that this is some
>> default.
>>
> Perhaps we should start with increasing the nsslapd-cachememsize to 10M
> and then see what happens with our server. Actually, how can we increase
> this cachememsize?
>
> Thanks for your help,
> Torsten and Marisa
>

From rmeggins at redhat.com Thu Jul 23 16:28:39 2015
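Added example (not part of any message in this thread, and not FreeIPA or 389-ds project code): a Python script that reads `grep WARNING` output like the one Torsten posted, finds the backends whose entry cache is smaller than their database, and builds the LDIF input for the ldapmodify change Ludwig describes. It assumes the backend named in the warning is the cn of the entry under cn=ldbm database,cn=plugins,cn=config; the 150% headroom, the 10 MiB floor (Sumit's "10M") and all function names are assumptions of this example, and the sample log is constructed from lines quoted in the thread.

```python
import re

MIB = 1024 * 1024

# Constructed sample: a subset of the `grep WARNING *` output quoted in this thread.
SAMPLE_LOG = """\
errors:[21/Jul/2015:17:15:21 +0200] - WARNING: cache too small, increasing to 500K bytes
errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
errors:[21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4177920B; We recommend to increase the entry cache size nsslapd-cachememsize.
errors:[21/Jul/2015:17:15:21 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 18096128B; We recommend to increase the entry cache size nsslapd-cachememsize.
errors:[22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4218880B; We recommend to increase the entry cache size nsslapd-cachememsize.
errors:[22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 27992064B; We recommend to increase the entry cache size nsslapd-cachememsize.
"""

# The per-backend sizing warning. The backend name is limited to a strict
# character set so that log content can never inject extra LDIF lines or DN parts.
SIZING_WARNING = re.compile(
    r"WARNING: (?P<backend>[A-Za-z0-9_-]+): entry cache size (?P<cache>\d+)B "
    r"is less than db size (?P<db>\d+)B"
)


def undersized_backends(log_text):
    """Return {backend: (cache_bytes, largest_db_bytes_seen)} from warning lines."""
    found = {}
    for line in log_text.splitlines():
        match = SIZING_WARNING.search(line)
        if not match:
            continue  # "Minimum cache size ... rounding up" lines name no backend
        backend = match.group("backend")
        cache, db = int(match.group("cache")), int(match.group("db"))
        previous = found.get(backend)
        # The database grows between restarts, so keep the largest size reported.
        if previous is None or db > previous[1]:
            found[backend] = (cache, db)
    return found


def recommend(db_bytes, headroom_percent=150, floor=10 * MIB):
    """Suggest nsslapd-cachememsize: db size plus headroom, at least `floor`,
    rounded up to a whole MiB. Headroom and floor are assumptions of this example."""
    wanted = max(db_bytes * headroom_percent // 100, floor)
    return -(-wanted // MIB) * MIB  # ceiling division, then back to bytes


def to_ldif(backends):
    """Build ldapmodify input with one modify record per undersized backend."""
    records = []
    for backend, (_cache, db) in sorted(backends.items()):
        records.append(
            f"dn: cn={backend},cn=ldbm database,cn=plugins,cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-cachememsize\n"
            f"nsslapd-cachememsize: {recommend(db)}\n"
        )
    return "\n".join(records)  # a blank line separates LDIF records


if __name__ == "__main__":
    print(to_ldif(undersized_backends(SAMPLE_LOG)))
```

Review the generated LDIF before feeding it to ldapmodify; the database cache Ludwig also mentions is a separate setting and is not covered here.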
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Jul 2015 10:28:39 -0600
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55B07FDC.5080803@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de>
Message-ID: <55B11637.9090509@redhat.com>

On 07/22/2015 11:47 PM, Torsten Harenberg wrote:
> Good morning,
>
> On 22.07.15 at 19:25, Rich Megginson wrote:
>> On 07/22/2015 11:03 AM, Torsten Harenberg wrote:
>>> Dear Rich,
>>>
>>> On 22.07.2015 at 17:03, Rich Megginson wrote:
>>>> It might be helpful to do a # debuginfo-install 389-ds-base ipa-server
>>>> slapi-nis
>>>> and follow the directions at
>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>>>> to get a full stack trace
>>> thanks for the hint. Did that. But assume I need to wait until it hangs
>>> again, right?
>> Right.
> problem happened again, this time with slightly different symptoms:
>
>
> [root at wn108 ~]# id atlasprd020
> id: atlasprd020: No such user
>
>
> after restarting dirserv:
>
>
> [root at wn108 ~]# id atlasprd020
> uid=18970(atlasprd020) gid=1407(atlasprd) groups=1407(atlasprd)
> [root at wn108 ~]#
>
> So of course the whole site was down.
>
> the dirserv log file has not much:
>
> [22/Jul/2015:11:03:35 +0200] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates
> found, which should be add
> ed before the CoS Definition.
> [22/Jul/2015:11:03:38 +0200] NSMMReplicationPlugin -
> replica_check_for_data_reload: Warning: disordely shutdown for replica
> dc=pleiades,dc=uni-wuppertal,dc=de. Check
> if DB RUV needs to be updated
> [22/Jul/2015:11:03:38 +0200] NSMMReplicationPlugin - Force update of
> database RUV (from CL RUV) -> 55af7af3000e00040000
> [22/Jul/2015:11:03:39 +0200] set_krb5_creds - Could not get initial
> credentials for principal
> [ldap/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE] in keyta
> b [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
> requested realm)
> [22/Jul/2015:11:03:39 +0200] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=pleiades,dc=uni-wuppertal,dc=de--no CoS Templates
> found, which should be add
> ed before the CoS Definition.
> [22/Jul/2015:11:03:39 +0200] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(
> -1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
> may provide more information (No Kerberos credentials available)) errno
> 0 (Success)
> [22/Jul/2015:11:03:39 +0200] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [22/Jul/2015:11:03:39 +0200] NSMMReplicationPlugin -
> agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication
> bind with GSSAPI auth failed: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (No Kerberos
> credentials available))
> [22/Jul/2015:11:03:39 +0200] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [22/Jul/2015:11:03:39 +0200] - Listening on All Interfaces port 636 for
> LDAPS requests
> [22/Jul/2015:11:03:39 +0200] - Listening on
> /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests
> [22/Jul/2015:11:03:43 +0200] NSMMReplicationPlugin -
> agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication
> bind with GSSAPI auth resumed
> [22/Jul/2015:15:15:41 +0200] find_sid_for_ldap_entry - [file
> ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [51351] into an
> unused SID.
> [22/Jul/2015:15:15:41 +0200] ipa_sidgen_add_post_op - [file
> ipa_sidgen.c, line 149]: Cannot add SID to new entry.
> [23/Jul/2015:07:33:05 +0200] - slapd shutting down - signaling operation
> threads - op stack size 48 max work q size 22 max work q stack size 22
> [23/Jul/2015:07:33:05 +0200] - slapd shutting down - waiting for 1
> thread to terminate
> [23/Jul/2015:07:33:05 +0200] - slapd shutting down - closing down
> internal subsystems and plugins
> [23/Jul/2015:07:33:05 +0200] NSMMReplicationPlugin -
> agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Warning:
> Attempting to release replica, but unable to r
> eceive endReplication extended operation response from the replica.
> Error -5 (Timed out) > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with > portmap service > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with > portmap service > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with > portmap service > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with > portmap service > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with > portmap service > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - 
error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - error sending request to > portmap or rpcbind on 9: Connection refused > [23/Jul/2015:07:33:06 +0200] nis-plugin - timeout registering with > portmap service > [23/Jul/2015:07:33:06 +0200] - Waiting for 4 database threads to stop > [23/Jul/2015:07:33:06 +0200] - All database threads now stopped > [23/Jul/2015:07:33:06 +0200] - slapd shutting down - freed 22 work q > stack objects - freed 49 op stack objects > [23/Jul/2015:07:33:06 +0200] - slapd stopped. > [23/Jul/2015:07:33:08 +0200] nis-plugin - error connecting rpcbind > client socket to the service > [23/Jul/2015:07:33:08 +0200] SSL Initialization - Configured SSL version > range: min: TLS1.0, max: TLS1.2 > [23/Jul/2015:07:33:08 +0200] - SSL alert: Configured NSS Ciphers > > [...] > > > [23/Jul/2015:07:33:12 +0200] set_krb5_creds - Could not get initial > credentials for principal [ldap/ipa@] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > [23/Jul/2015:07:33:12 +0200] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No Kerberos > credentials available)) errno 0 (Success) > [23/Jul/2015:07:33:12 +0200] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [23/Jul/2015:07:33:12 +0200] NSMMReplicationPlugin - > agmt="cn=meToipa2.pleiades.uni-wuppertal.de" (ipa2:389): Replication > bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): > generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may > provide more information (No Kerberos credentials available)) > [23/Jul/2015:07:33:12 +0200] - slapd started. 
Listening on All
> Interfaces port 389 for LDAP requests
> [23/Jul/2015:07:33:12 +0200] - Listening on All Interfaces port 636 for
> LDAPS requests
> [23/Jul/2015:07:33:12 +0200] - Listening on
> /var/run/slapd-PLEIADES-UNI-WUPPERTAL-DE.socket for LDAPI requests
> [23/Jul/2015:07:33:15 +0200] set_krb5_creds - Could not get initial
> credentials for principal [ldap/ipa@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [23/Jul/2015:07:33:15 +0200] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [23/Jul/2015:07:33:15 +0200] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [23/Jul/2015:07:33:21 +0200] set_krb5_creds - Could not get initial
> credentials for principal [ldap/ipa@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [23/Jul/2015:07:33:21 +0200] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [23/Jul/2015:07:33:21 +0200] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [23/Jul/2015:07:33:33 +0200] set_krb5_creds - Could not get initial
> credentials for principal [ldap/ipa@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [23/Jul/2015:07:33:33 +0200] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [23/Jul/2015:07:33:33 +0200] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [23/Jul/2015:07:33:57 +0200] set_krb5_creds - Could not get initial
> credentials for principal [ldap/ipa@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [23/Jul/2015:07:33:57 +0200] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [23/Jul/2015:07:33:57 +0200] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [23/Jul/2015:07:34:45 +0200] set_krb5_creds - Could not get initial
> credentials for principal [ldap/ipa@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [23/Jul/2015:07:34:45 +0200] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [23/Jul/2015:07:34:45 +0200] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
>
> attached is the strace of slapd as instructed earlier.

Thanks. This was taken during slapd unresponsive? The server does not appear to be under a load at all. It is almost completely idle except for a thread sending replication updates.

I think we need a better test for slapd being unresponsive, so we can narrow the problem down to slapd or something else. When the directory server appears to be hung, try this:

# ldapsearch -xLLL -D "cn=directory manager" -W -s base -b "dc=uni-wuppertal,dc=de"

This search should return immediately. If it hangs, then the problem is in slapd, and get a stack trace as before.

>
> I am really a bit lost. Even though we have deployed two IPA servers,
> the whole site is down about twice a day with authentication problems.
>
> Hope anybody can help.
>
> Best regards,
>
> Torsten

From harenberg at physik.uni-wuppertal.de Fri Jul 24 07:20:28 2015
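The repeated `set_krb5_creds` failures in the error log quoted in the message above can be summarised mechanically. This is an added example, not code from the thread or from the 389 Directory Server project: it groups the failures by principal and keytab and reports the gaps between attempts. The sample input is the quoted log with the mail wrapping undone; the doubling-gap check and the notes on the principal string are heuristics assumed here, and they describe only what was logged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: error-log lines quoted in the message above, with the
# mail client's line wrapping undone so each entry is on one line again.
SAMPLE_ERROR_LOG = """\
[23/Jul/2015:07:33:12 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[23/Jul/2015:07:33:15 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[23/Jul/2015:07:33:15 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Jul/2015:07:33:21 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[23/Jul/2015:07:33:33 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[23/Jul/2015:07:33:57 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[23/Jul/2015:07:34:45 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
KRB5_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] set_krb5_creds - Could not get initial credentials "
    r"for principal \[(?P<principal>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: "
    r"(?P<code>-?\d+) \((?P<reason>[^)]*)\)"
)


def parse_krb5_failures(text):
    """Return one dict per set_krb5_creds failure line, in log order."""
    failures = []
    for line in text.splitlines():
        m = KRB5_FAIL.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
            rec["code"] = int(rec["code"])
            failures.append(rec)
    return failures


def principal_observations(principal):
    """Describe how the principal string was logged; no claim about the cause."""
    name, _, realm = principal.partition("@")
    _service, _, host = name.partition("/")
    notes = []
    if not realm:
        notes.append("realm part is empty")
    if host and "." not in host:
        notes.append("host part is not fully qualified")
    return notes


def summarize(failures):
    """Group failures by (principal, keytab, code) and measure retry gaps."""
    groups = defaultdict(list)
    for rec in failures:
        key = (rec["principal"], rec["keytab"], rec["code"], rec["reason"])
        groups[key].append(rec["ts"])
    report = []
    for (principal, keytab, code, reason), stamps in groups.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report.append({
            "principal": principal, "keytab": keytab,
            "code": code, "reason": reason,
            "count": len(stamps), "first": stamps[0], "last": stamps[-1],
            "gaps_seconds": gaps,
            # Heuristic (assumption): gaps that double each time look like one
            # caller retrying with backoff, not several independent clients.
            "doubling_backoff": len(gaps) >= 2
            and all(b == 2 * a for a, b in zip(gaps, gaps[1:])),
            "principal_notes": principal_observations(principal),
        })
    return report


if __name__ == "__main__":
    for row in summarize(parse_krb5_failures(SAMPLE_ERROR_LOG)):
        print(f"{row['count']}x {row['reason']} ({row['code']}) "
              f"principal={row['principal']!r} keytab={row['keytab']}")
        print(f"  gaps between attempts (s): {row['gaps_seconds']}, "
              f"doubling={row['doubling_backoff']}")
        for note in row["principal_notes"]:
            print(f"  note: {note}")
```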
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Fri, 24 Jul 2015 09:20:28 +0200
Subject: [Freeipa-users] Kerberos hanging approx. once a day
In-Reply-To: <55B11637.9090509@redhat.com>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de>
 <20150722092240.GU21928@redhat.com>
 <55AF64CD.6010306@physik.uni-wuppertal.de>
 <55AFB0B8.4010002@redhat.com>
 <55AFCCFB.1010502@physik.uni-wuppertal.de>
 <55AFD1F8.1090708@redhat.com>
 <55B07FDC.5080803@physik.uni-wuppertal.de>
 <55B11637.9090509@redhat.com>
Message-ID: <55B1E73C.5020607@physik.uni-wuppertal.de>

Dear Rich and all,

thanks to everybody! Really thankful for your support.

The situation really approved.

We:

- enlarged the caches for 389ds until the WARNING messages disappeared in the log files,
- (just to be sure) re-sync'ed firewalld rules between primary and secondary server.

Now the server was stable, Kerberos and 389ds are still alive and all clients can still resolve all users. There is only one issue left (see bottom).

First let us answer that:

Am 23.07.15 um 18:28 schrieb Rich Megginson:
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -s base -b
> "dc=uni-wuppertal,dc=de"
>
> This search should return immediately. If it hangs, then the problem is
> in slapd, and get a stack trace as before.
>

[root at ipa httpd]# time ldapsearch -xLLL -D "cn=directory manager" -W -s base -b "dc=pleiades,dc=uni-wuppertal,dc=de"
Enter LDAP Password:
dn: dc=pleiades,dc=uni-wuppertal,dc=de
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: pleiades
info: IPA V2.0
nisDomain: pleiades.uni-wuppertal.de
associatedDomain: pleiades.uni-wuppertal.de

real 0m4.559s
user 0m0.403s
sys 0m0.057s
[root at ipa httpd]#

Looks okay to us, or?

So.. here is the problem which is left over. When logging in as admin now through the web page or locally:

[Thu Jul 23 21:43:47.340133 2015] [wsgi:error] [pid 1134] ipa: INFO: [jsonserver_session] wensing at PLEIADES.UNI-WUPPERTAL.DE: radiusproxy_find(None, version=u'2.114'): SUCCESS
[Thu Jul 23 21:43:48.758849 2015] [wsgi:error] [pid 1133] ipa: INFO: [jsonserver_session] wensing at PLEIADES.UNI-WUPPERTAL.DE: user_find(None, version=u'2.114'): SUCCESS
[Fri Jul 24 07:20:10.198903 2015] [wsgi:error] [pid 1134] ipa: INFO: 401 Unauthorized: kinit: Clients credentials have been revoked while getting initial credentials
[Fri Jul 24 07:20:10.198977 2015] [wsgi:error] [pid 1134]
[Fri Jul 24 07:20:18.181715 2015] [wsgi:error] [pid 1133] ipa: INFO: 401 Unauthorized: kinit: Clients credentials have been revoked while getting initial credentials
[Fri Jul 24 07:20:18.181809 2015] [wsgi:error] [pid 1133]
[Fri Jul 24 07:21:12.919751 2015] [wsgi:error] [pid 1134] ipa: INFO: 401 Unauthorized: kinit: Clients credentials have been revoked while getting initial credentials
[Fri Jul 24 07:21:12.919878 2015] [wsgi:error] [pid 1134]
[root at ipa httpd]# kinit admin
kinit: Clients credentials have been revoked while getting initial credentials
[root at ipa httpd]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin at PLEIADES.UNI-WUPPERTAL.DE

Valid starting       Expires              Service principal
07/23/2015 11:44:13  07/24/2015 11:44:08  HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE
07/23/2015 11:44:11  07/24/2015 11:44:08  krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE
[root at ipa httpd]#

Hope you have an idea about that one as well :).

Thanks

Marisa and Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<> <>
<> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <>
<> Bergische Universitaet <>
<> FB C - Physik Tel.: +49 (0)202 439-3521 <>
<> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
<> 42097 Wuppertal <>
<> <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From mkosek at redhat.com Fri Jul 24 07:33:11 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 24 Jul 2015 09:33:11 +0200
Subject: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate
In-Reply-To:
References:
Message-ID: <55B1EA37.3060004@redhat.com>

On 07/10/2015 04:36 PM, Natxo Asenjo wrote:
> hi,
>
> earlier today I was reading a post about the new freeipa version on my mobile
> device and got plenty of warnings about an invalid certificate. On a fedora
> laptop no warnings, but this is the problem:
>
> $ curl -LIv https://www.freeipa.org
> * Rebuilt URL to: https://www.freeipa.org/
> * Hostname was NOT found in DNS cache
> * Trying 54.227.25.77...
> * Connected to www.freeipa.org (54.227.25.77) port 443
> (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * Server certificate:
> * subject: CN=www.freeipa.org ,O=Red Hat
> Inc.,L=Raleigh,ST=North Carolina,C=US
> * start date: Jul 16 00:00:00 2014 GMT
> * expire date: Jul 19 12:00:00 2016 GMT
> * common name: www.freeipa.org
> * issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com
> ,O=DigiCert Inc,C=US
> * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
> * Peer's Certificate issuer is not recognized.
> * Closing connection 0
> curl: (60) Peer's Certificate issuer is not recognized.
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> You need to add the intermediate digicert certificate, it seems.

Hello natxo,

Sorry for the late reply, I just returned from a longer PTO...

I checked the site and finally figured out how to stuff the intermediate certificate to our OpenShift instance. The issue now appears to be fixed, please try it and push back if it isn't :-)

Enjoy!
Martin

From mkosek at redhat.com Fri Jul 24 07:37:09 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 24 Jul 2015 09:37:09 +0200
Subject: [Freeipa-users] FreeIPA Server Won't Start Up After ipactl restart
In-Reply-To:
References:
Message-ID: <55B1EB25.3050802@redhat.com>

On 07/14/2015 02:47 PM, Sina Owolabi wrote:
> Hi
>
> Please, I would really need some help in troubleshooting one of my
> domain servers which I restarted the IPA services.
> It's a CentOS 7.1 server running ipa-4.1.0
>
>
> [root at dc01 ~]# ipactl start
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Failed to read data from service file: Failed to get list of dc to probe status!
> Configured hostname 'dc01.mydom.com' does not match any master server in LDAP:
> dc.mydom.com
> dc02.mydom.com
> dc01.mydom.com
> dc01.mydom.com
> Shutting down
> [root at dc01 ~]#
>

Scooping through the freeipa-users posts, I see this was not replied to. Did you manage to resolve the issue?

From mkosek at redhat.com Fri Jul 24 07:43:40 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 24 Jul 2015 09:43:40 +0200
Subject: [Freeipa-users] OTP vs sudo
In-Reply-To:
References:
Message-ID: <55B1ECAC.1050800@redhat.com>

On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
> I'm planning our implementation of IdM/IPA, and I'm unclear about how I can implement IPA's OTP for privileged access.
>
> I need to be able to set up systems so:
> * accounts can auth using traditional userid/password
> * privileged access (sudo) requires OTP
>
> We've done some testing, injecting a 3rd party OTP solution (PrivacyIDEA) into the mix. This seems to work. But, if I can make IPA's built-in mojo work, I'd prefer to keep it all in the family.

Hello Kurt,

FreeIPA OTP cannot be configured at the moment to only require OTP in some services. We plan this for the future (https://fedorahosted.org/freeipa/ticket/433), but we are not there yet.

Sudo is different though as it is not a classic Kerberos service per se, this policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub and Nathaniel, to see if they know about any hack allowing this.

From mkosek at redhat.com Fri Jul 24 07:49:28 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 24 Jul 2015 09:49:28 +0200
Subject: [Freeipa-users] dnssec support in 4.1
In-Reply-To: <20150722135219.GB18036@dead.ccr.buffalo.edu>
References: <20150722134010.GA18036@dead.ccr.buffalo.edu>
 <20150722134833.GW21928@redhat.com>
 <20150722135219.GB18036@dead.ccr.buffalo.edu>
Message-ID: <55B1EE08.1060806@redhat.com>

On 07/22/2015 03:52 PM, Andrew E. Bruno wrote:
> On Wed, Jul 22, 2015 at 04:48:33PM +0300, Alexander Bokovoy wrote:
>> On Wed, 22 Jul 2015, Andrew E. Bruno wrote:
>>> Apologies if this has been answered before but we're interested in
>>> dnssec support in FreeIPA. Running Centos 7.1.1503, ipa-server 4.1.0-18
>>> and following the docs here:
>>> https://www.freeipa.org/page/Howto/DNSSEC
>>>
>>> and
>>>
>>> http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support
>>>
>>> # ipa-dns-install --dnssec-master
>>> Usage: ipa-dns-install [options]
>>>
>>> ipa-dns-install: error: no such option: --dnssec-master
>>>
>>>
>>> Is this not supported in 4.1.0? If not, is there a manual way to get
>>> zone signing to work?
>> DNSSEC support is switched off in RHEL 7.1 (and CentOS 7.1) but is
>> available in Fedora 21+/upstream bits.
>>
>> We plan to bring DNSSEC support to next RHEL 7 update, thanks to
>> stabilization work done after RHEL 7.1 release.
>
> Sounds great. Thanks. Looking forward to the next update.

Cool! BTW, if you are interested in DNSSEC, we would really welcome your early testing of the feature so that any potential issues can be caught even before the bits hit RHEL/CentOS - there is still time.

More details about the release and repos where to get it:
http://www.freeipa.org/page/Releases/4.2.0

Martin

From notify.sina at gmail.com Sat Jul 25 00:12:15 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Sat, 25 Jul 2015 01:12:15 +0100
Subject: [Freeipa-users] FreeIPA Server Won't Start Up After ipactl restart
In-Reply-To: <55B1EB25.3050802@redhat.com>
References: <55B1EB25.3050802@redhat.com>
Message-ID:

Hi Martin

I wasn't able to resolve it, so I destroyed and recreated the replica and its replication agreements.

On Fri, Jul 24, 2015 at 8:37 AM, Martin Kosek wrote:
> On 07/14/2015 02:47 PM, Sina Owolabi wrote:
>>
>> Hi
>>
>> Please, I would really need some help in troubleshooting one of my
>> domain servers which I restarted the IPA services.
>> It's a CentOS 7.1 server running ipa-4.1.0
>>
>>
>> [root at dc01 ~]# ipactl start
>> Existing service file detected!
>> Assuming stale, cleaning and proceeding
>> Starting Directory Service
>> Failed to read data from service file: Failed to get list of dc to probe
>> status!
>> Configured hostname 'dc01.mydom.com' does not match any master server in
>> LDAP:
>> dc.mydom.com
>> dc02.mydom.com
>> dc01.mydom.com
>> dc01.mydom.com
>> Shutting down
>> [root at dc01 ~]#
>>
>
> Scooping through the freeipa-users posts, I see this was not replied to. Did
> you manage to resolve the issue?

From ellertalexandre at gmail.com Sun Jul 26 12:05:30 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Sun, 26 Jul 2015 14:05:30 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150723064133.GE21928@redhat.com>
References: <20150720151750.GJ21928@redhat.com>
 <5BF06D93-37EE-4B0E-AC3F-A4761E801402@gmail.com>
 <20150722150933.GX21928@redhat.com>
 <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com>
 <20150722154339.GY21928@redhat.com>
 <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com>
 <20150722160802.GA21928@redhat.com>
 <20150722164042.GB21928@redhat.com>
 <55B087C9.3060900@redhat.com>
 <20150723064133.GE21928@redhat.com>
Message-ID:

2015-07-23 8:41 GMT+02:00 Alexander Bokovoy :
> On Thu, 23 Jul 2015, Ludwig Krispenz wrote:
>
>> - Directory server starts just fine but serves only port 389
>>> - krb5kdc starts just fine and works fine with LDAP server
>>> - Dogtag tries to use LDAP server via port 636 and fails
>>>
>>> We need to see why port 636 is disabled.
>>>
>> why do you think so ? There is:
>>
>> [22/Jul/2015:18:14:54 +0200] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [22/Jul/2015:18:14:54 +0200] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [22/Jul/2015:18:14:54 +0200] - Listening on
>> /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests
>>
> Missed that part. However, dogtag was failing in accessing LDAP over
> port 636.
>
> but what is failing is:
>> agmt="cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat" (inf-ipa:7389):
>> Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP
>> server) ()
>>
>> Is dogtag on a different instance ? why do we use port 7389 ?
>>
> Because it was migration from RHEL6 to RHEL7. In RHEL6 dogtag was living
> in a separate instance.
>
> --
> / Alexander Bokovoy
>

If the problem is too hard to solve, maybe I should try to deploy another replica ?

From tde3000 at gmail.com Mon Jul 27 14:19:16 2015
From: tde3000 at gmail.com (John Stein)
Date: Mon, 27 Jul 2015 17:19:16 +0300
Subject: [Freeipa-users] AD trust deployment without IPA authority over reverse lookup zone
Message-ID:

Hi,

I consider deploying IPA in my organization. The environment is disconnected from the internet. I have some concerns I'm not sure how to resolve.

The environment consists mostly of windows servers (thousands) and workstations (ten thousand) managed by AD (CORP.COM). There is also a small linux environment (up to a thousand servers) that are currently not centrally managed (user-wise).

I want to utilize IPA and the AD trust feature to implement SSO.

I'd like to have a sub-domain ran by IPA (LINUX.CORP.COM).

Because the environment is windows dominated, the AD is used as the authoritative DNS server for all forward and reverse lookup zones.

The AD trust requires that both the IPA and AD will be authoritative over their respective forward and reverse lookup zones. However, the linux and windows servers are spread across multiple subnets without any big-scale logic, therefore it is not practical to create a reverse lookup zone for each subnet in the IPA server as those subnets contain both linux and windows machines.

I came up with some solutions:

1) Have only the AD as a DNS server and give up on ipa-client-install and automatic client registration.

2) DNS synchronization between IPA and AD.

3) Have the IPA manage the forward zone (linux.corp.com), and have the clients update its own A record automatically upon ipa-client-install, while having the AD manage the reverse zones (A or B class subnets) with me creating the PTR records manually. The IPA will be configured as a conditional forwarder for linux.corp.com, while the AD will be configured as a global forwarder in the IPA server.

I strongly dislike the first two solutions and I would like your opinion on the feasibility of the third. I'm also open for any other ideas. If there aren't any, is this solution feasible?

Thanks,
John

From abokovoy at redhat.com Mon Jul 27 14:30:09 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 27 Jul 2015 17:30:09 +0300
Subject: [Freeipa-users] AD trust deployment without IPA authority over reverse lookup zone
In-Reply-To:
References:
Message-ID: <20150727143009.GC21928@redhat.com>

On Mon, 27 Jul 2015, John Stein wrote:
>Hi,
>
>I consider deploying IPA in my organization. The environment is disconnected
>from the internet. I have some concerns I'm not sure how to resolve.
>
>The environment consists mostly of windows servers (thousands) and
>workstations (ten thousand) managed by AD (CORP.COM). There is also a small
>linux environment (up to a thousand servers) that are currently not
>centrally managed (user-wise).
>
>I want to utilize IPA and the AD trust feature to implement SSO.
>
>I'd like to have a sub-domain ran by IPA (LINUX.CORP.COM).
>
>Because the environment is windows dominated, the AD is used as the
>authoritative DNS server for all forward and reverse lookup zones.
>
>The AD trust requires that both the IPA and AD will be authoritative over
>their respective forward and reverse lookup zones. However, the linux and

No. We require that *some entity* is responsible for the zones. If you put everything in AD DNS, fine, but then you are responsible for manual update of the zone records and that all specific records are there.

>windows servers are spread across multiple subnets without any big-scale
>logic, therefore it is not practical to create a reverse lookup zone for
>each subnet in the IPA server as those subnets contain both linux and
>windows machines.

You cannot have machines from IPA and AD domains in the same DNS zone at the same time. A/AAAA records of those IPA and AD machines must belong to different DNS zones. This is basic requirement of Active Directory deployment -- each AD domain is responsible for at least one DNS zone and you cannot have machines from two different AD domains in the same DNS zone.

>I came up with some solutions:
>
>1) Have only the AD as a DNS server and give up on ipa-client-install and
>automatic client registration.

Totally unrelated to how you handle DNS zones. ipa-client-install does not require you to allow creation of DNS records. It can sufficiently work with a configuration where a DNS record for the host is pre-created.

>2) DNS synchronization between IPA and AD.

Unrelated and is not recommended. In DNS lexicon only a single entity is responsible for the single DNS zone. IPA cannot be authoritative at the same time as AD. (Neither we support IPA being a slave for other DNS server).

>3) Have the IPA manage the forward zone (linux.corp.com), and have the
>clients update its own A record automatically upon ipa-client-install,
>while having the AD manage the reverse zones (A or B class subnets) with me
>creating the PTR records manually. The IPA will be configured as a
>conditional forwarder for linux.corp.com, while the AD will be configured
>as a global forwarder in the IPA server.

That would work. There is a bug in nsupdate tool that prevents you from GSSAPI-updating PTR records (over AD trust) so going with manual PTR records would work. You need to make sure AD has no policy to periodically remove PTR records for Linux machines.

--
/ Alexander Bokovoy

From ilmostro7 at gmail.com Mon Jul 27 14:48:28 2015
From: ilmostro7 at gmail.com (John Johnson)
Date: Mon, 27 Jul 2015 09:48:28 -0500
Subject: [Freeipa-users] OTP and Laptops
Message-ID:

Hello,

I'm wondering where/how I could get some more information about the underpinnings of the OTP token mechanisms? Ultimately, I'd like to understand the reason why OTP in FreeIPA doesn't work at the moment with laptops, specifically.

From janellenicole80 at gmail.com Mon Jul 27 15:14:27 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 27 Jul 2015 08:14:27 -0700
Subject: [Freeipa-users] OTP and Laptops
In-Reply-To:
References:
Message-ID: <55B64AD3.9000105@gmail.com>

Depending on the laptop -- assuming you are trying to "kinit" from a terminal window, check the version of Kerberos. It needs to be at least 1.6.

~J

On 7/27/15 7:48 AM, John Johnson wrote:
> Hello,
>
> I'm wondering where/how I could get some more information about the
> underpinnings of the OTP token mechanisms? Ultimately, I'd like to
> understand the reason why OTP in FreeIPA doesn't work at the moment
> with laptops, specifically.

From ilmostro7 at gmail.com Tue Jul 28 03:11:05 2015
From: ilmostro7 at gmail.com (John Johnson)
Date: Mon, 27 Jul 2015 22:11:05 -0500
Subject: [Freeipa-users] OTP and Laptops
In-Reply-To: <55B64AD3.9000105@gmail.com>
References: <55B64AD3.9000105@gmail.com>
Message-ID:

Kerberos version is 1.12.2 on RHEL7.1. I guess I'm wondering if the issue is hardware-related, somehow specific to laptops; or if it's related to the way laptops are assumed to be used, i.e. portable, etc.

On Mon, Jul 27, 2015 at 10:14 AM, Janelle wrote:
> Depending on the laptop -- assuming you are trying to "kinit" from a
> terminal window, check the version of Kerberos. It needs to be at least 1.6.
>
> ~J
>
> On 7/27/15 7:48 AM, John Johnson wrote:
>
> Hello,
>
> I'm wondering where/how I could get some more information about the
> underpinnings of the OTP token mechanisms? Ultimately, I'd like to
> understand the reason why OTP in FreeIPA doesn't work at the moment with
> laptops, specifically.

From rcritten at redhat.com Tue Jul 28 03:13:17 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 27 Jul 2015 23:13:17 -0400
Subject: [Freeipa-users] OTP and Laptops
In-Reply-To:
References: <55B64AD3.9000105@gmail.com>
Message-ID: <55B6F34D.2040202@redhat.com>

John Johnson wrote:
> Kerberos version is 1.12.2 on RHEL7.1. I guess I'm wondering if the
> issue is hardware-related, somehow specific to laptops; or if it's
> related to the way laptops are assumed to be used, i.e. portable, etc.

It would be helpful if you described what isn't working.

rob

>
> On Mon, Jul 27, 2015 at 10:14 AM, Janelle wrote:
>
> Depending on the laptop -- assuming you are trying to "kinit" from a
> terminal window, check the version of Kerberos. It needs to be at
> least 1.6.
>
> ~J
>
> On 7/27/15 7:48 AM, John Johnson wrote:
>> Hello,
>>
>> I'm wondering where/how I could get some more information about
>> the underpinnings of the OTP token mechanisms? Ultimately, I'd
>> like to understand the reason why OTP in FreeIPA doesn't work at
>> the moment with laptops, specifically.

From ilmostro7 at gmail.com Tue Jul 28 03:21:22 2015
From: ilmostro7 at gmail.com (John Johnson)
Date: Mon, 27 Jul 2015 22:21:22 -0500
Subject: [Freeipa-users] OTP and Laptops
In-Reply-To: <55B6F34D.2040202@redhat.com>
References: <55B64AD3.9000105@gmail.com> <55B6F34D.2040202@redhat.com>
Message-ID:

I'm not saying that something isn't working for me; I'm going off the information available on
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#otp-laptop-users
and a thread in this mailing list referencing it. I'm simply trying to understand the particular issue related to the laptop-specific implementation and obstacles as it relates to OTP

On Mon, Jul 27, 2015 at 10:13 PM, Rob Crittenden wrote:
> John Johnson wrote:
>
>> Kerberos version is 1.12.2 on RHEL7.1. I guess I'm wondering if the
>> issue is hardware-related, somehow specific to laptops; or if it's
>> related to the way laptops are assumed to be used, i.e. portable, etc.
>>
>
> It would be helpful if you described what isn't working.
>
> rob
>
>
>> On Mon, Jul 27, 2015 at 10:14 AM, Janelle wrote:
>>
>> Depending on the laptop -- assuming you are trying to "kinit" from a
>> terminal window, check the version of Kerberos. It needs to be at
>> least 1.6.
>>
>> ~J
>>
>> On 7/27/15 7:48 AM, John Johnson wrote:
>>
>>> Hello,
>>>
>>> I'm wondering where/how I could get some more information about
>>> the underpinnings of the OTP token mechanisms? Ultimately, I'd
>>> like to understand the reason why OTP in FreeIPA doesn't work at
>>> the moment with laptops, specifically.

From abokovoy at redhat.com Tue Jul 28 03:57:58 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Jul 2015 06:57:58 +0300
Subject: [Freeipa-users] OTP and Laptops
In-Reply-To:
References: <55B64AD3.9000105@gmail.com> <55B6F34D.2040202@redhat.com>
Message-ID: <20150728035758.GF21928@redhat.com>

On Mon, 27 Jul 2015, John Johnson wrote:
>I'm not saying that something isn't working for me; I'm going off the
>information available on
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#otp-laptop-users
>and a thread in this mailing list referencing it. I'm simply trying to
>understand the particular issue related to the laptop-specific
>implementation and obstacles as it relates to OTP

No, there are no hardware-specific limitations. What the documentation tries to explain (rather poorly, I agree!) is that roaming clients like laptops would have some issues when OTP is the only scheme enabled for the user.

This is solved in SSSD 1.13 and both solution and the problem are described in detail in
https://fedorahosted.org/sssd/wiki/DesignDocs/PAMConversationForOTP

--
/ Alexander Bokovoy

From abokovoy at redhat.com Tue Jul 28 03:59:37 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Jul 2015 06:59:37 +0300
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <20150722150933.GX21928@redhat.com>
 <3734FB8A-A738-424E-BED2-1F846EC20E81@gmail.com>
 <20150722154339.GY21928@redhat.com>
 <8A1E9936-DD9D-4D43-80D3-E9CD99D7218A@gmail.com>
 <20150722160802.GA21928@redhat.com>
 <20150722164042.GB21928@redhat.com>
 <55B087C9.3060900@redhat.com>
 <20150723064133.GE21928@redhat.com>
Message-ID: <20150728035937.GG21928@redhat.com>

On Sun, 26 Jul 2015, Alexandre Ellert wrote:
>2015-07-23 8:41 GMT+02:00 Alexander Bokovoy :
>
>> On Thu, 23 Jul 2015, Ludwig Krispenz wrote:
>>
>>> - Directory server starts just fine but serves only port 389
>>>> - krb5kdc starts just fine and works fine with LDAP server
>>>> - Dogtag tries to use LDAP server via port 636 and fails
>>>>
>>>> We need to see why port 636 is disabled.
>>>>
>>> why do you think so ? There is:
>>>
>>> [22/Jul/2015:18:14:54 +0200] - slapd started. Listening on All
>>> Interfaces port 389 for LDAP requests
>>> [22/Jul/2015:18:14:54 +0200] - Listening on All Interfaces port 636 for
>>> LDAPS requests
>>> [22/Jul/2015:18:14:54 +0200] - Listening on
>>> /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests
>>>
>> Missed that part. However, dogtag was failing in accessing LDAP over
>> port 636.
>>
>> but what is failing is:
>>> agmt="cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat" (inf-ipa:7389):
>>> Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP
>>> server) ()
>>>
>>> Is dogtag on a different instance ? why do we use port 7389 ?
>>>
>> Because it was migration from RHEL6 to RHEL7. In RHEL6 dogtag was living
>> in a separate instance.
>>
>If the problem is too hard to solve, maybe I should try to deploy another
>replica ?

You may try that. Sorry for not responding, I have some other tasks that occupy my time right now.

If you have Red Hat subscription, it would be good to open a support case and put the details of the migration and logs there.

--
/ Alexander Bokovoy

From Kurt.Bendl at nrel.gov Tue Jul 28 17:02:17 2015
From: Kurt.Bendl at nrel.gov (Bendl, Kurt)
Date: Tue, 28 Jul 2015 17:02:17 +0000
Subject: [Freeipa-users] OTP vs sudo
In-Reply-To: <55B1ECAC.1050800@redhat.com>
References: <55B1ECAC.1050800@redhat.com>
Message-ID:

Thank you for the reply, Martin. This is what I'd expected, even though I was hoping for a workaround. ;-)

The per-service OTP is a hot button for us, as well as sudo. For now, we'll go the PrivacyIDEA + RADIUS route for OTP, and look forward to all the future awesomeness!

-Kurt

On 7/24/15, 1:43 AM, "Martin Kosek" wrote:
>On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
>> I'm planning our implementation of IdM/IPA, and I'm unclear about how I
>>can implement IPA's OTP for privileged access.
>>
>> I need to be able to set up systems so:
>> * accounts can auth using traditional userid/password
>> * privileged access (sudo) requires OTP
>>
>> We've done some testing, injecting a 3rd party OTP solution
>>(PrivacyIDEA) into the mix. This seems to work. But, if I can make IPA's
>>built-in mojo work, I'd prefer to keep it all in the family.
>
>Hello Kurt,
>
>FreeIPA OTP cannot be configured at the moment to only require OTP in
>some
>services. We plan this for the future
>(https://fedorahosted.org/freeipa/ticket/433), but we are not there yet.
>
>Sudo is different though as it is not a classic Kerberos service per se,
>this
>policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub and
>Nathaniel, to see if they know about any hack allowing this.

From rmeggins at redhat.com Tue Jul 28 17:08:49 2015
From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 28 Jul 2015 11:08:49 -0600 Subject: [Freeipa-users] Kerberos hanging approx. once a day In-Reply-To: <55B1E73C.5020607@physik.uni-wuppertal.de> References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B11637.9090509@redhat.com> <55B1E73C.5020607@physik.uni-wuppertal.de> Message-ID: <55B7B721.1020006@redhat.com> On 07/24/2015 01:20 AM, Torsten Harenberg wrote: > Dear Rich and all, > > thanks to everbody! Really thankful for your support. > > The situation really approved. > > We: > > - enlarged the caches for 389ds until the WARNING messages disappeared > in the log files, > - (just to be sure) re-sync'ed firewalld rules between primary and > secondary server. > > Now the server was stable, Kerberos and 389ds are still alive and all > clients can still resolve all users. There is only one issue left (see > bottom). > > > First let us answer that: > > Am 23.07.15 um 18:28 schrieb Rich Megginson: > >> # ldapsearch -xLLL -D "cn=directory manager" -W -s base -b >> "dc=uni-wuppertal,dc=de" >> >> This search should return immediately. If it hangs, then the problem is >> in slapd, and get a stack trace as before. >> > [root at ipa httpd]# time ldapsearch -xLLL -D "cn=directory manager" -W -s > base -b "dc=pleiades,dc=uni-wuppertal,dc=de" > Enter LDAP Password: > dn: dc=pleiades,dc=uni-wuppertal,dc=de > objectClass: top > objectClass: domain > objectClass: pilotObject > objectClass: domainRelatedObject > objectClass: nisDomainObject > dc: pleiades > info: IPA V2.0 > nisDomain: pleiades.uni-wuppertal.de > associatedDomain: pleiades.uni-wuppertal.de > > > real 0m4.559s > user 0m0.403s > sys 0m0.057s > [root at ipa httpd]# > > Looks okay to us, or? 4 seconds? That seems way too long. 
What does the dirsrv access log look like for this sequence of operations? There will be a connection, a BIND, a SRCH, and an UNBIND. > > So.. here is the problem which is left over. When logging in as admin > now through the web page or locally: > > [Thu Jul 23 21:43:47.340133 2015] [wsgi:error] [pid 1134] ipa: INFO: > [jsonserver_session] wensing at PLEIADES.UNI-WUPPERTAL.DE: > radiusproxy_find(None, version=u'2.114'): SUCCESS > [Thu Jul 23 21:43:48.758849 2015] [wsgi:error] [pid 1133] ipa: INFO: > [jsonserver_session] wensing at PLEIADES.UNI-WUPPERTAL.DE: user_find(None, > version=u'2.114'): SUCCESS > [Fri Jul 24 07:20:10.198903 2015] [wsgi:error] [pid 1134] ipa: INFO: 401 > Unauthorized: kinit: Clients credentials have been revoked while getting > initial credentials > [Fri Jul 24 07:20:10.198977 2015] [wsgi:error] [pid 1134] > [Fri Jul 24 07:20:18.181715 2015] [wsgi:error] [pid 1133] ipa: INFO: 401 > Unauthorized: kinit: Clients credentials have been revoked while getting > initial credentials > [Fri Jul 24 07:20:18.181809 2015] [wsgi:error] [pid 1133] > [Fri Jul 24 07:21:12.919751 2015] [wsgi:error] [pid 1134] ipa: INFO: 401 > Unauthorized: kinit: Clients credentials have been revoked while getting > initial credentials > [Fri Jul 24 07:21:12.919878 2015] [wsgi:error] [pid 1134] > [root at ipa httpd]# kinit admin > kinit: Clients credentials have been revoked while getting initial > credentials > [root at ipa httpd]# klist > Ticket cache: KEYRING:persistent:0:0 > Default principal: admin at PLEIADES.UNI-WUPPERTAL.DE > > Valid starting Expires Service principal > 07/23/2015 11:44:13 07/24/2015 11:44:08 > HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE > 07/23/2015 11:44:11 07/24/2015 11:44:08 > krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE > [root at ipa httpd]# > > > Hope you have an idea about that one as well :). I do not, sorry. Maybe one of our kerberos experts will know. 
> > Thanks > > Marisa and Torsten > > From mikeo at bixly.com Tue Jul 28 22:56:04 2015 
From: mikeo at bixly.com (Mike Oliver) Date: Tue, 28 Jul 2015 15:56:04 -0700 Subject: [Freeipa-users] CA-less replica setup and trouble with cert chain Message-ID: <55B80884.1030004@bixly.com> Hi folks, We're trying to add a FreeIPA (4.1; CentOS 7) replica to our infrastructure and keep running into an issue that prevents us from preparing the replica. We're using the CA-less setup where FreeIPA is using a wildcard certificate provided by RapidSSL. I started trying to create the replica using the information provided here : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html But since we're not using a CA, it tells me that I need to specify --http-cert-file and --dirsrv-cert-file. I create a p12 file that includes the wildcard cert and the rest of the certs in the chain with: $ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey wildcard.key -name "replica01" -out replica01.mydomain.com.p12 I then check to see if all the necessary certs were added to the p12 file: $ pk12util -l replica01.mydomain.com.p12 I see our wildcard certificate, RapidSSL's intermediate certificate, and the entry for Equifax/GeoTrust, that signed RapidSSL's certificate. Then I run 'ipa-replica-prepare' on the existing FreeIPA server. 
$ ipa-replica-prepare replica01.mydomain.com \ --http-cert-file=replica01.mydomain.com.p12 \ --dirsrv-cert-file=replica01.mydomain.com.p12 \ --ca /etc/ipa/ca.crt \ -v I get the following error after the debug output reports a series of calls to certutil: ipa: DEBUG: stderr= ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute self.ask_for_options() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 262, in ask_for_options options.http_cert_name) File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 162, in load_pkcs12 host_name=self.replica_fqdn) File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 799, in load_pkcs12 (", ".join(cert_files))) ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: ScriptError: The full certificate chain is not present in replica01.mydomain.com.p12 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The full certificate chain is not present in replicate01.mydomain.com.p12 The chain certainly looks to be complete given the output of pk12util, but it's possible I'm just building the file wrong for use with FreeIPA. What exactly is '--http-cert-file' and '--dirsrv-cert-file' expecting and how should I go about generating the certificate used by 'ipa-replica-prepare' with a CA-less configuration? Thanks all, -- Mike Oliver From lundman at lundman.net Wed Jul 29 04:30:38 2015 
From: lundman at lundman.net (Jorgen Lundman) Date: Wed, 29 Jul 2015 13:30:38 +0900 Subject: [Freeipa-users] bind-dynamicdb TKEY update Message-ID: <55B856EE.9040007@lundman.net> Hola! So with todays advisory: https://kb.isc.org/article/AA-01272 we finally get to test the procedure to patch and update here :) Are there any plans for the dynamic_db github to pull in the fix, or should I proceed with that step? Sincerely, Lund -- Jorgen Lundman | Unix Administrator | +81 (0)90-5578-8500 (work) Shibuya-ku, Tokyo | +81 (0)80-2090-5800 (cell) Japan | +81 (0)3 -3375-1767 (home) From lundman at lundman.net Wed Jul 29 04:41:12 2015 From: lundman at lundman.net (Jorgen Lundman) Date: Wed, 29 Jul 2015 13:41:12 +0900 Subject: [Freeipa-users] bind-dynamicdb TKEY update In-Reply-To: <55B856EE.9040007@lundman.net> References: <55B856EE.9040007@lundman.net> Message-ID: <55B85968.3040502@lundman.net> Took a look at the diff while I was waiting: diff -rub bind-9.9.7-P1/lib/dns/tkey.c bind-9.9.7-P2/lib/dns/tkey.c --- bind-9.9.7-P1/lib/dns/tkey.c 2015-06-18 07:48:03.000000000 +0900 +++ bind-9.9.7-P2/lib/dns/tkey.c 2015-07-15 08:50:22.000000000 +0900 @@ -650,6 +650,7 @@ * Try the answer section, since that's where Win2000 * puts it. */ + name = NULL; if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname, dns_rdatatype_tkey, 0, &name, &tkeyset) != ISC_R_SUCCESS) { Sigh. All that work for one line. :) Lund Jorgen Lundman wrote: > > Hola! > > So with todays advisory: https://kb.isc.org/article/AA-01272 > we finally get to test the procedure to patch and update here :) > > Are there any plans for the dynamic_db github to pull in the fix, or should > I proceed with that step? > > Sincerely, > > Lund > -- Jorgen Lundman | Unix Administrator | +81 (0)90-5578-8500 (work) Shibuya-ku, Tokyo | +81 (0)80-2090-5800 (cell) Japan | +81 (0)3 -3375-1767 (home) From jcholast at redhat.com Wed Jul 29 05:09:04 2015 
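Review bot: in the tkey.c hunk at @@ -650,6 +650,7 @@, the added `name = NULL;` has no comment saying why the pointer must be cleared before the answer-section `dns_message_findname` call, so a later cleanup could drop it as a redundant assignment; add one line stating the reason next to it. The same call also takes `&tkeyset`, which this hunk does not reset, so it is worth confirming from the code above the hunk that the earlier lookup cannot leave `tkeyset` set when this branch is reached.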
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Jul 2015 07:09:04 +0200 Subject: [Freeipa-users] ipa-replica-prepare error In-Reply-To: <55AD3570.8020400@cora.nwra.com> References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com> <559D5E6F.5010902@cora.nwra.com> <55A02C07.3090906@cora.nwra.com> <55A5F55A.6090203@redhat.com> <55A6AD1E.2070604@cora.nwra.com> <55AC9BDE.4020505@redhat.com> <55AD3570.8020400@cora.nwra.com> Message-ID: <55B85FF0.4000304@redhat.com> On 20.7.2015 at 19:52, Orion Poplawski wrote: > On 07/20/2015 12:57 AM, Jan Cholasta wrote: >> On 15.7.2015 at 20:57, Orion Poplawski wrote: >>> On 07/14/2015 11:53 PM, Jan Cholasta wrote: >>>> >>>> # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 >>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX >>> >>> Directory Manager (existing master) password: >>> >>> (SEC_ERROR_LIBRARY_FAILURE) security library failure. >>> >>> Not much :( >>> >>> Seems to be very early. >>> >>> I can't find an ipa-replica-prepare.log file. >> >> That's weird, there should be ~50 lines of output before ipa-replica-prepare >> prompts you for directory manager password. >> >> I didn't have any luck in reproducing the issue so far. >> >> Could you please try this: >> >> $ mkdir tmpdb >> $ certutil -N -d tmpdb >> $ pk12util -i nwra.com.p12 >> $ certutil -L -d tmpdb # look for nickname of certificate >> which has trust attributes of u,u,u >> $ certutil -O -d tmpdb -n nickname # use the nickname from above >> >> I would like to see the output of the last 2 commands. >> > > [root at europa ~]# pk12util -i nwra.com.p12 -d tmpdb > Enter Password or Pin for "NSS Certificate DB": > Enter password for PKCS12 file: > pk12util: no nickname for cert in PKCS12 file. 
> pk12util: using nickname: *.nwra.com - COMODO CA Limited > pk12util: PKCS12 IMPORT SUCCESSFUL > [root at europa ~]# certutil -L -d tmpdb > > Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > > COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited ,, > AddTrust External CA Root - AddTrust AB ,, > *.nwra.com - COMODO CA Limited u,u,u > COMODO RSA Certification Authority - AddTrust AB ,, > [root at europa ~]# certutil -O -d tmpdb -n '*.nwra.com - COMODO CA Limited' > "AddTrust External CA Root - AddTrust AB" [CN=AddTrust External CA > Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE] > > "COMODO RSA Certification Authority - AddTrust AB" [CN=COMODO RSA > Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB] > > "COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited" > [CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA > Limited,L=Salford,ST=Greater Manchester,C=GB] > > "*.nwra.com - COMODO CA Limited" [CN=*.nwra.com,OU=PositiveSSL > Wildcard,OU=Domain Control Validated] Thanks. Unfortunately it looks perfectly fine, so I still have no idea what's wrong. This is a long shot, but could you try running ipa-replica-prepare in strace and post the log of that? # strace -o ipa-replica-prepare-strace.log ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX -- Jan Cholasta From jcholast at redhat.com Wed Jul 29 05:20:30 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Jul 2015 07:20:30 +0200 Subject: [Freeipa-users] CA-less replica setup and trouble with cert chain In-Reply-To: <55B80884.1030004@bixly.com> References: <55B80884.1030004@bixly.com> Message-ID: <55B8629E.1080805@redhat.com> Hi, On 29.7.2015 at 00:56, Mike Oliver wrote: > Hi folks, > > We're trying to add a FreeIPA (4.1; CentOS 7) replica to our > infrastructure and keep running into an issue that prevents us from > preparing the replica. > > We're using the CA-less setup where FreeIPA is using a wildcard > certificate provided by RapidSSL. I started trying to create the replica > using the information provided here : > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html > > > But since we're not using a CA, it tells me that I need to specify > --http-cert-file and --dirsrv-cert-file. I create a p12 file that > includes the wildcard cert and the rest of the certs in the chain with: > $ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey > wildcard.key -name "replica01" -out replica01.mydomain.com.p12 > > I then check to see if all the necessary certs were added to the p12 file: > $ pk12util -l replica01.mydomain.com.p12 > > I see our wildcard certificate, RapidSSL's intermediate certificate, and > the entry for Equifax/GeoTrust, that signed RapidSSL's certificate. > > Then I run 'ipa-replica-prepare' on the existing FreeIPA server. 
> $ ipa-replica-prepare replica01.mydomain.com \ > --http-cert-file=replica01.mydomain.com.p12 \ > --dirsrv-cert-file=replica01.mydomain.com.p12 \ > --ca /etc/ipa/ca.crt \ > -v Note that you can use the .crt and .key files directly: $ ipa-replica-prepare replica01.mydomain.com --http-cert-file=wildcard-with-intermediates.crt --http-cert-file=wildcard.key --dirsrv-cert-file=wildcard-with-intermediates.crt --dirsrv-cert-file=wildcard.key > > I get the following error after the debug output reports a series of > calls to certutil: > ipa: DEBUG: stderr= > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in > execute > self.ask_for_options() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > line 262, in ask_for_options > options.http_cert_name) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > line 162, in load_pkcs12 > host_name=self.replica_fqdn) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > line 799, in load_pkcs12 > (", ".join(cert_files))) > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The > ipa-replica-prepare command failed, exception: ScriptError: The full > certificate chain is not present in replica01.mydomain.com.p12 > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The > full certificate chain is not present in replicate01.mydomain.com.p12 > > > The chain certainly looks to be complete given the output of pk12util, > but it's possible I'm just building the file wrong for use with FreeIPA. > What exactly is '--http-cert-file' and '--dirsrv-cert-file' expecting > and how should I go about generating the certificate used by > 'ipa-replica-prepare' with a CA-less configuration? If the chain is complete, there should be a self-signed CA certificate at the top. For you that would be the Equifax/GeoTrust certificate. 
If it's not self-signed, it means the chain is in fact not complete. > > Thanks all, > Honza -- Jan Cholasta From harenberg at physik.uni-wuppertal.de Wed Jul 29 05:31:07 2015 
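The completeness rule from Jan Cholasta's reply above (a complete chain ends in a certificate that is its own issuer), as an added example that is not part of the thread and is not FreeIPA's own check. It reads a PEM bundle, follows issuer names upward from the first certificate and reports the first issuer that is missing. Assumptions: the leaf comes first in the bundle, names are compared byte for byte, signatures are not verified (so "issuer equals subject" stands in for "self-signed"), and the sample certificates and all function names are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("0603550403")  # DER encoding of OID 2.5.4.3 (commonName)


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, body, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, body)      # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                      # optional [0] EXPLICIT version
        pos = end
    fields = []
    for _field in range(5):  # serial, signature alg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]


def common_name(name):
    """Return the commonName in a DER Name, or the Name as hex if it has none."""
    _, pos, end = read_tlv(name, 0)
    while pos < end:                     # one SET per RDN
        _, set_body, set_end = read_tlv(name, pos)
        _, atv, _ = read_tlv(name, set_body)  # first AttributeTypeAndValue
        _, _, oid_end = read_tlv(name, atv)
        if name[atv:oid_end] == CN_OID:
            _, start, stop = read_tlv(name, oid_end)
            return name[start:stop].decode("utf-8", "replace")
        pos = set_end
    return name.hex()


def check_chain(pem_text):
    """Walk issuer links up from the first certificate in a PEM bundle and
    return (complete, path, missing_issuer_or_None)."""
    ders = [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no certificates found")
    names = [issuer_and_subject(d) for d in ders]
    issuer_of = {subject: issuer for issuer, subject in names}
    issuer, subject = names[0]           # assumption: the leaf comes first
    path, visited = [common_name(subject)], {subject}
    while issuer != subject:
        # Stop when the issuer is absent from the bundle or the names loop.
        if issuer not in issuer_of or issuer in visited:
            return False, path, common_name(issuer)
        subject, issuer = issuer, issuer_of[issuer]
        visited.add(subject)
        path.append(common_name(subject))
    return True, path, None


def _tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def constructed_cert(issuer_cn, subject_cn):
    """Build an UNSIGNED certificate skeleton (constructed sample) as PEM."""
    def name(cn):
        return _tlv(0x30, _tlv(0x31, _tlv(0x30, CN_OID + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    dummy_bits = _tlv(0x03, bytes(17))   # placeholder key and signature bits
    validity = _tlv(0x30, _tlv(0x17, b"150701000000Z") * 2)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name(issuer_cn) + validity + name(subject_cn)
               + _tlv(0x30, alg + dummy_bits))
    pem = base64.encodebytes(_tlv(0x30, tbs + alg + dummy_bits)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"


# Constructed three-level chain: wildcard leaf, intermediate, self-issued root.
LEAF = constructed_cert("Constructed Intermediate CA", "*.example.test")
INTERMEDIATE = constructed_cert("Constructed Root CA", "Constructed Intermediate CA")
ROOT = constructed_cert("Constructed Root CA", "Constructed Root CA")

if __name__ == "__main__":
    print(check_chain(LEAF + INTERMEDIATE), check_chain(LEAF + INTERMEDIATE + ROOT))
```

To check a real bundle, pass the text of the PEM file that holds the server certificate followed by its CA certificates to `check_chain`; a `False` result names the issuer whose certificate still has to be appended.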
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg) Date: Wed, 29 Jul 2015 07:31:07 +0200 Subject: [Freeipa-users] Kerberos hanging approx. once a day In-Reply-To: <55B7B721.1020006@redhat.com> References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de> <55B11637.9090509@redhat.com> <55B1E73C.5020607@physik.uni-wuppertal.de> <55B7B721.1020006@redhat.com> Message-ID: <55B8651B.70904@physik.uni-wuppertal.de> Dear Rich, all, On 28.07.15 at 19:08, Rich Megginson wrote: >>> # ldapsearch -xLLL -D "cn=directory manager" -W -s base -b >>> "dc=uni-wuppertal,dc=de" [...] >> >> >> real 0m4.559s >> user 0m0.403s >> sys 0m0.057s >> [root at ipa httpd]# >> >> Looks okay to us, or? > > 4 seconds? That seems way too long. No.. that includes the time it took me to enter the password. Only the "user" line is relevant, so 0.4 seconds. >> >> So.. here is the problem which is left over. 
When logging in as admin >> now through the web page or locally: >> >> [Thu Jul 23 21:43:47.340133 2015] [wsgi:error] [pid 1134] ipa: INFO: >> [jsonserver_session] wensing at PLEIADES.UNI-WUPPERTAL.DE: >> radiusproxy_find(None, version=u'2.114'): SUCCESS >> [Thu Jul 23 21:43:48.758849 2015] [wsgi:error] [pid 1133] ipa: INFO: >> [jsonserver_session] wensing at PLEIADES.UNI-WUPPERTAL.DE: user_find(None, >> version=u'2.114'): SUCCESS >> [Fri Jul 24 07:20:10.198903 2015] [wsgi:error] [pid 1134] ipa: INFO: 401 >> Unauthorized: kinit: Clients credentials have been revoked while getting >> initial credentials >> [Fri Jul 24 07:20:10.198977 2015] [wsgi:error] [pid 1134] >> [Fri Jul 24 07:20:18.181715 2015] [wsgi:error] [pid 1133] ipa: INFO: 401 >> Unauthorized: kinit: Clients credentials have been revoked while getting >> initial credentials >> [Fri Jul 24 07:20:18.181809 2015] [wsgi:error] [pid 1133] >> [Fri Jul 24 07:21:12.919751 2015] [wsgi:error] [pid 1134] ipa: INFO: 401 >> Unauthorized: kinit: Clients credentials have been revoked while getting >> initial credentials >> [Fri Jul 24 07:21:12.919878 2015] [wsgi:error] [pid 1134] >> [root at ipa httpd]# kinit admin >> kinit: Clients credentials have been revoked while getting initial >> credentials >> [root at ipa httpd]# klist >> Ticket cache: KEYRING:persistent:0:0 >> Default principal: admin at PLEIADES.UNI-WUPPERTAL.DE >> >> Valid starting Expires Service principal >> 07/23/2015 11:44:13 07/24/2015 11:44:08 >> HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE >> 07/23/2015 11:44:11 07/24/2015 11:44:08 >> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE >> [root at ipa httpd]# >> >> >> Hope you have an idea about that one as well :). > > I do not, sorry. Maybe one of our kerberos experts will know. Hope so.. the problem still persists. Strangely, it's not always there. And it's only on the primary, not on the secondary server. 
with an strace there is a difference when it does NOT work: keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 294917837 keyctl(KEYCTL_SEARCH, 294917837, "keyring", "_krb", KEY_SPEC_PROCESS_KEYRING) = 780102244 keyctl(KEYCTL_SEARCH, 780102244, "user", "krb_ccache:primary", 0) = 12049273 keyctl(KEYCTL_READ, 12049273, NULL, 0) = 10 keyctl(KEYCTL_READ, 12049273, "", 10) = 10 keyctl(KEYCTL_READ, 780102244, NULL, 0) = 4 keyctl(KEYCTL_READ, 780102244, "y\333\267", 4) = 4 keyctl(KEYCTL_SEARCH, 780102244, "keyring", "0", 0) = -1 ENOKEY (Required key not available) keyctl(KEYCTL_DESCRIBE, 12049273, NULL, 0) = 37 keyctl(KEYCTL_DESCRIBE, 12049273, "user;0;0;3f010000;krb_ccache:pri"..., 37) = 37 compared to when it WORKS: keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 294917837 keyctl(KEYCTL_SEARCH, 294917837, "keyring", "_krb", KEY_SPEC_PROCESS_KEYRING) = 780102244 keyctl(KEYCTL_SEARCH, 780102244, "user", "krb_ccache:primary", 0) = 12049273 keyctl(KEYCTL_READ, 12049273, NULL, 0) = 10 keyctl(KEYCTL_READ, 12049273, "", 10) = 10 keyctl(KEYCTL_SEARCH, 780102244, "keyring", "0", 0) = 17381009 keyctl(KEYCTL_SEARCH, 17381009, "user", "__krb5_princ__", 0) = 378086918 keyctl(KEYCTL_SEARCH, 17381009, "user", "__krb5_time_offsets__", 0) = 416824569 keyctl(KEYCTL_READ, 416824569, NULL, 0) = 8 keyctl(KEYCTL_READ, 416824569, "", 8) = 8 keyctl(KEYCTL_READ, 378086918, NULL, 0) = 46 keyctl(KEYCTL_READ, 378086918, "", 46) = 46 keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 294917837 keyctl(KEYCTL_SEARCH, 294917837, "keyring", "_krb", KEY_SPEC_PROCESS_KEYRING) = 780102244 keyctl(KEYCTL_SEARCH, 780102244, "user", "krb_ccache:primary", 0) = 12049273 keyctl(KEYCTL_READ, 12049273, NULL, 0) = 10 keyctl(KEYCTL_READ, 12049273, "", 10) = 10 keyctl(KEYCTL_READ, 780102244, NULL, 0) = 12 keyctl(KEYCTL_READ, 780102244, "y\333\267", 12) = 12 keyctl(KEYCTL_SEARCH, 780102244, "keyring", "0", 0) = 17381009 keyctl(KEYCTL_SEARCH, 17381009, "user", "__krb5_princ__", 0) = 
378086918 keyctl(KEYCTL_READ, 378086918, NULL, 0) = 46 keyctl(KEYCTL_READ, 378086918, "", 46) = 46 Best regards Torsten -- <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> <> <> <> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <> <> Bergische Universitaet <> <> FB C - Physik Tel.: +49 (0)202 439-3521 <> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <> <> 42097 Wuppertal <> <> <> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><> From mkosek at redhat.com Wed Jul 29 10:05:46 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Jul 2015 12:05:46 +0200 Subject: [Freeipa-users] bind-dynamicdb TKEY update In-Reply-To: <55B85968.3040502@lundman.net> References: <55B856EE.9040007@lundman.net> <55B85968.3040502@lundman.net> Message-ID: <55B8A57A.2000604@redhat.com> Hello Jorgen, Given you ask on this list, I assume you are asking if this CVE is fixed in FreeIPA DNS feature which utilizes BIND. The answer is - "it depends" :-) As the bug itself is in BIND, it depends if the patch made it for given downstream platform. As for Fedora and/or RHEL, I checked with the BIND maintainer and the fix is there, live. You can check the tracking bug, which is now public: https://bugzilla.redhat.com/show_bug.cgi?id=1247361 HTH, Martin On 07/29/2015 06:41 AM, Jorgen Lundman wrote: > > Took a look at the diff while I was waiting: > > diff -rub bind-9.9.7-P1/lib/dns/tkey.c bind-9.9.7-P2/lib/dns/tkey.c > --- bind-9.9.7-P1/lib/dns/tkey.c 2015-06-18 07:48:03.000000000 +0900 > +++ bind-9.9.7-P2/lib/dns/tkey.c 2015-07-15 08:50:22.000000000 +0900 
> @@ -650,6 +650,7 @@ > * Try the answer section, since that's where Win2000 > * puts it. > */ > + name = NULL; > if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname, > dns_rdatatype_tkey, 0, &name, > &tkeyset) != ISC_R_SUCCESS) { > > > Sigh. All that work for one line. :) > > Lund > > Jorgen Lundman wrote: >> >> Hola! >> >> So with todays advisory: https://kb.isc.org/article/AA-01272 >> we finally get to test the procedure to patch and update here :) >> >> Are there any plans for the dynamic_db github to pull in the fix, or should >> I proceed with that step? >> >> Sincerely, >> >> Lund >> > From guillermo.fuentes at modernizingmedicine.com Tue Jul 28 23:47:36 2015 
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes) Date: Tue, 28 Jul 2015 19:47:36 -0400 Subject: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1) Message-ID: Hi all, We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1). Starting with FreeIPA 3.0 and to avoid the SSL certificate warning when accessing the GUI, we installed a 3rd part certificate for https: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP We're ready to migrate to FreeIPA 4.1 and we already have two 4.1 replicas but we're having problems cloning the CA from the 3.0 master. This is our current environment: master1 and master2: CentOS 6.6 (up to date) ipa-admintools-3.0.0-42.el6.centos.x86_64 ipa-server-3.0.0-42.el6.centos.x86_64 python-iniparse-0.3.1-2.1.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch libipa_hbac-1.11.6-30.el6_6.4.x86_64 device-mapper-multipath-0.4.9-80.el6_6.3.x86_64 ipa-client-3.0.0-42.el6.centos.x86_64 ipa-server-selinux-3.0.0-42.el6.centos.x86_64 ipa-python-3.0.0-42.el6.centos.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch sssd-ipa-1.11.6-30.el6_6.4.x86_64 pki-selinux-9.0.3-39.el6_6.noarch pki-common-9.0.3-39.el6_6.noarch pki-native-tools-9.0.3-39.el6_6.x86_64 pki-setup-9.0.3-39.el6_6.noarch pki-util-9.0.3-39.el6_6.noarch pki-symkey-9.0.3-39.el6_6.x86_64 pki-ca-9.0.3-39.el6_6.noarch pki-java-tools-9.0.3-39.el6_6.noarch ipa-pki-ca-theme-9.0.3-7.el6.noarch pki-silent-9.0.3-39.el6_6.noarch replica1 and replica2: CentOS 7.1 (up to date) ipa-client-4.1.0-18.el7.centos.3.x86_64 libipa_hbac-python-1.12.2-58.el7_1.6.x86_64 sssd-ipa-1.12.2-58.el7_1.6.x86_64 python-iniparse-0.4-9.el7.noarch ipa-admintools-4.1.0-18.el7.centos.3.x86_64 ipa-server-4.1.0-18.el7.centos.3.x86_64 ipa-python-4.1.0-18.el7.centos.3.x86_64 libipa_hbac-1.12.2-58.el7_1.6.x86_64 pki-server-10.1.2-7.el7.noarch krb5-pkinit-1.12.2-14.el7.x86_64 pki-base-10.1.2-7.el7.noarch pki-ca-10.1.2-7.el7.noarch pki-symkey-10.1.2-7.el7.x86_64 
pki-tools-10.1.2-7.el7.x86_64 # ipa-replica-manage list master1.example.com: master master2.example.com: master replica1.example.com: master replica2.example.com.com: master # ipa-csreplica-manage list Directory Manager password: replica1.example.com: CA not configured master1.example.com: master master2.example.com: master replica2.example.com: CA not configured When trying to install the CA on replica1 to do the migration: ipa-ca-install --skip-conncheck --skip-schema-check /var/lib/ipa/replica-info-replica1.example.com.gpg we're getting the following error in the /var/log/ipareplica-ca-install.log file: ... 2015-07-28T21:25:14Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-07-28T21:25:14Z DEBUG Starting external process 2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql' 2015-07-28T21:25:51Z DEBUG Process finished, return code=1 2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration from /tmp/tmp2ON_ql. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2015-07-28T21:25:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning) pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available pkispawn : ERROR ....... 
Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning java.io.IOException: Error: Not authorized 2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned non-zero exit status 1 2015-07-28T21:25:51Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance raise RuntimeError('Configuration of CA failed') RuntimeError: Configuration of CA failed ... From /var/log/pki/pki-ca-spawn.20150728172515.log: ... 2015-07-28 17:25:16 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf' 2015-07-28 17:25:16 pkispawn : INFO ....... executing 'systemctl daemon-reload' 2015-07-28 17:25:16 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service' 2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection - server may still be down 2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused')) 2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection - server may still be down 2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused')) 2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection - server may still be down 2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused')) 2015-07-28 17:25:19 pkispawn : DEBUG ........... 
No connection - server may still be down 2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused')) 2015-07-28 17:25:46 pkispawn : DEBUG ........... 0CArunning10.1.2-7.el7 2015-07-28 17:25:47 pkispawn : INFO ....... constructing PKI configuration data. 2015-07-28 17:25:47 pkispawn : INFO ....... configuring PKI configuration data. 2015-07-28 17:25:51 pkispawn : ERROR ....... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning java.io.IOException: Error: Not authorized 2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Type: HTTPError 2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Message: 500 Server Error: Internal Server Error 2015-07-28 17:25:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 463, in main rv = instance.spawn(deployer) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 126, in spawn json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3211, in configure_pki_data response = client.configure(data) File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure r = self.connection.post('/rest/installer/configure', data, headers) File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post r.raise_for_status() File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status raise HTTPError(http_error_msg, response=self) ... From /var/log/pki/pki-tomcat/ca/debug: ... 
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: SystemConfigService(): configure() called
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://master1.example.com:443, securityDomainName=null, securityDomainUser=admin, securityDomainPassword=XXXX, isClone=true, cloneUri=https://master1.example.com:443, subsystemName=CA replica1.example.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=replica1.example.com, dsPort=389, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=false, removeData=true, replicateSchema=False, masterReplicationPort=7389, cloneReplicationPort=389, replicationSecurity=TLS, systemCerts=[com.netscape.certsrv.system.SystemCertData@ac5b61d], issuingCA=https://master1.example.com:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null]
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Token Panel ===
[28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Security Domain Panel ===
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML start
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: status=0
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: domainInfo=IPAmaster1.example.com44344344344380FALSEpki-cadTRUEmaster2.example.com44344344380443TRUETRUEpki-cad200000
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len is 2
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: hostname:
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: admin_port: <443>
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: === Subsystem Panel ===
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len: 2
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_host master1.example.com
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_port 443
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: http content=type=request&xmlOutput=true&sessionID=4266586385374846691
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange start host=master1.example.com adminPort=443 eePort=443
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: content is null.
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjava.io.IOException: The server you want to contact is not available
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: Attempting to contact master using EE port
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: content from ee interface =1Error: Not authorized
[28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange(): status=1
...

Related logs from master1 (/var/log/pki-ca/debug):
...
[28/Jul/2015:17:25:50][TP-Processor2]: according to ccMode, authorization for servlet: caUpdateNumberRange is LDAP based, not XML {1}, use default authz mgr: {2}.
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: done initializing...
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri = /ca/ee/ca/updateNumberRange
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param name='type' value='request'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param name='xmlOutput' value='true'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param name='sessionID' value='-5799572006108726179'
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: caUpdateNumberRange start to service.
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: processing...
[28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange process: authentication starts
[28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate found
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: content=sessionID=-5799572006108726179&hostname=10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user.
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.10.2.45, authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth] authentication success
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.10.2.45, authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditGroupID
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.10.2.45, authManagerId=TokenAuth}
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditGroupID: groupID: null
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in authorize...
TokenAuth auditSubjectID unavailable, changing to auditGroupID
[28/Jul/2015:17:25:50][TP-Processor2]: checkACLS(): ACLEntry expressions= group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators"
[28/Jul/2015:17:25:50][TP-Processor2]: evaluating expressions: group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators"
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise CA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise KRA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise RA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise OCSP Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise TKS Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify] authorization failure
...

Do you guys know which certificate is the one that's failing and where else to look at to fix this problem?

Thanks so much for any help you can provide!

Guillermo

From dkupka at redhat.com Wed Jul 29 13:13:48 2015
From: dkupka at redhat.com (David Kupka)
Date: Wed, 29 Jul 2015 15:13:48 +0200
Subject: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To:
References:
Message-ID: <55B8D18C.8030906@redhat.com>

On 29/07/15 01:47, Guillermo Fuentes wrote:
> Hi all,
>
> We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1).
>
> Starting with FreeIPA 3.0 and to avoid the SSL certificate warning
> when accessing the GUI, we installed a 3rd part certificate for https:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> We're ready to migrate to FreeIPA 4.1 and we already have two 4.1
> replicas but we're having problems cloning the CA from the 3.0 master.
>
> This is our current environment:
> master1 and master2:
> CentOS 6.6 (up to date)
> ipa-admintools-3.0.0-42.el6.centos.x86_64
> ipa-server-3.0.0-42.el6.centos.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-1.11.6-30.el6_6.4.x86_64
> device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> ipa-python-3.0.0-42.el6.centos.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> sssd-ipa-1.11.6-30.el6_6.4.x86_64
> pki-selinux-9.0.3-39.el6_6.noarch
> pki-common-9.0.3-39.el6_6.noarch
> pki-native-tools-9.0.3-39.el6_6.x86_64
> pki-setup-9.0.3-39.el6_6.noarch
> pki-util-9.0.3-39.el6_6.noarch
> pki-symkey-9.0.3-39.el6_6.x86_64
> pki-ca-9.0.3-39.el6_6.noarch
> pki-java-tools-9.0.3-39.el6_6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-silent-9.0.3-39.el6_6.noarch
>
>
> replica1 and replica2:
> CentOS 7.1 (up to date)
> ipa-client-4.1.0-18.el7.centos.3.x86_64
> libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-admintools-4.1.0-18.el7.centos.3.x86_64
> ipa-server-4.1.0-18.el7.centos.3.x86_64
> ipa-python-4.1.0-18.el7.centos.3.x86_64
> libipa_hbac-1.12.2-58.el7_1.6.x86_64
> pki-server-10.1.2-7.el7.noarch
> krb5-pkinit-1.12.2-14.el7.x86_64
> pki-base-10.1.2-7.el7.noarch
> pki-ca-10.1.2-7.el7.noarch
> pki-symkey-10.1.2-7.el7.x86_64
> pki-tools-10.1.2-7.el7.x86_64
>
>
> # ipa-replica-manage list
> master1.example.com: master
> master2.example.com: master
> replica1.example.com: master
> replica2.example.com.com: master
>
> # ipa-csreplica-manage list
> Directory Manager password:
>
> replica1.example.com: CA not configured
> master1.example.com: master
> master2.example.com: master
> replica2.example.com: CA not configured
>
>
> When trying to install the CA on replica1 to do the migration:
> ipa-ca-install --skip-conncheck --skip-schema-check
> /var/lib/ipa/replica-info-replica1.example.com.gpg
>
> we're getting the following error in the
> /var/log/ipareplica-ca-install.log file:
> ...
> 2015-07-28T21:25:14Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-07-28T21:25:14Z DEBUG Starting external process
> 2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmp2ON_ql'
> 2015-07-28T21:25:51Z DEBUG Process finished, return code=1
> 2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration
> from /tmp/tmp2ON_ql.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2015-07-28T21:25:51Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
> InsecureRequestWarning)
> pkispawn : WARNING ....... unable to validate security domain
> user/password through REST interface. Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration
> Servlet: Failed to obtain configuration entries from the master for
> cloning java.io.IOException: Error: Not authorized
>
> 2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned
> non-zero exit status 1
> 2015-07-28T21:25:51Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 382, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 372, in run_step
> method()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 673, in __spawn_instance
> raise RuntimeError('Configuration of CA failed')
> RuntimeError: Configuration of CA failed
> ...
>
>
> From /var/log/pki/pki-ca-spawn.20150728172515.log:
> ...
> 2015-07-28 17:25:16 pkispawn : INFO ....... executing 'certutil
> -N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf'
> 2015-07-28 17:25:16 pkispawn : INFO ....... executing
> 'systemctl daemon-reload'
> 2015-07-28 17:25:16 pkispawn : INFO ....... executing
> 'systemctl start pki-tomcatd@pki-tomcat.service'
> 2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection -
> server may still be down
> 2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection -
> exception thrown: ('Connection aborted.', error(111, 'Connection
> refused'))
> 2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection -
> server may still be down
> 2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection -
> exception thrown: ('Connection aborted.', error(111, 'Connection
> refused'))
> 2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection -
> server may still be down
> 2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection -
> exception thrown: ('Connection aborted.', error(111, 'Connection
> refused'))
> 2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection -
> server may still be down
> 2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection -
> exception thrown: ('Connection aborted.', error(111, 'Connection
> refused'))
> 2015-07-28 17:25:46 pkispawn : DEBUG ........... version="1.0" encoding="UTF-8"
> standalone="no"?>0CArunning10.1.2-7.el7
> 2015-07-28 17:25:47 pkispawn : INFO ....... constructing PKI
> configuration data.
> 2015-07-28 17:25:47 pkispawn : INFO ....... configuring PKI
> configuration data.
> 2015-07-28 17:25:51 pkispawn : ERROR ....... Exception from Java
> Configuration Servlet: Failed to obtain configuration entries from the
> master for cloning java.io.IOException: Error: Not authorized
> 2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Type: HTTPError
> 2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Message: 500
> Server Error: Internal Server Error
> 2015-07-28 17:25:51 pkispawn : DEBUG ....... File
> "/usr/sbin/pkispawn", line 463, in main
> rv = instance.spawn(deployer)
> File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
> line 126, in spawn
> json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
> File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
> line 3211, in configure_pki_data
> response = client.configure(data)
> File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
> r = self.connection.post('/rest/installer/configure', data, headers)
> File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
> r.raise_for_status()
> File "/usr/lib/python2.7/site-packages/requests/models.py", line
> 834, in raise_for_status
> raise HTTPError(http_error_msg, response=self)
> ...
>
> From /var/log/pki/pki-tomcat/ca/debug:
> ...
> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: SystemConfigService():
> configure() called
> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: ConfigurationRequest
> [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX,
> securityDomainType=existingdomain,
> securityDomainUri=https://master1.example.com:443,
> securityDomainName=null, securityDomainUser=admin,
> securityDomainPassword=XXXX, isClone=true,
> cloneUri=https://master1.example.com:443, subsystemName=CA
> replica1.example.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX,
> hierarchy=root, dsHost=replica1.example.com, dsPort=389,
> baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX,
> database=ipaca, secureConn=false, removeData=true,
> replicateSchema=False, masterReplicationPort=7389,
> cloneReplicationPort=389, replicationSecurity=TLS,
> systemCerts=[com.netscape.certsrv.system.SystemCertData@ac5b61d],
> issuingCA=https://master1.example.com:443, backupKeys=true,
> backupPassword=XXXX,
> backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12,
> adminUID=null, adminPassword=XXXX, adminEmail=null,
> adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null,
> adminName=null, adminProfileID=null, adminCert=null,
> importAdminCert=false, generateServerCert=true, standAlone=false,
> stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null,
> authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null,
> enableServerSideKeyGen=null, importSharedSecret=null]
> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Token Panel ===
> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Security Domain Panel ===
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML start
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: status=0
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML:
> domainInfo= standalone="no"?>IPAmaster1.example.com44344344344380FALSEpki-cadTRUEmaster2.example.com44344344380443TRUETRUEpki-cad200000 nt>
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len is 2
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: hostname:
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: admin_port: <443>
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: === Subsystem Panel ===
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len: 2
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_host master1.example.com
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_port 443
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: http
> content=type=request&xmlOutput=true&sessionID=4266586385374846691
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange start
> host=master1.example.com adminPort=443 eePort=443
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
> content is null.
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
> Failed to contact master using admin portjava.io.IOException: The
> server you want to contact is not available
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange:
> Attempting to contact master using EE port
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: content from ee
> interface = standalone="no"?>1Error: Not
> authorized
> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange(): status=1
> ...
>
>
>
> Related logs from master1 (/var/log/pki-ca/debug):
> ...
> [28/Jul/2015:17:25:50][TP-Processor2]: according to ccMode,
> authorization for servlet: caUpdateNumberRange is LDAP based, not XML
> {1}, use default authz mgr: {2}.
> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: done initializing...
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri =
> /ca/ee/ca/updateNumberRange
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
> name='type' value='request'
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
> name='xmlOutput' value='true'
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param
> name='sessionID' value='-5799572006108726179'
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: caUpdateNumberRange
> start to service.
> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: processing...
> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange process:
> authentication starts
> [28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
> [28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate found
> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start
> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication:
> content=sessionID=-5799572006108726179&hostname=10.10.2.45
> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication
> authenticate Exception=org.mozilla.jss.ssl.SSLSocketException:
> SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been
> marked as not trusted by the user.
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
> auditContext {locale=en_US, ipAddress=10.10.2.45,
> authManagerId=TokenAuth}
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
> subjectID: null
> [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth]
> authentication success
>
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID
> auditContext {locale=en_US, ipAddress=10.10.2.45,
> authManagerId=TokenAuth}
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID:
> subjectID: null
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditGroupID
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditGroupID
> auditContext {locale=en_US, ipAddress=10.10.2.45,
> authManagerId=TokenAuth}
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditGroupID: groupID: null
> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in authorize...
> TokenAuth auditSubjectID unavailable, changing to auditGroupID
> [28/Jul/2015:17:25:50][TP-Processor2]: checkACLS(): ACLEntry
> expressions= group="Enterprise CA Administrators" || group="Enterprise
> KRA Administrators" || group="Enterprise RA Administrators" ||
> group="Enterprise OCSP Administrators" || group="Enterprise TKS
> Administrators"
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluating expressions:
> group="Enterprise CA Administrators" || group="Enterprise KRA
> Administrators" || group="Enterprise RA Administrators" ||
> group="Enterprise OCSP Administrators" || group="Enterprise TKS
> Administrators"
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise CA Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise KRA Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise RA Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise OCSP Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid null
> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression:
> group="Enterprise TKS Administrators" to be false
> [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify]
> authorization failure
> ...
>
> Do you guys know which certificate is the one that's failing and where
> else to look at to fix this problem?
>
> Thanks so much for any help you can provide!
>
> Guillermo
>

Hello!
The problem is in the pki-* packages. The old version that is used with freeipa-3.0 does not have a REST API and the one that is used in freeipa-4.1 does not expect that.
The issue is fixed in pki 10.2.6 but I'm not sure if it is available in CentOS yet.

--
David Kupka

From dewanggaba at xtremenitro.org Wed Jul 29 13:22:16 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Wed, 29 Jul 2015 20:22:16 +0700
Subject: [Freeipa-users] Is there any delay after applied rules to user?
Message-ID: <55B8D388.5090108@xtremenitro.org>

Hello!

I'm using FreeIPA 4.1.x on CentOS 7. Is there any delay after applying some rules to a specified user?

[root@ipa ~]# ipa sudorule-show
Rule name: wheel
  Rule name: Wheel
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Sudo order: 1
  Users: dewangga
  User Groups: wheel
  Sudo Option: !authenticate

On the ipa-client, user `dewangga` is asked for a password when executing the command `sudo -l`:

[dewangga@sherief-repository ~]$ sudo -l
[sudo] password for dewangga:

Here is the `ipa user-show dewangga` result:

$ ipa user-show dewangga
  User login: dewangga
  First name: Dewangga
  Last name: Alam
  Home directory: /home/dewangga
  Login shell: /bin/bash
  Email address: [removed]
  UID: 642000001
  GID: 642000001
  Account disabled: False
  Password: False
  Member of groups: wheel
  Member of Sudo rule: Wheel
  Kerberos keys available: False
  SSH public key fingerprint: [removed] mahaesa-key (ssh-rsa)

Any help is appreciated.

Thanks

From david.dagmore at gmail.com Wed Jul 29 14:11:15 2015
From: david.dagmore at gmail.com (Tom David)
Date: Wed, 29 Jul 2015 10:11:15 -0400
Subject: [Freeipa-users] expired password reset issue
Message-ID:

Hey All,

Apologies in advance for the long email. I am having an issue with password resets via sshd and usermin. I think if I can get the sshd working again the usermin side will fall into place again. This used to work about a week or two ago, but I'm not sure what changed to break it. A new kernel update from RH was applied but even if I boot to the old kernel the issue persists.

Attempts to connect over ssh (or anywhere else allowed by HBAC policy) work great except for users with expired passwords. When the client server tries to reset the password it fails. I was able to get the password change to succeed by setting the sshd to ChallengeResponse yes, which seems very strange to me. Everything was run with setenforce 0 to make sure there were no issues from selinux.

If anyone has any ideas on what I could try as a next step it would be greatly appreciated!

V/r,
David

auth is the freeipa server while webserver is the server acting as the client, both are RHEL6.6

Client Server versions:
ipa-client.x86_64 3.0.0-42.el6
ipa-python.x86_64 3.0.0-42.el6
libipa_hbac.x86_64 1.11.6-30.el6_6.4
libipa_hbac-python.x86_64 1.11.6-30.el6_6.4
python-iniparse.noarch 0.3.1-2.1.el6
sssd-ipa.x86_64 1.11.6-30.el6_6.4

IPA Server versions:
ipa-admintools.x86_64 3.0.0-42.el6
ipa-client.x86_64 3.0.0-42.el6
ipa-pki-ca-theme.noarch 9.0.3-7.el6
ipa-pki-common-theme.noarch 9.0.3-7.el6
ipa-python.x86_64 3.0.0-42.el6
ipa-server.x86_64 3.0.0-42.el6
ipa-server-selinux.x86_64 3.0.0-42.el6
libipa_hbac.x86_64 1.11.6-30.el6_6.4
libipa_hbac-python.x86_64 1.11.6-30.el6_6.4
python-iniparse.noarch 0.3.1-2.1.el6
sssd-ipa.x86_64 1.11.6-30.el6_6.4

My sshd pam file on the client server:
[root@webserver pam.d]# cat sshd | grep -v ^#
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

My password-auth on the client server:
[root@webserver pam.d]# cat password-auth | grep -v ^#
auth required pam_env.so
auth sufficient pam_sss.so
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_unix.so
account required pam_permit.so
password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3 maxrepeat=3
password sufficient pam_sss.so use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
password required pam_deny.so
session optional pam_sss.so
session required pam_unix.so

Attempting to ssh in first with ChallengeResponse set to no, then yes
[root@auth /]# ssh dummy@192.168.1.6
dummy@192.168.1.6's password:
Password expired. Change your password now.
Last login: Wed Jul 29 09:08:13 2015 from auth.mydomain.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user dummy.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
Connection to 192.168.1.6 closed.
[root@auth /]# ssh dummy@192.168.1.6
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Last login: Wed Jul 29 09:11:19 2015 from auth.mydomain.com
[dummy@webserver ~]$

/var/log/secure record of the activity:
Jul 29 09:11:19 webserver sshd[26823]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=auth.mydomain.com user=dummy
Jul 29 09:11:19 webserver sshd[26823]: pam_sss(sshd:auth): received for user dummy: 12 (Authentication token is no longer valid; new one required)
Jul 29 09:11:19 webserver sshd[26823]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Jul 29 09:11:19 webserver sshd[26823]: Accepted password for dummy from 192.168.1.5 port 43656 ssh2
Jul 29 09:11:19 webserver sshd[26823]: pam_unix(sshd:session): session opened for user dummy by (uid=0)
Jul 29 09:11:28 webserver passwd: pam_sss(passwd:chauthtok): Password change failed for user dummy: 15 (Authentication service cannot retrieve user credentials)
Jul 29 09:11:38 webserver passwd: pam_unix(passwd:chauthtok): user "dummy" does not exist in /etc/passwd
Jul 29 09:11:39 webserver sshd[26823]: pam_unix(sshd:session): session closed for user dummy
Jul 29 09:12:01 webserver crond[26836]: pam_unix(crond:session): session opened for user root by (uid=0)
Jul 29 09:12:01 webserver crond[26837]: pam_unix(crond:session): session opened for user root by (uid=0)
Jul 29 09:12:01 webserver CROND[26836]: pam_unix(crond:session): session closed for user root
Jul 29 09:12:01 webserver CROND[26837]: pam_unix(crond:session): session closed for user root
Jul 29 09:12:04 webserver sshd[26784]: Received signal 15; terminating.
Jul 29 09:12:05 webserver sshd[26865]: Server listening on 0.0.0.0 port 22.
Jul 29 09:12:16 webserver sshd[26874]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=auth.mydomain.com user=dummy
Jul 29 09:12:16 webserver sshd[26874]: pam_sss(sshd:auth): received for user dummy: 12 (Authentication token is no longer valid; new one required)
Jul 29 09:12:16 webserver sshd[26874]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Jul 29 09:12:33 webserver sshd[26869]: Accepted keyboard-interactive/pam for dummy from 192.168.1.5 port 43657 ssh2
Jul 29 09:12:34 webserver sshd[26869]: pam_unix(sshd:session): session opened for user dummy by (uid=0)

Log of the activity from /var/log/sssd/sssd_mydomain.com.log with debug_level=6
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=dummy]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=mydomain,dc=com]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=dummy)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mydomain,dc=com].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Save user
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Processing user dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [dummy].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Adding user principal [dummy@mydomain.com] to attributes of [dummy].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Storing info for user dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=mydomain,dc=com].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=employee,cn=groups,cn=accounts,dc=mydomain,dc=com].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipauniqueid=61d77496-1506-11e5-aae7-00505689b3d1,cn=hbac,dc=mydomain,dc=com].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=61d77496-1506-11e5-aae7-00505689b3d1,cn=hbac,dc=mydomain,dc=com, returned 0 results. Skipping
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=sshldapusers,cn=groups,cn=accounts,dc=mydomain,dc=com].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object employee
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object sshldapusers
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=mydomain,dc=com]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=895400028)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=mydomain,dc=com].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_group] (0x0400): Processing group dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_group] (0x0400): Storing info for group dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_grpmem] (0x0400): Processing group dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_save_grpmem] (0x0400): No members for group [dummy]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser:
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: auth.mydomain.com
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27457
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [switch_creds] (0x0200): Switch user to [895400028][895400028].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [switch_creds] (0x0200): Switch user to [0][0].
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server auth.mydomain.com: [192.168.1.5] TTL 86400 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://auth.mydomain.com' (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [switch_creds] (0x0200): Switch user to [895400028][895400028]. (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 12, ) [Success] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [12][mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [12][mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [27462] finished successfully. 
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: auth.mydomain.com (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27457 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_access_send] (0x0400): Performing access check for user [dummy] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [dummy] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=webserver.mydomain.com ))][cn=accounts,dc=mydomain,dc=com]. 
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn= webserver.mydomain.com,cn=computers,cn=accounts,dc=mydomain,dc=com] using OpenLDAP deref (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=webserver.mydomain.com ,cn=computers,cn=accounts,dc=mydomain,dc=com]. (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=mydomain,dc=com][2][(objectClass=ipaHBACService)] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=mydomain,dc=com]. 
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=mydomain,dc=com][2][(objectClass=ipaHBACServiceGroup)] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=mydomain,dc=com]. (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=mydomain,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= webserver.mydomain.com ,cn=computers,cn=accounts,dc=mydomain,dc=com)(memberHost=ipauniqueid=2f86c3d6-145f-11e5-9d77-00505689b3d1,cn=hbac,dc=mydomain,dc=com)(memberHost=ipauniqueid=61d77496-1506-11e5-aae7-00505689b3d1,cn=hbac,dc=mydomain,dc=com)))] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= webserver.mydomain.com ,cn=computers,cn=accounts,dc=mydomain,dc=com)(memberHost=ipauniqueid=2f86c3d6-145f-11e5-9d77-00505689b3d1,cn=hbac,dc=mydomain,dc=com)(memberHost=ipauniqueid=61d77496-1506-11e5-aae7-00505689b3d1,cn=hbac,dc=mydomain,dc=com)))][cn=hbac,dc=mydomain,dc=com]. (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [customer] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [hbac_get_category] (0x0200): Category is set to 'all'. 
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [hbac_get_category] (0x0200): Category is set to 'all'. (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [admins] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [employee] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [hbac_user_attrs_to_rule] (0x0020): [uid=vascan,cn=users,cn=accounts,dc=mydomain,dc=com] does not map to either a user or group. Skipping (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [hbac_get_category] (0x0200): Category is set to 'all'. (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [vascan] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [employee] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=mydomain,dc=com]. (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=mydomain,dc=com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=mydomain,dc=com]. 
(Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: auth.mydomain.com (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27457 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): 
Sending result [0][mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: auth.mydomain.com (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27457 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Sending result [0][mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy (Wed 
Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: auth.mydomain.com (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27463 (Wed Jul 29 09:37:36 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Sending result [0][mydomain.com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=dummy] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=mydomain,dc=com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=dummy)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mydomain,dc=com]. 
(Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Save user (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Processing user dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [dummy]. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Adding user principal [dummy at mydomain.com] to attributes of [dummy]. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Storing info for user dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=mydomain,dc=com]. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=employee,cn=groups,cn=accounts,dc=mydomain,dc=com]. 
(Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipauniqueid=61d77496-1506-11e5-aae7-00505689b3d1,cn=hbac,dc=mydomain,dc=com]. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=61d77496-1506-11e5-aae7-00505689b3d1,cn=hbac,dc=mydomain,dc=com, returned 0 results. Skipping (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=sshldapusers,cn=groups,cn=accounts,dc=mydomain,dc=com]. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object ipausers (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object employee (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object sshldapusers (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=mydomain,dc=com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
[(&(gidNumber=895400028)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=mydomain,dc=com]. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_group] (0x0400): Processing group dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_group] (0x0400): Storing info for group dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_grpmem] (0x0400): Processing group dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [sdap_save_grpmem] (0x0400): No members for group [dummy] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] 
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_CHAUTHTOK_PRELIM (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: passwd (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: pts/1 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27464 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [krb5_auth_send] (0x0100): No ccache file for user [dummy] found. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server auth.mydomain.com: [192.168.1.5] TTL 86400 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [write_pipe_handler] (0x0400): All data has been sent! 
(Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_CHAUTHTOK (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: passwd (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: pts/1 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27464 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [krb5_auth_send] (0x0100): No ccache file for user [dummy] found. 
(Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server auth.mydomain.com: [192.168.1.5] TTL 86400 (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): waitpid did not found a child with changed status. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [27467] finished successfully. (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 15, ) [Success] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [15][mydomain.com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [15][mydomain.com] (Wed Jul 29 09:37:42 2015) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [27468] finished successfully. 
(Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=dummy] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=mydomain,dc=com] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=dummy)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mydomain,dc=com]. (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Save user (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Processing user dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [dummy]. (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Adding user principal [dummy at mydomain.com] to attributes of [dummy]. 
(Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Storing info for user dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=mydomain,dc=com]. (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=employee,cn=groups,cn=accounts,dc=mydomain,dc=com]. (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipauniqueid=61d77496-1506-11e5-aae7-00505689b3d1,cn=hbac,dc=mydomain,dc=com]. (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=61d77496-1506-11e5-aae7-00505689b3d1,cn=hbac,dc=mydomain,dc=com, returned 0 results. Skipping (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=sshldapusers,cn=groups,cn=accounts,dc=mydomain,dc=com]. 
(Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object ipausers (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object employee (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object sshldapusers (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=mydomain,dc=com] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=895400028)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=mydomain,dc=com]. (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. 
[0][Success] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_group] (0x0400): Processing group dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_group] (0x0400): Storing info for group dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_grpmem] (0x0400): Processing group dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [sdap_save_grpmem] (0x0400): No members for group [dummy] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_CLOSE_SESSION (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: auth.mydomain.com (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1 (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27457 (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Sending result [0][mydomain.com] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com] (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: dummy (Wed Jul 29 
09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: auth.mydomain.com (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1 (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 27457 (Wed Jul 29 09:37:53 2015) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Sending result [0][mydomain.com] -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Wed Jul 29 14:32:42 2015 
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 29 Jul 2015 16:32:42 +0200
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <55B8D388.5090108@xtremenitro.org>
References: <55B8D388.5090108@xtremenitro.org>
Message-ID: <55B8E40A.3090409@redhat.com>

On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:
> Hello!
>
> I'm using FreeIPA 4.1.x on CentOS 7, Is there any delay after applied
> some rules to specified user?
>
> [root at ipa ~]# ipa sudorule-show
> Rule name: wheel
> Rule name: Wheel
> Enabled: TRUE
> Host category: all
> Command category: all
> RunAs User category: all
> RunAs Group category: all
> Sudo order: 1
> Users: dewangga
> User Groups: wheel
> Sudo Option: !authenticate
>
>
> On ipa-client, user `dewangga` asking for password when execute command
> `sudo -l`
>
> [dewangga at sherief-repository ~]$ sudo -l
> [sudo] password for dewangga:
>
> Here is `ipa user-show dewangga` result :
>
> $ ipa user-show dewangga
> User login: dewangga
> First name: Dewangga
> Last name: Alam
> Home directory: /home/dewangga
> Login shell: /bin/bash
> Email address: [removed]
> UID: 642000001
> GID: 642000001
> Account disabled: False
> Password: False
> Member of groups: wheel
> Member of Sudo rule: Wheel
> Kerberos keys available: False
> SSH public key fingerprint: [removed] mahaesa-key (ssh-rsa)
>
> Any helps are appreciated.
> Thanks

I suspect that SSSD cache is in play. You can try to remove it ("man sss_cache"
or remove it manually "stop sssd, remove /var/lib/sss/db/* and start sssd again").

From jhrozek at redhat.com Wed Jul 29 14:39:50 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 29 Jul 2015 16:39:50 +0200
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <55B8E40A.3090409@redhat.com>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com>
Message-ID: <20150729143950.GD3188@hendrix.arn.redhat.com>

On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote:
> On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:
> > Hello!
> >
> > I'm using FreeIPA 4.1.x on CentOS 7, Is there any delay after applied
> > some rules to specified user?
> >
> > [root at ipa ~]# ipa sudorule-show
> > Rule name: wheel
> > Rule name: Wheel
> > Enabled: TRUE
> > Host category: all
> > Command category: all
> > RunAs User category: all
> > RunAs Group category: all
> > Sudo order: 1
> > Users: dewangga
> > User Groups: wheel
> > Sudo Option: !authenticate
> >
> >
> > On ipa-client, user `dewangga` asking for password when execute command
> > `sudo -l`
> >
> > [dewangga at sherief-repository ~]$ sudo -l
> > [sudo] password for dewangga:
> >
> > Here is `ipa user-show dewangga` result :
> >
> > $ ipa user-show dewangga
> > User login: dewangga
> > First name: Dewangga
> > Last name: Alam
> > Home directory: /home/dewangga
> > Login shell: /bin/bash
> > Email address: [removed]
> > UID: 642000001
> > GID: 642000001
> > Account disabled: False
> > Password: False
> > Member of groups: wheel
> > Member of Sudo rule: Wheel
> > Kerberos keys available: False
> > SSH public key fingerprint: [removed] mahaesa-key (ssh-rsa)
> >
> > Any helps are appreciated.
> > Thanks
>
> I suspect that SSSD cache is in play. You can try to remove it ("man sss_cache"
> or remove it manually "stop sssd, remove /var/lib/sss/db/* and start sssd again").

I think restarting SSSD should help here. You can read the type of sudo
refreshes sssd does in man sssd-sudo.

If it doesn't, we need sssd logs.

From guillermo.fuentes at modernizingmedicine.com Wed Jul 29 14:52:55 2015
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes) Date: Wed, 29 Jul 2015 10:52:55 -0400 Subject: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1) In-Reply-To: <55B8D18C.8030906@redhat.com> References: <55B8D18C.8030906@redhat.com> Message-ID: Thanks so much for the info David! We're using the latest version available via EPEL, which is 10.1.2. List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary would be fine. Or, if it isn't available, where can I start contributing to the port of pki 10.2.6 to CentOS 7? Thanks! Guillermo On Wed, Jul 29, 2015 at 9:13 AM, David Kupka wrote: > On 29/07/15 01:47, Guillermo Fuentes wrote: >> >> Hi all, >> >> We're also trying to migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1). >> >> Starting with FreeIPA 3.0 and to avoid the SSL certificate warning >> when accessing the GUI, we installed a 3rd part certificate for https: >> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP >> >> >> We're ready to migrate to FreeIPA 4.1 and we already have two 4.1 >> replicas but we're having problems cloning the CA from the 3.0 master. 
>> >> This is our current environment: >> master1 and master2: >> CentOS 6.6 (up to date) >> ipa-admintools-3.0.0-42.el6.centos.x86_64 >> ipa-server-3.0.0-42.el6.centos.x86_64 >> python-iniparse-0.3.1-2.1.el6.noarch >> ipa-pki-common-theme-9.0.3-7.el6.noarch >> libipa_hbac-1.11.6-30.el6_6.4.x86_64 >> device-mapper-multipath-0.4.9-80.el6_6.3.x86_64 >> ipa-client-3.0.0-42.el6.centos.x86_64 >> ipa-server-selinux-3.0.0-42.el6.centos.x86_64 >> ipa-python-3.0.0-42.el6.centos.x86_64 >> ipa-pki-ca-theme-9.0.3-7.el6.noarch >> sssd-ipa-1.11.6-30.el6_6.4.x86_64 >> pki-selinux-9.0.3-39.el6_6.noarch >> pki-common-9.0.3-39.el6_6.noarch >> pki-native-tools-9.0.3-39.el6_6.x86_64 >> pki-setup-9.0.3-39.el6_6.noarch >> pki-util-9.0.3-39.el6_6.noarch >> pki-symkey-9.0.3-39.el6_6.x86_64 >> pki-ca-9.0.3-39.el6_6.noarch >> pki-java-tools-9.0.3-39.el6_6.noarch >> ipa-pki-ca-theme-9.0.3-7.el6.noarch >> pki-silent-9.0.3-39.el6_6.noarch >> >> >> replica1 and replica2: >> CentOS 7.1 (up to date) >> ipa-client-4.1.0-18.el7.centos.3.x86_64 >> libipa_hbac-python-1.12.2-58.el7_1.6.x86_64 >> sssd-ipa-1.12.2-58.el7_1.6.x86_64 >> python-iniparse-0.4-9.el7.noarch >> ipa-admintools-4.1.0-18.el7.centos.3.x86_64 >> ipa-server-4.1.0-18.el7.centos.3.x86_64 >> ipa-python-4.1.0-18.el7.centos.3.x86_64 >> libipa_hbac-1.12.2-58.el7_1.6.x86_64 >> pki-server-10.1.2-7.el7.noarch >> krb5-pkinit-1.12.2-14.el7.x86_64 >> pki-base-10.1.2-7.el7.noarch >> pki-ca-10.1.2-7.el7.noarch >> pki-symkey-10.1.2-7.el7.x86_64 >> pki-tools-10.1.2-7.el7.x86_64 >> >> >> # ipa-replica-manage list >> master1.example.com: master >> master2.example.com: master >> replica1.example.com: master >> replica2.example.com.com: master >> >> # ipa-csreplica-manage list >> Directory Manager password: >> >> replica1.example.com: CA not configured >> master1.example.com: master >> master2.example.com: master >> replica2.example.com: CA not configured >> >> >> When trying to install the CA on replica1 to do the migration: >> ipa-ca-install 
--skip-conncheck --skip-schema-check >> /var/lib/ipa/replica-info-replica1.example.com.gpg >> >> we're getting the following error in the >> /var/log/ipareplica-ca-install.log file: >> ... >> 2015-07-28T21:25:14Z DEBUG Saving StateFile to >> '/var/lib/ipa/sysrestore/sysrestore.state' >> 2015-07-28T21:25:14Z DEBUG Starting external process >> 2015-07-28T21:25:14Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' >> '/tmp/tmp2ON_ql' >> 2015-07-28T21:25:51Z DEBUG Process finished, return code=1 >> 2015-07-28T21:25:51Z DEBUG stdout=Loading deployment configuration >> from /tmp/tmp2ON_ql. >> Installing CA into /var/lib/pki/pki-tomcat. >> Storing deployment configuration into >> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. >> >> Installation failed. >> >> >> 2015-07-28T21:25:51Z DEBUG >> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:771: >> InsecureRequestWarning: Unverified HTTPS request is being made. Adding >> certificate verification is strongly advised. See: >> https://urllib3.readthedocs.org/en/latest/security.html >> >> InsecureRequestWarning) >> pkispawn : WARNING ....... unable to validate security domain >> user/password through REST interface. Interface not available >> pkispawn : ERROR ....... 
Exception from Java Configuration >> Servlet: Failed to obtain configuration entries from the master for >> cloning java.io.IOException: Error: Not authorized >> >> 2015-07-28T21:25:51Z CRITICAL failed to configure ca instance Command >> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp2ON_ql'' returned >> non-zero exit status 1 >> 2015-07-28T21:25:51Z DEBUG Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 382, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 372, in run_step >> method() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 673, in __spawn_instance >> raise RuntimeError('Configuration of CA failed') >> RuntimeError: Configuration of CA failed >> ... >> >> >>> From /var/log/pki/pki-ca-spawn.20150728172515.log: >> >> ... >> 2015-07-28 17:25:16 pkispawn : INFO ....... executing 'certutil >> -N -d /tmp/tmp-eUbMVB -f /root/.dogtag/pki-tomcat/ca/password.conf' >> 2015-07-28 17:25:16 pkispawn : INFO ....... executing >> 'systemctl daemon-reload' >> 2015-07-28 17:25:16 pkispawn : INFO ....... executing >> 'systemctl start pki-tomcatd at pki-tomcat.service' >> 2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection - >> server may still be down >> 2015-07-28 17:25:16 pkispawn : DEBUG ........... No connection - >> exception thrown: ('Connection aborted.', error(111, 'Connection >> refused')) >> 2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection - >> server may still be down >> 2015-07-28 17:25:17 pkispawn : DEBUG ........... No connection - >> exception thrown: ('Connection aborted.', error(111, 'Connection >> refused')) >> 2015-07-28 17:25:18 pkispawn : DEBUG ........... No connection - >> server may still be down >> 2015-07-28 17:25:18 pkispawn : DEBUG ........... 
No connection - >> exception thrown: ('Connection aborted.', error(111, 'Connection >> refused')) >> 2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection - >> server may still be down >> 2015-07-28 17:25:19 pkispawn : DEBUG ........... No connection - >> exception thrown: ('Connection aborted.', error(111, 'Connection >> refused')) >> 2015-07-28 17:25:46 pkispawn : DEBUG ........... > version="1.0" encoding="UTF-8" >> >> standalone="no"?>0CArunning10.1.2-7.el7 >> 2015-07-28 17:25:47 pkispawn : INFO ....... constructing PKI >> configuration data. >> 2015-07-28 17:25:47 pkispawn : INFO ....... configuring PKI >> configuration data. >> 2015-07-28 17:25:51 pkispawn : ERROR ....... Exception from Java >> Configuration Servlet: Failed to obtain configuration entries from the >> master for cloning java.io.IOException: Error: Not authorized >> 2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Type: HTTPError >> 2015-07-28 17:25:51 pkispawn : DEBUG ....... Error Message: 500 >> Server Error: Internal Server Error >> 2015-07-28 17:25:51 pkispawn : DEBUG ....... File >> "/usr/sbin/pkispawn", line 463, in main >> rv = instance.spawn(deployer) >> File >> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", >> line 126, in spawn >> json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) >> File >> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", >> line 3211, in configure_pki_data >> response = client.configure(data) >> File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in >> configure >> r = self.connection.post('/rest/installer/configure', data, headers) >> File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post >> r.raise_for_status() >> File "/usr/lib/python2.7/site-packages/requests/models.py", line >> 834, in raise_for_status >> raise HTTPError(http_error_msg, response=self) >> ... >> >>> From /var/log/pki/pki-tomcat/ca/debug: >> >> ... 
>> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: SystemConfigService(): >> configure() called >> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: ConfigurationRequest >> [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, >> securityDomainType=existingdomain, >> securityDomainUri=https://master1.example.com:443, >> securityDomainName=null, securityDomainUser=admin, >> securityDomainPassword=XXXX, isClone=true, >> cloneUri=https://master1.example.com:443, subsystemName=CA >> replica1.example.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX, >> hierarchy=root, dsHost=replica1.example.com, dsPort=389, >> baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, >> database=ipaca, secureConn=false, removeData=true, >> replicateSchema=False, masterReplicationPort=7389, >> cloneReplicationPort=389, replicationSecurity=TLS, >> systemCerts=[com.netscape.certsrv.system.SystemCertData at ac5b61d], >> issuingCA=https://master1.example.com:443, backupKeys=true, >> backupPassword=XXXX, >> backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, >> adminUID=null, adminPassword=XXXX, adminEmail=null, >> adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, >> adminName=null, adminProfileID=null, adminCert=null, >> importAdminCert=false, generateServerCert=true, standAlone=false, >> stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, >> authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, >> enableServerSideKeyGen=null, importSharedSecret=null] >> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Token Panel === >> [28/Jul/2015:17:56:25][http-bio-8443-exec-3]: === Security Domain Panel >> === >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML start >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: status=0 >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: getDomainXML: >> domainInfo=> >> 
standalone="no"?>IPAmaster1.example.com44344344344380FALSEpki-cadTRUEmaster2.example.com44344344380443TRUETRUEpki-cad200000 > ou! >> >> nt> >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len is 2 >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: hostname: >> >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: admin_port: <443> >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: === Subsystem Panel === >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: len: 2 >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_host master1.example.com >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: v_port 443 >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: http >> content=type=request&xmlOutput=true&sessionID=4266586385374846691 >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange start >> host=master1.example.com adminPort=443 eePort=443 >> >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: >> content is null. >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: >> Failed to contact master using admin portjava.io.IOException: The >> server you want to contact is not available >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange: >> Attempting to contact master using EE port >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: content from ee >> interface => standalone="no"?>1Error: Not >> authorized >> [28/Jul/2015:17:56:27][http-bio-8443-exec-3]: updateNumberRange(): >> status=1 >> ... >> >> >> >> Related logs from master1 (/var/log/pki-ca/debug): >> ... >> [28/Jul/2015:17:25:50][TP-Processor2]: according to ccMode, >> authorization for servlet: caUpdateNumberRange is LDAP based, not XML >> {1}, use default authz mgr: {2}. >> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: done >> initializing... 
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri = >> /ca/ee/ca/updateNumberRange >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param >> name='type' value='request' >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param >> name='xmlOutput' value='true' >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet::service() param >> name='sessionID' value='-5799572006108726179' >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: caUpdateNumberRange >> start to service. >> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange: processing... >> [28/Jul/2015:17:25:50][TP-Processor2]: UpdateNumberRange process: >> authentication starts >> [28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45 >> [28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate >> found >> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: start >> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication: >> content=sessionID=-5799572006108726179&hostname=10.10.2.45 >> [28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication >> authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: >> SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been >> marked as not trusted by the user. 
>> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID >> auditContext {locale=en_US, ipAddress=10.10.2.45, >> authManagerId=TokenAuth} >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID: >> subjectID: null >> [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: >> create() >> message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth] >> authentication success >> >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditSubjectID >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditSubjectID >> auditContext {locale=en_US, ipAddress=10.10.2.45, >> authManagerId=TokenAuth} >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditSubjectID: >> subjectID: null >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in auditGroupID >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: auditGroupID >> auditContext {locale=en_US, ipAddress=10.10.2.45, >> authManagerId=TokenAuth} >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet auditGroupID: groupID: >> null >> [28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: in authorize... 
>> TokenAuth auditSubjectID unavailable, changing to auditGroupID >> [28/Jul/2015:17:25:50][TP-Processor2]: checkACLS(): ACLEntry >> expressions= group="Enterprise CA Administrators" || group="Enterprise >> KRA Administrators" || group="Enterprise RA Administrators" || >> group="Enterprise OCSP Administrators" || group="Enterprise TKS >> Administrators" >> [28/Jul/2015:17:25:50][TP-Processor2]: evaluating expressions: >> group="Enterprise CA Administrators" || group="Enterprise KRA >> Administrators" || group="Enterprise RA Administrators" || >> group="Enterprise OCSP Administrators" || group="Enterprise TKS >> Administrators" >> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid >> null >> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: >> group="Enterprise CA Administrators" to be false >> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid >> null >> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: >> group="Enterprise KRA Administrators" to be false >> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid >> null >> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: >> group="Enterprise RA Administrators" to be false >> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid >> null >> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: >> group="Enterprise OCSP Administrators" to be false >> [28/Jul/2015:17:25:50][TP-Processor2]: GroupAccessEvaluator: evaluate: uid >> null >> [28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: >> group="Enterprise TKS Administrators" to be false >> [28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: >> create() >> message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify] >> authorization failure >> ... 
>> >> Do you guys know which certificate is the one that's failing and where >> else to look at to fix this problem? >> >> Thanks so much for any help you can provide! >> >> Guillermo >> > > Hello! > > The problem is in pki-* packages. The old version that is used with > freeipa-3.0 does not have REST API and the one that is used in freeipa-4.1 > does not expect that. > The issue is fixed in pki 10.2.6 but I'm not sure if it is available in > CentOS, yet. > > > -- > David Kupka > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Guillermo Fuentes Rodriguez Computer Systems Analyst (561) 880-2998 x1337 guillermo.fuentes at modmed.com From dewanggaba at xtremenitro.org Wed Jul 29 15:03:14 2015 
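The master-side excerpt from /var/log/pki-ca/debug quoted in the message above can be reduced to its authentication and authorization facts mechanically. The following is an added example, not part of the thread and not Dogtag or FreeIPA code; the function names are hypothetical, and the sample lines are rejoined from the wrapped quote and abridged.

```python
import re
from collections import OrderedDict

# Lines rejoined from the wrapped, quoted excerpt of /var/log/pki-ca/debug in
# the message above (abridged to one request handled by one worker thread).
SAMPLE_LOG = """\
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet:service() uri = /ca/ee/ca/updateNumberRange
[28/Jul/2015:17:25:50][TP-Processor2]: IP: 10.10.2.45
[28/Jul/2015:17:25:50][TP-Processor2]: AuthMgrName: TokenAuth
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: no client certificate found
[28/Jul/2015:17:25:50][TP-Processor2]: TokenAuthentication authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user.
[28/Jul/2015:17:25:50][TP-Processor2]: CMSServlet: userid=null
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][AuthMgr=TokenAuth] authentication success
[28/Jul/2015:17:25:50][TP-Processor2]: evaluated expression: group="Enterprise CA Administrators" to be false
[28/Jul/2015:17:25:50][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=certServer.clone.configuration.UpdateNumberRange][Op=modify] authorization failure
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")
AUDIT_FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")
NSS_CODE_RE = re.compile(r"\((-\d+)\)")


def parse(log_text):
    """Group debug-log messages by worker thread, preserving order."""
    threads = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # skip wrapped continuations and unrelated lines
            threads.setdefault(m.group("thread"), []).append(m.group("msg"))
    return threads


def summarize(messages):
    """Reduce one thread's messages to the authn/authz facts and findings."""
    s = {"uri": None, "client_ip": None, "auth_mgr": None, "userid": None,
         "exceptions": [], "nss_errors": [], "audit": [], "findings": []}
    for msg in messages:
        if "uri =" in msg:
            s["uri"] = msg.split("uri =", 1)[1].strip()
        elif msg.startswith("IP:"):
            s["client_ip"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("AuthMgrName:"):
            s["auth_mgr"] = msg.split(":", 1)[1].strip()
        elif "userid=" in msg:
            s["userid"] = msg.split("userid=", 1)[1].strip()
        elif "Exception=" in msg:
            exc = msg.split("Exception=", 1)[1].strip()
            s["exceptions"].append(exc)
            # NSS/JSS error codes appear as a negative number in parentheses
            s["nss_errors"] += [int(c) for c in NSS_CODE_RE.findall(exc)]
        elif "AuditEvent=" in msg:
            s["audit"].append(dict(AUDIT_FIELD_RE.findall(msg)))

    events = [a.get("AuditEvent") for a in s["audit"]]
    if s["exceptions"]:
        s["findings"].append("authentication backend raised: " + s["exceptions"][0])
    if "AUTH_SUCCESS" in events and s["userid"] in (None, "null"):
        s["findings"].append("AUTH_SUCCESS was audited although no userid was resolved")
    for a in s["audit"]:
        if a.get("AuditEvent") == "AUTHZ_FAIL":
            s["findings"].append("authorization denied: %s on %s"
                                 % (a.get("Op"), a.get("aclResource")))
    return s


if __name__ == "__main__":
    for thread, messages in parse(SAMPLE_LOG).items():
        result = summarize(messages)
        print(thread, result["uri"], "from", result["client_ip"])
        for finding in result["findings"]:
            print("  -", finding)
```

On the quoted excerpt this yields three findings for the request from 10.10.2.45: the SSL trust exception (-8172) raised during the TokenAuth call, an AUTH_SUCCESS audit record with no resolved user, and the AUTHZ_FAIL on certServer.clone.configuration.UpdateNumberRange.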
From: dewanggaba at xtremenitro.org (Dewangga)
Date: Wed, 29 Jul 2015 22:03:14 +0700
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <20150729143950.GD3188@hendrix.arn.redhat.com>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com>
Message-ID: <55B8EB32.8040507@xtremenitro.org>

Hello!

Thanks for the hints, both of you; yes, the sssd_cache is in play.
I've set the cache to false; does it have any impact on the ipa
server/client (performance, security or another issue)?

On 7/29/2015 21:39, Jakub Hrozek wrote:
> On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote:
>> On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I'm using FreeIPA 4.1.x on CentOS 7, Is there any delay after
>>> applied some rules to specified user?
>>>
>>> [root at ipa ~]# ipa sudorule-show Rule name: wheel Rule name:
>>> Wheel Enabled: TRUE Host category: all Command category: all
>>> RunAs User category: all RunAs Group category: all Sudo order:
>>> 1 Users: dewangga User Groups: wheel Sudo Option:
>>> !authenticate
>>>
>>>
>>> On ipa-client, user `dewangga` asking for password when
>>> execute command `sudo -l`
>>>
>>> [dewangga at sherief-repository ~]$ sudo -l [sudo] password for
>>> dewangga:
>>>
>>> Here is `ipa user-show dewangga` result :
>>>
>>> $ ipa user-show dewangga User login: dewangga First name:
>>> Dewangga Last name: Alam Home directory: /home/dewangga Login
>>> shell: /bin/bash Email address: [removed] UID: 642000001 GID:
>>> 642000001 Account disabled: False Password: False Member of
>>> groups: wheel Member of Sudo rule: Wheel Kerberos keys
>>> available: False SSH public key fingerprint: [removed]
>>> mahaesa-key (ssh-rsa)
>>>
>>> Any helps are appreciated. Thanks
>>
>> I suspect that SSSD cache is in play. You can try to remove it
>> ("man sss_cache" or remove it manually "stop sssd, remove
>> /var/lib/sss/db/* and start sssd again").
>
> I think restarting SSSD should help here. You can read the type of
> sudo refreshes sssd does in man sssd-sudo.
>
> If it doesn't, we need sssd logs.
>

From lslebodn at redhat.com Wed Jul 29 15:25:15 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 29 Jul 2015 17:25:15 +0200
Subject: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To:
References: <55B8D18C.8030906@redhat.com>
Message-ID: <20150729152515.GJ7324@mail.corp.redhat.com>

On (29/07/15 10:52), Guillermo Fuentes wrote:
>Thanks so much for the info David!
>We're using the latest version available via EPEL, which is 10.1.2.
>
pki-core is not available in epel7
https://admin.fedoraproject.org/pkgdb/package/pki-core/

So you have the latest version from base CentOS 7.1.
CentOS rebuilds rhel packages. So you will need to wait for CentOS 7.2
for the update.

>List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary
>would be fine. Or, if it isn't available, where can I start
>contributing to the port of pki 10.2.6 to CentOS 7?
You might try to backport pki-core from Fedora.
Good luck.

LS

From christoph.kaminski at biotronik.com Wed Jul 29 16:08:23 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Wed, 29 Jul 2015 18:08:23 +0200
Subject: [Freeipa-users] AUTO: Christoph Kaminski is out of the office (returning on 03.08.2015)
Message-ID:

I will return on 03.08.2015.

Note: This is an automatic reply to your message "Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)", sent on 29.07.2015 17:25:15.

This is the only notification you will receive while this person is away.

From dewanggaba at xtremenitro.org Wed Jul 29 22:18:33 2015
From: dewanggaba at xtremenitro.org (Dewangga)
Date: Thu, 30 Jul 2015 05:18:33 +0700
Subject: [Freeipa-users] ipa-dnskeysyncd exited on failure state
Message-ID: <55B95139.7070304@xtremenitro.org>

Hello!

I got many error messages from ipa-dnskeysyncd. Here is the snippet from syslog: http://fpaste.org/249594/20746714/raw

Is it normal? I just restart the ipa server and it's going back to normal again, but the error comes at random times. Any debug log for this? I assume the error appears when I update to 4.1.4 from 4.1.0.

IPA Environment:
$ uname -a
Linux ipa.mydomain.co.id 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ ipa --version
VERSION: 4.1.4, API_VERSION: 2.114

[1] Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1229430

From mkosek at redhat.com Thu Jul 30 06:39:22 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 30 Jul 2015 08:39:22 +0200
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <55B8EB32.8040507@xtremenitro.org>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org>
Message-ID: <55B9C69A.1050500@redhat.com>

On 07/29/2015 05:03 PM, Dewangga wrote:
> Hello!
>
> Thanks for the hints both of you, yes the sssd_cache is in play.

Good!

> I've set the cache to false, is it have any impact to ipa
> server/client (performance, security or another issue)?

Disabling cache for testing is fine, it is not that fine for production
environment. Without cache enabled, SSSD would always ask server so it would
have performance impact, yes.

It should not be visible with couple clients, but once you work with big
network, it will.

> On 7/29/2015 21:39, Jakub Hrozek wrote:
>> On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote:
>>> On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm using FreeIPA 4.1.x on CentOS 7, Is there any delay after
>>>> applied some rules to specified user?
>>>>
>>>> [root@ipa ~]# ipa sudorule-show Rule name: wheel Rule name:
>>>> Wheel Enabled: TRUE Host category: all Command category: all
>>>> RunAs User category: all RunAs Group category: all Sudo order:
>>>> 1 Users: dewangga User Groups: wheel Sudo Option:
>>>> !authenticate
>>>>
>>>>
>>>> On ipa-client, user `dewangga` asking for password when
>>>> execute command `sudo -l`
>>>>
>>>> [dewangga@sherief-repository ~]$ sudo -l [sudo] password for
>>>> dewangga:
>>>>
>>>> Here is `ipa user-show dewangga` result :
>>>>
>>>> $ ipa user-show dewangga User login: dewangga First name:
>>>> Dewangga Last name: Alam Home directory: /home/dewangga Login
>>>> shell: /bin/bash Email address: [removed] UID: 642000001 GID:
>>>> 642000001 Account disabled: False Password: False Member of
>>>> groups: wheel Member of Sudo rule: Wheel Kerberos keys
>>>> available: False SSH public key fingerprint: [removed]
>>>> mahaesa-key (ssh-rsa)
>>>>
>>>> Any helps are appreciated. Thanks
>>>
>>> I suspect that SSSD cache is in play. You can try to remove it
>>> ("man sss_cache" or remove it manually "stop sssd, remove
>>> /var/lib/sss/db/* and start sssd again").
>>
>> I think restarting SSSD should help here. You can read the type of
>> sudo refreshes sssd does in man sssd-sudo.
>>
>> If it doesn't, we need sssd logs.
>>

From dewanggaba at xtremenitro.org Thu Jul 30 07:02:24 2015
From: dewanggaba at xtremenitro.org (NitrouZ)
Date: Thu, 30 Jul 2015 14:02:24 +0700
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <55B9C69A.1050500@redhat.com>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org> <55B9C69A.1050500@redhat.com>
Message-ID:

Thanks Martin,

Yes, it is for testing only, when the ipa server ready for production, I
will enable the cache. Once again, thank you.

On Thursday, July 30, 2015, Martin Kosek wrote:

> On 07/29/2015 05:03 PM, Dewangga wrote:
>
>> Hello!
>>
>> Thanks for the hints both of you, yes the sssd_cache is in play.
>>
>
> Good!
>
> I've set the cache to false, is it have any impact to ipa
>> server/client (performance, security or another issue)?
>>
>
> Disabling cache for testing is fine, it is not that fine for production
> environment. Without cache enabled, SSSD would always ask server so it
> would have performance impact, yes.
>
> It should not be visible with couple clients, but once you work with big
> network, it will.
>
> On 7/29/2015 21:39, Jakub Hrozek wrote:
>>
>>> On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote:
>>>
>>>> On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> I'm using FreeIPA 4.1.x on CentOS 7, Is there any delay after
>>>>> applied some rules to specified user?
>>>>>
>>>>> [root@ipa ~]# ipa sudorule-show Rule name: wheel Rule name:
>>>>> Wheel Enabled: TRUE Host category: all Command category: all
>>>>> RunAs User category: all RunAs Group category: all Sudo order:
>>>>> 1 Users: dewangga User Groups: wheel Sudo Option:
>>>>> !authenticate
>>>>>
>>>>>
>>>>> On ipa-client, user `dewangga` asking for password when
>>>>> execute command `sudo -l`
>>>>>
>>>>> [dewangga@sherief-repository ~]$ sudo -l [sudo] password for
>>>>> dewangga:
>>>>>
>>>>> Here is `ipa user-show dewangga` result :
>>>>>
>>>>> $ ipa user-show dewangga User login: dewangga First name:
>>>>> Dewangga Last name: Alam Home directory: /home/dewangga Login
>>>>> shell: /bin/bash Email address: [removed] UID: 642000001 GID:
>>>>> 642000001 Account disabled: False Password: False Member of
>>>>> groups: wheel Member of Sudo rule: Wheel Kerberos keys
>>>>> available: False SSH public key fingerprint: [removed]
>>>>> mahaesa-key (ssh-rsa)
>>>>>
>>>>> Any helps are appreciated. Thanks
>>>>>
>>>>
>>>> I suspect that SSSD cache is in play. You can try to remove it
>>>> ("man sss_cache" or remove it manually "stop sssd, remove
>>>> /var/lib/sss/db/* and start sssd again").
>>>>
>>>
>>> I think restarting SSSD should help here. You can read the type of
>>> sudo refreshes sssd does in man sssd-sudo.
>>>
>>> If it doesn't, we need sssd logs.
>>>

--
Sent from iDewangga Device

From mbasti at redhat.com Thu Jul 30 07:14:30 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jul 2015 09:14:30 +0200
Subject: [Freeipa-users] ipa-dnskeysyncd exited on failure state
In-Reply-To: <55B95139.7070304@xtremenitro.org>
References: <55B95139.7070304@xtremenitro.org>
Message-ID: <55B9CED6.2000109@redhat.com>

On 30/07/15 00:18, Dewangga wrote:
> Hello!
>
> I got many error message from ipa-dnskeysyncd. Here is the snippet
> from syslog http://fpaste.org/249594/20746714/raw
>
> Is it normal? I just restart the ipa server and its going back to
> normal again, but it come error on random times. Any debug log for this?
>
> I assume the error appears when I update to 4.1.4 from 4.1.0.
>
> IPA Environment:
> $ uname -a
> Linux ipa.mydomain.co.id 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23
> 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> $ ipa --version
> VERSION: 4.1.4, API_VERSION: 2.114
>
> [1] Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1229430
>

Hello,

all logs from ipa-dnskeysyncd are stored in journalctl -u ipa-dnskeysyncd

This error, or LDAP error may appear during restart, but it should not be
often.

Is your KDC working well?

If you do not use DNSSEC you may safely ignore this error.

--
Martin Basti

From jhrozek at redhat.com Thu Jul 30 07:18:13 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Jul 2015 09:18:13 +0200
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <55B8EB32.8040507@xtremenitro.org>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org>
Message-ID: <20150730071813.GI32525@hendrix.redhat.com>

On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
> Hello!
>
> Thanks for the hints both of you, yes the sssd_cache is in play.
> I've set the cache to false, is it have any impact to ipa
> server/client (performance, security or another issue)?

How exactly did you 'disable' the cache? The sssd cache can't be
disabled, it can either be removed manually or the cache lifetime can be
set short..

From dewanggaba at xtremenitro.org Thu Jul 30 07:24:31 2015
From: dewanggaba at xtremenitro.org (NitrouZ)
Date: Thu, 30 Jul 2015 14:24:31 +0700
Subject: [Freeipa-users] ipa-dnskeysyncd exited on failure state
In-Reply-To: <55B9CED6.2000109@redhat.com>
References: <55B95139.7070304@xtremenitro.org> <55B9CED6.2000109@redhat.com>
Message-ID:

Hello!

Yes my KDC working well and all function are OK. Just curious about this
error. And currently I'm not using dnssec.

Thanks

On Thursday, July 30, 2015, Martin Basti wrote:

> On 30/07/15 00:18, Dewangga wrote:
>
>> Hello!
>>
>> I got many error message from ipa-dnskeysyncd. Here is the snippet
>> from syslog http://fpaste.org/249594/20746714/raw
>>
>> Is it normal? I just restart the ipa server and its going back to
>> normal again, but it come error on random times. Any debug log for this?
>>
>> I assume the error appears when I update to 4.1.4 from 4.1.0.
>>
>> IPA Environment:
>> $ uname -a
>> Linux ipa.mydomain.co.id 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23
>> 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>> $ ipa --version
>> VERSION: 4.1.4, API_VERSION: 2.114
>>
>> [1] Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1229430
>>
>> Hello,
>
> all logs from ipa-dnskeysyncd are stored in journalctl -u ipa-dnskeysyncd
>
> This error, or LDAP error may appear during restart, but it should not be
> often.
>
> Is your KDC working well?
>
> If you do not use DNSSEC you may safely ignore this error.
>
> --
> Martin Basti
>

--
Sent from iDewangga Device

From root at xtremenitro.org Thu Jul 30 07:26:03 2015
From: root at xtremenitro.org (NitrouZ)
Date: Thu, 30 Jul 2015 14:26:03 +0700
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <20150730071813.GI32525@hendrix.redhat.com>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org> <20150730071813.GI32525@hendrix.redhat.com>
Message-ID:

Hello!

I set the cache value to False on sssd.conf. (On IPA server and client).

On Thursday, July 30, 2015, Jakub Hrozek wrote:

> On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
> > Hello!
> >
> > Thanks for the hints both of you, yes the sssd_cache is in play.
> > I've set the cache to false, is it have any impact to ipa
> > server/client (performance, security or another issue)?
>
> How exactly did you 'disable' the cache? The sssd cache can't be
> disabled, it can either be removed manually or the cache lifetime can be
> set short..
>

--
Sent from iDewangga Device

From jhrozek at redhat.com Thu Jul 30 07:33:30 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Jul 2015 09:33:30 +0200
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To:
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org> <20150730071813.GI32525@hendrix.redhat.com>
Message-ID: <20150730073330.GJ32525@hendrix.redhat.com>

On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
> Hello!
>
> I set the cache value to False on sssd.conf. (On IPA server and client).

Can you show me the exact config directive you used?

>
> On Thursday, July 30, 2015, Jakub Hrozek wrote:
>
> > On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
> > > Hello!
> > >
> > > Thanks for the hints both of you, yes the sssd_cache is in play.
> > > I've set the cache to false, is it have any impact to ipa
> > > server/client (performance, security or another issue)?
> >
> > How exactly did you 'disable' the cache? The sssd cache can't be
> > disabled, it can either be removed manually or the cache lifetime can be
> > set short..
> >
>
>
> --
> Sent from iDewangga Device

From dewanggaba at xtremenitro.org Thu Jul 30 12:09:47 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Thu, 30 Jul 2015 19:09:47 +0700
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <20150730073330.GJ32525@hendrix.redhat.com>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org> <20150730071813.GI32525@hendrix.redhat.com> <20150730073330.GJ32525@hendrix.redhat.com>
Message-ID: <55BA140B.4080400@xtremenitro.org>

Hello Jakub!

Sorry for delayed email,
My bad, I disabled cache_credentials, not sssd_cache.

I tried modified my user `dewangga` to remove sudo rules, the cache
still active even I restart the sssd service and delete all ccache* files.

There's no information on sssd log folder.

-rw-------. 1 root root 0 Jul 29 19:26 krb5_child.log
-rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
-rw-------. 1 root root 0 Jul 29 19:26 sssd.log
-rw-------. 1 root root 0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
-rw-------. 1 root root 0 Jul 29 19:26 sssd_nss.log
-rw-------. 1 root root 0 Jul 29 19:26 sssd_pac.log
-rw-------. 1 root root 0 Jul 29 19:26 sssd_pam.log
-rw-------. 1 root root 0 Jul 29 19:26 sssd_ssh.log
-rw-------. 1 root root 0 Jul 29 19:26 sssd_sudo.log

On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
> On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
>> Hello!
>>
>> I set the cache value to False on sssd.conf. (On IPA server and client).
>
> Can you show me the exact config directive you used?
>
>>
>> On Thursday, July 30, 2015, Jakub Hrozek wrote:
>>
>>> On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
>>>> Hello!
>>>>
>>>> Thanks for the hints both of you, yes the sssd_cache is in play.
>>>> I've set the cache to false, is it have any impact to ipa
>>>> server/client (performance, security or another issue)?
>>>
>>> How exactly did you 'disable' the cache? The sssd cache can't be
>>> disabled, it can either be removed manually or the cache lifetime can be
>>> set short..
>>>
>>
>>
>> --
>> Sent from iDewangga Device

From guillermo.fuentes at modernizingmedicine.com Thu Jul 30 12:39:30 2015
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes)
Date: Thu, 30 Jul 2015 08:39:30 -0400
Subject: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To: <20150729152515.GJ7324@mail.corp.redhat.com>
References: <55B8D18C.8030906@redhat.com> <20150729152515.GJ7324@mail.corp.redhat.com>
Message-ID:

On Wed, Jul 29, 2015 at 11:25 AM, Lukas Slebodnik wrote:
> On (29/07/15 10:52), Guillermo Fuentes wrote:
>>Thanks so much for the info David!
>>We're using the latest version available via EPEL, which is 10.1.2.
>>
> pki-core is not available in epel7
> https://admin.fedoraproject.org/pkgdb/package/pki-core/
>
> So you have the latest version from base CentOS 7.1
> CentOS rebuild rhel packages. So you will need
> to wait for CentOS 7.2 for update.

Thanks for clarifying this.

>
>>List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary
>>would be fine. Or, if it isn't available, where can I start
>>contributing to the port of pki 10.2.6 to CentOS 7?
>
> You might try to backport pki-core from Fedora.
> Good luck.
>
> LS

Best,
Guillermo

From jhrozek at redhat.com Thu Jul 30 13:54:51 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Jul 2015 15:54:51 +0200
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <55BA140B.4080400@xtremenitro.org>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org> <20150730071813.GI32525@hendrix.redhat.com> <20150730073330.GJ32525@hendrix.redhat.com> <55BA140B.4080400@xtremenitro.org>
Message-ID: <20150730135451.GO32525@hendrix.redhat.com>

On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote:
> Hello Jakub!
>
> Sorry for delayed email,
> My bad, I disabled cache_credentials, not sssd_cache.

Then I think it's completely unrelated to the sudo rules problem.

>
> I tried modified my user `dewangga` to remove sudo rules, the cache
> still active even I restart the sssd service and delete all ccache* files.

Yes, cache can't be completely disabled with sssd. See:
https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

>
> There's no information on sssd log folder.
>
> -rw-------. 1 root root 0 Jul 29 19:26 krb5_child.log
> -rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
> -rw-------. 1 root root 0 Jul 29 19:26 sssd.log
> -rw-------. 1 root root 0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
> -rw-------. 1 root root 0 Jul 29 19:26 sssd_nss.log
> -rw-------. 1 root root 0 Jul 29 19:26 sssd_pac.log
> -rw-------. 1 root root 0 Jul 29 19:26 sssd_pam.log
> -rw-------. 1 root root 0 Jul 29 19:26 sssd_ssh.log
> -rw-------. 1 root root 0 Jul 29 19:26 sssd_sudo.log
>
>
> On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
> > On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
> >> Hello!
> >>
> >> I set the cache value to False on sssd.conf. (On IPA server and client).
> >
> > Can you show me the exact config directive you used?
> >
> >>
> >> On Thursday, July 30, 2015, Jakub Hrozek wrote:
> >>
> >>> On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
> >>>> Hello!
> >>>>
> >>>> Thanks for the hints both of you, yes the sssd_cache is in play.
> >>>> I've set the cache to false, is it have any impact to ipa
> >>>> server/client (performance, security or another issue)?
> >>>
> >>> How exactly did you 'disable' the cache? The sssd cache can't be
> >>> disabled, it can either be removed manually or the cache lifetime can be
> >>> set short..
> >>>
> >>
> >>
> >> --
> >> Sent from iDewangga Device

From dewanggaba at xtremenitro.org Thu Jul 30 14:50:23 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Thu, 30 Jul 2015 21:50:23 +0700
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <20150730135451.GO32525@hendrix.redhat.com>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org> <20150730071813.GI32525@hendrix.redhat.com> <20150730073330.GJ32525@hendrix.redhat.com> <55BA140B.4080400@xtremenitro.org> <20150730135451.GO32525@hendrix.redhat.com>
Message-ID: <55BA39AF.7060208@xtremenitro.org>

Hello!

I don't know start from where to tracking down this issue. I found
another something interesting.

1. Set `global_policy` password expired (both min and max) to 0 (zero)
2. Add user called `dummy`
3. Set global_policy password expired min (1) and max (90).
4. Add user called `dummy2`

Both user dummy and dummy2 have same password expiration :D
This problem is same with assign sudo/group to user.

I was set debug_level = 7 to following section in sssd.conf :

[domain/mydomain.co.id]
.. debug_level = 7 ..

[sssd]
.. debug_level = 7 ..

[sudo]
.. debug_level = 7 ..

I didn't find any related information about the 4 step above.

On 07/30/2015 08:54 PM, Jakub Hrozek wrote:
> On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote:
>> Hello Jakub!
>>
>> Sorry for delayed email,
>> My bad, I disabled cache_credentials, not sssd_cache.
>
> Then I think it's completely unrelated to the sudo rules problem.
>
>>
>> I tried modified my user `dewangga` to remove sudo rules, the cache
>> still active even I restart the sssd service and delete all ccache* files.
>
> Yes, cache can't be completely disabled with sssd. See:
> https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
>
>>
>> There's no information on sssd log folder.
>>
>> -rw-------. 1 root root 0 Jul 29 19:26 krb5_child.log
>> -rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_nss.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_pac.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_pam.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_ssh.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_sudo.log
>>
>>
>> On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
>>> On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
>>>> Hello!
>>>>
>>>> I set the cache value to False on sssd.conf. (On IPA server and client).
>>>
>>> Can you show me the exact config directive you used?
>>>
>>>>
>>>> On Thursday, July 30, 2015, Jakub Hrozek wrote:
>>>>
>>>>> On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
>>>>>> Hello!
>>>>>>
>>>>>> Thanks for the hints both of you, yes the sssd_cache is in play.
>>>>>> I've set the cache to false, is it have any impact to ipa
>>>>>> server/client (performance, security or another issue)?
>>>>>
>>>>> How exactly did you 'disable' the cache? The sssd cache can't be
>>>>> disabled, it can either be removed manually or the cache lifetime can be
>>>>> set short..
>>>>>
>>>>
>>>>
>>>> --
>>>> Sent from iDewangga Device

From orion at cora.nwra.com Thu Jul 30 15:28:38 2015
From: orion at cora.nwra.com (Orion Poplawski)
Date: Thu, 30 Jul 2015 09:28:38 -0600
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <55B85FF0.4000304@redhat.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com> <559D5E6F.5010902@cora.nwra.com> <55A02C07.3090906@cora.nwra.com> <55A5F55A.6090203@redhat.com> <55A6AD1E.2070604@cora.nwra.com> <55AC9BDE.4020505@redhat.com> <55AD3570.8020400@cora.nwra.com> <55B85FF0.4000304@redhat.com>
Message-ID: <55BA42A6.7020902@cora.nwra.com>

On 07/28/2015 11:09 PM, Jan Cholasta wrote:
> On 20.7.2015 at 19:52 Orion Poplawski wrote:
>> On 07/20/2015 12:57 AM, Jan Cholasta wrote:
>>> On 15.7.2015 at 20:57 Orion Poplawski wrote:
>>>> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>>>>>
>>>>> # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>>>
>>>> Directory Manager (existing master) password:
>>>>
>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.

I was able to debug this in gdb and tracked it down to a low entropy
condition. Details noted in https://fedorahosted.org/freeipa/ticket/5117.
Looks like prng_instantiate is being called 2-3 times and there just isn't
enough entropy:


Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 ,
bytes=bytes@entry=0x7fffffffc220 "\304(\336\350F8\375?\177\325\017+\302
\230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263",
len=110) at drbg.c:160
160 if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 ,
bytes=bytes@entry=0x2153b70
"\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
len=len@entry=32) at drbg.c:160
160 if (len < PRNG_SEEDLEN) {
1: len = 32

PRNG_SEEDLEN is 55 I think.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com

From jhrozek at redhat.com Thu Jul 30 18:47:25 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Jul 2015 20:47:25 +0200
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <55BA39AF.7060208@xtremenitro.org>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org> <20150730071813.GI32525@hendrix.redhat.com> <20150730073330.GJ32525@hendrix.redhat.com> <55BA140B.4080400@xtremenitro.org> <20150730135451.GO32525@hendrix.redhat.com> <55BA39AF.7060208@xtremenitro.org>
Message-ID: <20150730184725.GA10365@hendrix.redhat.com>

On Thu, Jul 30, 2015 at 09:50:23PM +0700, Dewangga Bachrul Alam wrote:
> Hello!
>
> I don't know start from where to tracking down this issue. I found
> another something interesting.
>
> 1. Set `global_policy` password expired (both min and max) to 0 (zero)
> 2. Add user called `dummy`
> 3. Set global_policy password expired min (1) and max (90).
> 4. Add user called `dummy2`
>
> Both user dummy and dummy2 have same password expiration :D
> This problem is same with assign sudo/group to user.
>
> I was set debug_level = 7 to following section in sssd.conf :
>
> [domain/mydomain.co.id]
> .. debug_level = 7 ..
>
> [sssd]
> .. debug_level = 7 ..
>
> [sudo]
> .. debug_level = 7 ..
>
> I didn't find any related information about the 4 step above.

I'm sorry, but I'm getting a bit confused about what is and what is not
the problem. Can we take a step back and see what works in your
environment and what does not?

Can you describe the workflow?

From danofsatx at gmail.com Thu Jul 30 22:35:53 2015
From: danofsatx at gmail.com (Dan Mossor)
Date: Thu, 30 Jul 2015 17:35:53 -0500
Subject: [Freeipa-users] Setting up Active Directory trusts in a secure environment
Message-ID: <55BAA6C9.90406@fedoraproject.org>

Greetings, folks.

So, I've been fighting with getting a trust set up between FreeIPA 4.1 on
CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I finally came
to a conclusion as to what my issue is.

I operate a secure network in which we have configuration guidelines for
securing Windows that we have to meet in order to receive what's known as an
"Authority to Operate", or ATO. A lot of this configuration is done in the
Global Policies. Today I stumbled across one error buried in the Windows
Security event log, and when correlated with the errors I was seeing from
FreeIPA led me to our policy.

The error that popped up in the event log was "The user has not been granted
the requested logon type at this machine." The logon type was "3", which is
network, and the Logon Process and Authorization Package were both Kerberos.

Cross referenced with the error on the IPA server:

"WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with: Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 569, v1db1 Invalid Credentials"

Digging into our Domain Controller policy, I found that "Access this computer
from the network" is restricted to Domain Users, Domain Controllers, Domain
Computers, Domain Admins, and BUILTIN\Administrators. I attempted to add a
context that would allow the IPA server to log on, and got so far through the
wizard that it let me select the trusted domain to search and returned a list
of security contexts, but when I attempted to add one (Authenticated Users), I
received the error that it couldn't be found because the server was
inaccessible. I saw no errors on the IPA side during this transaction.

So, to those of y'all that operate in secure environments, what trick do you
use to fully integrate IPA and Active Directory?

--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

From dewanggaba at xtremenitro.org Fri Jul 31 02:19:30 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Fri, 31 Jul 2015 09:19:30 +0700
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <20150730184725.GA10365@hendrix.redhat.com>
References: <55B8D388.5090108@xtremenitro.org> <55B8E40A.3090409@redhat.com> <20150729143950.GD3188@hendrix.arn.redhat.com> <55B8EB32.8040507@xtremenitro.org> <20150730071813.GI32525@hendrix.redhat.com> <20150730073330.GJ32525@hendrix.redhat.com> <55BA140B.4080400@xtremenitro.org> <20150730135451.GO32525@hendrix.redhat.com> <55BA39AF.7060208@xtremenitro.org> <20150730184725.GA10365@hendrix.redhat.com>
Message-ID: <55BADB32.5010405@xtremenitro.org>

Hello!

Sorry for making you confused. The main problem is the cache on ipa
server/client. How long the cache remain active and refresh with correct
policy/rules.

Whenever I set the sudo rules, modify another configuration (policy, etc),
it's always have delay. And until now, the global_policy still didn't use
correct configuration. It's still using min 0, max 0 configuration (I set
this policy yesterday, and was revert it back to min 1 max 90 on yesterday
too)

Any hints?

On 07/31/2015 01:47 AM, Jakub Hrozek wrote:
> On Thu, Jul 30, 2015 at 09:50:23PM +0700, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I don't know start from where to tracking down this issue. I found
>> another something interesting.
>>
>> 1. Set `global_policy` password expired (both min and max) to 0 (zero)
>> 2. Add user called `dummy`
>> 3. Set global_policy password expired min (1) and max (90).
>> 4. Add user called `dummy2`
>>
>> Both user dummy and dummy2 have same password expiration :D
>> This problem is same with assign sudo/group to user.
>>
>> I was set debug_level = 7 to following section in sssd.conf :
>>
>> [domain/mydomain.co.id]
>> .. debug_level = 7 ..
>>
>> [sssd]
>> .. debug_level = 7 ..
>>
>> [sudo]
>> .. debug_level = 7 ..
>>
>> I didn't find any related information about the 4 step above.
>
> I'm sorry, but I'm getting a bit confused about what is and what is not
> the problem. Can we take a step back and see what works in your
> environment and what does not?
>
> Can you describe the workflow?
>

From jcholast at redhat.com Fri Jul 31 05:39:23 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 31 Jul 2015 07:39:23 +0200
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <55BA42A6.7020902@cora.nwra.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com> <559D5E6F.5010902@cora.nwra.com> <55A02C07.3090906@cora.nwra.com> <55A5F55A.6090203@redhat.com> <55A6AD1E.2070604@cora.nwra.com> <55AC9BDE.4020505@redhat.com> <55AD3570.8020400@cora.nwra.com> <55B85FF0.4000304@redhat.com> <55BA42A6.7020902@cora.nwra.com>
Message-ID: <55BB0A0B.9090002@redhat.com>

On 30.7.2015 at 17:28, Orion Poplawski wrote:
> On 07/28/2015 11:09 PM, Jan Cholasta wrote:
>> On 20.7.2015 at 19:52, Orion Poplawski wrote:
>>> On 07/20/2015 12:57 AM, Jan Cholasta wrote:
>>>> On 15.7.2015 at 20:57, Orion Poplawski wrote:
>>>>> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>>>>>>
>>>>>> # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>>>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>>>>
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>
> I was able to debug this in gdb and tracked it down to a low entropy
> condition. Details noted in https://fedorahosted.org/freeipa/ticket/5117.
> Looks like prng_instantiate is being called 2-3 times and there just isn't
> enough entropy:
>
>
> Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 ,
> bytes=bytes@entry=0x7fffffffc220 "\304(\336\350F8\375?\177\325\017+\302
> \230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263",
> len=110) at drbg.c:160
> 160 if (len < PRNG_SEEDLEN) {
> 1: len = 110
> (gdb) c
> Continuing.
>
> Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 ,
> bytes=bytes@entry=0x2153b70
> "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
> len=len@entry=32) at drbg.c:160
> 160 if (len < PRNG_SEEDLEN) {
> 1: len = 32
>
> PRNG_SEEDLEN is 55 I think.
>

I wouldn't have thought that this might be the cause. Thank you for the investigation!

--
Jan Cholasta

From mkosek at redhat.com Fri Jul 31 07:48:26 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 31 Jul 2015 09:48:26 +0200
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <55BA42A6.7020902@cora.nwra.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com> <556C723F.3080508@redhat.com> <559D5E6F.5010902@cora.nwra.com> <55A02C07.3090906@cora.nwra.com> <55A5F55A.6090203@redhat.com> <55A6AD1E.2070604@cora.nwra.com> <55AC9BDE.4020505@redhat.com> <55AD3570.8020400@cora.nwra.com> <55B85FF0.4000304@redhat.com> <55BA42A6.7020902@cora.nwra.com>
Message-ID: <55BB284A.3070405@redhat.com>

On 07/30/2015 05:28 PM, Orion Poplawski wrote:
> On 07/28/2015 11:09 PM, Jan Cholasta wrote:
>> On 20.7.2015 at 19:52, Orion Poplawski wrote:
>>> On 07/20/2015 12:57 AM, Jan Cholasta wrote:
>>>> On 15.7.2015 at 20:57, Orion Poplawski wrote:
>>>>> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>>>>>>
>>>>>> # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>>>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>>>>
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>
> I was able to debug this in gdb and tracked it down to a low entropy
> condition. Details noted in https://fedorahosted.org/freeipa/ticket/5117.
> Looks like prng_instantiate is being called 2-3 times and there just isn't
> enough entropy:
>
>
> Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 ,
> bytes=bytes@entry=0x7fffffffc220 "\304(\336\350F8\375?\177\325\017+\302
> \230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263",
> len=110) at drbg.c:160
> 160 if (len < PRNG_SEEDLEN) {
> 1: len = 110
> (gdb) c
> Continuing.
>
> Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 ,
> bytes=bytes@entry=0x2153b70
> "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
> len=len@entry=32) at drbg.c:160
> 160 if (len < PRNG_SEEDLEN) {
> 1: len = 32
>
> PRNG_SEEDLEN is 55 I think.
>

Thank you for the thorough investigation! I saw your ticket comment and moved it back to Triage so that we can keep investigating it.

We already have some code that checks available entropy and/or waits for sufficient entropy in the ipa-server-install code. Maybe we will need to do something also in ipa-replica-prepare, we will see. We can continue with the discussion in the ticket directly.

From sbose at redhat.com Fri Jul 31 07:52:36 2015
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 31 Jul 2015 09:52:36 +0200
Subject: [Freeipa-users] Setting up Active Directory trusts in a secure environment
In-Reply-To: <55BAA6C9.90406@fedoraproject.org>
References: <55BAA6C9.90406@fedoraproject.org>
Message-ID: <20150731075236.GJ20980@p.redhat.com>

On Thu, Jul 30, 2015 at 05:35:53PM -0500, Dan Mossor wrote:
> Greetings, folks.
>
> So, I've been fighting with getting a trust set up between FreeIPA 4.1 on
> CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I finally came
> to a conclusion as to what my issue is.
>
> I operate a secure network in which we have configuration guidelines for
> securing Windows that we have to meet in order to receive what's known as an
> "Authority to Operate", or ATO. A lot of this configuration is done in the
> Global Policies.
>
> Today I stumbled across one error buried in the Windows Security event log,
> and when correlated with the errors I was seeing from FreeIPA led me to our
> policy. The error that popped up in the event log was "The user has not been
> granted the requested logon type at this machine." The logon type was "3",
> which is network, and the Logon Process and Authorization Package were both
> Kerberos.
>
> Cross referenced with the error on the IPA server:
> "WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with:
> Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment:
> AcceptSecurityContext error, data 569, v1db1 Invalid Credentials"
>
> Digging into our Domain Controller policy, I found that "Access this
> computer from the network" is restricted to Domain Users, Domain
> Controllers, Domain Computers, Domain Admins, and BUILTIN\Administrators. I
> attempted to add a context that would allow the IPA server to log on, and
> got so far through the wizard that it let me select the trusted domain to
> search and returned a list of security contexts, but when I attempted to add
> one (Authenticated Users), I received the error that it couldn't be found
> because the server was inaccessible. I saw no errors on the IPA side during
> this transaction.

Thank you for the detailed analysis. I guess the 'server was inaccessible' error is due to the fact that currently FreeIPA does not have a global catalog, because Windows typically tries to get SIDs from remote objects from the Global Catalog.

>
> So, to those of y'all that operate in secure environments, what trick do you
> use to fully integrate IPA and Active Directory?

With FreeIPA-4.2 the one-way trust feature is introduced. The main difference to the current scheme is that with one-way trust the FreeIPA server does not use its host credentials (host keytab) from the IPA domain to access the AD DC but uses the trusted domain user (IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from the AD domain it should be possible to assign the needed permissions to this object.

Currently I have no idea how this can be solved with an older version. Maybe there is a tool on the Windows side which lets you add SIDs manually into the "Access this computer from the network" policy? If there is one you can try to add IPA-SID-515 (where you have to replace IPA-SID by the IPA domain SID).

HTH

bye,
Sumit

>
> --
> Dan Mossor, RHCSA
> Systems Engineer
> Fedora Server WG | Fedora KDE WG | Fedora QA Team
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From natxo.asenjo at gmail.com Fri Jul 31 08:10:12 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 31 Jul 2015 10:10:12 +0200
Subject: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate
In-Reply-To: <55B1EA37.3060004@redhat.com>
References: <55B1EA37.3060004@redhat.com>
Message-ID:

Hi,

Maybe just one more redirect if people come directly to https://freeipa.org?

$ curl -LIv https://freeipa.org
* Rebuilt URL to: https://freeipa.org/
* Hostname was NOT found in DNS cache
* Trying 209.132.183.105...
* Connected to freeipa.org (209.132.183.105) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=*.redhat.com,OU=Web Operations,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US,serialNumber=dmox-zPOCChZGgYyWu9xg8JTHSbjFg9P
* start date: Sep 09 18:07:24 2013 GMT
* expire date: Dec 12 02:08:43 2015 GMT
* common name: *.redhat.com
* issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

$ curl -LIv https://www.freeipa.org
* Rebuilt URL to: https://www.freeipa.org/
* Hostname was NOT found in DNS cache
* Trying 54.227.25.77...
* Connected to www.freeipa.org (54.227.25.77) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
* subject: CN=www.freeipa.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
* start date: Jul 16 00:00:00 2014 GMT
* expire date: Jul 19 12:00:00 2016 GMT
* common name: www.freeipa.org
* issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: www.freeipa.org
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Fri, 31 Jul 2015 08:09:29 GMT
Date: Fri, 31 Jul 2015 08:09:29 GMT
* Server Apache/2.2.15 (Red Hat) is not blacklisted
< Server: Apache/2.2.15 (Red Hat)
Server: Apache/2.2.15 (Red Hat)
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Vary: Accept-Encoding,Cookie
Vary: Accept-Encoding,Cookie
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: private, must-revalidate, max-age=0
Cache-Control: private, must-revalidate, max-age=0
< Last-Modified: Fri, 31 Jul 2015 08:09:29 GMT
Last-Modified: Fri, 31 Jul 2015 08:09:29 GMT
< Location: https://www.freeipa.org/page/Main_Page
Location: https://www.freeipa.org/page/Main_Page
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
<
* Connection #0 to host www.freeipa.org left intact
* Issue another request to this URL: 'https://www.freeipa.org/page/Main_Page '
* Found bundle for host www.freeipa.org: 0x1e1d850
* Re-using existing connection! (#0) with host www.freeipa.org
* Connected to www.freeipa.org (54.227.25.77) port 443 (#0)
> HEAD /page/Main_Page HTTP/1.1
> User-Agent: curl/7.37.0
> Host: www.freeipa.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 31 Jul 2015 08:09:29 GMT
Date: Fri, 31 Jul 2015 08:09:29 GMT
* Server Apache/2.2.15 (Red Hat) is not blacklisted
< Server: Apache/2.2.15 (Red Hat)
Server: Apache/2.2.15 (Red Hat)
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-language: en
Content-language: en
< X-UA-Compatible: IE=Edge
X-UA-Compatible: IE=Edge
< Vary: Accept-Encoding,Cookie
Vary: Accept-Encoding,Cookie
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: private, must-revalidate, max-age=0
Cache-Control: private, must-revalidate, max-age=0
< Last-Modified: Thu, 16 Jul 2015 13:22:10 GMT
Last-Modified: Thu, 16 Jul 2015 13:22:10 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host www.freeipa.org left intact

Thanks!

---
regards,
natxo

From mkosek at redhat.com Fri Jul 31 08:19:03 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 31 Jul 2015 10:19:03 +0200
Subject: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate
In-Reply-To:
References: <55B1EA37.3060004@redhat.com>
Message-ID: <55BB2F77.3050800@redhat.com>

On 07/31/2015 10:10 AM, Natxo Asenjo wrote:
> Hi,
>
>
> Maybe just one more redirect if people come directly to https://freeipa.org?

Right, this is the last missing part. I did not implement it yet as I would first need to set up a redirecting machine of my own that I could trust and upload the FreeIPA HTTPS key there.

From yamakasi.014 at gmail.com Fri Jul 31 14:03:03 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 31 Jul 2015 16:03:03 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Message-ID:

Hi Guys,

I'm really struggling getting a NON AD Samba server authing against a FreeIPA server:

Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
CentOS 7.1 -> FreeIPA 4.1

Now this seems to be the way:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

But as this, which I also found on the mailing lists:

NOTE: Only Kerberos authentication will work when accessing Samba shares using this method. This means that Windows clients not joined to Active Directory forest trusted by IPA would not be able to access the shares. This is related to SSSD not yet being able to handle NTLMSSP authentication.

It might not be that easy to have a Samba Shares only server.

Any idea here how to accomplish this?

Cheers,

Matt

From piolet.y at gmail.com Fri Jul 31 14:19:01 2015
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Fri, 31 Jul 2015 16:19:01 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

I asked the very same question a few weeks ago, but no answer yet.
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

The only method I see is to install samba extensions in FreeIPA's LDAP directory, and bind samba with LDAP. There may be a lot of difficulties with password management doing this, that's why I'd like to get a better solution :)

Anyone?

--
Youenn Piolet
piolet.y at gmail.com

2015-07-31 16:03 GMT+02:00 Matt . :
> Hi Guys,
>
> I'm really struggling getting a NON AD Samba server authing against a
> FreeIPA server:
>
> Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
> CentOS 7.1 -> FreeIPA 4.1
>
> Now this seems to be the way:
>
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> But as this, which I also found on the mailing lists:
>
> NOTE: Only Kerberos authentication will work when accessing Samba
> shares using this method. This means that Windows clients not joined
> to Active Directory forest trusted by IPA would not be able to access
> the shares. This is related to SSSD not yet being able to handle
> NTLMSSP authentication.
>
> It might not be that easy to have a Samba Shares only server.
>
> Any idea here how to accomplish this?
>
> Cheers,
>
> Matt
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From danofsatx at gmail.com Fri Jul 31 14:23:53 2015
From: danofsatx at gmail.com (Dan Mossor)
Date: Fri, 31 Jul 2015 09:23:53 -0500
Subject: [Freeipa-users] Setting up Active Directory trusts in a secure environment
In-Reply-To: <20150731075236.GJ20980@p.redhat.com>
References: <55BAA6C9.90406@fedoraproject.org> <20150731075236.GJ20980@p.redhat.com>
Message-ID: <55BB84F9.1050905@fedoraproject.org>

On 07/31/2015 02:52 AM, Sumit Bose wrote:
>
> Thank you for the detailed analysis. I guess the 'server was
> inaccessible' error is due to the fact that currently FreeIPA does not
> have a global catalog, because Windows typically tries to get SIDs from
> remote objects from the Global Catalog.
>
>>
>> So, to those of y'all that operate in secure environments, what trick do you
>> use to fully integrate IPA and Active Directory?
>
> With FreeIPA-4.2 the one-way trust feature is introduced. The main
> difference to the current scheme is that with one-way trust the FreeIPA
> server does not use its host credentials (host keytab) from the IPA
> domain to access the AD DC but uses the trusted domain user
> (IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
> the AD domain it should be possible to assign the needed permissions to
> this object.
>
> Currently I have no idea how this can be solved with an older version.
> Maybe there is a tool on the Windows side which lets you add SIDs
> manually into the "Access this computer from the network" policy? If
> there is one you can try to add IPA-SID-515 (where you have to replace
> IPA-SID by the IPA domain SID).
>
> HTH
>
> bye,
> Sumit
>

I didn't think the SID was even being evaluated - the authentication being attempted was through Kerberos, which I understand only uses host keytabs, not SIDs. Am I correct in this situation?

Dan

--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

From christopher.lamb at ch.ibm.com Fri Jul 31 14:55:14 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Fri, 31 Jul 2015 16:55:14 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi We use the Samba extensions for FreeIPA. Windows 7 users connect to the "shares" using their FreeIPA credentials. The only password mgmt problem that we have is, that the users get no notice of password expiry until "suddenly" their Samba user (really the FreeIPA user) password is not accepted when trying to connect to a share. Once the password is reset (via CLI or FreeIPA WebUi), they can access the shares again. Chris 
From: Youenn PIOLET
To: "Matt ."
Cc: "freeipa-users at redhat.com"
Date: 31.07.2015 16:21
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by: freeipa-users-bounces at redhat.com

Hi,

I asked the very same question a few weeks ago, but no answer yet.
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

The only method I see is to install samba extensions in FreeIPA's LDAP directory, and bind samba with LDAP. There may be a lot of difficulties with password management doing this, that's why I'd like to get a better solution :)

Anyone?

--
Youenn Piolet
piolet.y at gmail.com

2015-07-31 16:03 GMT+02:00 Matt . :

Hi Guys,

I'm really struggling getting a NON AD Samba server authing against a FreeIPA server:

Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
CentOS 7.1 -> FreeIPA 4.1

Now this seems to be the way:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

But as this, which I also found on the mailing lists:

NOTE: Only Kerberos authentication will work when accessing Samba shares using this method. This means that Windows clients not joined to Active Directory forest trusted by IPA would not be able to access the shares. This is related to SSSD not yet being able to handle NTLMSSP authentication.

It might not be that easy to have a Samba Shares only server.

Any idea here how to accomplish this?

Cheers,

Matt

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From yamakasi.014 at gmail.com Fri Jul 31 14:57:07 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 31 Jul 2015 16:57:07 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

This is nice to have confirmed.

Is it possible for you to describe what you do? It might be handy to add this to the IPA documentation also with some explanation why...

Cheers,

Matt

2015-07-31 16:55 GMT+02:00 Christopher Lamb :
> Hi
>
> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
> "shares" using their FreeIPA credentials. The only password mgmt problem
> that we have is, that the users get no notice of password expiry until
> "suddenly" their Samba user (really the FreeIPA user) password is not
> accepted when trying to connect to a share. Once the password is reset (via
> CLI or FreeIPA WebUi), they can access the shares again.
>
> Chris
>
>
>
> From: Youenn PIOLET
> To: "Matt ."
> Cc: "freeipa-users at redhat.com"
> Date: 31.07.2015 16:21
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by: freeipa-users-bounces at redhat.com
>
>
>
> Hi,
> I asked the very same question a few weeks ago, but no answer yet.
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>
> The only method I see is to install samba extensions in FreeIPA's LDAP
> directory, and bind samba with LDAP. There may be a lot of difficulties
> with password management doing this, that's why I'd like to get a better
> solution :)
>
> Anyone?
>
>
> --
> Youenn Piolet
> piolet.y at gmail.com
>
>
> 2015-07-31 16:03 GMT+02:00 Matt . :
> Hi Guys,
>
> I'm really struggling getting a NON AD Samba server authing against a
> FreeIPA server:
>
> Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
> CentOS 7.1 -> FreeIPA 4.1
>
> Now this seems to be the way:
>
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>
> But as this, which I also found on the mailing lists:
>
> NOTE: Only Kerberos authentication will work when accessing Samba
> shares using this method. This means that Windows clients not joined
> to Active Directory forest trusted by IPA would not be able to access
> the shares. This is related to SSSD not yet being able to handle
> NTLMSSP authentication.
>
> It might not be that easy to have a Samba Shares only server.
>
> Any idea here how to accomplish this?
>
> Cheers,
>
> Matt
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>

From sbose at redhat.com Fri Jul 31 15:08:48 2015
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 31 Jul 2015 17:08:48 +0200
Subject: [Freeipa-users] Setting up Active Directory trusts in a secure environment
In-Reply-To: <55BB84F9.1050905@fedoraproject.org>
References: <55BAA6C9.90406@fedoraproject.org> <20150731075236.GJ20980@p.redhat.com> <55BB84F9.1050905@fedoraproject.org>
Message-ID: <20150731150848.GD10777@p.redhat.com>

On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote:
> On 07/31/2015 02:52 AM, Sumit Bose wrote:
> >
> >Thank you for the detailed analysis. I guess the 'server was
> >inaccessible' error is due to the fact that currently FreeIPA does not
> >have a global catalog, because Windows typically tries to get SIDs from
> >remote objects from the Global Catalog.
> >
> >>
> >>So, to those of y'all that operate in secure environments, what trick do you
> >>use to fully integrate IPA and Active Directory?
> >
> >With FreeIPA-4.2 the one-way trust feature is introduced. The main
> >difference to the current scheme is that with one-way trust the FreeIPA
> >server does not use its host credentials (host keytab) from the IPA
> >domain to access the AD DC but uses the trusted domain user
> >(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
> >the AD domain it should be possible to assign the needed permissions to
> >this object.
> >
> >Currently I have no idea how this can be solved with an older version.
> >Maybe there is a tool on the Windows side which lets you add SIDs
> >manually into the "Access this computer from the network" policy? If
> >there is one you can try to add IPA-SID-515 (where you have to replace
> >IPA-SID by the IPA domain SID).
> >
> >HTH
> >
> >bye,
> >Sumit
> >
>
> I didn't think the SID was even being evaluated - the authentication being
> attempted was through Kerberos, which I understand only uses host keytabs,
> not SIDs. Am I correct in this situation?

yes and no :-) The keytab is used to get a TGT and then a cross-realm TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which contains additional authorization data including SIDs. The PAC is then used on the Windows side to evaluate if access is granted or not.

bye,
Sumit

>
> Dan
>
> --
> Dan Mossor, RHCSA
> Systems Engineer
> Fedora Server WG | Fedora KDE WG | Fedora QA Team
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA

From lslebodn at redhat.com Fri Jul 31 15:21:38 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 31 Jul 2015 17:21:38 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID: <20150731152138.GB9366@mail.corp.redhat.com>

On (31/07/15 16:03), Matt . wrote:
>Hi Guys,
>
>I'm really struggling getting a NON AD Samba server authing against a
>FreeIPA server:
>
>Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>CentOS 7.1 -> FreeIPA 4.1
>
>Now this seems to be the way:
>
>https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
As you can see this howto is mainly written for rpm based distributions. The most important difference between sssd 1.12.5 for ubuntu[1] and sssd >= 1.12 in fedora[2] is packaging of sssd-libwbclient.

sssd-libwbclient and libwbclient(from samba) use alternatives to switch between these libraries.

Ubuntu 14.04
root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/libwbclient*
lrwxrwxrwx. 1 root root 19 Jul 1 15:38 /usr/lib/x86_64-linux-gnu/libwbclient.so.0 -> libwbclient.so.0.11
-rw-r--r--. 1 root root 43216 Jul 1 15:38 /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11

root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient*
lrwxrwxrwx. 1 root root 21 Jun 15 18:14 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0 -> libwbclient.so.0.12.0
-rw-r--r--. 1 root root 30800 Jun 15 18:14 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0

Fedora 21
bash-4.3# alternatives --display libwbclient.so.0.11-64
libwbclient.so.0.11-64 - status is auto.
 link currently points to /usr/lib64/samba/wbclient/libwbclient.so.0.11
/usr/lib64/samba/wbclient/libwbclient.so.0.11 - priority 10
/usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 5
Current `best' version is /usr/lib64/samba/wbclient/libwbclient.so.0.11.

So if you want to use this howto on ubuntu then you need to create symbolic links on your own.

Feel free to update the Howto page with additional information if you manage to solve it on ubuntu.

LS

[1] https://launchpad.net/~sssd/+archive/ubuntu/updates
[2] https://admin.fedoraproject.org/updates/sssd

From danofsatx at gmail.com Fri Jul 31 16:04:04 2015
From: danofsatx at gmail.com (Dan Mossor)
Date: Fri, 31 Jul 2015 11:04:04 -0500
Subject: [Freeipa-users] Setting up Active Directory trusts in a secure environment
In-Reply-To: <20150731150848.GD10777@p.redhat.com>
References: <55BAA6C9.90406@fedoraproject.org> <20150731075236.GJ20980@p.redhat.com> <55BB84F9.1050905@fedoraproject.org> <20150731150848.GD10777@p.redhat.com>
Message-ID: <55BB9C74.3030804@fedoraproject.org>

On 07/31/2015 10:08 AM, Sumit Bose wrote:
> On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote:
>> On 07/31/2015 02:52 AM, Sumit Bose wrote:
>>>
>>> Thank you for the detailed analysis. I guess the 'server was
>>> inaccessible' error is due to the fact that currently FreeIPA does not
>>> have a global catalog, because Windows typically tries to get SIDs from
>>> remote objects from the Global Catalog.
>>>
>>>>
>>>> So, to those of y'all that operate in secure environments, what trick do you
>>>> use to fully integrate IPA and Active Directory?
>>>
>>> With FreeIPA-4.2 the one-way trust feature is introduced. The main
>>> difference to the current scheme is that with one-way trust the FreeIPA
>>> server does not use its host credentials (host keytab) from the IPA
>>> domain to access the AD DC but uses the trusted domain user
>>> (IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
>>> the AD domain it should be possible to assign the needed permissions to
>>> this object.
>>>
>>> Currently I have no idea how this can be solved with an older version.
>>> Maybe there is a tool on the Windows side which lets you add SIDs
>>> manually into the "Access this computer from the network" policy? If
>>> there is one you can try to add IPA-SID-515 (where you have to replace
>>> IPA-SID by the IPA domain SID).
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>
>>
>> I didn't think the SID was even being evaluated - the authentication being
>> attempted was through Kerberos, which I understand only uses host keytabs,
>> not SIDs. Am I correct in this situation?
>
> yes and no :-) The keytab is used to get a TGT and then a cross-realm
> TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which
> contains additional authorization data including SIDs. The PAC is then
> used on the Windows side to evaluate if access is granted or not.
>
> bye,
> Sumit
>

Building on what you said regarding the one-way trust, I already have an IPA user in Active Directory that I created when I was initially setting this up as a synchronized domain instead of a trust. There are two ways I can go here - I can either revert back to the password sync and replication, or somehow convince IPA to use that user for the trust relationship. I suspect it will be impossible without a patch to use a user account instead of Kerberos for the trust, so that leaves going back to the replication setup.

Our ultimate goal in the environment is single sign on - when our users log into their Windows 7 workstations, they shouldn't then have to log into the chat server, the wiki, and mercurial; all those extra services running on Linux should be able to accept the Active Directory credentials.

One final option I have, since this is a very small network, is to just join my Linux servers to the Active Directory domain, and not use the FreeIPA intermediary.

--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

From yamakasi.014 at gmail.com Fri Jul 31 16:15:17 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 31 Jul 2015 18:15:17 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To: <20150731152138.GB9366@mail.corp.redhat.com>
References: <20150731152138.GB9366@mail.corp.redhat.com>
Message-ID:

Hi Lucas,

Thank you for this reply.

In this case it simply should work as it should by creating the symlinks, or are there other issues we might get?

Thanks,

Matt

2015-07-31 17:21 GMT+02:00 Lukas Slebodnik :
> On (31/07/15 16:03), Matt . wrote:
>>Hi Guys,
>>
>>I'm really struggling getting a NON AD Samba server authing against a
>>FreeIPA server:
>>
>>Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>>CentOS 7.1 -> FreeIPA 4.1
>>
>>Now this seems to be the way:
>>
>>https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
> As you can see this howto is mainly written for rpm based distributions.
> The most important difference between sssd 1.12.5 for ubuntu[1]
> and sssd >= 1.12 in fedora[2] is packaging of sssd-libwbclient.
>
> sssd-libwbclient and libwbclient(from samba) use alternatives
> to switch between these libraries.
>
>
> Ubuntu 14.04
> root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/libwbclient*
> lrwxrwxrwx. 1 root root 19 Jul 1 15:38
> /usr/lib/x86_64-linux-gnu/libwbclient.so.0 -> libwbclient.so.0.11
> -rw-r--r--. 1 root root 43216 Jul 1 15:38
> /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
>
> root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient*
> lrwxrwxrwx. 1 root root 21 Jun 15 18:14
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0 ->
> libwbclient.so.0.12.0
> -rw-r--r--. 1 root root 30800 Jun 15 18:14
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
>
>
> Fedora 21
> bash-4.3# alternatives --display libwbclient.so.0.11-64
> libwbclient.so.0.11-64 - status is auto.
> link currently points to /usr/lib64/samba/wbclient/libwbclient.so.0.11
> /usr/lib64/samba/wbclient/libwbclient.so.0.11 - priority 10
> /usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 5
> Current `best' version is /usr/lib64/samba/wbclient/libwbclient.so.0.11.
>
>
> So if you want to use this howto on ubuntu then you need to create
> symbolic links on your own.
>
>
> Feel free to update the Howto page with additional information
> if you manage to solve it on ubuntu.
>
> LS
>
> [1] https://launchpad.net/~sssd/+archive/ubuntu/updates
> [2] https://admin.fedoraproject.org/updates/sssd

From lslebodn at redhat.com Fri Jul 31 21:31:21 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 31 Jul 2015 23:31:21 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References: <20150731152138.GB9366@mail.corp.redhat.com>
Message-ID: <20150731213121.GB23270@mail.corp.redhat.com>

On (31/07/15 18:15), Matt . wrote:
>Hi Lucas,
>
>Thank you for this reply.
>
>In this case it simply should work as it should by creating the
>symlinks, or are there other issues we might get?
>
1st problem: the current samba version of libwbclient needs to be moved to another place.

2nd problem: manually created symbolic links will be broken with the next update of sssd or samba (e.g. security update)

3rd problem: such changes might cause trouble for other applications; they need to be carefully tested (which are not on ubuntu)

LS
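
Added example (not part of the thread, and not code from SSSD, Samba or FreeIPA): a check for the 2nd problem listed above, that a package update silently replaces a manually created libwbclient symlink. The function names are hypothetical, and the classification assumes the directory layout shown in the Ubuntu 14.04 listing quoted earlier in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Path patterns follow the
# Ubuntu 14.04 listing in the thread:
#   samba: .../libwbclient.so.0.11
#   sssd:  .../sssd/modules/libwbclient.so.0.12.0

# wbclient_provider LINK
# Print which implementation LINK resolves to:
#   sssd | samba | unknown | dangling | missing
wbclient_provider() {
    link=$1
    if [ -L "$link" ] && [ ! -e "$link" ]; then
        echo dangling          # symlink whose target was moved or removed
        return 0
    fi
    if [ ! -e "$link" ]; then
        echo missing           # nothing at this path at all
        return 0
    fi
    target=$(readlink -f "$link")
    case "$target" in
        # Assumption: anything under sssd/modules is the SSSD build ...
        */sssd/modules/libwbclient.so.*) echo sssd ;;
        # ... and any other libwbclient.so.* is the Samba build.
        */libwbclient.so.*)              echo samba ;;
        *)                               echo unknown ;;
    esac
}

# check_wbclient LINK EXPECTED
# Return 0 when LINK resolves to EXPECTED; otherwise report the drift on
# stderr and return 1, so cron or a monitoring wrapper can alert on it.
check_wbclient() {
    actual=$(wbclient_provider "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "libwbclient drift: $1 is '$actual', expected '$2'" >&2
    return 1
}

# Run as: sh check-wbclient.sh /usr/lib/x86_64-linux-gnu/libwbclient.so.0 sssd
if [ "$#" -eq 2 ]; then
    check_wbclient "$1" "$2"
fi
```

Running the check after every sssd or samba package update shows whether the link still resolves to the implementation the Samba configuration expects.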