From notify.sina at gmail.com Mon Jun 1 00:19:55 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Mon, 1 Jun 2015 01:19:55 +0100
Subject: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master
Message-ID:

Hi!

I am still stumbling along with this. I have had my IPA domain destroyed and currently only a CA-less replica is left running the network. The existing CA-less replica is on RHEL6.6 with ipa-3.0.0.

I am trying to set up a fresh CA master and I have exported the data in the replica into ldif and bak folders in the /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories. I have copied these files and folders to the fresh install, which is running RHEL7.1. If I can complete an install, I plan to destroy the existing replica and install from scratch 2 new ones just to be safe.

Please can someone direct me in properly editing the ldif file or the bak archive dir to make it useful for the new CA master? I have already deleted the existing replication agreements between the CA-less replica and the lost CA master (the new fresh install has the same hostname). Importing data is successful, but then IPA refuses to run afterwards with different error messages.

Thanks for any light shown my way.

From bahanw042014 at gmail.com Mon Jun 1 07:47:33 2015
From: bahanw042014 at gmail.com (bahan w)
Date: Mon, 1 Jun 2015 09:47:33 +0200
Subject: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4
In-Reply-To: <24b13f8e-c7a7-4fdb-a81c-e0ef33e0f4d9@email.android.com>
References: <20150530121021.GA11243@mail.corp.redhat.com> <24b13f8e-c7a7-4fdb-a81c-e0ef33e0f4d9@email.android.com>
Message-ID:

Hello everyone.

I modified the /etc/selinux/config file:

#########################################################
# This file controls the state of SELinux on the system.
# SELINUX=disabled
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
#########################################################

Then I rebooted.

#########################################################
reboot
#########################################################

Here is the result of getenforce:

#########################################################
Permissive
#########################################################

I removed the ipa-server that I had and I tried the 3.0.0-42:

#########################################################
yum install ipa-server-3.0.0-42.el6.x86_64
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
--> Processing Dependency: ipa-client = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-python = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
--> Running transaction check
---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================
 Package                      Arch           Version               Repository       Size
======================================================================================================================================
Installing:
 ipa-server                   x86_64         3.0.0-42.el6          standard        1.1 M
Installing for dependencies:
 ipa-admintools               x86_64         3.0.0-42.el6          standard         67 k
 ipa-client                   x86_64         3.0.0-42.el6          standard        145 k
 ipa-python                   x86_64         3.0.0-42.el6          standard        928 k
 ipa-server-selinux           x86_64         3.0.0-42.el6          standard         66 k

Transaction Summary
======================================================================================================================================
Install       5 Package(s)

Total download size: 2.3 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): ipa-admintools-3.0.0-42.el6.x86_64.rpm                      |  67 kB     00:00
(2/5): ipa-client-3.0.0-42.el6.x86_64.rpm                          | 145 kB     00:00
(3/5): ipa-python-3.0.0-42.el6.x86_64.rpm                          | 928 kB     00:00
(4/5): ipa-server-3.0.0-42.el6.x86_64.rpm                          | 1.1 MB     00:00
(5/5): ipa-server-selinux-3.0.0-42.el6.x86_64.rpm                  |  66 kB     00:00
--------------------------------------------------------------------------------------------------------------------------------------
Total                                                     6.8 MB/s | 2.3 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ipa-python-3.0.0-42.el6.x86_64                          1/5
  Installing : ipa-client-3.0.0-42.el6.x86_64                          2/5
  Installing : ipa-admintools-3.0.0-42.el6.x86_64                      3/5
  Installing : ipa-server-3.0.0-42.el6.x86_64                          4/5
  Installing : ipa-server-selinux-3.0.0-42.el6.x86_64                  5/5
libsepol.print_missing_requirements: ipa_dogtag's global requirements were not met: type/attribute pki_ca_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Verifying  : ipa-server-3.0.0-42.el6.x86_64                          1/5
  Verifying  : ipa-server-selinux-3.0.0-42.el6.x86_64                  2/5
  Verifying  : ipa-python-3.0.0-42.el6.x86_64                          3/5
  Verifying  : ipa-client-3.0.0-42.el6.x86_64                          4/5
  Verifying  : ipa-admintools-3.0.0-42.el6.x86_64                      5/5

Installed:
  ipa-server.x86_64 0:3.0.0-42.el6

Dependency Installed:
  ipa-admintools.x86_64 0:3.0.0-42.el6      ipa-client.x86_64 0:3.0.0-42.el6
  ipa-python.x86_64 0:3.0.0-42.el6          ipa-server-selinux.x86_64 0:3.0.0-42.el6

Complete!
#########################################################

The errors linked with dogtag are still there.

Now, when I tried to run the ipa-server-install command, here is what I have:

#########################################################
Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM -ca_server_cert_subject_name CN=MYHOST,O=MYREALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM -external false -clone false' returned non-zero exit status 255
Configuration of CA failed
#########################################################

And here is what I found in the ipaserver-install.log:

#########################################################
2015-06-01T07:38:43Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:385)
    at java.net.Socket.connect(Socket.java:546)
    at java.net.Socket.connect(Socket.java:495)
    at java.net.Socket.<init>(Socket.java:392)
    at java.net.Socket.<init>(Socket.java:235)
    at HTTPClient.sslConnect(HTTPClient.java:326)
    at ConfigureCA.LoginPanel(ConfigureCA.java:244)
    at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
    at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
    at ConfigureCA.LoginPanel(ConfigureCA.java:245)
    at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
    at ConfigureCA.main(ConfigureCA.java:1672)

2015-06-01T07:38:43Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM -ca_server_cert_subject_name CN=MYHOST,O=MYREALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM -external false -clone false' returned non-zero exit status 255
2015-06-01T07:38:43Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2015-06-01T07:38:43Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
#########################################################

I'm not really sure permissive mode with SELinux is helping, in fact.

Best regards.

Bahan
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Mon Jun 1 07:52:24 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 01 Jun 2015 09:52:24 +0200
Subject: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
In-Reply-To: <55689A7D.30707@alumni.ethz.ch>
References: <55689A7D.30707@alumni.ethz.ch>
Message-ID: <556C0F38.3010909@redhat.com>

On 29/05/15 18:57, Thomas Sailer wrote:
> Hello everyone.
>
> I upgraded a freeipa server from fedora 20 to fedora 22. It mostly
> worked ok, but there are a few issues:
>
> - pki-tomcat didn't start after the upgrade, and that in turn made
>   ipa-upgradeconfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
>   had the wrong owner (root).
>
> - ipa-ldap-updater stumbles over two problems:
>   - Pre schema upgrade failed
>   - when trying to modify cn=encryption,cn=config, it stumbles over
>     allowWeakCipher not allowed
>
> Does anyone know how to fix this? Is the pre schema upgrade failure
> spurious? What bits am I missing about the allowWeakCipher issue?
>
> Thomas
>
>
>
> 2015-05-28T13:04:55Z DEBUG   [4/10]: starting directory server
> 2015-05-28T13:04:55Z DEBUG Starting external process
> 2015-05-28T13:04:55Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at XXXXX-COM.service'
> 2015-05-28T13:04:55Z DEBUG Process finished, return code=0
> 2015-05-28T13:04:55Z DEBUG stdout=
> 2015-05-28T13:04:55Z DEBUG stderr=Running in chroot, ignoring request.
>
> 2015-05-28T13:04:55Z DEBUG duration: 0 seconds
> 2015-05-28T13:04:55Z DEBUG   [5/10]: preparing server upgrade
> 2015-05-28T13:05:36Z ERROR Pre schema upgrade failed with [Errno 2] No such file or directory
> 2015-05-28T13:05:36Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
>     ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
>     self.create_connection()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
>     dm_password=self.dm_password, pw_name=self.pw_name)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
>     conn.do_external_bind(pw_name)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
>     self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
>     self.__wait_for_connection(timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
>     wait_for_open_socket(lurl.hostport, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1183, in wait_for_open_socket
>     raise e
> error: [Errno 2] No such file or directory
>
> 2015-05-28T13:05:36Z DEBUG duration: 40 seconds
> 2015-05-28T13:05:36Z DEBUG   [6/10]: updating schema
> 2015-05-28T13:05:46Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 388, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 378, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
>     dm_password='', ldapi=True, live_run=self.live_run) or self.modified
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
>     fqdn=installutils.get_fqdn())
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
>     conn.do_external_bind(pw_name)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
>     self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
>     self.__wait_for_connection(timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
>     wait_for_open_socket(lurl.hostport, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1183, in wait_for_open_socket
>     raise e
> error: [Errno 2] No such file or directory
>
> 2015-05-28T13:05:46Z DEBUG   [error] error: [Errno 2] No such file or directory
> 2015-05-28T13:05:46Z DEBUG   [cleanup]: stopping directory server
> 2015-05-28T13:05:46Z DEBUG Starting external process
> 2015-05-28T13:05:46Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at XXXXX-COM.service'
> 2015-05-28T13:05:46Z DEBUG Process finished, return code=0
> 2015-05-28T13:05:46Z DEBUG stdout=
> 2015-05-28T13:05:46Z DEBUG stderr=Running in chroot, ignoring request.
>
> 2015-05-28T13:05:46Z DEBUG duration: 0 seconds
> 2015-05-28T13:05:46Z DEBUG   [cleanup]: restoring configuration
> 2015-05-28T13:05:46Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-05-28T13:05:46Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-05-28T13:05:46Z DEBUG duration: 0 seconds
> 2015-05-28T13:05:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 144, in run
>     upgrade.create_instance()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 93, in create_instance
>     show_service_name=False)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 388, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 378, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
>     dm_password='', ldapi=True, live_run=self.live_run) or self.modified
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
>     fqdn=installutils.get_fqdn())
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
>     conn.do_external_bind(pw_name)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
>     self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
>     self.__wait_for_connection(timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
>     wait_for_open_socket(lurl.hostport, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1183, in wait_for_open_socket
>     raise e
>
> 2015-05-28T13:05:46Z DEBUG The ipa-ldap-updater command failed, exception: error: [Errno 2] No such file or directory
> 2015-05-28T13:05:46Z ERROR [Errno 2] No such file or directory
> 2015-05-28T13:05:47Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
> 2015-05-28T13:05:47Z DEBUG IPA version 4.1.4-2.fc22
> 2015-05-28T13:05:47Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2015-05-28T13:05:47Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otpconfig.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
> 2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py' > 2015-05-28T13:05:47Z DEBUG Starting external process > 2015-05-28T13:05:47Z DEBUG args='klist' '-V' > 2015-05-28T13:05:47Z DEBUG Process finished, return code=0 > 2015-05-28T13:05:47Z DEBUG stdout=Kerberos 5 version 1.13.1 > > 2015-05-28T13:05:47Z DEBUG stderr= > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > 
'/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py' > 2015-05-28T13:05:47Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py' > > > > > 2015-05-28T17:11:53Z INFO Updating existing entry: > cn=encryption,cn=config > 2015-05-28T17:11:53Z DEBUG --------------------------------------------- > 2015-05-28T17:11:53Z DEBUG Initial value > 2015-05-28T17:11:53Z DEBUG dn: cn=encryption,cn=config > 2015-05-28T17:11:53Z DEBUG nsSSL3: > 2015-05-28T17:11:53Z DEBUG off > 2015-05-28T17:11:53Z DEBUG nsSSL2: > 2015-05-28T17:11:53Z DEBUG off > 2015-05-28T17:11:53Z DEBUG cn: > 2015-05-28T17:11:53Z DEBUG encryption > 2015-05-28T17:11:53Z DEBUG objectClass: > 2015-05-28T17:11:53Z DEBUG top > 2015-05-28T17:11:53Z DEBUG nsEncryptionConfig > 2015-05-28T17:11:53Z DEBUG sslVersionMax: > 2015-05-28T17:11:53Z DEBUG TLS1.2 > 2015-05-28T17:11:53Z DEBUG nsSSLSessionTimeout: > 2015-05-28T17:11:53Z DEBUG 0 > 2015-05-28T17:11:53Z DEBUG sslVersionMin: > 2015-05-28T17:11:53Z DEBUG TLS1.0 > 2015-05-28T17:11:53Z DEBUG nsSSLSupportedCiphers: > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128 > 2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128 > 
2015-05-28T17:11:53Z DEBUG > TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0 > 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0 > 2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_MD5::NULL::MD5::0 > 2015-05-28T17:11:53Z DEBUG > TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG > TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG > SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192 > 2015-05-28T17:11:53Z DEBUG > SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128 > 
2015-05-28T17:11:53Z DEBUG > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256 > 2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128 > 2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128 > 2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0 > 2015-05-28T17:11:53Z DEBUG SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128 > 2015-05-28T17:11:53Z DEBUG > TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256 > 2015-05-28T17:11:53Z DEBUG > SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128 > 2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256 > 2015-05-28T17:11:53Z DEBUG > TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128 > 2015-05-28T17:11:53Z DEBUG > TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128 > 2015-05-28T17:11:53Z DEBUG > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128 > 
2015-05-28T17:11:53Z DEBUG > TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0 > 2015-05-28T17:11:53Z DEBUG > SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG nsSSLClientAuth: > 2015-05-28T17:11:53Z DEBUG allowed > 2015-05-28T17:11:53Z DEBUG nssslenabledciphers: > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128 > 2015-05-28T17:11:53Z DEBUG > SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG nsTLS1: > 2015-05-28T17:11:53Z DEBUG on > 2015-05-28T17:11:53Z DEBUG nsSSL3Ciphers: > 2015-05-28T17:11:53Z DEBUG > -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha > 2015-05-28T17:11:53Z DEBUG only: set nsSSL3Ciphers to '+all', current > value > ['-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha'] > 2015-05-28T17:11:53Z DEBUG only: updated value ['+all'] > 2015-05-28T17:11:53Z DEBUG addifnew: 'off' to allowWeakCipher, current > value [] > 2015-05-28T17:11:53Z DEBUG addifnew: set allowWeakCipher to ['off'] > 2015-05-28T17:11:53Z DEBUG 
--------------------------------------------- > 2015-05-28T17:11:53Z DEBUG Final value after applying updates > 2015-05-28T17:11:53Z DEBUG dn: cn=encryption,cn=config > 2015-05-28T17:11:53Z DEBUG nsSSL3: > 2015-05-28T17:11:53Z DEBUG off > 2015-05-28T17:11:53Z DEBUG nsSSL2: > 2015-05-28T17:11:53Z DEBUG off > 2015-05-28T17:11:53Z DEBUG cn: > 2015-05-28T17:11:53Z DEBUG encryption > 2015-05-28T17:11:53Z DEBUG objectClass: > 2015-05-28T17:11:53Z DEBUG top > 2015-05-28T17:11:53Z DEBUG nsEncryptionConfig > 2015-05-28T17:11:53Z DEBUG sslVersionMax: > 2015-05-28T17:11:53Z DEBUG TLS1.2 > 2015-05-28T17:11:53Z DEBUG nsSSLSessionTimeout: > 2015-05-28T17:11:53Z DEBUG 0 > 2015-05-28T17:11:53Z DEBUG sslVersionMin: > 2015-05-28T17:11:53Z DEBUG TLS1.0 > 2015-05-28T17:11:53Z DEBUG nsSSLSupportedCiphers:
SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128 > 2015-05-28T17:11:53Z DEBUG nsSSLClientAuth: > 2015-05-28T17:11:53Z DEBUG allowed > 2015-05-28T17:11:53Z DEBUG nssslenabledciphers: > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64 > 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128 > 2015-05-28T17:11:53Z DEBUG > SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192 > 2015-05-28T17:11:53Z DEBUG nsTLS1: > 2015-05-28T17:11:53Z DEBUG on > 2015-05-28T17:11:53Z DEBUG allowWeakCipher: > 2015-05-28T17:11:53Z DEBUG off > 2015-05-28T17:11:53Z DEBUG nsSSL3Ciphers: > 2015-05-28T17:11:53Z DEBUG +all > 2015-05-28T17:11:53Z DEBUG [(2, u'allowWeakCipher', ['off']), (0, > u'nsSSL3Ciphers', ['+all']), (1, u'nsSSL3Ciphers', > ['-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha'])] > 2015-05-28T17:11:53Z DEBUG Live 1, updated 1 > 2015-05-28T17:11:53Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, > in execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", > line 213, in run > modified = ld.update(self.files, ordered=True) or modified > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 854, in update > self._run_updates(all_updates) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 799, in _run_updates > self._update_record(update) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
>     line 720, in _update_record
>     self.conn.update_entry(entry)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1628, in update_entry
>     self.conn.modify_s(entry.dn, modlist)
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1191, in error_handler
>     raise errors.ObjectclassViolation(info=info)
>
> 2015-05-28T17:11:53Z DEBUG The ipa-ldap-updater command failed, exception: ObjectclassViolation: attribute "allowWeakCipher" not allowed
> 2015-05-28T17:11:53Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
> ObjectclassViolation: attribute "allowWeakCipher" not allowed
> 2015-05-29T12:46:04Z DEBUG Logging to /var/log/ipaupgrade.log
>

Hello,

1) Actually you have more errors there. This causes that neither the pre-schema upgrade nor the schema upgrade is executed.

error: [Errno 2] No such file or directory

Could DS in chroot cause that ipa-ldap-updater --upgrade cannot locate the DS socket?

2015-05-28T13:04:55Z DEBUG stderr=Running in chroot, ignoring request.

2) Allow weak ciphers.

Can you check the objectclass definitions in /etc/dirsrv/slapd-XXXXX-COM/schema:

# grep 'allowWeakCipher' *

If you find more than one objectclass definition, please remove the old one from the ldif files and restart DS. (Probably there will be an old one in 99user.ldif)

Martin

--
Martin Basti

From pvoborni at redhat.com Mon Jun 1 08:55:24 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 01 Jun 2015 10:55:24 +0200
Subject: [Freeipa-users] problem with keytab for ipa user-add
In-Reply-To: <556AE0B9.8010704@jackland.demon.co.uk>
References: <556AE0B9.8010704@jackland.demon.co.uk>
Message-ID: <556C1DFC.4060109@redhat.com>

On 05/31/2015 12:21 PM, Bob Hinton wrote:
> Hello,
>
> I've written a Ruby script to add IPA users from CSV files. This works
> fine when specifying a username and password.
> However, using a keytab produces an error (see below). This seems to happen whatever I put in
> the keytab file.
>
> Any suggestions ?
>
> The VM in question has had its database restored using ipa-restore a
> number of times, so I don't know if this is a factor.
>
> Thanks
>
> Bob
>
> -sh-4.2$ ./ipa-import-users -h
> Usage ipa-import-users [options] file1.csv ...
>     -u, --user USER                  Kerberos principal that can add users
>     -p, --password PASSWORD          Password for the above
>     -k, --keytab KEYTAB              Login with the specified keytab instead of user and pass
>     -v, --verbose                    enable verbose mode
>     -d, --debug                      enable debug mode
>     -c, --check                      check input files without applying them
> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
> Importing file example_users_file.csv...
> header line ["Username", " First Name", " Last Name", " Email Address", " Password"]
> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"]
> username auser already defined
> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com", "secrets2"]
> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjones at somewhere.com" --password 2>&1
> Problem with file example_users_file.csv ipa error on james23 - ipa:
> ERROR: Insufficient access: Could not read UPG Definition originfilter.
> Check your permissions.
> -sh-4.2$ klist -kt ipa004.keytab
> Keytab name: FILE:ipa004.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK

How does the script obtain a ticket-granting ticket if a keytab is used? Does it run just:

kinit -k

If so then it will get a TGT for principal host/ipa004.jackland.uk at TEST.JACKLAND.UK and not for useradder at TEST.JACKLAND.UK. By default hosts don't have permissions to add users.

> -sh-4.2$
>
> Installed Packages
> Name        : ipa-server
> Arch        : x86_64
> Version     : 4.1.0
> Release     : 18.el7_1.3
> Size        : 4.2 M
> Repo        : installed
> From repo   : rhel-7-server-rpms
> Summary     : The IPA authentication server
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>             : user, virtual machines, groups, authentication credentials), Policy
>             : (configuration settings, access control information) and Audit (events,
>             : logs, analysis thereof). If you are installing an IPA server you need
>             : to install this package (in other words, most people should NOT install
>             : this package).
>

--
Petr Vobornik

From Duncan.Innes at virginmoney.com Mon Jun 1 08:56:00 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Mon, 1 Jun 2015 09:56:00 +0100
Subject: [Freeipa-users] Which client is noisy?
Message-ID: <56343345B145C043AE990701E3D193950BD1FB9A@EXVS2.nrplc.localnet>

I've got an IPA installation with 8 servers replicating between each other across various parts of our network. Recently I've started pushing the dirsrv logs to a remote log collector from 4 of these machines and see a huge disparity in the number of entries being sent.

ipa01 - ~42,000 logs per hour
ipa02 - ~13,000 logs per hour
ipa03 - ~80,000 logs per hour
ipa04 - ~20,000 logs per hour

ipa01 & 02 are used as a failover pair for clients in one datacentre.
ipa03 & 04 are used as a failover pair for clients in another datacentre.

From the logs, is there a way to see if I've got an imbalance of clients connecting to each IPA server? Or a completely different log message scenario?

We don't have access to the _SRV_ records as the AD domain controls that, so we had to hard code the main and failover servers on the ipa_server line in /etc/sssd/sssd.conf, the kdc line in /etc/krb5.conf, and the URI line in /etc/openldap/ldap.conf. As such, it's reasonable to suggest that our randomised script for allocating primary/secondary on a client isn't as random as we think.

Might it also be possible that due to the hard coding option we had to take, our clients end up failing over to a certain server, but then never failing back when the primary returns? Under maintenance we generally patch and reboot the odd numbered servers, followed by the even servers once the odd servers are back.

Thanks

Duncan

This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL.
Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our website at virginmoney.com

From tbordaz at redhat.com Mon Jun 1 09:13:54 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 01 Jun 2015 11:13:54 +0200
Subject: [Freeipa-users] Which client is noisy?
In-Reply-To: <56343345B145C043AE990701E3D193950BD1FB9A@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193950BD1FB9A@EXVS2.nrplc.localnet>
Message-ID: <556C2252.1050405@redhat.com>

Hello,

From a DS point of view, you may use logconv.pl to get a rapid summary of the received activity (DS access logs). You may take the same period of time on each server and compare the results. It will give hints to know if the difference comes from bind, connections, replication session, or ...

thanks
thierry

On 06/01/2015 10:56 AM, Innes, Duncan wrote:
> I've got an IPA installation with 8 servers replicating between each
> other across various parts of our network. Recently I've started
> pushing the dirsrv logs to a remote log collector from 4 of these
> machines and see a huge disparity in the number of entries being sent.
> ipa01 - ~42,000 logs per hour
> ipa02 - ~13,000 logs per hour
> ipa03 - ~80,000 logs per hour
> ipa04 - ~20,000 logs per hour
> ipa01 & 02 are used as a failover pair for clients in one datacentre.
> ipa03 & 04 are used as a failover pair for clients in another datacentre.
> From the logs, is there a way to see if I've got an imbalance of
> clients connecting to each IPA server? Or a completely different
> log message scenario?
> We don't have access to the _SRV_ records as the AD domain controls
> that, so we had to hard code the main and failover servers on the
> ipa_server line in /etc/sssd/sssd.conf, the kdc line in
> /etc/krb5.conf, and the URI line in /etc/openldap/ldap.conf. As such,
> it's reasonable to suggest that our randomised script for
> allocating primary/secondary on a client isn't as random as we think.
> Might it also be possible that due to the hard coding option we had to
> take, our clients end up failing over to a certain server, but then
> never failing back when the primary returns? Under maintenance we
> generally patch and reboot the odd numbered servers, followed by the
> even servers once the odd servers are back.
> Thanks
> Duncan
>
From bob at jackland.demon.co.uk Mon Jun 1 09:36:18 2015
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Mon, 01 Jun 2015 10:36:18 +0100
Subject: [Freeipa-users] problem with keytab for ipa user-add
In-Reply-To: <556C1DFC.4060109@redhat.com>
References: <556AE0B9.8010704@jackland.demon.co.uk> <556C1DFC.4060109@redhat.com>
Message-ID: <556C2792.4090406@jackland.demon.co.uk>

On 01/06/2015 09:55, Petr Vobornik wrote:
> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>> Hello,
>>
>> I've written a Ruby script to add IPA users from CSV files. This works
>> fine when specifying a username and password. However, using a keytab
>> produces an error (see below). This seems to happen whatever I put in
>> the keytab file.
>>
>> Any suggestions ?
>>
>> The VM in question has had its database restored using ipa-restore a
>> number of times, so I don't know if this is a factor.
>>
>> Thanks
>>
>> Bob
>>
>> -sh-4.2$ ./ipa-import-users -h
>> Usage ipa-import-users [options] file1.csv ...
>>     -u, --user USER                  Kerberos principal that can add users
>>     -p, --password PASSWORD          Password for the above
>>     -k, --keytab KEYTAB              Login with the specified keytab instead of user and pass
>>     -v, --verbose                    enable verbose mode
>>     -d, --debug                      enable debug mode
>>     -c, --check                      check input files without applying them
>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv
>> Importing file example_users_file.csv...
>> header line ["Username", " First Name", " Last Name", " Email Address", " Password"]
>> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"]
>> username auser already defined
>> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com", "secrets2"]
>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" --email="jamesjones at somewhere.com" --password 2>&1
>> Problem with file example_users_file.csv ipa error on james23 - ipa:
>> ERROR: Insufficient access: Could not read UPG Definition originfilter.
>> Check your permissions.
>> -sh-4.2$ klist -kt ipa004.keytab
>> Keytab name: FILE:ipa004.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>
>
> How does the script obtain ticket granting ticket if keytab is used?
> Does it run just:
>
> kinit -k
>
> If so then it will get TGT for principal:
> host/ipa004.jackland.uk at TEST.JACKLAND.UK and not for
> useradder at TEST.JACKLAND.UK . By default hosts don't have permissions
> to add users.
>
>

It uses kinit -kt. I got a "no suitable keys" error when the keytab only included useradder so I included the host to get around this (see below).
-sh-4.2$ klist -kt useradder.keytab
Keytab name: FILE:useradder.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
-sh-4.2$ kinit -kt useradder.keytab
kinit: Keytab contains no suitable keys for host/ipa004.test.jackland.uk at TEST.JACKLAND.UK while getting initial credentials
-sh-4.2$

>> -sh-4.2$
>>
>> Installed Packages
>> Name        : ipa-server
>> Arch        : x86_64
>> Version     : 4.1.0
>> Release     : 18.el7_1.3
>> Size        : 4.2 M
>> Repo        : installed
>> From repo   : rhel-7-server-rpms
>> Summary     : The IPA authentication server
>> URL         : http://www.freeipa.org/
>> Licence     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>             : user, virtual machines, groups, authentication credentials), Policy
>>             : (configuration settings, access control information) and Audit (events,
>>             : logs, analysis thereof). If you are installing an IPA server you need
>>             : to install this package (in other words, most people should NOT install
>>             : this package).
>>
>
>

From pvoborni at redhat.com Mon Jun 1 10:01:58 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 01 Jun 2015 12:01:58 +0200
Subject: [Freeipa-users] problem with keytab for ipa user-add
In-Reply-To: <556C2792.4090406@jackland.demon.co.uk>
References: <556AE0B9.8010704@jackland.demon.co.uk> <556C1DFC.4060109@redhat.com> <556C2792.4090406@jackland.demon.co.uk>
Message-ID: <556C2D96.2060004@redhat.com>

On 06/01/2015 11:36 AM, Bob Hinton wrote:
> On 01/06/2015 09:55, Petr Vobornik wrote:
>> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've written a Ruby script to add IPA users from CSV files. This works
>>> fine when specifying a username and password.
However, using a keytab >>> produces an error (see below). This seems to happen whatever I put in >>> the keytab file. >>> >>> Any suggestions ? >>> >>> The VM in question has had its database restored using ipa-restore a >>> number of times, so I don't know if this is a factor. >>> >>> Thanks >>> >>> Bob >>> >>> -sh-4.2$ ./ipa-import-users -h >>> Usage ipa-import-users [options] file1.csv ... >>> -u, --user USER Kerberos principal that can add >>> users >>> -p, --password PASSWORD Password for the above >>> -k, --keytab KEYTAB Login with the specified keytab >>> instead of user and pass >>> -v, --verbose enable verbose mode >>> -d, --debug enable debug mode >>> -c, --check check input files without >>> applying them >>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv >>> Importing file example_users_file.csv... >>> header line ["Username", " First Name", " Last Name", " Email Address", >>> " Password"] >>> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"] >>> username auser already defined >>> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com", >>> "secrets2"] >>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" >>> --email="jamesjones at somewhere.com" --password 2>&1 >>> Problem with file example_users_file.csv ipa error on james23 - ipa: >>> ERROR: Insufficient access: Could not read UPG Definition originfilter. >>> Check your permissions. 
>>> -sh-4.2$ klist -kt ipa004.keytab
>>> Keytab name: FILE:ipa004.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>>    2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>>    4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK
>>
>>
>> How does the script obtain ticket granting ticket if keytab is used?
>> Does it run just:
>>
>> kinit -k
>>
>> If so then it will get TGT for principal:
>> host/ipa004.jackland.uk at TEST.JACKLAND.UK and not for
>> useradder at TEST.JACKLAND.UK . By default hosts don't have permissions
>> to add users.
>>
>>
>
> It uses kinit -kt. I got a "no suitable keys" error when the keytab only
> included useradder so I included the host to get around this (see below).
>
> -sh-4.2$ klist -kt useradder.keytab
> Keytab name: FILE:useradder.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>    3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
> -sh-4.2$ kinit -kt useradder.keytab
> kinit: Keytab contains no suitable keys for
> host/ipa004.test.jackland.uk at TEST.JACKLAND.UK while getting initial
> credentials

The default principal is used when klist -kt is called without specifying the principal. The default principal is the local host principal. That is the reason why you are able to get a TGT if you add the host principal into the keytab.
But, as I wrote, this principal doesn't have rights to add users. The correct way is:

kinit -k -t useradder.keytab useradder at TEST.JACKLAND.UK

> -sh-4.2$
>
>>> -sh-4.2$
>>>
>>> Installed Packages
>>> Name        : ipa-server
>>> Arch        : x86_64
>>> Version     : 4.1.0
>>> Release     : 18.el7_1.3
>>> Size        : 4.2 M
>>> Repo        : installed
>>> From repo   : rhel-7-server-rpms
>>> Summary     : The IPA authentication server
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If you are installing an IPA server you need
>>>             : to install this package (in other words, most people should NOT install
>>>             : this package).
>>>
>>
>>
>

--
Petr Vobornik

From abokovoy at redhat.com Mon Jun 1 10:02:43 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 1 Jun 2015 13:02:43 +0300
Subject: [Freeipa-users] problem with keytab for ipa user-add
In-Reply-To: <556C2792.4090406@jackland.demon.co.uk>
References: <556AE0B9.8010704@jackland.demon.co.uk> <556C1DFC.4060109@redhat.com> <556C2792.4090406@jackland.demon.co.uk>
Message-ID: <20150601100243.GC15837@redhat.com>

On Mon, 01 Jun 2015, Bob Hinton wrote:
>On 01/06/2015 09:55, Petr Vobornik wrote:
>> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've written a Ruby script to add IPA users from CSV files. This works
>>> fine when specifying a username and password. However, using a keytab
>>> produces an error (see below). This seems to happen whatever I put in
>>> the keytab file.
>>>
>>> Any suggestions ?
>>>
>>> The VM in question has had its database restored using ipa-restore a
>>> number of times, so I don't know if this is a factor.
>>> >>> Thanks >>> >>> Bob >>> >>> -sh-4.2$ ./ipa-import-users -h >>> Usage ipa-import-users [options] file1.csv ... >>> -u, --user USER Kerberos principal that can add >>> users >>> -p, --password PASSWORD Password for the above >>> -k, --keytab KEYTAB Login with the specified keytab >>> instead of user and pass >>> -v, --verbose enable verbose mode >>> -d, --debug enable debug mode >>> -c, --check check input files without >>> applying them >>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab example_users_file.csv >>> Importing file example_users_file.csv... >>> header line ["Username", " First Name", " Last Name", " Email Address", >>> " Password"] >>> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"] >>> username auser already defined >>> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com", >>> "secrets2"] >>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" >>> --email="jamesjones at somewhere.com" --password 2>&1 >>> Problem with file example_users_file.csv ipa error on james23 - ipa: >>> ERROR: Insufficient access: Could not read UPG Definition originfilter. >>> Check your permissions. >>> -sh-4.2$ klist -kt ipa004.keytab >>> Keytab name: FILE:ipa004.keytab >>> KVNO Timestamp Principal >>> ---- ----------------- >>> -------------------------------------------------------- >>> 2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK >>> 2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK >>> 2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK >>> 2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK >>> 4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK >>> 4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK >>> 4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK >>> 4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK >> >> >> How does the script obtain ticket granting ticket if keytab is used? 
>> Does it run just:
>>
>> kinit -k
>>
>> If so then it will get TGT for principal:
>> host/ipa004.jackland.uk at TEST.JACKLAND.UK and not for
>> useradder at TEST.JACKLAND.UK . By default hosts don't have permissions
>> to add users.
>>
>>
>
>It uses kinit -kt. I got a "no suitable keys" error when the keytab only
>included useradder so I included the host to get around this (see below).
>
>-sh-4.2$ klist -kt useradder.keytab
>Keytab name: FILE:useradder.keytab
>KVNO Timestamp         Principal
>---- ----------------- --------------------------------------------------------
>   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>   3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK
>-sh-4.2$ kinit -kt useradder.keytab
>kinit: Keytab contains no suitable keys for
>host/ipa004.test.jackland.uk at TEST.JACKLAND.UK while getting initial
>credentials

And that is correct because 'kinit -k' defaults to the host/fqdn.hostname principal if a principal is not specified.

kinit -k -t useradder.keytab useradder at TEST.JACKLAND.UK

would be the correct way to call it. See the manual page for kinit for more details.

--
/ Alexander Bokovoy

From bob at jackland.demon.co.uk Mon Jun 1 10:46:46 2015
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Mon, 01 Jun 2015 11:46:46 +0100
Subject: [Freeipa-users] problem with keytab for ipa user-add
In-Reply-To: <556C2D96.2060004@redhat.com>
References: <556AE0B9.8010704@jackland.demon.co.uk> <556C1DFC.4060109@redhat.com> <556C2792.4090406@jackland.demon.co.uk> <556C2D96.2060004@redhat.com>
Message-ID: <556C3816.30005@jackland.demon.co.uk>

On 01/06/2015 11:01, Petr Vobornik wrote:
> On 06/01/2015 11:36 AM, Bob Hinton wrote:
>> On 01/06/2015 09:55, Petr Vobornik wrote:
>>> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>>>> Hello,
>>>>
>>>> I've written a Ruby script to add IPA users from CSV files. This works
>>>> fine when specifying a username and password.
However, using a keytab >>>> produces an error (see below). This seems to happen whatever I put in >>>> the keytab file. >>>> >>>> Any suggestions ? >>>> >>>> The VM in question has had its database restored using ipa-restore a >>>> number of times, so I don't know if this is a factor. >>>> >>>> Thanks >>>> >>>> Bob >>>> >>>> -sh-4.2$ ./ipa-import-users -h >>>> Usage ipa-import-users [options] file1.csv ... >>>> -u, --user USER Kerberos principal that can add >>>> users >>>> -p, --password PASSWORD Password for the above >>>> -k, --keytab KEYTAB Login with the specified keytab >>>> instead of user and pass >>>> -v, --verbose enable verbose mode >>>> -d, --debug enable debug mode >>>> -c, --check check input files without >>>> applying them >>>> -sh-4.2$ ./ipa-import-users -vd -k ipa004.keytab >>>> example_users_file.csv >>>> Importing file example_users_file.csv... >>>> header line ["Username", " First Name", " Last Name", " Email >>>> Address", >>>> " Password"] >>>> Line 2 is ["auser", "Another", "User", "auser at test.com", "pass"] >>>> username auser already defined >>>> Line 3 is ["james23", "James", "Jones", "jamesjones at somewhere.com", >>>> "secrets2"] >>>> echo "secrets2" | ipa user-add james23 --first="James" --last="Jones" >>>> --email="jamesjones at somewhere.com" --password 2>&1 >>>> Problem with file example_users_file.csv ipa error on james23 - ipa: >>>> ERROR: Insufficient access: Could not read UPG Definition >>>> originfilter. >>>> Check your permissions. 
>>>> -sh-4.2$ klist -kt ipa004.keytab >>>> Keytab name: FILE:ipa004.keytab >>>> KVNO Timestamp Principal >>>> ---- ----------------- >>>> -------------------------------------------------------- >>>> 2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK >>>> 2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK >>>> 2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK >>>> 2 18/05/15 14:23:24 host/ipa004.jackland.uk at TEST.JACKLAND.UK >>>> 4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK >>>> 4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK >>>> 4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK >>>> 4 31/05/15 10:55:37 useradder at TEST.JACKLAND.UK >>> >>> >>> How does the script obtain ticket granting ticket if keytab is used? >>> Does it run just: >>> >>> kinit -k >>> >>> If so then it will get TGT for principal: >>> host/ipa004.jackland.uk at TEST.JACKLAND.UK and not for >>> useradder at TEST.JACKLAND.UK . By default hosts don't have permissions >>> to add users. >>> >>> >> >> It uses kinit -kt. I got a "no suitable keys" error when the keytab only >> included useradder so I included the host to get around this (see >> below). >> >> -sh-4.2$ klist -kt useradder.keytab >> Keytab name: FILE:useradder.keytab >> KVNO Timestamp Principal >> ---- ----------------- >> -------------------------------------------------------- >> 3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK >> 3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK >> 3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK >> 3 31/05/15 10:37:07 useradder at TEST.JACKLAND.UK >> -sh-4.2$ kinit -kt useradder.keytab >> kinit: Keytab contains no suitable keys for >> host/ipa004.test.jackland.uk at TEST.JACKLAND.UK while getting initial >> credentials > > > Default principal is used when klist -kt is called without specifying > the principal. Default principal is the local host principal. 
> That is the reason why you are able to get TGT if you add the host principal
> into the keytab. But, as I wrote, this principal doesn't have rights
> to add users.
>
> Correct way is:
> kinit -k -t useradder.keytab useradder at TEST.JACKLAND.UK
>

Ah, that explains it. Many thanks

Bob

>> -sh-4.2$
>>
>>>> -sh-4.2$
>>>>
>>>> Installed Packages
>>>> Name        : ipa-server
>>>> Arch        : x86_64
>>>> Version     : 4.1.0
>>>> Release     : 18.el7_1.3
>>>> Size        : 4.2 M
>>>> Repo        : installed
>>>> From repo   : rhel-7-server-rpms
>>>> Summary     : The IPA authentication server
>>>> URL         : http://www.freeipa.org/
>>>> Licence     : GPLv3+
>>>> Description : IPA is an integrated solution to provide centrally managed
>>>>             : Identity (machine, user, virtual machines, groups, authentication
>>>>             : credentials), Policy (configuration settings, access control
>>>>             : information) and Audit (events, logs, analysis thereof). If you
>>>>             : are installing an IPA server you need to install this package
>>>>             : (in other words, most people should NOT install this package).
>>>>
>>>
>>>
>>
>
>

From thibaut.pouzet at lyra-network.com Mon Jun 1 14:12:02 2015
From: thibaut.pouzet at lyra-network.com (Thibaut Pouzet)
Date: Mon, 01 Jun 2015 16:12:02 +0200
Subject: [Freeipa-users] Status on Sub-CAs for FreeIPA v4.2
Message-ID: <556C6832.4080108@lyra-network.com>

Hi,

I am currently trying to use FreeIPA to issue client certificates for some internal application we have. (More precisely, SSL double authentication between two of my applications, client side would be java, server-side would be apache httpd.) I considered two options :

1. Issue client certificates directly from FreeIPA : It does not seem that it's currently "supported". I can actually generate a client certificate by creating a new principal for a host, and use ipa-getcert to generate a certificate for it. However, this certificate is valid for both user and server authentication, and I cannot change it.
Furthermore, I cannot change the CN of the certificate, it is the server's hostname for which the principal has been generated. That's a poor solution.

2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to do whatever I want to do. I tried to use the dogtag profiles with the ipa-getcert -T option, but the profiles were ignored when I tried to use them. And I always got 'regular' certificates.

I did some research, and found this RFE :
http://www.freeipa.org/page/V4/Sub-CAs

And this Sub-CA notion seems to be perfect for what I want to do. When I'm looking at the ticket, it seems that it is quietly sleeping somewhere, remaining not updated.

I would love to see this feature in FreeIPA v4.2, has anyone a status on this RFE and its current status ?

Cheers,

-- 
Thibaut Pouzet
Lyra Network
Systems and Network Engineer
(+33) 5 31 22 40 08
www.lyra-network.com

From abokovoy at redhat.com Mon Jun 1 14:19:20 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 1 Jun 2015 17:19:20 +0300
Subject: [Freeipa-users] Status on Sub-CAs for FreeIPA v4.2
In-Reply-To: <556C6832.4080108@lyra-network.com>
References: <556C6832.4080108@lyra-network.com>
Message-ID: <20150601141920.GD15837@redhat.com>

On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
> Hi,
>
> I am currently trying to use FreeIPA to issue client certificates for
> some internal application we have. (More precisely, SSL double
> authentication between two of my applications, client side would be
> java, server-side would be apache httpd.) I considered two options :
>
> 1. Issue client certificates directly from FreeIPA : It does not seem
> that it's currently "supported". I can actually generate a client
> certificate by creating a new principal for a host, and use ipa-getcert
> to generate a certificate for it. However, this certificate is valid for
> both user and server authentication, and I cannot change it.
> Furthermore, I cannot change the CN of the certificate, it is the
> server's hostname for which the principal has been generated. That's a
> poor solution.
>
>
> 2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to
> do whatever I want to do. I tried to use the dogtag profiles with the
> ipa-getcert -T option, but the profiles were ignored when I tried to use
> them. And I always got 'regular' certificates.
>
> I did some research, and found this RFE :
> http://www.freeipa.org/page/V4/Sub-CAs
>
> And this Sub-CA notion seems to be perfect for what I want to do. When
> I'm looking at the ticket, it seems that it is quietly sleeping
> somewhere, remaining not updated.
>
> I would love to see this feature in FreeIPA v4.2, has anyone a status on
> this RFE and its current status ?

Design page is there, the work happens on freeipa-devel at . There are multiple patches in the review process right now. If you are willing to help with testing them, welcome to the development list.

-- 
/ Alexander Bokovoy

From pspacek at redhat.com Mon Jun 1 14:39:41 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 01 Jun 2015 16:39:41 +0200
Subject: [Freeipa-users] Which client is noisy?
In-Reply-To: <56343345B145C043AE990701E3D193950BD1FB9A@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193950BD1FB9A@EXVS2.nrplc.localnet>
Message-ID: <556C6EAD.9020209@redhat.com>

On 1.6.2015 10:56, Innes, Duncan wrote:
> We don't have access to the _SRV_ records as the AD domain controls
> that, so we had to hard code the main and failover servers on the

Side note: It sounds that your FreeIPA setup is using the same domain name as the AD realm. This is directly against http://www.freeipa.org/page/Deployment_Recommendations#DNS and will cause pain moving forward as AD Trusts and DNSSEC validation will be impossible.
Please follow http://www.freeipa.org/page/Deployment_Recommendations for the next deployment :-)

-- 
Petr^2 Spacek

From ivars.strazdins at sets.lv Mon Jun 1 14:42:53 2015
From: ivars.strazdins at sets.lv (Ivars Strazdiņš)
Date: Mon, 1 Jun 2015 15:42:53 +0100
Subject: [Freeipa-users] login delay with sssd
Message-ID: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv>

Hi,

how could I possibly trace why there is a noticeable delay when logging into an sssd-enabled server?
With ssh there is a 2-3 second delay before a user logs in. But most users notice this with webmail, which uses dovecot->pam->sssd as authentication backend.
Environment is Centos 7.1 and FreeIPA 4.1.0 servers, two redundant.
Client also running Centos 7.1 with sssd.
Installation as per IPA handbook. DNS is proper (or so I think :) ).
Nothing special in logs that I could attribute to this problem except maybe that for each successful login there is a pam_unix failure entry in /var/log/secure log like:

Jun 1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1 user=user1 at company.com
Jun 1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1 user=user1 at company.com

But when the user is logged in, the 'id' command result is instantaneous.
All machines have selinux enabled, of course.
Thanks in advance,
Ivars

sssd.conf file from client:

[domain/company.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = company.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mail.company.com
chpass_provider = ipa
ipa_server = server1.company.com, _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
enumerate = true

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = company.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

From jhrozek at redhat.com Mon Jun 1 14:50:17 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 1 Jun 2015 16:50:17 +0200
Subject: [Freeipa-users] login delay with sssd
In-Reply-To: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv>
References: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv>
Message-ID: <20150601145017.GJ4996@hendrix>

On Mon, Jun 01, 2015 at 03:42:53PM +0100, Ivars Strazdiņš wrote:
> Hi,
> how could I possibly trace why there is a noticeable delay when logging into an sssd-enabled server?

Using SSSD logs:
https://fedorahosted.org/sssd/wiki/Troubleshooting

> With ssh there is a 2-3 second delay before a user logs in. But most users notice this with webmail, which uses dovecot->pam->sssd as authentication backend.
> Environment is Centos 7.1 and FreeIPA 4.1.0 servers, two redundant.
> Client also running Centos 7.1 with sssd.
> Installation as per IPA handbook. DNS is proper (or so I think :) ).
> Nothing special in logs that I could attribute to this problem except maybe that for each successful login there is a pam_unix failure entry in /var/log/secure log like:
> Jun 1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1 user=user1 at company.com
> Jun 1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1 user=user1 at company.com
>
> But when the user is logged in, the 'id' command result is instantaneous.

The behaviour of id from the command line and during login is different. During login, we always ignore the cache to make sure the group membership is correct, because in Linux, group membership is only set during login.

This RFE might be of interest to you:
https://fedorahosted.org/sssd/ticket/1807

We plan on more performance enhancements in the next (1.14) planned release.

From rcritten at redhat.com Mon Jun 1 14:50:40 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Jun 2015 10:50:40 -0400
Subject: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
In-Reply-To: <55689A7D.30707@alumni.ethz.ch>
References: <55689A7D.30707@alumni.ethz.ch>
Message-ID: <556C7140.1040800@redhat.com>

Thomas Sailer wrote:
> Hello everyone.
>
> I upgraded a freeipa server from fedora 20 to fedora 22. It mostly
> worked ok, but there are a few issues:
>
> - pki-tomcat didn't start after the upgrade, and that in turn made
> ipa-upgradeconfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
> had the wrong owner (root).
>
> - ipa-ldap-updater stumbles over two problems:
>   - Pre schema upgrade failed
>   - when trying to modify cn=encryption,cn=config, it stumbles over
>     allowWeakCipher not allowed
>
> Does anyone know how to fix this? Is the pre schema upgrade failure
> spurious? what bits am I missing about the allowWeakCipher issue?
I think the issue was that the upgrade was done in a chroot, so systemd couldn't start 389-ds. I'm guessing, but I'll bet the "No such file or directory" is the ldapi socket.

You can safely re-run the upgrade scripts:

# /usr/sbin/ipa-ldap-updater --upgrade
# /usr/sbin/ipa-upgradeconfig

I'd re-run those and see if the errors change, or hopefully, go away completely.

rob

From rcritten at redhat.com Mon Jun 1 14:54:55 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Jun 2015 10:54:55 -0400
Subject: [Freeipa-users] ipa-replica-prepare error
In-Reply-To: <55679591.4000101@cora.nwra.com>
References: <55677E25.5020705@cora.nwra.com> <5567840D.2090701@redhat.com> <55679591.4000101@cora.nwra.com>
Message-ID: <556C723F.3080508@redhat.com>

Orion Poplawski wrote:
> On 05/28/2015 03:09 PM, Rob Crittenden wrote:
>> Orion Poplawski wrote:
>>> We did a CAless install:
>>>
>>> ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat
>>> /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt
>>> --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12
>>> --http_pin=XXXX --idstart=8000
>>>
>>> But now when we try to setup a replica:
>>>
>>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>> --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXX
>>> Directory Manager (existing master) password:
>>>
>>> The full certificate chain is not present in nwra.com.p12
>>>
>>>
>>> p12 file was created with:
>>>
>>> openssl pkcs12 -export -in /etc/pki/tls/certs/nwra.com.crt -inkey
>>> /etc/pki/tls/private/nwra.com.key -certfile
>>> /etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12
>>>
>>> ipa-server-4.1.0-18.sl7_1.3.x86_64
>>>
>>> Any thoughts?
>>>
>>
>> At a glance your creation steps look ok. Strangely, the same code that loads
>> the PKCS#12 files is used both in the server install and replica prepare, the
>> only difference it seems is that with the server install we get a copy of the
>> CA separately too.
>>
>> Can you provide the output of: pk12util -l nwra.com.p12
>>
>> Maybe we can work out what it thinks is missing.
>>
>> rob
>
> I think I need to redo our install with an updated (SHA-2?) certificate, but I
> wouldn't think that would affect this issue either.

I don't believe this is related to the signature. It looks like the right certs are there so I'm not sure what is going on. It may be that the built-ins aren't being found and this is needed because the AddTrust External Root isn't included, and it shouldn't need to be.

What is really blowing my mind is the same function that loads the PKCS#12 file is called both on install and replica prepare but only failing on the latter.

Maybe Honza has some ideas.

rob

From rcritten at redhat.com Mon Jun 1 14:58:01 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Jun 2015 10:58:01 -0400
Subject: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4
In-Reply-To:
References: <20150530121021.GA11243@mail.corp.redhat.com> <24b13f8e-c7a7-4fdb-a81c-e0ef33e0f4d9@email.android.com>
Message-ID: <556C72F9.7080904@redhat.com>

bahan w wrote:
> Hello everyone.
>
> I modified the /etc/selinux/config file :
> #########################################################
> # This file controls the state of SELinux on the system.
> # SELINUX=disabled
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=permissive
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
> #########################################################
>
> Then I rebooted.
> ######################################################### > reboot > ######################################################### > > Here is the result of getenforce : > ######################################################### > Permissive > ######################################################### > > I removed the ipa-server that I had and I tried te 3.0.0-42 : > ######################################################### > yum install ipa-server-3.0.0-42.el6.x86_64 > Loaded plugins: security > Setting up Install Process > Resolving Dependencies > --> Running transaction check > ---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed > --> Processing Dependency: ipa-client = 3.0.0-42.el6 for package: > ipa-server-3.0.0-42.el6.x86_64 > --> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for package: > ipa-server-3.0.0-42.el6.x86_64 > --> Processing Dependency: ipa-python = 3.0.0-42.el6 for package: > ipa-server-3.0.0-42.el6.x86_64 > --> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for > package: ipa-server-3.0.0-42.el6.x86_64 > --> Running transaction check > ---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed > ---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed > ---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed > ---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be installed > --> Finished Dependency Resolution > > Dependencies Resolved > > ====================================================================================================================================== > Package Arch > Version Repository Size > ====================================================================================================================================== > Installing: > ipa-server x86_64 > 3.0.0-42.el6 standard 1.1 M > Installing for dependencies: > ipa-admintools x86_64 > 3.0.0-42.el6 standard 67 k > ipa-client x86_64 > 3.0.0-42.el6 standard 145 k > ipa-python x86_64 > 3.0.0-42.el6 standard 
928 k > ipa-server-selinux x86_64 > 3.0.0-42.el6 standard 66 k > > Transaction Summary > ====================================================================================================================================== > Install 5 Package(s) > > Total download size: 2.3 M > Installed size: 9.2 M > Is this ok [y/N]: y > Downloading Packages: > (1/5): > ipa-admintools-3.0.0-42.el6.x86_64.rpm > | 67 kB 00:00 > (2/5): > ipa-client-3.0.0-42.el6.x86_64.rpm > | 145 kB 00:00 > (3/5): > ipa-python-3.0.0-42.el6.x86_64.rpm > | 928 kB 00:00 > (4/5): > ipa-server-3.0.0-42.el6.x86_64.rpm > | 1.1 MB 00:00 > (5/5): > ipa-server-selinux-3.0.0-42.el6.x86_64.rpm > | 66 kB 00:00 > -------------------------------------------------------------------------------------------------------------------------------------- > Total > 6.8 MB/s | 2.3 MB 00:00 > Running rpm_check_debug > Running Transaction Test > Transaction Test Succeeded > Running Transaction > Installing : > ipa-python-3.0.0-42.el6.x86_64 > 1/5 > Installing : > ipa-client-3.0.0-42.el6.x86_64 > 2/5 > Installing : > ipa-admintools-3.0.0-42.el6.x86_64 > 3/5 > Installing : > ipa-server-3.0.0-42.el6.x86_64 > 4/5 > Installing : > ipa-server-selinux-3.0.0-42.el6.x86_64 > 5/5 > libsepol.print_missing_requirements: ipa_dogtag's global requirements > were not met: type/attribute pki_ca_t (No such file or directory). > libsemanage.semanage_link_sandbox: Link packages failed (No such file or > directory). > semodule: Failed! > Verifying : > ipa-server-3.0.0-42.el6.x86_64 > 1/5 > Verifying : > ipa-server-selinux-3.0.0-42.el6.x86_64 > 2/5 > Verifying : > ipa-python-3.0.0-42.el6.x86_64 > 3/5 > Verifying : > ipa-client-3.0.0-42.el6.x86_64 > 4/5 > Verifying : > ipa-admintools-3.0.0-42.el6.x86_64 > 5/5 > > Installed: > ipa-server.x86_64 0:3.0.0-42.el6 > > Dependency Installed: > ipa-admintools.x86_64 0:3.0.0-42.el6 ipa-client.x86_64 > 0:3.0.0-42.el6 ipa-python.x86_64 0:3.0.0-42.el6 > ipa-server-selinux.x86_64 0:3.0.0-42.el6 > > Complete! 
> ######################################################### > > The errors linked with dogtag is still there. > Now, when I tried to run the ipa-server-install command here is what I > have : > ######################################################### > Continue to configure the system with these values? [no]: yes > > The following operations may take some minutes to complete. > Please wait until the prompt is returned. > > Configuring NTP daemon (ntpd) > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > Done configuring NTP daemon (ntpd). > Configuring directory server for the CA (pkids): Estimated time 30 seconds > [1/3]: creating directory server user > [2/3]: creating directory server instance > [3/3]: restarting directory server > Done configuring directory server for the CA (pkids). > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 > seconds > [1/20]: creating certificate server user > [2/20]: configuring certificate server instance > ipa : CRITICAL failed to configure ca instance Command > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST > -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd > XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA -admin_user > admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa > -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX > -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa > -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX > -subsystem_name pki-cad -token_name internal > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM > -ca_server_cert_subject_name CN=MYHOST,O=MYREALM > 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM > -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM -external > false -clone false' returned non-zero exit status 255 > Configuration of CA failed > ######################################################### > > And here is what I found in the ipasrever-install.log : > ######################################################### > 2015-06-01T07:38:43Z DEBUG stderr=Exception: Unable to Send > Request:java.net.ConnectException: Connection refused > java.net.ConnectException: Connection refused > at java.net.PlainSocketImpl.socketConnect(Native Method) > at > java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327) > at > java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193) > at > java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180) > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:385) > at java.net.Socket.connect(Socket.java:546) > at java.net.Socket.connect(Socket.java:495) > at java.net.Socket.(Socket.java:392) > at java.net.Socket.(Socket.java:235) > at HTTPClient.sslConnect(HTTPClient.java:326) > at ConfigureCA.LoginPanel(ConfigureCA.java:244) > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) > at ConfigureCA.main(ConfigureCA.java:1672) > java.lang.NullPointerException > at ConfigureCA.LoginPanel(ConfigureCA.java:245) > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) > at ConfigureCA.main(ConfigureCA.java:1672) > > 2015-06-01T07:38:43Z CRITICAL failed to configure ca instance Command > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST > -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd > XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA -admin_user > admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa > -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST > -ldap_port 
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX > -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa > -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX > -subsystem_name pki-cad -token_name internal > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM > -ca_server_cert_subject_name CN=MYHOST,O=MYREALM > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM > -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM -external > false -clone false' returned non-zero exit status 255 > 2015-06-01T07:38:43Z INFO File > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", > line 614, in run_script > return_value = main_function() > > File "/usr/sbin/ipa-server-install", line 942, in main > subject_base=options.subject) > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line > 626, in configure_instance > self.start_creation(runtime=210) > > File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", > line 358, in start_creation > method() > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line > 888, in __configure_instance > raise RuntimeError('Configuration of CA failed') > > 2015-06-01T07:38:43Z INFO The ipa-server-install command failed, > exception: RuntimeError: Configuration of CA failed > ######################################################### > > I'm not really sure permissive mode with SELinux is helping in fact. I'd poke around in the CA logs in /var/log/pki-ca. It may be that the CA isn't really starting up, or the web app isn't starting. There are a lot of red herrings in the logs, and things can cascade, so I'd start at the top and work my way down. 
rob

From Duncan.Innes at virginmoney.com Mon Jun 1 15:10:40 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Mon, 1 Jun 2015 16:10:40 +0100
Subject: [Freeipa-users] Which client is noisy?
In-Reply-To: <556C6EAD.9020209@redhat.com>
References: <56343345B145C043AE990701E3D193950BD1FB9A@EXVS2.nrplc.localnet> <556C6EAD.9020209@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193950BD1FBA0@EXVS2.nrplc.localnet>

Petr,

We're using a different domain for IPA thankfully (unix.example.com), but the AD guys control DNS and don't want to touch anything in the DNS that might affect their example.com records. Everything is on the same VLANs, so I didn't want to press with any configuration request that might have broken things.

Thierry,

Looking at the logconv output, rebooting the noisiest IPA server, looking at the data again - it's becoming more clear that the failover of the clients is moving to the next system in the list, but then remaining there until it's forced to by that one going offline too. I knew this might happen when we designed the system, but as I said above, we didn't meet a very flexible AD team.

Cheers all,

Duncan

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: 01 June 2015 15:40
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Which client is noisy?

On 1.6.2015 10:56, Innes, Duncan wrote:
> We don't have access to the _SRV_ records as the AD domain controls
> that, so we had to hard code the main and failover servers on the

Side note: It sounds that your FreeIPA setup is using the same domain name as the AD realm. This is directly against http://www.freeipa.org/page/Deployment_Recommendations#DNS and will cause pain moving forward as AD Trusts and DNSSEC validation will be impossible.

Please follow http://www.freeipa.org/page/Deployment_Recommendations for the next deployment :-)

-- 
Petr^2 Spacek

From t.sailer at alumni.ethz.ch Mon Jun 1 16:51:02 2015
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Mon, 01 Jun 2015 18:51:02 +0200
Subject: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
In-Reply-To: <556C0F38.3010909@redhat.com>
References: <55689A7D.30707@alumni.ethz.ch> <556C0F38.3010909@redhat.com>
Message-ID: <556C8D76.1040307@alumni.ethz.ch>

Martin, Rob, thanks for your answers!
On 06/01/2015 09:52 AM, Martin Basti wrote:
> Could DS in chroot cause the ipa-ldap-updater --upgrade cannot locate
> the DS socket?
> 2015-05-28T13:04:55Z DEBUG stderr=Running in chroot, ignoring request.

I used fedup for the distro upgrade, so yes initially it ran in a chroot. However, the log excerpts were from a second run I manually initiated, after the machine rebooted after the update. I am pretty sure I ensured that enough of freeipa ran to successfully run ipa user-status and kinit.

>
> 2)
> Allow weak ciphers.
> can you check objectclass definitions in
> /etc/dirsrv/slapd-XXXXX-COM/schema
> # grep 'allowWeakCipher' *
>
> If you find more than one objectclass definition, please remove the old
> from the ldif files and restart DS. (Probably there will be old in
> 99user.ldif)

I indeed had a file named 99user.ldif with a date from yesterday (even newer than 01core389.ldif). I removed this. Now ipa-ldap-updater --upgrade completes successfully, on one machine.

On the other replica, /usr/sbin/ipa-upgradeconfig fails.
There's something wrong with pki-tomcatd:

access_log:
a.b.c.d - - [01/Jun/2015:18:22:35 +0200] "GET /ca/admin/ca/getStatus HTTP/1.1" 500 2108

Jun 01 18:47:03 server2.xxxxx.com server[9651]: Jun 01, 2015 6:47:03 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jun 01 18:47:03 server2.xxxxx.com server[9651]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm at 548d946f background process
Jun 01 18:47:03 server2.xxxxx.com server[9651]: java.lang.NullPointerException
Jun 01 18:47:03 server2.xxxxx.com server[9651]: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:108)
Jun 01 18:47:03 server2.xxxxx.com server[9651]: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1360)
Jun 01 18:47:03 server2.xxxxx.com server[9651]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1546)
Jun 01 18:47:03 server2.xxxxx.com server[9651]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1556)
Jun 01 18:47:03 server2.xxxxx.com server[9651]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1556)
Jun 01 18:47:03 server2.xxxxx.com server[9651]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1524)
Jun 01 18:47:03 server2.xxxxx.com server[9651]: at java.lang.Thread.run(Thread.java:745)

Apparently, I'm not the only one :) http://pastebin.com/CtsW0GAt

From christopher.lamb at ch.ibm.com Mon Jun 1 17:35:11 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 1 Jun 2015 19:35:11 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Message-ID:

Hi All

Bad news.
Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being ssh remote login with FreeIPA user and password).

Today I tried a second machine, and had the same problem, ssh connections with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check failed"

Ahh I thought, I have a solution for that: just remove ipa-client and reinstall via yum, register with the new FreeIPA server ....

Only with this second machine I still can't ssh in with a FreeIPA user. Argg.....

b.t.w, as this machine is a real physical server, I was able to try logging in direct with my FreeIPA user --> "Authentication Failure"

I now have
* a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old FreeIPA server to the new without a hitch (i.e. they successfully authenticate FreeIPA users.)
* one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but with problems
* one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to authenticate with a FreeIPA user
* one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new FreeIPA server, and successfully authenticates FreeIPA users.

Any ideas?

Chris

----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Alexander Bokovoy , freeipa-users at redhat.com
Date: 30.05.2015 18:52
Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
Sent by: freeipa-users-bounces at redhat.com

Hi All

It gives me pleasure to report the problem is solved - a minute ago I was able to login via ssh with my FreeIPA user to the problem server, while sitting on my terrace with a glass of wine!

Thanks to Alexander for his helpful advice - we had some mail exchange outside the user list as I did not wish to broadcast content of keys, config files etc.
Regardless of what I did with commands like klist, kvno everything seemed "ok", but I still could not ssh in. Even an ipa-getkeytab did not help.

Therefore I decided to opt for brute force and (partial) ignorance. I completely uninstalled the FreeIPA client, and then reinstalled, configured - et voilà I could ssh in!

This leaves the enigma: what caused the problem? I suspect the following:

The host is an EL 7.1, but the first FreeIPA client installed was version 3.3.3 (installed as set of standard packages that we bung on all our servers).

This worked fine to authenticate against our "old" 3.x FreeIPA server, but did not work against the "new" 4.1 FreeIPA Server.

When I realised I could not ssh in, one of the first things I did was to yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help. The solution was to yum remove the FreeIPA client, then yum install the 4.1 client.

I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so it will be interesting to see if the problem can be reproduced.

Keep up the good work,

Chris

From: Alexander Bokovoy
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: freeipa-users at redhat.com
Date: 29.05.2015 18:04
Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1

On Fri, 29 May 2015, Christopher Lamb wrote:
>
>Hi All
>
>Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated across the users.
>
>We have 50 odd Servers that are FreeIPA clients. Today I started migrating these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 server by doing an ipa-client-install --uninstall from the old, and ipa-client-install to register with the new 4.1.0 server.
>
>Most of the FreeIPA clients are running OEL 6.5, and for these the migration process above worked perfectly. After migrating the server, I could ssh in with my FreeIPA user.
>
>Then I migrated an OEL 7.1 server.
>The migration itself seemed to work, and getent passwd was successful for my FreeIPA user. However when I try and ssh in, my FreeIPA user / password is not accepted.
>
>Before the migration I could ssh into the problem server (though evidently it was using my FreeIPA user from the old FreeIPA server).
>
>I can ssh in with a local (non ldap) user, so ssh is running and working.
>
>From user root I can successfully su to my FreeIPA user.
>
>Further investigation showed that version of ipa-client installed was 3.3.3, so I yum updated this to 4.1.0.
>
>However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The same user continues to work for the 6.5 boxes.
>
>A colleague tried to ssh in with his FreeIPA user, and was also rejected, so the problem is not my user, but is probably for all FreeIPA users.
>
>A failed ssh login attempt causes the following error in /var/log/messages
>
>[sssd[krb5_child[5393]]]: Decrypt integrity check failed

It means /etc/krb5.keytab contains keys from older system and SSSD picks them up.

Can you show output of 'klist -kKet'?

--
/ Alexander Bokovoy

From jpazdziora at redhat.com Mon Jun 1 17:48:50 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Mon, 1 Jun 2015 19:48:50 +0200
Subject: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
In-Reply-To: <55689A7D.30707@alumni.ethz.ch>
References: <55689A7D.30707@alumni.ethz.ch>
Message-ID: <20150601174850.GA24604@redhat.com>

On Fri, May 29, 2015 at 06:57:33PM +0200, Thomas Sailer wrote:
>
> I upgraded a freeipa server from fedora 20 to fedora 22. It mostly worked ok, but there are a few issues:
>
> - pki-tomcat didn't start after the upgrade, and that in turn made ipa-upgradeconfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg had the wrong owner (root).
I saw this issue in containers as well, when upgrading from Fedora 21 to 22. Do we have a bugzilla / ticket filed? Do we need one?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From tompos at martos.bme.hu Mon Jun 1 17:50:34 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Mon, 01 Jun 2015 19:50:34 +0200
Subject: [Freeipa-users] password expiration
Message-ID: <556C9B6A.2090401@martos.bme.hu>

hi All,

I'm stuck:

$ kinit admin
Password for admin at CXCLIENTS:
kinit: Password incorrect while getting initial credentials

[root at ipa-clients1 ~]$ kinit admin
Password for admin at CXCLIENTS:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials

$ kinit admin
Password for admin at CXCLIENTS:
Password expired. You must change it now.
Enter new password:
Enter it again:
Password change rejected: Current password's minimum life has not expired
Password not changed.. Please try again.
Enter new password:

What can I do now?

Thanks,
tamas

From ftweedal at redhat.com Mon Jun 1 22:34:07 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 2 Jun 2015 08:34:07 +1000
Subject: [Freeipa-users] Status on Sub-CAs for FreeIPA v4.2
In-Reply-To: <20150601141920.GD15837@redhat.com>
References: <556C6832.4080108@lyra-network.com> <20150601141920.GD15837@redhat.com>
Message-ID: <20150601223407.GM23523@dhcp-40-8.bne.redhat.com>

On Mon, Jun 01, 2015 at 05:19:20PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
> >Hi,
> >
> >I am currently trying to use FreeIPA to issue client certificates for some internal application we have. (More precisely, SSL double authentication between two of my applications, client side would be java, server-side would be apache httpd.) I considered two options :
> >
> >1. Issue client certificates directly from FreeIPA : It does not seem that it's currently "supported".
> >I can actually generate a client certificate by creating a new principal for a host, and use ipa-getcert to generate a certificate for it. However, this certificate is valid for both user and server authentication, and I cannot change it. Furthermore, I cannot change the CN of the certificate, it is the server's hostname for which the principal has been generated. That's a poor solution.
> >
> >2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to do whatever I want to do. I tried to use the dogtag profiles with the ipa-getcert -T option, but the profiles were ignored when I tried to use them. And I always got 'regular' certificates.
> >
> >I did some research, and found this RFE :
> >http://www.freeipa.org/page/V4/Sub-CAs
> >
> >And this Sub-CA notion seems to be perfect for what I want to do. When I'm looking at the ticket, it seems that it is quietly sleeping somewhere, remaining not updated.
> >
> >I would love to see this feature in FreeIPA v4.2, has anyone a status on this RFE and its current status ?
> >

Hi Thibaut,

I'm working on user certificates, profiles and sub-CAs. User certificates and custom profiles are a near-certainty to make 4.2. Sub-CAs will not make it into the alpha; hopefully I can finish the feature and squeeze it into 4.2 but it's a possibility that sub-CAs will arrive in a follow-up release.

Would you be willing to help test all these features and provide feedback? I will soon be preparing a COPR with test builds so if you would like to help in this way, I can help you get set up to do this. I (we) would really appreciate your feedback.

Cheers,
Fraser

> Design page is there, the work happens on freeipa-devel at . There are multiple patches in the review process right now. If you are willing to help with testing them, welcome to the development list.
> --
> / Alexander Bokovoy

From mexigabacho at gmail.com Tue Jun 2 00:37:30 2015
From: mexigabacho at gmail.com (Christopher Young)
Date: Mon, 1 Jun 2015 20:37:30 -0400
Subject: [Freeipa-users] Status on Sub-CAs for FreeIPA v4.2
In-Reply-To: <20150601223407.GM23523@dhcp-40-8.bne.redhat.com>
References: <556C6832.4080108@lyra-network.com> <20150601141920.GD15837@redhat.com> <20150601223407.GM23523@dhcp-40-8.bne.redhat.com>
Message-ID:

I, too, am very much in need of user certificates. If it is possible to setup an additional FreeIPA server to test this out, then I could help out in testing the feature. I obviously don't want to impact my production environment too much, but it is rather stagnant, so if I can backup the LDAP db every once in a while, that could work. Otherwise, I could possibly find some time to set up another instance for testing.

I definitely need this feature! Thank you so much for working on it.

Chris

On Mon, Jun 1, 2015 at 6:34 PM, Fraser Tweedale wrote:
> On Mon, Jun 01, 2015 at 05:19:20PM +0300, Alexander Bokovoy wrote:
> > On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
> > >Hi,
> > >
> > >I am currently trying to use FreeIPA to issue client certificates for some internal application we have. (More precisely, SSL double authentication between two of my applications, client side would be java, server-side would be apache httpd.) I considered two options :
> > >
> > >1. Issue client certificates directly from FreeIPA : It does not seem that it's currently "supported". I can actually generate a client certificate by creating a new principal for a host, and use ipa-getcert to generate a certificate for it. However, this certificate is valid for both user and server authentication, and I cannot change it.
> > >Furthermore, I cannot change the CN of the certificate, it is the server's hostname for which the principal has been generated. That's a poor solution.
> > >
> > >2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to do whatever I want to do. I tried to use the dogtag profiles with the ipa-getcert -T option, but the profiles were ignored when I tried to use them. And I always got 'regular' certificates.
> > >
> > >I did some research, and found this RFE :
> > >http://www.freeipa.org/page/V4/Sub-CAs
> > >
> > >And this Sub-CA notion seems to be perfect for what I want to do. When I'm looking at the ticket, it seems that it is quietly sleeping somewhere, remaining not updated.
> > >
> > >I would love to see this feature in FreeIPA v4.2, has anyone a status on this RFE and its current status ?
> > >
>
> Hi Thibaut,
>
> I'm working on user certificates, profiles and sub-CAs. User certificates and custom profiles are a near-certainty to make 4.2. Sub-CAs will not make it into the alpha; hopefully I can finish the feature and squeeze it into 4.2 but it's a possibility that sub-CAs will arrive in a follow-up release.
>
> Would you be willing to help test all these features and provide feedback? I will soon be preparing a COPR with test builds so if you would like to help in this way, I can help you get set up to do this. I (we) would really appreciate your feedback.
>
> Cheers,
> Fraser
>
> > Design page is there, the work happens on freeipa-devel at . There are multiple patches in the review process right now. If you are willing to help with testing them, welcome to the development list.
> > > > -- > > / Alexander Bokovoy > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From janellenicole80 at gmail.com Tue Jun 2 01:11:35 2015 From: janellenicole80 at gmail.com (Janelle) Date: Mon, 01 Jun 2015 18:11:35 -0700 Subject: [Freeipa-users] how to delete duplicate? Message-ID: <556D02C7.3060102@gmail.com> I have a duplicate user. Same exact name, but different UID's. But there does not seem to be a way to do "ipa user-del" on anything other than username, which ends up returning: # ipa user-del another_username ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2. Any ideas on how I can delete this user? ~J From lslebodn at redhat.com Tue Jun 2 06:21:59 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Tue, 2 Jun 2015 08:21:59 +0200 Subject: [Freeipa-users] login delay with sssd In-Reply-To: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv> References: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv> Message-ID: <20150602062158.GA26100@mail.corp.redhat.com> On (01/06/15 15:42), Ivars Strazdi?? wrote: >Hi, >how could I possibly trace why there is a noticeable delay when logging into sssd enabled server? >With ssh there is a 2-3 second delay before users logs in. But most users notice this with webmail, which uses dovecot->pam->sssd as authentication backend. >Environment is Centos 7.1 and FreeIPA 4.1.0 servers, two redundant. >Client also running Centos 7.1 with sssd. >Installation as per IPA handbook. DNS is proper (or so I think :) ). 
>Nothing special in logs that I could attribute to this problem except maybe that for each successful login there is a pam_unix failure entry in /var/log/secure log like:
>Jun 1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1 user=user1 at company.com
>Jun 1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1 user=user1 at company.com
>
>But when user is logged in, 'id' command result is instantaneous.
>All machines have selinux enabled, of course.

How many groups does problematic user have? Some performance degradation caused by semanage. Here is an upstream ticket https://fedorahosted.org/sssd/ticket/2624. It is already fixed in fedora, but you can test with prerelease of sssd-1.12.5 https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/

HTH
LS

From Alexander.Frolushkin at megafon.ru Tue Jun 2 06:21:59 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Tue, 2 Jun 2015 06:21:59 +0000
Subject: [Freeipa-users] AD user password change via ssh login
Message-ID:

Hello.
Maybe this is a little off topic, sorry if so.

Faced a strange behavior of server when trying to login a newly created user from AD, which has a password that must be changed on first login. Using this user to login via ssh to server leads to ssh session termination without any messages regarding password expiry. If I do kinit this user on same server, it does request password change.
In secure log:
Jun 2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com
Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com
Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user sdemiden at ad.com: 12 (Authentication token is no longer valid; new one required)
Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for user sdemiden at ad.com: 6 (Permission denied)
Jun 2 12:18:15 server sshd[9830]: Failed password for sdemiden at ad.com from 10.10.100.1 port 41859 ssh2
Jun 2 12:18:15 server sshd[9831]: fatal: Access denied for user sdemiden at ad.com by PAM account configuration

If I further change the password of user manually from Windows, login works as expected.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee.
If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

(c)20mf50

From mbasti at redhat.com Tue Jun 2 07:08:23 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 02 Jun 2015 09:08:23 +0200
Subject: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
In-Reply-To: <20150601174850.GA24604@redhat.com>
References: <55689A7D.30707@alumni.ethz.ch> <20150601174850.GA24604@redhat.com>
Message-ID: <556D5667.8070600@redhat.com>

On 01/06/15 19:48, Jan Pazdziora wrote:
> On Fri, May 29, 2015 at 06:57:33PM +0200, Thomas Sailer wrote:
>> I upgraded a freeipa server from fedora 20 to fedora 22. It mostly worked ok, but there are a few issues:
>>
>> - pki-tomcat didn't start after the upgrade, and that in turn made ipa-upgradeconfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg had the wrong owner (root).
> I saw this issue in containers as well, when upgrading from Fedora 21 to 22. Do we have a bugzilla / ticket filed? Do we need one?
>
I don't think so, please file a ticket.

--
Martin Basti

From tbordaz at redhat.com Tue Jun 2 07:20:33 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 02 Jun 2015 09:20:33 +0200
Subject: [Freeipa-users] Which client is noisy?
In-Reply-To: <56343345B145C043AE990701E3D193950BD1FBA0@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193950BD1FB9A@EXVS2.nrplc.localnet> <556C6EAD.9020209@redhat.com> <56343345B145C043AE990701E3D193950BD1FBA0@EXVS2.nrplc.localnet>
Message-ID: <556D5941.6060502@redhat.com>

On 06/01/2015 05:10 PM, Innes, Duncan wrote:
> Petr,
>
> We're using a different domain for IPA thankfully (unix.example.com), but the AD guys control DNS and don't want to touch anything in the DNS that might affect their example.com records. Everything is on the same VLANs, so I didn't want to press with any configuration request that might have broken things.
>
> Thierry,
>
> Looking at the logconv output, rebooting the noisiest IPA server, looking at the data again - it's becoming more clear that the failover of the clients is moving to the next system in the list, but then remaining there until it's forced to by that one going offline too. I knew this might happen when we designed the system, but as I said above, we didn't meet a very flexible AD team.

Hello Innes,

The routing of the ldap client request is usually done by a proxy or something acting like a proxy. It is sometimes preferable that after a failover to a backup server the ldap client sticks to the backup server as we do not know exactly when the principal server will be able to handle the load.

thanks
thierry

>
> Cheers all,
>
> Duncan
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: 01 June 2015 15:40
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Which client is noisy?
>
> On 1.6.2015 10:56, Innes, Duncan wrote:
>> We don't have access to the _SRV_ records as the AD domain controls that, so we had to hard code the main and failover servers on the
> Side note:
> It sounds that your FreeIPA setup is using the same domain name as AD realm.
> This is directly against http://www.freeipa.org/page/Deployment_Recommendations#DNS and will cause pain moving forward as AD Trusts and DNSSEC validation will be impossible.
>
> Please follow http://www.freeipa.org/page/Deployment_Recommendations for the next deployment :-)
>
> --
> Petr^2 Spacek
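The "which client is noisy" question in this thread is answered from the 389-ds access log (the logconv output Duncan refers to is a summary of that log). As an added example that is not code from this thread or from the FreeIPA / 389-ds projects, the Python script below aggregates an access log per client IP: connections opened, operations issued, non-zero result codes, server-side etime and the bind DNs used, and then flags the clients that open far more connections than their peers, which is the footprint of a client that opens a fresh connection for every request. The log lines embedded in it are constructed in the 389-ds access log format (connection / op / RESULT / closed records); the addresses, DNs, filters and thresholds are made up.

```python
"""Per-client summary of a 389-ds (FreeIPA directory server) access log.

Added example for the "Which client is noisy?" thread; not code from the
thread or from the FreeIPA / 389-ds projects. SAMPLE_LOG is constructed in
the 389-ds access log format; addresses, DNs, filters and thresholds are
made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "connection from" record, written once per TCP connection.
CONN_RE = re.compile(
    r"\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<client>\S+) to \S+"
)
# Operation records: "conn=N op=M BIND|SRCH|MOD|...|RESULT|UNBIND ..."
# (the "op=-1 fd=.. closed" record starts with a lowercase word, so it is skipped)
OP_RE = re.compile(r"\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)")
RESULT_RE = re.compile(r"err=(?P<err>\d+) .*?etime=(?P<etime>[\d.]+)")
BIND_DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')

SAMPLE_LOG = """
[01/Jun/2015:10:56:01 +0100] conn=1001 fd=64 slot=64 connection from 10.1.2.10 to 10.1.2.1
[01/Jun/2015:10:56:01 +0100] conn=1001 op=0 BIND dn="uid=svc-web,cn=users,cn=accounts,dc=unix,dc=example,dc=com" method=128 version=3
[01/Jun/2015:10:56:01 +0100] conn=1001 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Jun/2015:10:56:01 +0100] conn=1001 op=1 SRCH base="cn=accounts,dc=unix,dc=example,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
[01/Jun/2015:10:56:01 +0100] conn=1001 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jun/2015:10:56:01 +0100] conn=1001 op=2 UNBIND
[01/Jun/2015:10:56:01 +0100] conn=1001 op=-1 fd=64 closed - U1
[01/Jun/2015:10:56:03 +0100] conn=1002 fd=64 slot=64 connection from 10.1.2.10 to 10.1.2.1
[01/Jun/2015:10:56:03 +0100] conn=1002 op=0 BIND dn="uid=svc-web,cn=users,cn=accounts,dc=unix,dc=example,dc=com" method=128 version=3
[01/Jun/2015:10:56:03 +0100] conn=1002 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[01/Jun/2015:10:56:03 +0100] conn=1002 op=-1 fd=64 closed - U1
[01/Jun/2015:10:56:05 +0100] conn=1003 fd=64 slot=64 connection from 10.1.2.10 to 10.1.2.1
[01/Jun/2015:10:56:05 +0100] conn=1003 op=0 BIND dn="uid=svc-web,cn=users,cn=accounts,dc=unix,dc=example,dc=com" method=128 version=3
[01/Jun/2015:10:56:05 +0100] conn=1003 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Jun/2015:10:56:05 +0100] conn=1003 op=-1 fd=64 closed - U1
[01/Jun/2015:10:57:10 +0100] conn=990 op=7 RESULT err=0 tag=101 nentries=3 etime=0
[01/Jun/2015:10:57:10 +0100] conn=1004 fd=65 slot=65 connection from 10.1.2.20 to 10.1.2.1
[01/Jun/2015:10:57:10 +0100] conn=1004 op=0 BIND dn="" method=128 version=3
[01/Jun/2015:10:57:10 +0100] conn=1004 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Jun/2015:10:57:10 +0100] conn=1004 op=1 SRCH base="cn=compat,dc=unix,dc=example,dc=com" scope=2 filter="(cn=admins)" attrs="member"
[01/Jun/2015:10:57:10 +0100] conn=1004 op=1 RESULT err=0 tag=101 nentries=1 etime=0.002
[01/Jun/2015:10:57:10 +0100] conn=1004 op=2 UNBIND
[01/Jun/2015:10:57:10 +0100] conn=1004 op=-1 fd=65 closed - U1
""".strip().splitlines()


@dataclass
class ClientStats:
    connections: int = 0          # 'connection from' records seen for this IP
    operations: int = 0           # BIND/SRCH/MOD/ADD/DEL/... requests
    errors: int = 0               # RESULT records with err != 0
    etime_total: float = 0.0      # server-side time summed over RESULT records
    bind_dns: set = field(default_factory=set)


def parse_access_log(lines):
    """Aggregate access-log lines per client IP; returns {ip: ClientStats}.

    Operations are attributed to a client through the conn id, so records of a
    connection opened before the start of the log window (conn=990 above) are
    skipped rather than mis-attributed.
    """
    conn_owner = {}
    stats = defaultdict(ClientStats)
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            conn_owner[m["conn"]] = m["client"]
            stats[m["client"]].connections += 1
            continue
        m = OP_RE.search(line)
        if not m or m["conn"] not in conn_owner:
            continue
        s = stats[conn_owner[m["conn"]]]
        kind = m["kind"]
        if kind == "RESULT":
            r = RESULT_RE.search(m["rest"])
            if r:
                if int(r["err"]) != 0:
                    s.errors += 1
                s.etime_total += float(r["etime"])
        elif kind == "BIND":
            s.operations += 1
            dn = BIND_DN_RE.search(m["rest"])
            if dn:
                s.bind_dns.add(dn["dn"] or "<anonymous>")
        elif kind != "UNBIND":
            s.operations += 1
    return dict(stats)


def noisy_clients(stats, max_connections=2, max_ops_per_connection=50.0):
    """Client IPs, busiest first, that exceed either threshold."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1].connections, reverse=True)
    flagged = []
    for ip, s in ranked:
        per_conn = s.operations / s.connections if s.connections else 0.0
        if s.connections > max_connections or per_conn > max_ops_per_connection:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    stats = parse_access_log(SAMPLE_LOG)
    for ip, s in sorted(stats.items(), key=lambda kv: kv[1].connections, reverse=True):
        print(f"{ip:15} conns={s.connections} ops={s.operations} errors={s.errors} "
              f"etime={s.etime_total:.3f} binds={sorted(s.bind_dns)}")
    print("noisy:", noisy_clients(stats))
```

On a real server the script would read /var/log/dirsrv/slapd-INSTANCE/access instead of SAMPLE_LOG; the thresholds in noisy_clients are placeholders and should be set from what a normal client on the deployment looks like (sssd, for instance, keeps one long-lived connection, so dozens of short connections from one host in a minute are what to look into).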
From jhrozek at redhat.com Tue Jun 2 07:21:32 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 09:21:32 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
In-Reply-To:
References:
Message-ID: <20150602072132.GI2805@hendrix>

On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
>
> Hi All
>
> Bad news.
>
> Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being ssh remote login with FreeIPA user and password).
>
> Today I tried a second machine, and had the same problem, ssh connections with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check failed"

This really just means wrong password, can you kinit as that user using the same password?

>
> Ahh I thought, I have a solution for that: just remove ipa-client and reinstall via yum, register with the new FreeIPA server ....
>
> Only with this second machine I still can't ssh in with a FreeIPA user. Argg.....
>
> b.t.w, as this machine is a real physical server, I was able to try logging in direct with my FreeIPA user --> "Authentication Failure"
>
> I now have
> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old FreeIPA server to the new without a hitch (i.e. they successfully authenticate FreeIPA users.)
> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but with problems
> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to authenticate with a FreeIPA user
> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new FreeIPA server, and successfully authenticates FreeIPA users.
>
> Any ideas?
>
> Chris
>
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
>
> From: Christopher Lamb/Switzerland/IBM at IBMCH
> To: Alexander Bokovoy , freeipa-users at redhat.com
> Date: 30.05.2015 18:52
> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi All
>
> It gives me pleasure to report the problem is solved - a minute ago I was able to login via ssh with my FreeIPA user to the problem server, while sitting on my terrace with a glass of wine!
>
> Thanks to Alexander for his helpful advice - we had some mail exchange outside the user list as I did not wish to broadcast content of keys, config files etc.
>
> Regardless of what I did with commands like klist, kvno everything seemed "ok", but I still could not ssh in. Even an ipa-getkeytab did not help.
>
> Therefore I decided to opt for brute force and (partial) ignorance. I completely uninstalled the FreeIPA client, and then reinstalled, configured - et voilà I could ssh in!
>
> This leaves the enigma: what caused the problem? I suspect the following:
>
> The host is an EL 7.1, but the first FreeIPA client installed was version 3.3.3 (installed as set of standard packages that we bung on all our servers).
>
> This worked fine to authenticate against our "old" 3.x FreeIPA server, but did not work against the "new" 4.1 FreeIPA Server.
>
> When I realised I could not ssh in, one of the first things I did was to yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help. The solution was to yum remove the FreeIPA client, then yum install the 4.1 client.
>
> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so it will be interesting to see if the problem can be reproduced.
>
> Keep up the good work,
>
> Chris
>
> From: Alexander Bokovoy
> To: Christopher Lamb/Switzerland/IBM at IBMCH
> Cc: freeipa-users at redhat.com
> Date: 29.05.2015 18:04
> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
>
> On Fri, 29 May 2015, Christopher Lamb wrote:
> >
> >Hi All
> >
> >Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated across the users.
> >
> >We have 50 odd Servers that are FreeIPA clients. Today I started migrating these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 server by doing an ipa-client-install --uninstall from the old, and ipa-client-install to register with the new 4.1.0 server.
> >
> >Most of the FreeIPA clients are running OEL 6.5, and for these the migration process above worked perfectly. After migrating the server, I could ssh in with my FreeIPA user.
> >
> >Then I migrated an OEL 7.1 server. The migration itself seemed to work, and getent passwd was successful for my FreeIPA user. However when I try and ssh in, my FreeIPA user / password is not accepted.
> >
> >Before the migration I could ssh into the problem server (though evidently it was using my FreeIPA user from the old FreeIPA server).
> >
> >I can ssh in with a local (non ldap) user, so ssh is running and working.
> >
> >From user root I can successfully su to my FreeIPA user.
> >
> >Further investigation showed that version of ipa-client installed was 3.3.3, so I yum updated this to 4.1.0.
> >
> >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The same user continues to work for the 6.5 boxes.
> >
> >A colleague tried to ssh in with his FreeIPA user, and was also rejected, so the problem is not my user, but is probably for all FreeIPA users.
> >
> >A failed ssh login attempt causes the following error in /var/log/messages
> >
> >[sssd[krb5_child[5393]]]: Decrypt integrity check failed
> It means /etc/krb5.keytab contains keys from older system and SSSD picks them up.
> Can you show output of 'klist -kKet'?
> --
> / Alexander Bokovoy

From jhrozek at redhat.com Tue Jun 2 07:23:58 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 09:23:58 +0200
Subject: [Freeipa-users] AD user password change via ssh login
In-Reply-To:
References:
Message-ID: <20150602072358.GJ2805@hendrix>

On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote:
> Hello.
> Maybe this is a little off topic, sorry if so.
>
> Faced a strange behavior of server when trying to login a newly created user from AD, which has a password that must be changed on first login.
> Using this user to login via ssh to server leads to ssh session termination without any messages regarding password expiry. If I do kinit this user on same server, it does request password change.
> > In secure log: > Jun 2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com > Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com > Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user sdemiden at ad.com: 12 (Authentication token is no longer valid; new one required) > Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for user sdemiden at ad.com: 6 (Permission denied) It would be interesting to see the logs, because you're being denied in the account phase, where I would expect the user being either expired, locked or denied by HBAC rules. Does the login work with such user if you (temporarily!!) set access_provider=permit ? > Jun 2 12:18:15 server sshd[9830]: Failed password for sdemiden at ad.com from 10.10.100.1 port 41859 ssh2 > Jun 2 12:18:15 server sshd[9831]: fatal: Access denied for user sdemiden at ad.com by PAM account configuration > > If I further change the password of user manually from Windows, login works as expected. > > WBR, > Alexander Frolushkin > Cell +79232508764 > Work +79232507764 > > > ________________________________ >
> > The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. > > (c)20mf50 > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From mkosek at redhat.com Tue Jun 2 07:36:56 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 02 Jun 2015 09:36:56 +0200 Subject: [Freeipa-users] vSphere and freeIPA In-Reply-To: <892b1cc5e31af711e60d22844fecb9cc@webmail.zy.io> References: <892b1cc5e31af711e60d22844fecb9cc@webmail.zy.io> Message-ID: <556D5D18.50703@redhat.com> On 05/29/2015 01:59 PM, sam at zy.io wrote: > Afternoon, > > I'm currently attempting to set up an existing vsphere environment to use freeipa 4.1.0 for authentication, following this guide: > > http://www.freeipa.org/page/HowTo/vsphere5_integration > > I've followed it all through, and for the purposes for testing, I've created a user called sam that's a member of a group called samtest: > > [root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: cn=samtest > # requesting: ALL > # > > # samtest, groups, compat, example.hostname.co.uk > dn: 
cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk > objectClass: groupOfUniqueNames > objectClass: top > uniqueMember: uid=sam,cn=users,cn=compat,dc=example,dc=hostname,dc=co,dc= > uk > cn: samtest > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > > With only sam in the samtest group, the uniqueMember attribute that vsphere seems to depend on displays fine, and you can log into vsphere as the sam user if samtest has been given the correct permissions. > > The issue arises when a second user (chris) is added to the samtest group. > > [root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: cn=samtest > # requesting: ALL > # > > # samtest, groups, compat, example.hostname.co.uk > dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk > objectClass: groupOfUniqueNames > objectClass: top > cn: samtest > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > This causes the uniqueMember attribute to not display for either sam or chris, and neither user can access vsphere. 
However if sam is removed from samtest, then uniqueMember is once again shown: > > [root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: cn=samtest > # requesting: ALL > # > > # samtest, groups, compat, example.hostname.co.uk > dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk > objectClass: groupOfUniqueNames > objectClass: top > uniqueMember: uid=chris,cn=users,cn=compat,dc=example,dc=hostname,dc=co,d > c=uk > cn: samtest > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > > If anyone could shed any light on this behaviour, or point out any flaws in my logic/understanding, it would be greatly appreciated. > > Kind regards, > > Sam > CCing Nalin and Alexander. This sounds like the slapi-nis configuration for generating uniqueMember attribute does not work with multi-valued "member" attribute: schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2") Martin From christopher.lamb at ch.ibm.com Tue Jun 2 07:43:48 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Tue, 2 Jun 2015 09:43:48 +0200 Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved In-Reply-To: <20150602072132.GI2805@hendrix> References: <20150602072132.GI2805@hendrix> Message-ID: Hi Jakub The same user / password works with all our FreeIPA hosts - just this one box is the problem. So the password should be good. Of course a type is always possible (especially for strong passwords), but I have tried many times which should eliminate the odd password typo. The user / password should also be good for both the old and the new FreeIPA Server. 
As I can neither log in direct, or via ssh to this box with my FreeIPA user, I assume Kinit with my user won't work- i will try later in the day. My working assumption is that the problem is related in some way to the fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2 throwaway EL 7.1 VMs to better test this. On one I will first install 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1 client. Cheers Chris From: Jakub Hrozek To: freeipa-users at redhat.com Date: 02.06.2015 09:22 Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved Sent by: freeipa-users-bounces at redhat.com On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote: > > Hi All > > Bad news. > > Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1 > host (FreeIPA client) to authenticate FreeiPA users (my test being ssh > remote login with FreeIPA user and password). > > Today I tried a second machine, and had the same problem, ssh connections > with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check > failed" This really just means wrong password, can you kinit as that user using the same password? > > Ahh I thought, I have a solution for that: just remove ipa-client and > reinstall via yum, register with the new FreeIPA server .... > > Only with this second machine I still can't ssh in with a FreeIPA user. > Argg..... > > b.t.w, as this machine is a real physical server, I was able to try logging > in direct with my FreeIPA user --> "Authentication Failure" > > I now have > * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old > FreeIPA server to the new without a hitch (i.e. they successfully > authenticate FreeIPA users.) 
> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but > with problems > * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to > authenticate with a FreeIPA user > * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new > FreeIPA server, and successfully authenticates FreeIPA users. > > Any ideas? > > Chris > > > ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 > ----- > > From: Christopher Lamb/Switzerland/IBM at IBMCH > To: Alexander Bokovoy , > freeipa-users at redhat.com > Date: 30.05.2015 18:52 > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on > EL7.1 --> Solved > Sent by: freeipa-users-bounces at redhat.com > > > > Hi All > > It gives me pleasure to report the problem is solved - a minute ago I was > able to login via ssh with my FreeIPA user to the problem server, while > sitting on my terrace with a glass of wine! > > Thanks to Alexander for his helpful advice - we had some mail exchange > outside the user list as I did not wish to broadcast content of keys, > config files etc. > > Regardless of what I did with commands like klist, kvno everything seemed > "ok", but I still could not ssh in. Even a ipa-getkeytab did not help. > > Therefore I decided to opt for brute force and (partial) ignorance. I > completely uninstalled the FreeIPA client, and then reinstalled, configured > - ?t voil? I could ssh in! > > This leaves the enigma: what caused the problem? I suspect the following: > > The host is an EL 7.1, but the first FreeIPA client installed was version > 3.3.3 (installed as set of standard packages that we bung on all our > servers). > > This worked fine to authenticate against our "old" 3.x FreeIPA server, but > did not work against the "new" 4.1 FreeIPA Server. > > When I realised I could not ssh in, one of the first things I did was to > yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help. 
> The solution was to yum remove the FreeIPA client, then yum install the 4.1 > client. > > I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so > it will be interesting to see it the problem can be reproduced. > > Keep up the good work, > > Chris > > > > > > > > > From: Alexander Bokovoy > To: Christopher Lamb/Switzerland/IBM at IBMCH > Cc: freeipa-users at redhat.com > Date: 29.05.2015 18:04 > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA > client on > EL7.1 > > > > On Fri, 29 May 2015, Christopher Lamb wrote: > > > >Hi All > > > >Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace > >the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated > >across the users. > > > >We have 50 odd Servers that are FreeIPA clients. Today I started migrating > >these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 > >server by doing an ipa-client-install --uninstall from the old, and > >ipa-client-install to register with the new 4.1.0 server. > > > >Most of the FreeIPA clients are running OEL 6.5, and for these the > >migration process above worked perfectly. After migrating the server, I > >could ssh in with my FreeIPA user. > > > >Then I migrated an OEL 7.1 server. The migration itself seemed to work, > and > >getent passwd was successful for my FreeIPA user. However when I try and > >ssh in, my FreeIPA user / password is not accepted. > > > >Before the migration I could ssh into the problem server (though evidently > >it was using my FreeIPA user from the old FreeIPA server). > > > >I can ssh in with a local (non ldap) user, so ssh is running and working. > > > >>From user root I can successfully su to my FreeIPA user. > > > >Further investigation showed that version of ipa-client installed was > >3.3.3, so I yum updated this to 4.1.0. > > > >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The > >same user continues to work for the 6.5 boxes. 
> > > >A colleague tried to ssh in with his FreeIPA user, and was also rejected, > >so the problem is not my user, but is probably for all FreeIPA users. > > > >A failed ssh login attempt causes the following error in /var/log/messages > > > >[sssd[krb5_child[5393]]]: Decrypt integrity check failed > It means /etc/krb5.keytab contains keys from older system and SSSD > picks them up. > Can you show output of 'klist -kKet'? > -- > / Alexander Bokovoy > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From jhrozek at redhat.com Tue Jun 2 07:50:41 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 2 Jun 2015 09:50:41 +0200 Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved In-Reply-To: References: <20150602072132.GI2805@hendrix> Message-ID: <20150602075041.GK2805@hendrix> On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote: > Hi Jakub > > The same user / password works with all our FreeIPA hosts - just this one > box is the problem. So the password should be good. Of course a type is > always possible (especially for strong passwords), but I have tried many > times which should eliminate the odd password typo. The user / password > should also be good for both the old and the new FreeIPA Server. Interesting, can you add debug_level=10 to the domain section of sssd.conf? Then krb5_child.log should show Kerberos tracing info including which exact KDC SSSD was talking to. 
> > As I can neither log in direct, or via ssh to this box with my FreeIPA > user, I assume Kinit with my user won't work- i will try later in the day. Well, login as a UNIX user (root) should work.. > > My working assumption is that the problem is related in some way to the > fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA > 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2 > throwaway EL 7.1 VMs to better test this. On one I will first install > 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1 > client. > > Cheers > > Chris > > > > From: Jakub Hrozek > To: freeipa-users at redhat.com > Date: 02.06.2015 09:22 > Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA > client on EL7.1 -->Not Solved > Sent by: freeipa-users-bounces at redhat.com > > > > On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote: > > > > Hi All > > > > Bad news. > > > > Over the weekend I was able to get the original problem EL7.1 / FreeIPA > 4.1 > > host (FreeIPA client) to authenticate FreeiPA users (my test being ssh > > remote login with FreeIPA user and password). > > > > Today I tried a second machine, and had the same problem, ssh connections > > with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity > check > > failed" > > This really just means wrong password, can you kinit as that user using > the same password? > > > > > Ahh I thought, I have a solution for that: just remove ipa-client and > > reinstall via yum, register with the new FreeIPA server .... > > > > Only with this second machine I still can't ssh in with a FreeIPA user. > > Argg..... > > > > b.t.w, as this machine is a real physical server, I was able to try > logging > > in direct with my FreeIPA user --> "Authentication Failure" > > > > I now have > > * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old > > FreeIPA server to the new without a hitch (i.e. 
they successfully > > authenticate FreeIPA users.) > > * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but > > with problems > > * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts > to > > authenticate with a FreeIPA user > > * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new > > FreeIPA server, and successfully authenticates FreeIPA users. > > > > Any ideas? > > > > Chris > > > > > > ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 > > ----- > > > > From: Christopher Lamb/Switzerland/IBM at IBMCH > > To: Alexander Bokovoy , > > freeipa-users at redhat.com > > Date: 30.05.2015 18:52 > > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA > client on > > EL7.1 --> Solved > > Sent by: freeipa-users-bounces at redhat.com > > > > > > > > Hi All > > > > It gives me pleasure to report the problem is solved - a minute ago I was > > able to login via ssh with my FreeIPA user to the problem server, while > > sitting on my terrace with a glass of wine! > > > > Thanks to Alexander for his helpful advice - we had some mail exchange > > outside the user list as I did not wish to broadcast content of keys, > > config files etc. > > > > Regardless of what I did with commands like klist, kvno everything seemed > > "ok", but I still could not ssh in. Even a ipa-getkeytab did not help. > > > > Therefore I decided to opt for brute force and (partial) ignorance. I > > completely uninstalled the FreeIPA client, and then reinstalled, > configured > > - ?t voil? I could ssh in! > > > > This leaves the enigma: what caused the problem? I suspect the following: > > > > The host is an EL 7.1, but the first FreeIPA client installed was version > > 3.3.3 (installed as set of standard packages that we bung on all our > > servers). > > > > This worked fine to authenticate against our "old" 3.x FreeIPA server, > but > > did not work against the "new" 4.1 FreeIPA Server. 
> > > > When I realised I could not ssh in, one of the first things I did was to > > yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help. > > The solution was to yum remove the FreeIPA client, then yum install the > 4.1 > > client. > > > > I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, > so > > it will be interesting to see it the problem can be reproduced. > > > > Keep up the good work, > > > > Chris > > > > > > > > > > > > > > > > > > From: Alexander Bokovoy > > To: Christopher Lamb/Switzerland/IBM at IBMCH > > Cc: freeipa-users at redhat.com > > Date: 29.05.2015 18:04 > > Subject: Re: [Freeipa-users] ssh problem with > migrated FreeIPA > > client on > > EL7.1 > > > > > > > > On Fri, 29 May 2015, Christopher Lamb wrote: > > > > > >Hi All > > > > > >Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to > replace > > >the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated > > >across the users. > > > > > >We have 50 odd Servers that are FreeIPA clients. Today I started > migrating > > >these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 > > >server by doing an ipa-client-install --uninstall from the old, and > > >ipa-client-install to register with the new 4.1.0 server. > > > > > >Most of the FreeIPA clients are running OEL 6.5, and for these the > > >migration process above worked perfectly. After migrating the server, I > > >could ssh in with my FreeIPA user. > > > > > >Then I migrated an OEL 7.1 server. The migration itself seemed to work, > > and > > >getent passwd was successful for my FreeIPA user. However when I try and > > >ssh in, my FreeIPA user / password is not accepted. > > > > > >Before the migration I could ssh into the problem server (though > evidently > > >it was using my FreeIPA user from the old FreeIPA server). > > > > > >I can ssh in with a local (non ldap) user, so ssh is running and > working. 
> > > > > >>From user root I can successfully su to my FreeIPA user. > > > > > >Further investigation showed that version of ipa-client installed was > > >3.3.3, so I yum updated this to 4.1.0. > > > > > >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. > The > > >same user continues to work for the 6.5 boxes. > > > > > >A colleague tried to ssh in with his FreeIPA user, and was also > rejected, > > >so the problem is not my user, but is probably for all FreeIPA users. > > > > > >A failed ssh login attempt causes the following error > in /var/log/messages > > > > > >[sssd[krb5_child[5393]]]: Decrypt integrity check failed > > It means /etc/krb5.keytab contains keys from older system and SSSD > > picks them up. > > Can you show output of 'klist -kKet'? > > -- > > / Alexander Bokovoy > > > > > > > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > > > > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > From mkosek at redhat.com Tue Jun 2 07:51:39 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 02 Jun 2015 09:51:39 +0200 Subject: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master In-Reply-To: References: Message-ID: <556D608B.9080004@redhat.com> On 06/01/2015 02:19 AM, Sina Owolabi wrote: > Hi! > > I am still stumbling along with this, I have had my IPA domain > destroyed and currently only a CA-less replica is left running the > network. > The existing CA-less replica is on RHEL6.6 with ipa-3.0.0. 
> I am trying to setup a fresh CA-master and I have exported the data in > the replica into ldif and bak folders in > /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories. > I have copied these files and folders to the fresh install, which is > running RHEL7.1. > If I can complete an install, I plan to destroy the existing replica > and install from scratch 2 new ones just to be safe. > > Please can someone direct me in properly editing the ldif file or the > bak archivedir to make it useful for the new CA master? I have already > deleted the existing replication agreements between the CA-less > replica and the lost CA master (the new fresh install is the same > hostname). > Importing data is successful, but then IPA refuses to run afterwords > with different error messages. > > Thanks for any light shown my way. > Let me reiterate to see if I understood your scenario correctly: - you had CA-powered FreeIPA infrastructure, with just one FreeIPA server with CA service running - the single FreeIPA+CA server was lost (I would suggest having more of those in the future or using backup (snapshot or ipa-backup)) - you now want to install a brand new FreeIPA server and add data from the old FreeIPA installation. This is quite tricky, you can just add data from old FreeIPA server to the new server - the new FreeIPA server will have different Kerberos master key, different CA key. All this and derived data would be invalid. If you backed up the FreeIPA+CA master, I assume the PKI could be recreated, but it does not seem as the case. 
In that case, I am afraid you would need to start a new infrastructure and migrate old data. I put a short description on how to migrate one FreeIPA to other FreeIPA on the wiki: https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA HTH, Martin From mkosek at redhat.com Tue Jun 2 07:54:43 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 02 Jun 2015 09:54:43 +0200 Subject: [Freeipa-users] password expiration In-Reply-To: <556C9B6A.2090401@martos.bme.hu> References: <556C9B6A.2090401@martos.bme.hu> Message-ID: <556D6143.2060402@redhat.com> On 06/01/2015 07:50 PM, Tamas Papp wrote: > hi All, > > I'm stuck: > > > $ kinit admin > Password for admin at CXCLIENTS: > kinit: Password incorrect while getting initial credentials > [root at ipa-clients1 ~]$ kinit admin > Password for admin at CXCLIENTS: > Password expired. You must change it now. > Enter new password: > Enter it again: > kinit: Password has expired while getting initial credentials > > > > > $ kinit admin > Password for admin at CXCLIENTS: > Password expired. You must change it now. > Enter new password: > Enter it again: > Password change rejected: Current password's minimum life has not expired > > Password not changed.. Please try again. > > Enter new password: > > > > > What can I do now? > > > Thanks, > tamas > Hi Tamas, What platform and FreeIPA version do you use? What actions did you do before this happened? Were you for example changing the (global) password policy? Setting a too high password life may cause the Year 2038 problem and have password validity in the past.
From abokovoy at redhat.com Tue Jun 2 07:55:05 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 2 Jun 2015 10:55:05 +0300 Subject: [Freeipa-users] vSphere and freeIPA In-Reply-To: <556D5D18.50703@redhat.com> References: <892b1cc5e31af711e60d22844fecb9cc@webmail.zy.io> <556D5D18.50703@redhat.com> Message-ID: <20150602075505.GG15837@redhat.com> On Tue, 02 Jun 2015, Martin Kosek wrote: >CCing Nalin and Alexander. This sounds like the slapi-nis >configuration for generating uniqueMember attribute does not work with >multi-valued "member" attribute: > >schema-compat-entry-attribute: >uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2") No, this should work just fine. The original wiki page had just %regsub() which is indeed a single element replacement. %mregsub() processes multiple possible expression matching. I just tried myself: # ldapmodify -x -D "cn=Directory Manager" -f vsphere.ldif -W Enter LDAP Password: modifying entry "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" modifying entry "cn=users,cn=Schema Compatibility,cn=plugins,cn=config" # ipa permission-mod "System: Read User Compat Tree" --includedattrs sn --------------------------------------------------- Modified permission "System: Read User Compat Tree" --------------------------------------------------- Permission name: System: Read User Compat Tree Granted rights: read, compare, search Effective attributes: cn, createtimestamp, entryusn, gecos, gidnumber, homedirectory, loginshell, modifytimestamp, objectclass, sn, uid, uidnumber Included attributes: sn Default attributes: cn, objectclass, loginshell, uidnumber, gidnumber, gecos, homedirectory, uid Bind rule type: anonymous Subtree: dc=t,dc=vda,dc=li Target DN: cn=users,cn=compat,dc=t,dc=vda,dc=li # ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember ---------------------------------------------------- Modified permission "System: Read Group Compat Tree" 
---------------------------------------------------- Permission name: System: Read Group Compat Tree Granted rights: read, compare, search Effective attributes: cn, createtimestamp, entryusn, gidnumber, memberuid, modifytimestamp, objectclass, uniquemember Included attributes: uniquemember Default attributes: objectclass, memberuid, gidnumber, cn Bind rule type: anonymous Subtree: dc=t,dc=vda,dc=li Target DN: cn=groups,cn=compat,dc=t,dc=vda,dc=li # ipa group-add foo-bar-zed ------------------------- Added group "foo-bar-zed" ------------------------- Group name: foo-bar-zed GID: 895600028 # ipa user-add bar First name: bar Last name: bar ---------------- Added user "bar" ---------------- User login: bar First name: bar Last name: bar Full name: bar bar Display name: bar bar Initials: bb Home directory: /home/bar GECOS: bar bar Login shell: /bin/sh Kerberos principal: bar at T.VDA.LI Email address: bar at t.vda.li UID: 895600029 GID: 895600029 Password: False Member of groups: ipausers Kerberos keys available: False # ipa user-add foo First name: foo Last name: foo ---------------- Added user "foo" ---------------- User login: foo First name: foo Last name: foo Full name: foo foo Display name: foo foo Initials: ff Home directory: /home/foo GECOS: foo foo Login shell: /bin/sh Kerberos principal: foo at T.VDA.LI Email address: foo at t.vda.li UID: 895600030 GID: 895600030 Password: False Member of groups: ipausers Kerberos keys available: False # ipa user-add zed First name: zed Last name: zed ---------------- Added user "zed" ---------------- User login: zed First name: zed Last name: zed Full name: zed zed Display name: zed zed Initials: zz Home directory: /home/zed GECOS: zed zed Login shell: /bin/sh Kerberos principal: zed at T.VDA.LI Email address: zed at t.vda.li UID: 895600031 GID: 895600031 Password: False Member of groups: ipausers Kerberos keys available: False # ipa group-add-member foo-bar-zed --users={foo,bar,zed} Group name: foo-bar-zed GID: 895600028 
Member users: foo, bar, zed ------------------------- Number of members added 3 ------------------------- # ldapsearch -x -b cn=groups,cn=compat,dc=t,dc=vda,dc=li '(cn=foo-bar-zed)' # extended LDIF # # LDAPv3 # base with scope subtree # filter: (cn=foo-bar-zed) # requesting: ALL # # foo-bar-zed, groups, compat, t.vda.li dn: cn=foo-bar-zed,cn=groups,cn=compat,dc=t,dc=vda,dc=li memberUid: foo memberUid: bar memberUid: zed gidNumber: 895600028 objectClass: posixGroup objectClass: groupOfUniqueNames objectClass: top uniqueMember: uid=foo,cn=users,cn=compat,dc=t,dc=vda,dc=li uniqueMember: uid=bar,cn=users,cn=compat,dc=t,dc=vda,dc=li uniqueMember: uid=zed,cn=users,cn=compat,dc=t,dc=vda,dc=li cn: foo-bar-zed # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 -- / Alexander Bokovoy From mkosek at redhat.com Tue Jun 2 08:00:00 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 02 Jun 2015 10:00:00 +0200 Subject: [Freeipa-users] how to delete duplicate? In-Reply-To: <556D02C7.3060102@gmail.com> References: <556D02C7.3060102@gmail.com> Message-ID: <556D6280.9080700@redhat.com> On 06/02/2015 03:11 AM, Janelle wrote: > I have a duplicate user. > > Same exact name, but different UID's. But there does not seem to be a way to do > "ipa user-del" on anything other than username, which ends up returning: > > # ipa user-del another_username > ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2. > > Any ideas on how I can delete this user? > > ~J Hello Janelle, This sounds as a replication conflict problem. 
More info here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology.html#repl-conflicts HTH, Martin From sjuhasz at chemaxon.com Tue Jun 2 08:30:43 2015 From: sjuhasz at chemaxon.com (Sandor Juhasz) Date: Tue, 2 Jun 2015 10:30:43 +0200 (CEST) Subject: [Freeipa-users] password expiration In-Reply-To: <556D6143.2060402@redhat.com> References: <556C9B6A.2090401@martos.bme.hu> <556D6143.2060402@redhat.com> Message-ID: <1323262959.41029.1433233843917.JavaMail.zimbra@chemaxon.com> It is confirmed, the password policy was changed with password expiration beyond 2038. Question is, how can we restore the pw policy without a working admin user? Sándor Juhász System Administrator ChemAxon Ltd. Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031 Cell: +36704258964 From: "Martin Kosek" To: "Tamas Papp" , freeipa-users at redhat.com Sent: Tuesday, June 2, 2015 9:54:43 AM Subject: Re: [Freeipa-users] password expiration On 06/01/2015 07:50 PM, Tamas Papp wrote: > hi All, > > I'm stuck: > > > $ kinit admin > Password for admin at CXCLIENTS: > kinit: Password incorrect while getting initial credentials > [root at ipa-clients1 ~]$ kinit admin > Password for admin at CXCLIENTS: > Password expired. You must change it now. > Enter new password: > Enter it again: > kinit: Password has expired while getting initial credentials > > > > > $ kinit admin > Password for admin at CXCLIENTS: > Password expired. You must change it now. > Enter new password: > Enter it again: > Password change rejected: Current password's minimum life has not expired > > Password not changed.. Please try again. > > Enter new password: > > > > > What can I do now? > > > Thanks, > tamas > Hi Tamas, What platform and FreeIPA version do you use? What actions did you do before this happened? Were you for example changing the (global) password policy?
Setting a too high password life may cause the Year 2038 problem and have password validity in the past.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From mkosek at redhat.com Tue Jun 2 08:35:43 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 10:35:43 +0200
Subject: [Freeipa-users] password expiration
In-Reply-To: <1323262959.41029.1433233843917.JavaMail.zimbra@chemaxon.com>
References: <556C9B6A.2090401@martos.bme.hu> <556D6143.2060402@redhat.com> <1323262959.41029.1433233843917.JavaMail.zimbra@chemaxon.com>
Message-ID: <556D6ADF.7050405@redhat.com>

You would need to do the modifications as Directory Manager or other user in "admins" group.

To resolve this, you would need to manually fix admin entry attribute krbPasswordExpiration to some future date, kinit as admin and then fix the global policy with some sane value (pwpolicy-mod).

Martin

On 06/02/2015 10:30 AM, Sandor Juhasz wrote:
> It is confirmed, the password policy was changed with password expiration
> beyond 2038.
> Question is, how can we restore the pw policy without a working admin user?
>
> *Sándor Juhász*
> System Administrator
> *ChemAxon Ltd*.
> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> Cell: +36704258964
>
> -------------------------------------------------------------------------------
> *From: *"Martin Kosek"
> *To: *"Tamas Papp" , freeipa-users at redhat.com
> *Sent: *Tuesday, June 2, 2015 9:54:43 AM
> *Subject: *Re: [Freeipa-users] password expiration
>
> On 06/01/2015 07:50 PM, Tamas Papp wrote:
> > hi All,
> >
> > I'm stuck:
> >
> > $ kinit admin
> > Password for admin at CXCLIENTS:
> > kinit: Password incorrect while getting initial credentials
> > [root at ipa-clients1 ~]$ kinit admin
> > Password for admin at CXCLIENTS:
> > Password expired. You must change it now.
> > Enter new password:
> > Enter it again:
> > kinit: Password has expired while getting initial credentials
> >
> > $ kinit admin
> > Password for admin at CXCLIENTS:
> > Password expired. You must change it now.
> > Enter new password:
> > Enter it again:
> > Password change rejected: Current password's minimum life has not expired
> >
> > Password not changed.. Please try again.
> >
> > Enter new password:
> >
> > What can I do now?
> >
> > Thanks,
> > tamas
>
> Hi Tamas,
>
> What platform and FreeIPA version do you use? What actions did you do before
> this happened? Were you for example changing the (global) password policy?
> Setting a too high password life may cause the Year 2038 problem and have
> password validity in the past.
>

From tompos at martos.bme.hu Tue Jun 2 08:35:45 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Tue, 02 Jun 2015 10:35:45 +0200
Subject: [Freeipa-users] password expiration
In-Reply-To: <1323262959.41029.1433233843917.JavaMail.zimbra@chemaxon.com>
References: <556C9B6A.2090401@martos.bme.hu> <556D6143.2060402@redhat.com> <1323262959.41029.1433233843917.JavaMail.zimbra@chemaxon.com>
Message-ID: <556D6AE1.7050702@martos.bme.hu>

On 06/02/2015 10:30 AM, Sandor Juhasz wrote:
> It is confirmed, the password policy was changed with password
> expiration beyond 2038.
> Question is, how can we restore the pw policy without a working admin
> user?

hi Martin,

Additional info:

ipa-server-3.0.0-42.el6.centos.x86_64
CentOS 6.6

Thanks,
tamas

From christopher.lamb at ch.ibm.com Tue Jun 2 08:39:31 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 2 Jun 2015 10:39:31 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
In-Reply-To: <20150602075041.GK2805@hendrix>
References: <20150602072132.GI2805@hendrix> <20150602075041.GK2805@hendrix>
Message-ID:

Hi Jakub

Yes root login works, that's how I've been getting into the box.

Surprisingly, kinit with my user seems to work on that box. After entering my password when prompted, it returns to the commandline without error.

However if I try kinit with another FreeIPA user, then instead of prompting for a password, it gives "Generic preauthentication failure while getting initial credentials" error.

Having set debug_level=10, when I try and ssh in with my FreeIPA user, I find errors like

"Retrieving host .... with result: .. Matching credential not found"
"Received error from KDC ...
Additional pre-authentication required"
"Received error from KDC... Decrypt integrity check failed"
"Received error code 1432158219"

Cheers

Chris

From: Jakub Hrozek
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: freeipa-users at redhat.com
Date: 02.06.2015 09:50
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
> Hi Jakub
>
> The same user / password works with all our FreeIPA hosts - just this one
> box is the problem. So the password should be good. Of course a typo is
> always possible (especially for strong passwords), but I have tried many
> times which should eliminate the odd password typo. The user / password
> should also be good for both the old and the new FreeIPA Server.

Interesting, can you add debug_level=10 to the domain section of
sssd.conf? Then krb5_child.log should show Kerberos tracing info
including which exact KDC SSSD was talking to.

>
> As I can neither log in direct, or via ssh to this box with my FreeIPA
> user, I assume Kinit with my user won't work- i will try later in the day.

Well, login as a UNIX user (root) should work..

>
> My working assumption is that the problem is related in some way to the
> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
> throwaway EL 7.1 VMs to better test this. On one I will first install
> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
> client.
>
> Cheers
>
> Chris
>
> From: Jakub Hrozek
> To: freeipa-users at redhat.com
> Date: 02.06.2015 09:22
> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
> client on EL7.1 -->Not Solved
> Sent by: freeipa-users-bounces at redhat.com
>
> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> >
> > Hi All
> >
> > Bad news.
> >
> > Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
> > host (FreeIPA client) to authenticate FreeiPA users (my test being ssh
> > remote login with FreeIPA user and password).
> >
> > Today I tried a second machine, and had the same problem, ssh connections
> > with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
> > failed"
>
> This really just means wrong password, can you kinit as that user using
> the same password?
>
> >
> > Ahh I thought, I have a solution for that: just remove ipa-client and
> > reinstall via yum, register with the new FreeIPA server ....
> >
> > Only with this second machine I still can't ssh in with a FreeIPA user.
> > Argg.....
> >
> > b.t.w, as this machine is a real physical server, I was able to try logging
> > in direct with my FreeIPA user --> "Authentication Failure"
> >
> > I now have
> > * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
> > FreeIPA server to the new without a hitch (i.e. they successfully
> > authenticate FreeIPA users.)
> > * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
> > with problems
> > * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
> > authenticate with a FreeIPA user
> > * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
> > FreeIPA server, and successfully authenticates FreeIPA users.
> >
> > Any ideas?
> >
> > Chris
> >
> > ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
> >
> > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > To: Alexander Bokovoy , freeipa-users at redhat.com
> > Date: 30.05.2015 18:52
> > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
> > EL7.1 --> Solved
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > Hi All
> >
> > It gives me pleasure to report the problem is solved - a minute ago I was
> > able to login via ssh with my FreeIPA user to the problem server, while
> > sitting on my terrace with a glass of wine!
> >
> > Thanks to Alexander for his helpful advice - we had some mail exchange
> > outside the user list as I did not wish to broadcast content of keys,
> > config files etc.
> >
> > Regardless of what I did with commands like klist, kvno everything seemed
> > "ok", but I still could not ssh in. Even a ipa-getkeytab did not help.
> >
> > Therefore I decided to opt for brute force and (partial) ignorance. I
> > completely uninstalled the FreeIPA client, and then reinstalled, configured
> > - et voilà I could ssh in!
> >
> > This leaves the enigma: what caused the problem? I suspect the following:
> >
> > The host is an EL 7.1, but the first FreeIPA client installed was version
> > 3.3.3 (installed as set of standard packages that we bung on all our
> > servers).
> >
> > This worked fine to authenticate against our "old" 3.x FreeIPA server, but
> > did not work against the "new" 4.1 FreeIPA Server.
> >
> > When I realised I could not ssh in, one of the first things I did was to
> > yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
> > The solution was to yum remove the FreeIPA client, then yum install the 4.1
> > client.
> >
> > I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
> > it will be interesting to see if the problem can be reproduced.
> >
> > Keep up the good work,
> >
> > Chris
> >
> > From: Alexander Bokovoy
> > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > Cc: freeipa-users at redhat.com
> > Date: 29.05.2015 18:04
> > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
> > EL7.1
> >
> > On Fri, 29 May 2015, Christopher Lamb wrote:
> > >
> > >Hi All
> > >
> > >Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
> > >the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
> > >across the users.
> > >
> > >We have 50 odd Servers that are FreeIPA clients. Today I started migrating
> > >these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
> > >server by doing an ipa-client-install --uninstall from the old, and
> > >ipa-client-install to register with the new 4.1.0 server.
> > >
> > >Most of the FreeIPA clients are running OEL 6.5, and for these the
> > >migration process above worked perfectly. After migrating the server, I
> > >could ssh in with my FreeIPA user.
> > >
> > >Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
> > >getent passwd was successful for my FreeIPA user. However when I try and
> > >ssh in, my FreeIPA user / password is not accepted.
> > >
> > >Before the migration I could ssh into the problem server (though evidently
> > >it was using my FreeIPA user from the old FreeIPA server).
> > >
> > >I can ssh in with a local (non ldap) user, so ssh is running and working.
> > >
> > >From user root I can successfully su to my FreeIPA user.
> > >
> > >Further investigation showed that version of ipa-client installed was
> > >3.3.3, so I yum updated this to 4.1.0.
> > >
> > >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
> > >same user continues to work for the 6.5 boxes.
> > >
> > >A colleague tried to ssh in with his FreeIPA user, and was also rejected,
> > >so the problem is not my user, but is probably for all FreeIPA users.
> > >
> > >A failed ssh login attempt causes the following error in /var/log/messages
> > >
> > >[sssd[krb5_child[5393]]]: Decrypt integrity check failed
> > It means /etc/krb5.keytab contains keys from older system and SSSD
> > picks them up.
> > Can you show output of 'klist -kKet'?
> > --
> > / Alexander Bokovoy
> >
>
>

From yves at degauquier.net Tue Jun 2 09:11:56 2015
From: yves at degauquier.net (Yves Degauquier)
Date: Tue, 2 Jun 2015 11:11:56 +0200
Subject: [Freeipa-users] FreeIPA, Netgroup and access.conf
Message-ID: <556D735C.5070707@degauquier.net>

Hi,

I have a FreeIPA server in place with netgroup in order to limit access to some users only to some hosts (by environment).

It works fine on AIX clients.

But now I try to do the same with Linux.

I register the client in the server, without any problem, all users from FreeIPA can login in the Linux boxes.

I activate now pam_access and configure the /etc/security/access.conf to allow local root user and users from netgroup.

But my users in the netgroup can't login... If in place of the netgroup I put the name of the users, the users defined can login...

But this is not anymore a centrally managed user...

Any idea of what the problem could be?
Thanks in advance for your help.

Yves

From ivars.strazdins at sets.lv Tue Jun 2 09:28:29 2015
From: ivars.strazdins at sets.lv (Ivars Strazdiņš)
Date: Tue, 2 Jun 2015 10:28:29 +0100
Subject: [Freeipa-users] login delay with sssd
In-Reply-To: <20150602062158.GA26100@mail.corp.redhat.com>
References: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv> <20150602062158.GA26100@mail.corp.redhat.com>
Message-ID:

With kind regards,
Ivars Strazdiņš

> On 2 Jun 2015, at 07:21, Lukas Slebodnik wrote:
>
> How many groups does problematic user have?

I can call any user problematic, because all have login delays.
siteadmin user, being able to login via ssh, probably has most groups - 4. Doesn't seem too many, does it?

siteadmin at mail:~$ id
uid=9268000XX(siteadmin) gid=9268000XX(siteadmin) groups=9268000XX(siteadmin),92680000Y(vpnusers),92680000Z(mailusers),92680000W(scanned) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I have sssd-1.12.2 installed as per Centos 7.1.
I will have to wait until 1.12.4 or 5 is coming down the pipe with Centos updates.
Hopefully that will resolve or mitigate the issue.
I cannot create mess by putting Fedora updates into Centos, not sure if that's even possible.

Kind regards,
Ivars

From tompos at martos.bme.hu Tue Jun 2 09:42:46 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Tue, 02 Jun 2015 11:42:46 +0200
Subject: [Freeipa-users] password expiration
In-Reply-To: <556D6ADF.7050405@redhat.com>
References: <556C9B6A.2090401@martos.bme.hu> <556D6143.2060402@redhat.com> <1323262959.41029.1433233843917.JavaMail.zimbra@chemaxon.com> <556D6ADF.7050405@redhat.com>
Message-ID: <556D7A96.2020400@martos.bme.hu>

On 06/02/2015 10:35 AM, Martin Kosek wrote:
> You would need to do the modifications as Directory Manager or other
> user in "admins" group.
>
> To resolve this, you would need manually fix admin entry attribute
> krbPasswordExpiration to some future date, kinit as admin and then
> fixing the global policy with some sane value (pwpolicy-mod).

How can this work? It forces me to change the password again after kinit.

For some reason another user with admin rights was able to login and we were able to fix the policy so far.

Cheers,
tamas

From vangass at gazeta.pl Tue Jun 2 09:45:44 2015
From: vangass at gazeta.pl (Vangass)
Date: Tue, 2 Jun 2015 11:45:44 +0200
Subject: [Freeipa-users] Copy attributes to compat tree
Message-ID:

Hi,

Is it possible to copy all of "memberOf" users attributes from cn=users,cn=accounts,dc=example,dc=com to cn=users,cn=compat,dc=example,dc=com?

If yes, how can I do this?

Thanks,
V.

From jhrozek at redhat.com Tue Jun 2 10:10:19 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 12:10:19 +0200
Subject: [Freeipa-users] FreeIPA, Netgroup and access.conf
In-Reply-To: <556D735C.5070707@degauquier.net>
References: <556D735C.5070707@degauquier.net>
Message-ID: <20150602101019.GL2805@hendrix>

On Tue, Jun 02, 2015 at 11:11:56AM +0200, Yves Degauquier wrote:
> Hi,
>
> I have a FreeIPA server in place with netgroup in order to limit access to
> some users only to some hosts (by environment).
>
> It works fine on AIX clients.
>
> But now I try to do the same with Linux.
>
> I register the client in the server, without any problem, all users from
> FreeIPA can login in the Linux boxes.
>
> I activate now pam_access and configure the /etc/security/access.conf to
> allow local root user and users from netgroup.
>
> But my users in the netgroup can't login... If in place of the netgroup I
> put the name of the users, the users defined can login...
>
> But this is not anymore a centrally managed user...
>
> Any idea of what the problem could be?
>
> Thanks in advance for your help.
Does getent netgr report the host as a member of the netgroup?

From jhrozek at redhat.com Tue Jun 2 10:11:57 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 12:11:57 +0200
Subject: [Freeipa-users] login delay with sssd
In-Reply-To:
References: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv> <20150602062158.GA26100@mail.corp.redhat.com>
Message-ID: <20150602101157.GM2805@hendrix>

On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdiņš wrote:
>
> With kind regards,
> Ivars Strazdiņš
>
> > On 2 Jun 2015, at 07:21, Lukas Slebodnik wrote:
> >
> > How many groups does problematic user have?
>
> I can call any user problematic, because all have login delays.
> siteadmin user, being able to login via ssh, probably has most groups - 4. Doesn't seem too many, does it?
>
> siteadmin at mail:~$ id
> uid=9268000XX(siteadmin) gid=9268000XX(siteadmin) groups=9268000XX(siteadmin),92680000Y(vpnusers),92680000Z(mailusers),92680000W(scanned) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> I have sssd-1.12.2 installed as per Centos 7.1.
> I will have to wait until 1.12.4 or 5 is coming down the pipe with Centos updates.

We plan on 7.1.z update, but with different bugzillas. Then we plan on putting 1.13 to 7.2

> Hopefully that will resolve or mitigate the issue.
> I cannot create mess by putting Fedora updates into Centos, not sure if that's even possible.

Lukas keeps the 1.12 branch builds in his COPR repo, maybe those would be easier to test for you?

From jhrozek at redhat.com Tue Jun 2 10:12:38 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 12:12:38 +0200
Subject: [Freeipa-users] Copy attributes to compat tree
In-Reply-To:
References:
Message-ID: <20150602101238.GN2805@hendrix>

On Tue, Jun 02, 2015 at 11:45:44AM +0200, Vangass wrote:
> Hi,
>
> Is it possible to copy all of "memberOf" users attributes from
> cn=users,cn=accounts,dc=example,dc=com
> to cn=users,cn=compat,dc=example,dc=com?
>
> If yes, how can I do this?

No, the compat tree uses a different schema.

Why do you need this?

From Alexander.Frolushkin at megafon.ru Tue Jun 2 10:24:35 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Tue, 2 Jun 2015 10:24:35 +0000
Subject: [Freeipa-users] AD user password change via ssh login
In-Reply-To: <20150602072358.GJ2805@hendrix>
References: <20150602072358.GJ2805@hendrix>
Message-ID: <9ec27b853e134e21b1c7bcf17fc39253@sib-ums03.Megafon.ru>

Hello Jakub!
Thank you for responding, I'll comment in text

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, June 02, 2015 1:24 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD user password change via ssh login

On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote:
>> Hello.
>> Maybe this is a little off topic, sorry if so.
>
>> Faced a strange behavior of server when trying to login a newly created user from AD, which have a password must be changed on first login.
>> Using this user to login via ssh to server leads to ssh session termination without any messages regarding to password expire. If I do kinit this user on same server, it does request password change.
>>
>> In secure log:
>> Jun 2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com
>> Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com
>> Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user sdemiden at ad.com: 12 (Authentication token is no longer valid; new one required)
>> Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for user sdemiden at ad.com: 6 (Permission denied)

>It would be interesting to see the logs, because you're being denied in the account phase, where I would expect the user being either expired, locked or denied by HBAC rules.
Do you mean sssd logs in debug?

>Does the login work with such user if you (temporarily!!) set access_provider=permit ?
Yes, it does. With this it asks to change password as usual.

>> Jun 2 12:18:15 server sshd[9830]: Failed password for sdemiden at ad.com from 10.10.100.1 port 41859 ssh2
>> Jun 2 12:18:15 server sshd[9831]: fatal: Access denied for user sdemiden at ad.com by PAM account configuration
>>
>> If I further change the password of user manually from Windows, login works as expected.
>>
>> WBR,
>> Alexander Frolushkin
>> Cell +79232508764
>> Work +79232507764
>

________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

From vangass at gazeta.pl Tue Jun 2 10:58:21 2015
From: vangass at gazeta.pl (Vangass)
Date: Tue, 2 Jun 2015 12:58:21 +0200
Subject: [Freeipa-users] Copy attributes to compat tree
In-Reply-To: <20150602101238.GN2805@hendrix>
References: <20150602101238.GN2805@hendrix>
Message-ID:

Well, I needed to set IPA to authenticate HP iLO users via LDAP. But iLO asks for cn not uid. So I change in compat tree uid to cn and that's ok. But also, I have to have memberOf attributes with user groups and they are available on standard schema not the compat. I managed to modify user entry in compat tree and add memberOf attribute with proper group but I want to do it automatically.

PS. I also have tacacs and other devices authenticated with IPA and they work just fine.

2015-06-02 12:12 GMT+02:00 Jakub Hrozek :
> On Tue, Jun 02, 2015 at 11:45:44AM +0200, Vangass wrote:
> > Hi,
> >
> > Is it possible to copy all of "memberOf" users attributes from
> > cn=users,cn=accounts,dc=example,dc=com
> > to cn=users,cn=compat,dc=example,dc=com?
> >
> > If yes, how can I do this?
>
> No, the compat tree uses a different schema.
>
> Why do you need this?
>

From ivars.strazdins at sets.lv Tue Jun 2 11:26:06 2015
From: ivars.strazdins at sets.lv (Ivars Strazdiņš)
Date: Tue, 2 Jun 2015 12:26:06 +0100
Subject: [Freeipa-users] deny to change shell
Message-ID:

Hi,

just another basic question, I am sorry to spam the list.
Noticed that regular users can change their login shell in account settings. Is it possible to lock login shell property for a regular user?
For a unix system, using standard PAM authentication, use of chsh command can be restricted. I could not find anything regarding this in IPA manual.

With kind regards,
Ivars

From sam at zy.io Tue Jun 2 11:37:58 2015
From: sam at zy.io (Sam)
Date: Tue, 02 Jun 2015 11:37:58 +0000
Subject: [Freeipa-users] vSphere and freeIPA
In-Reply-To: <20150602075505.GG15837@redhat.com>
References: <20150602075505.GG15837@redhat.com> <892b1cc5e31af711e60d22844fecb9cc@webmail.zy.io> <556D5D18.50703@redhat.com>
Message-ID: <47a90ebcf35988a8cb4b5956986a8834@webmail.zy.io>

2 June 2015 08:55, "Alexander Bokovoy" wrote:
> On Tue, 02 Jun 2015, Martin Kosek wrote:
>
>> CCing Nalin and Alexander. This sounds like the slapi-nis configuration for generating
>> uniqueMember attribute does not work with multi-valued "member" attribute:
>>
>> schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
>
> No, this should work just fine. The original wiki page had just
> %regsub() which is indeed a single element replacement. %mregsub()
> processes multiple possible expression matching.
>
> I just tried myself:
> # ldapmodify -x -D "cn=Directory Manager" -f vsphere.ldif -W
> Enter LDAP Password:
> modifying entry "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"
>
> modifying entry "cn=users,cn=Schema Compatibility,cn=plugins,cn=config"
>
> # ipa permission-mod "System: Read User Compat Tree" --includedattrs sn
> ---------------------------------------------------
> Modified permission "System: Read User Compat Tree"
> ---------------------------------------------------
> Permission name: System: Read User Compat Tree
> Granted rights: read, compare, search
> Effective attributes: cn, createtimestamp, entryusn, gecos, gidnumber,
> homedirectory, loginshell, modifytimestamp, objectclass, sn, uid,
> uidnumber
> Included attributes: sn
> Default attributes: cn, objectclass, loginshell, uidnumber, gidnumber,
> gecos, homedirectory, uid
> Bind rule type: anonymous
> Subtree: dc=t,dc=vda,dc=li
> Target DN: cn=users,cn=compat,dc=t,dc=vda,dc=li
> # ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember
> ----------------------------------------------------
> Modified permission "System: Read Group Compat Tree"
> ----------------------------------------------------
> Permission name: System: Read Group Compat Tree
> Granted rights: read, compare, search
> Effective attributes: cn, createtimestamp, entryusn, gidnumber,
> memberuid, modifytimestamp, objectclass, uniquemember
> Included attributes: uniquemember
> Default attributes: objectclass, memberuid, gidnumber, cn
> Bind rule type: anonymous
> Subtree: dc=t,dc=vda,dc=li
> Target DN: cn=groups,cn=compat,dc=t,dc=vda,dc=li
> # ipa group-add foo-bar-zed
> -------------------------
> Added group "foo-bar-zed"
> -------------------------
> Group name: foo-bar-zed
> GID: 895600028
> # ipa user-add bar
> First name: bar
> Last name: bar
> ----------------
> Added user "bar"
> ----------------
> User login: bar
> First name: bar
> Last name: bar
> Full name: bar bar
> Display name: bar bar
> Initials: bb
> Home directory: /home/bar
> GECOS: bar bar
> Login shell: /bin/sh
> Kerberos principal: bar at T.VDA.LI
> Email address: bar at t.vda.li
> UID: 895600029
> GID: 895600029
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> # ipa user-add foo
> First name: foo
> Last name: foo
> ----------------
> Added user "foo"
> ----------------
> User login: foo
> First name: foo
> Last name: foo
> Full name: foo foo
> Display name: foo foo
> Initials: ff
> Home directory: /home/foo
> GECOS: foo foo
> Login shell: /bin/sh
> Kerberos principal: foo at T.VDA.LI
> Email address: foo at t.vda.li
> UID: 895600030
> GID: 895600030
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> # ipa user-add zed
> First name: zed
> Last name: zed
> ----------------
> Added user "zed"
> ----------------
> User login: zed
> First name: zed
> Last name: zed
> Full name: zed zed
> Display name: zed zed
> Initials: zz
> Home directory: /home/zed
> GECOS: zed zed
> Login shell: /bin/sh
> Kerberos principal: zed at T.VDA.LI
> Email address: zed at t.vda.li
> UID: 895600031
> GID: 895600031
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> # ipa group-add-member foo-bar-zed --users={foo,bar,zed}
> Group name: foo-bar-zed
> GID: 895600028
> Member users: foo, bar, zed
> -------------------------
> Number of members added 3
> -------------------------
> # ldapsearch -x -b cn=groups,cn=compat,dc=t,dc=vda,dc=li '(cn=foo-bar-zed)'
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (cn=foo-bar-zed)
> # requesting: ALL
> #
>
> # foo-bar-zed, groups, compat, t.vda.li
> dn: cn=foo-bar-zed,cn=groups,cn=compat,dc=t,dc=vda,dc=li
> memberUid: foo
> memberUid: bar
> memberUid: zed
> gidNumber: 895600028
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: uid=foo,cn=users,cn=compat,dc=t,dc=vda,dc=li
> uniqueMember: uid=bar,cn=users,cn=compat,dc=t,dc=vda,dc=li
> uniqueMember: uid=zed,cn=users,cn=compat,dc=t,dc=vda,dc=li
> cn: foo-bar-zed
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> --
> / Alexander Bokovoy

Thanks Alexander, that looks really promising. It also explains some of the strange behavior seen previously when I was testing the regsub element of ldif.

I'll get back to testing with vSphere now, but I imagine it'll now work fine.

Thanks again,
Sam

From jhrozek at redhat.com Tue Jun 2 11:41:43 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 13:41:43 +0200
Subject: [Freeipa-users] AD user password change via ssh login
In-Reply-To: <9ec27b853e134e21b1c7bcf17fc39253@sib-ums03.Megafon.ru>
References: <20150602072358.GJ2805@hendrix> <9ec27b853e134e21b1c7bcf17fc39253@sib-ums03.Megafon.ru>
Message-ID: <20150602114143.GP2805@hendrix>

On Tue, Jun 02, 2015 at 10:24:35AM +0000, Alexander Frolushkin wrote:
> Hello Jakub!
> Thank you for responding, I'll comment in text
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, June 02, 2015 1:24 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD user password change via ssh login
>
> On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote:
> >> Hello.
> >> Maybe this is a little off topic, sorry if so.
> >
> >> Faced a strange behavior of server when trying to login a newly created user from AD, which have a password must be changed on first login.
> >> Using this user to login via ssh to server leads to ssh session termination without any messages regarding to password expire. If I do kinit this user on same server, it does request password change.
> >>
> >> In secure log:
> >> Jun 2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com
> >> Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com
> >> Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user sdemiden at ad.com: 12 (Authentication token is no longer valid; new one required)
> >> Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for user sdemiden at ad.com: 6 (Permission denied)
>
> > It would be interesting to see the logs, because you're being denied in the account phase, where I would expect the user being either expired, locked or denied by HBAC rules.
> Do you mean sssd logs in debug?

Yes, in the domain section of sssd.conf

>
> > Does the login work with such user if you (temporarily!!) set access_provider=permit ?
> Yes, it does. With this it asks to change password as usual.

Then it would be really interesting to see the domain logs to see which part of access provider denies access.

>
> >> Jun 2 12:18:15 server sshd[9830]: Failed password for sdemiden at ad.com from 10.10.100.1 port 41859 ssh2
> >> Jun 2 12:18:15 server sshd[9831]: fatal: Access denied for user sdemiden at ad.com by PAM account configuration
> >>
> >> If I further change the password of user manually from Windows, login works as expected.
> >>
> >> WBR,
> >> Alexander Frolushkin
> >> Cell +79232508764
> >> Work +79232507764

From mkosek at redhat.com Tue Jun 2 12:00:04 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Jun 2015 14:00:04 +0200
Subject: [Freeipa-users] password expiration
In-Reply-To: <556D7A96.2020400@martos.bme.hu>
References: <556C9B6A.2090401@martos.bme.hu> <556D6143.2060402@redhat.com> <1323262959.41029.1433233843917.JavaMail.zimbra@chemaxon.com> <556D6ADF.7050405@redhat.com> <556D7A96.2020400@martos.bme.hu>
Message-ID: <556D9AC4.80603@redhat.com>

On 06/02/2015 11:42 AM, Tamas Papp wrote:
>
>
> On 06/02/2015 10:35 AM, Martin Kosek wrote:
>> You would need to do the modifications as Directory Manager or other user in
>> "admins" group.
>>
>> To resolve this, you would need to manually fix the admin entry attribute
>> krbPasswordExpiration to some future date, kinit as admin and then fix the
>> global policy with some sane value (pwpolicy-mod).
>
> How can this work? It forces me to change the password again after kinit.

You would need to use ldapmodify and bind as Directory Manager to do this, you cannot change krbPasswordExpiration with IPA user (IIRC).
> For some reason another user with admin rights was able to login and we were
> able to fix the policy so far.

With that other admin user, you can simply call "ipa passwd" on the original admin, assign a temporary password and have him change it on the first login.

From yves at degauquier.net Tue Jun 2 12:30:43 2015
From: yves at degauquier.net (Yves Degauquier)
Date: Tue, 2 Jun 2015 14:30:43 +0200
Subject: [Freeipa-users] FreeIPA, Netgroup and access.conf
Message-ID: <556DA1F3.5020109@degauquier.net>

Yes getent netgroup gives me the list of servers.
Can't understand what is going wrong...

Yves

On 02/06/15 13:38, freeipa-users-request at redhat.com wrote:
> Send Freeipa-users mailing list submissions to
> freeipa-users at redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/freeipa-users
> or, via email, send a message with subject or body 'help' to
> freeipa-users-request at redhat.com
>
> You can reach the person managing the list at
> freeipa-users-owner at redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-users digest..."
>
>
> Today's Topics:
>
> 1. Re: FreeIPA, Netgroup and access.conf (Jakub Hrozek)
> 2. Re: login delay with sssd (Jakub Hrozek)
> 3. Re: Copy attributes to compat tree (Jakub Hrozek)
> 4. Re: AD user password change via ssh login (Alexander Frolushkin)
> 5. Re: Copy attributes to compat tree (Vangass)
> 6. deny to change shell (Ivars Strazdi??)
> 7.
Re: vSphere and freeIPA (Sam) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 2 Jun 2015 12:10:19 +0200 > From: Jakub Hrozek > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] FreeIPA, Netgroup and access.conf > Message-ID: <20150602101019.GL2805 at hendrix> > Content-Type: text/plain; charset=us-ascii > > On Tue, Jun 02, 2015 at 11:11:56AM +0200, Yves Degauquier wrote: >> Hi, >> >> I have a FreeIPA server in place with netgroup in order to limit access to >> some users only to some hosts (by environment). >> >> It works fine on AIX clients. >> >> But now I try to do the same with Linux. >> >> I register the client in the server, without any problem, all users from >> FreeIPA can login in the Linux boxes. >> >> I activate now pam_access and configure the /etc/security/access.conf to >> allow local root user and users from netgroup. >> >> But my users in the netgroup can't login... If in place of the netgroup I >> put the name of the users, the users defined can login... >> >> But this is not anymore a centally managed user... >> >> Any idea of what the problem could be? >> >> Thanks in advance for your help. > Does getent netgr report the host as a member of the netgroup? > > > > ------------------------------ > > Message: 2 > Date: Tue, 2 Jun 2015 12:11:57 +0200 > From: Jakub Hrozek > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] login delay with sssd > Message-ID: <20150602101157.GM2805 at hendrix> > Content-Type: text/plain; charset=utf-8 > > On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdi?? wrote: >> >> >> Ar laipniem sveicieniem, >> Ivars Strazdi?? >> >>> On 2. j?n. 2015, at 07:21, Lukas Slebodnik wrote: >>> >>> How many groups does problematic user have? >> I can call any user problematic, because all have login delays. >> sitaadmin user, being able to to login via ssh, probably has most groups - 4. Doesn?t seem too many, does it? 
>> >> siteadmin at mail:~$ id >> uid=9268000XX(siteadmin) gid=9268000XX(siteadmin) groups=9268000XX(siteadmin),92680000Y(vpnusers),92680000Z(mailusers),92680000W(scanned) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >> >> I have sssh-1.12.2 installed as per Centos 7.1. >> I will have to wait until 1.12.4 or 5 is coming down the pipe with Centos updates. > We plan on 7.1.z update, but with different bugzillas. > > Then we plan on putting 1.13 to 7.2 > >> Hopefully that will resolve or mitigate the issue. >> I cannot create mess by putting Fedora updates into Centos, not sure if that's even possible. > Lukas keeps the 1.12 branch builds in his COPR repo, maybe those would > be easier to test for you? > > > > ------------------------------ > > Message: 3 > Date: Tue, 2 Jun 2015 12:12:38 +0200 > From: Jakub Hrozek > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Copy attributes to compat tree > Message-ID: <20150602101238.GN2805 at hendrix> > Content-Type: text/plain; charset=us-ascii > > On Tue, Jun 02, 2015 at 11:45:44AM +0200, Vangass wrote: >> Hi, >> >> Is it possible to copy all of "memberOf" users attributes from >> cn=users,cn=accounts,dc=example,dc=com >> to cn=users,cn=compat,dc=example,dc=com? >> >> If yes, how can I do this? > No, the compat tree uses a different schema. > > Why do you need this? > > > > ------------------------------ > > Message: 4 > Date: Tue, 2 Jun 2015 10:24:35 +0000 > From: Alexander Frolushkin > To: Jakub Hrozek , "freeipa-users at redhat.com" > > Subject: Re: [Freeipa-users] AD user password change via ssh login > Message-ID: <9ec27b853e134e21b1c7bcf17fc39253 at sib-ums03.Megafon.ru> > Content-Type: text/plain; charset="utf-8" > > Hello Jakub! 
> Thank you for respond, I'll comment in text > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek > Sent: Tuesday, June 02, 2015 1:24 PM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD user password change via ssh login > > On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote: >>> Hello. >>> Maybe this is a little off topic, sorry if so. >>> Faced a strange behavior of server when trying to login a newly created user from AD, which have a password must be changed on first login. >>> Using this user to login via ssh to server feeds to ssh session termination without any messages regarding to password expire. If I do kinit this user on same server, it does request password change. >>> >>> In secure log: >>> Jun 2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication >>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 >>> user=sdemiden at ad.com Jun 2 12:18:15 server sshd[9830]: >>> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 >>> tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com Jun 2 12:18:15 >>> server sshd[9830]: pam_sss(sshd:auth): received for user >>> sdemiden at ad.com: 12 (Authentication token is no longer valid; new one >>> required) Jun 2 12:18:15 server sshd[9830]: pam_sss(sshd:account): >>> Access denied for user sdemiden at ad.com: 6 (Permission denied) >> It would be interesting to see the logs, because you're being denied in the account phase, where I would expect the user being either expired, locked or denied by HBAC rules. > Do you mean sssd logs in debug? > >> Does the login work with such user if you (temporarily!!) set access_provider=permit ? > Yes, it does. With this it asks to change password as usual. 
>
>>> Jun 2 12:18:15 server sshd[9830]: Failed password for sdemiden at ad.com from 10.10.100.1 port 41859 ssh2
>>> Jun 2 12:18:15 server sshd[9831]: fatal: Access denied for user sdemiden at ad.com by PAM account configuration
>>>
>>> If I further change the password of user manually from Windows, login works as expected.
>>>
>>> WBR,
>>> Alexander Frolushkin
>>> Cell +79232508764
>>> Work +79232507764
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 2 Jun 2015 12:58:21 +0200
> From: Vangass
> To: Freeipa-users
> Subject: Re: [Freeipa-users] Copy attributes to compat tree
> Content-Type: text/plain; charset="utf-8"
>
> Well, I needed to set IPA to authenticate HP iLO users via LDAP. But iLO
> asks for cn not uid. So I change in compat tree uid to cn and that's ok.
> But also, I have to have memberOf attributes with user groups and they are
> available on standard schema not the compat.
> I managed to modify user entry in compat tree and add memberOf attribute
> with proper group but I want to do it automatically.
>
> PS. I also have tacacs and other devices authenticated with IPA and they
> work just fine.
>
> 2015-06-02 12:12 GMT+02:00 Jakub Hrozek :
>
>> On Tue, Jun 02, 2015 at 11:45:44AM +0200, Vangass wrote:
>>> Hi,
>>>
>>> Is it possible to copy all of "memberOf" users attributes from
>>> cn=users,cn=accounts,dc=example,dc=com
>>> to cn=users,cn=compat,dc=example,dc=com?
>>>
>>> If yes, how can I do this?
>> No, the compat tree uses a different schema.
>>
>> Why do you need this?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 2 Jun 2015 12:26:06 +0100
> From: Ivars Strazdi??
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] deny to change shell
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
> just another basic question, I am sorry to spam the list.
> Noticed that regular users can change their login shell in account settings.
> Is it possible to lock login shell property for a regular user?
> For a unix system, using standard PAM authentication, use of chsh command can be restricted.
> I could not find anything regarding this in IPA manual. > > With kind regards, > Ivars > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > > ------------------------------ > > Message: 7 > Date: Tue, 02 Jun 2015 11:37:58 +0000 > From: "Sam" > To: "Alexander Bokovoy" , > freeipa-users at redhat.com > Subject: Re: [Freeipa-users] vSphere and freeIPA > Message-ID: <47a90ebcf35988a8cb4b5956986a8834 at webmail.zy.io> > Content-Type: text/plain; charset="utf-8" > > 2 June 2015 08:55, "Alexander Bokovoy" wrote: >> On Tue, 02 Jun 2015, Martin Kosek wrote: >> >>> CCing Nalin and Alexander. This sounds like the slapi-nis >configuration for generating >>> uniqueMember attribute does not work with >multi-valued "member" attribute: >>> >>> schema-compat-entry-attribute: >uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2") >> No, this should work just fine. The original wiki page had just >> %regsub() which is indeed a single element replacement. %mregsub() >> processes multiple possible expression matching. 
>> >> I just tried myself: >> # ldapmodify -x -D "cn=Directory Manager" -f vsphere.ldif -W Enter LDAP Password: modifying entry >> "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" >> >> modifying entry "cn=users,cn=Schema Compatibility,cn=plugins,cn=config" >> >> # ipa permission-mod "System: Read User Compat Tree" --includedattrs sn >> --------------------------------------------------- >> Modified permission "System: Read User Compat Tree" >> --------------------------------------------------- >> Permission name: System: Read User Compat Tree >> Granted rights: read, compare, search >> Effective attributes: cn, createtimestamp, entryusn, gecos, gidnumber, >> homedirectory, loginshell, modifytimestamp, objectclass, sn, uid, >> uidnumber >> Included attributes: sn >> Default attributes: cn, objectclass, loginshell, uidnumber, gidnumber, >> gecos, homedirectory, uid >> Bind rule type: anonymous >> Subtree: dc=t,dc=vda,dc=li >> Target DN: cn=users,cn=compat,dc=t,dc=vda,dc=li >> # ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember >> ---------------------------------------------------- >> Modified permission "System: Read Group Compat Tree" >> ---------------------------------------------------- >> Permission name: System: Read Group Compat Tree >> Granted rights: read, compare, search >> Effective attributes: cn, createtimestamp, entryusn, gidnumber, >> memberuid, modifytimestamp, objectclass, uniquemember >> Included attributes: uniquemember >> Default attributes: objectclass, memberuid, gidnumber, cn >> Bind rule type: anonymous >> Subtree: dc=t,dc=vda,dc=li >> Target DN: cn=groups,cn=compat,dc=t,dc=vda,dc=li >> # ipa group-add foo-bar-zed >> ------------------------- >> Added group "foo-bar-zed" >> ------------------------- >> Group name: foo-bar-zed >> GID: 895600028 >> # ipa user-add bar >> First name: bar >> Last name: bar >> ---------------- >> Added user "bar" >> ---------------- >> User login: bar >> First name: bar >> 
Last name: bar >> Full name: bar bar >> Display name: bar bar >> Initials: bb >> Home directory: /home/bar >> GECOS: bar bar >> Login shell: /bin/sh >> Kerberos principal: bar at T.VDA.LI >> Email address: bar at t.vda.li >> UID: 895600029 >> GID: 895600029 >> Password: False >> Member of groups: ipausers >> Kerberos keys available: False >> # ipa user-add foo >> First name: foo >> Last name: foo >> ---------------- >> Added user "foo" >> ---------------- >> User login: foo >> First name: foo >> Last name: foo >> Full name: foo foo >> Display name: foo foo >> Initials: ff >> Home directory: /home/foo >> GECOS: foo foo >> Login shell: /bin/sh >> Kerberos principal: foo at T.VDA.LI >> Email address: foo at t.vda.li >> UID: 895600030 >> GID: 895600030 >> Password: False >> Member of groups: ipausers >> Kerberos keys available: False >> # ipa user-add zed >> First name: zed >> Last name: zed >> ---------------- >> Added user "zed" >> ---------------- >> User login: zed >> First name: zed >> Last name: zed >> Full name: zed zed >> Display name: zed zed >> Initials: zz >> Home directory: /home/zed >> GECOS: zed zed >> Login shell: /bin/sh >> Kerberos principal: zed at T.VDA.LI >> Email address: zed at t.vda.li >> UID: 895600031 >> GID: 895600031 >> Password: False >> Member of groups: ipausers >> Kerberos keys available: False >> # ipa group-add-member foo-bar-zed --users={foo,bar,zed} >> Group name: foo-bar-zed >> GID: 895600028 >> Member users: foo, bar, zed >> ------------------------- >> Number of members added 3 >> ------------------------- >> # ldapsearch -x -b cn=groups,cn=compat,dc=t,dc=vda,dc=li '(cn=foo-bar-zed)' >> # extended LDIF >> # >> # LDAPv3 >> # base with scope subtree >> # filter: (cn=foo-bar-zed) >> # requesting: ALL >> # >> >> # foo-bar-zed, groups, compat, t.vda.li >> dn: cn=foo-bar-zed,cn=groups,cn=compat,dc=t,dc=vda,dc=li >> memberUid: foo >> memberUid: bar >> memberUid: zed >> gidNumber: 895600028 >> objectClass: posixGroup >> objectClass: 
groupOfUniqueNames >> objectClass: top >> uniqueMember: uid=foo,cn=users,cn=compat,dc=t,dc=vda,dc=li >> uniqueMember: uid=bar,cn=users,cn=compat,dc=t,dc=vda,dc=li >> uniqueMember: uid=zed,cn=users,cn=compat,dc=t,dc=vda,dc=li >> cn: foo-bar-zed >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 2 >> # numEntries: 1 >> >> -- / Alexander Bokovoy > Thanks Alexander, that looks really promising. It also explains some of the strange behavior seen previously when I was testing the regsub element of ldiff. > > I'll get back to testing with vSphere now, but I imagine it'll now work fine. > > Thanks again, > > Sam > > > > ------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > End of Freeipa-users Digest, Vol 83, Issue 12 > ********************************************* From rcritten at redhat.com Tue Jun 2 12:43:59 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 02 Jun 2015 08:43:59 -0400 Subject: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master In-Reply-To: <556D608B.9080004@redhat.com> References: <556D608B.9080004@redhat.com> Message-ID: <556DA50F.9080106@redhat.com> Martin Kosek wrote: > On 06/01/2015 02:19 AM, Sina Owolabi wrote: >> Hi! >> >> I am still stumbling along with this, I have had my IPA domain >> destroyed and currently only a CA-less replica is left running the >> network. >> The existing CA-less replica is on RHEL6.6 with ipa-3.0.0. >> I am trying to setup a fresh CA-master and I have exported the data in >> the replica into ldif and bak folders in >> /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories. >> I have copied these files and folders to the fresh install, which is >> running RHEL7.1. 
>> If I can complete an install, I plan to destroy the existing replica >> and install from scratch 2 new ones just to be safe. >> >> Please can someone direct me in properly editing the ldif file or the >> bak archivedir to make it useful for the new CA master? I have already >> deleted the existing replication agreements between the CA-less >> replica and the lost CA master (the new fresh install is the same >> hostname). >> Importing data is successful, but then IPA refuses to run afterwords >> with different error messages. >> >> Thanks for any light shown my way. >> > > Let me reiterate to see if I understood your scenario correctly: > > - you had CA-powered FreeIPA infrastructure, with just one FreeIPA > server with CA service running > - the single FreeIPA+CA server was lost (I would suggest having more of > those in the future or using backup (snapshot or ipa-backup)) > - you now want to install a brand new FreeIPA server and add data from > the old FreeIPA installation. > > This is quite tricky, you can just add data from old FreeIPA server to > the new server - the new FreeIPA server will have different Kerberos > master key, different CA key. All this and derived data would be > invalid. If you backed up the FreeIPA+CA master, I assume the PKI could > be recreated, but it does not seem as the case. > > In that case, I am afraid you would need to start a new infrastructure > and migrate old data, I put short description on how to migrate one > FreeIPA to other FreeIPA on the wiki: > > https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA I guess it depends on what data you want/need to preserve from the original IPA installation and calculate which is more time consuming: crafting an LDIF to import or re-adding the data manually. If you want to import from an LDIF, in general you need to: - exclude any IPA master information (hosts, services, cn=masters,etc). 
- exclude the admin user
- exclude any krbPrincipalKey values
- exclude any userCertificate values

You'll need to enable migration mode so your users can generate their Kerberos principal keys.

Also consider the UID range. If you installed the new master using the same range you'll probably want to modify the DNA range to mask out the already-assigned values.

If you used the same fqdn and REALM the import is easier.

You'll also need to re-enroll every client machine and browsers will need to re-import the CA cert. Expect conflicts.

I probably forgot some things too. It is not a super simple process though, and requires some understanding of IPA and its data.

So like I said, possible, but it can be problematic and expect several iterations of:

- import ldif
- test
- uninstall / reinstall
- goto import

rob

From rcritten at redhat.com Tue Jun 2 13:02:01 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Jun 2015 09:02:01 -0400
Subject: [Freeipa-users] deny to change shell
Message-ID: <556DA949.8050902@redhat.com>

Ivars Strazdi?? wrote:
> Hi,
> just another basic question, I am sorry to spam the list.
> Noticed that regular users can change their login shell in account settings.
> Is it possible to lock login shell property for a regular user?
> For a unix system, using standard PAM authentication, use of chsh
> command can be restricted.
> I could not find anything regarding this in IPA manual.

From the command-line on my 4.1 box:

$ kinit admin
$ ipa selfservice-show 'User Self service'

Copy the list of attributes and submit a new list without loginshell

$ ipa selfservice-mod --attrs={givenname,sn,cn,displayname,title,initials,gecos,homephone,mobile,pager,facsimiletelephonenumber,telephonenumber,street,roomnumber,l,st,postalcode,manager,secretary,description,carlicense,labeleduri,inetuserhttpurl,seealso,employeetype,businesscategory,ou} 'User Self service'

Probably easier in the web UI: IPA Server -> RBAC -> drop down -> Self service Permissions

rob

From notify.sina at gmail.com Tue Jun 2 15:53:53 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Tue, 2 Jun 2015 16:53:53 +0100
Subject: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master
In-Reply-To: <556DA50F.9080106@redhat.com>
References: <556D608B.9080004@redhat.com> <556DA50F.9080106@redhat.com>

Thanks Martin, Rob, but I think I am totally lost..
I was able to migrate-ds but I think along the way I broke the replica.
Errors I am seeing in the ipa clients are like so:

Jun 2 16:33:11 ipaclient1 [sssd[ldap_child[27865]]]: Client 'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database
Jun 2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Failed to initialize credentials using keytab [default]: Client 'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Jun 2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Client 'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database
Jun 2 16:33:57 ipaclient1 certmonger: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Couldn't resolve host 'services01.mydom.com').
Jun 2 16:39:28 ipaclient1 certmonger: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
Jun 2 16:44:59 ipaclient1 certmonger: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)). Jun 2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Failed to initialize credentials using keytab [default]: Client 'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection. Jun 2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Client 'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database Jun 2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Failed to initialize credentials using keytab [default]: Client 'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection. Jun 2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Client 'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database I've been editing and trying to import data from the ldif I was able to export out of the CA-less replica. No luck so far. On Tue, Jun 2, 2015 at 1:43 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> >> On 06/01/2015 02:19 AM, Sina Owolabi wrote: >>> >>> Hi! >>> >>> I am still stumbling along with this, I have had my IPA domain >>> destroyed and currently only a CA-less replica is left running the >>> network. >>> The existing CA-less replica is on RHEL6.6 with ipa-3.0.0. >>> I am trying to setup a fresh CA-master and I have exported the data in >>> the replica into ldif and bak folders in >>> /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories. >>> I have copied these files and folders to the fresh install, which is >>> running RHEL7.1. >>> If I can complete an install, I plan to destroy the existing replica >>> and install from scratch 2 new ones just to be safe. >>> >>> Please can someone direct me in properly editing the ldif file or the >>> bak archivedir to make it useful for the new CA master? 
I have already >>> deleted the existing replication agreements between the CA-less >>> replica and the lost CA master (the new fresh install is the same >>> hostname). >>> Importing data is successful, but then IPA refuses to run afterwords >>> with different error messages. >>> >>> Thanks for any light shown my way. >>> >> >> Let me reiterate to see if I understood your scenario correctly: >> >> - you had CA-powered FreeIPA infrastructure, with just one FreeIPA >> server with CA service running >> - the single FreeIPA+CA server was lost (I would suggest having more of >> those in the future or using backup (snapshot or ipa-backup)) >> - you now want to install a brand new FreeIPA server and add data from >> the old FreeIPA installation. >> >> This is quite tricky, you can just add data from old FreeIPA server to >> the new server - the new FreeIPA server will have different Kerberos >> master key, different CA key. All this and derived data would be >> invalid. If you backed up the FreeIPA+CA master, I assume the PKI could >> be recreated, but it does not seem as the case. >> >> In that case, I am afraid you would need to start a new infrastructure >> and migrate old data, I put short description on how to migrate one >> FreeIPA to other FreeIPA on the wiki: >> >> >> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA > > > I guess it depends on what data you want/need to preserve from the original > IPA installation and calculate which is more time consuming: crafting an > LDIF to import or re-adding the data manually. > > If you want to import from an LDIF, in general you need to: > - exclude any IPA master information (hosts, services, cn=masters,etc). > - exclude the admin user > - exclude any krbPrincipalKey values > - exclude any userCertificate values > > You'll need to enable migration mode so your users can generate their > Kerberos principal keys. > > Also consider the UID range. 
If you installed the new master using the same > range you'll probably want to modify the DNA range to mask out the > already-assigned values. > > If you used the same fqdn and REALM the import is easier. > > You'll also need to re-enroll every client machine and browsers will need to > re-import the CA cert. Expect conflicts. > > I probably forgot some things too. It is not a super simple process though, > and requires some understanding of IPA and its data. > > So like I said, possible, but it can be problematic and expect several > iterations of: > > - import ldif > - test > - uninstall / reinstall > - goto import > > rob From christopher.lamb at ch.ibm.com Tue Jun 2 16:15:04 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Tue, 2 Jun 2015 18:15:04 +0200 Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved Message-ID: Hi Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause of this problem. Let's call them HOST09 and HOST10 Both are mimimum installs of EL7.1, with NTPD installed and configured. HOST09 had ipa-client 4.1 installed via yum, and was configured to use our new FreeIPA 4.1 server, right from the start. --> My FreeIPA user authenticates successfully against this machine. HOST10 had ipa-client 4.1 installed as a dependency of one of our standard config packages, and was first set to use our old FreeIPA 3.3.3 server. --> My FreeIPA user authenticates successfully. against this machine. I then de-registered HOST10 from the FreeIPA 3.1 server, and registered against the new FreeIPA 4.1 server --> My FreeIPA users does NOT authenticate successfully. This replicates well the behaviour I saw with my production servers, namely a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1 FreeIPA server authenticate properly. 
b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3 FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT authenticate properly

Chris

----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 -----

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Jakub Hrozek
Cc: freeipa-users at redhat.com
Date: 02.06.2015 10:40
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Sent by: freeipa-users-bounces at redhat.com

Hi Jakub

Yes root login works, that's how I've been getting into the box.

Surprisingly, kinit with my user seems to work on that box. After entering my password when prompted, it returns to the commandline without error.

However if I try kinit with another FreeIPA user, then instead of prompting for a password, it gives "Generic preauthentication failure while getting initial credentials" error.

Having set debug_level=10, when I try and ssh in with my FreeIPA user, I find errors like

"Retrieving host .... with result: .. Matching credential not found"
"Received error from KDC ... Additional pre-authentication required"
"Received error from KDC... Decrypt integrity check failed"
"Received error code 1432158219"

Cheers

Chris

From: Jakub Hrozek
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: freeipa-users at redhat.com
Date: 02.06.2015 09:50
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
> Hi Jakub
>
> The same user / password works with all our FreeIPA hosts - just this one
> box is the problem. So the password should be good. Of course a typo is
> always possible (especially for strong passwords), but I have tried many
> times which should eliminate the odd password typo. The user / password
> should also be good for both the old and the new FreeIPA Server.

Interesting, can you add debug_level=10 to the domain section of sssd.conf?
Then krb5_child.log should show Kerberos tracing info including which exact KDC SSSD was talking to.

>
> As I can neither log in direct, or via ssh to this box with my FreeIPA
> user, I assume Kinit with my user won't work - I will try later in the day.

Well, login as a UNIX user (root) should work..

>
> My working assumption is that the problem is related in some way to the
> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
> throwaway EL 7.1 VMs to better test this. On one I will first install
> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
> client.
>
> Cheers
>
> Chris
>
>
> From: Jakub Hrozek
> To: freeipa-users at redhat.com
> Date: 02.06.2015 09:22
> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
> client on EL7.1 -->Not Solved
> Sent by: freeipa-users-bounces at redhat.com
>
>
> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> >
> > Hi All
> >
> > Bad news.
> >
> > Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
> > host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
> > remote login with FreeIPA user and password).
> >
> > Today I tried a second machine, and had the same problem, ssh connections
> > with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
> > failed"
>
> This really just means wrong password, can you kinit as that user using
> the same password?
>
> >
> > Ahh I thought, I have a solution for that: just remove ipa-client and
> > reinstall via yum, register with the new FreeIPA server ....
> >
> > Only with this second machine I still can't ssh in with a FreeIPA user.
> > Argg.....
> >
> > b.t.w, as this machine is a real physical server, I was able to try logging
> > in direct with my FreeIPA user --> "Authentication Failure"
> >
> > I now have
> > * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
> > FreeIPA server to the new without a hitch (i.e. they successfully
> > authenticate FreeIPA users.)
> > * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
> > with problems
> > * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
> > authenticate with a FreeIPA user
> > * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
> > FreeIPA server, and successfully authenticates FreeIPA users.
> >
> > Any ideas?
> >
> > Chris
> >
> >
> > ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
> >
> > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > To: Alexander Bokovoy ,
> > freeipa-users at redhat.com
> > Date: 30.05.2015 18:52
> > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
> > EL7.1 --> Solved
> > Sent by: freeipa-users-bounces at redhat.com
> >
> >
> > Hi All
> >
> > It gives me pleasure to report the problem is solved - a minute ago I was
> > able to login via ssh with my FreeIPA user to the problem server, while
> > sitting on my terrace with a glass of wine!
> >
> > Thanks to Alexander for his helpful advice - we had some mail exchange
> > outside the user list as I did not wish to broadcast content of keys,
> > config files etc.
> >
> > Regardless of what I did with commands like klist, kvno everything seemed
> > "ok", but I still could not ssh in. Even a ipa-getkeytab did not help.
> >
> > Therefore I decided to opt for brute force and (partial) ignorance. I
> > completely uninstalled the FreeIPA client, and then reinstalled, configured
> > - et voilà I could ssh in!
> >
> > This leaves the enigma: what caused the problem?
> > I suspect the following:
> >
> > The host is an EL 7.1, but the first FreeIPA client installed was version
> > 3.3.3 (installed as set of standard packages that we bung on all our
> > servers).
> >
> > This worked fine to authenticate against our "old" 3.x FreeIPA server, but
> > did not work against the "new" 4.1 FreeIPA Server.
> >
> > When I realised I could not ssh in, one of the first things I did was to
> > yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
> > The solution was to yum remove the FreeIPA client, then yum install the 4.1
> > client.
> >
> > I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
> > it will be interesting to see if the problem can be reproduced.
> >
> > Keep up the good work,
> >
> > Chris
> >
> >
> > From: Alexander Bokovoy
> > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > Cc: freeipa-users at redhat.com
> > Date: 29.05.2015 18:04
> > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
> > EL7.1
> >
> >
> > On Fri, 29 May 2015, Christopher Lamb wrote:
> > >
> > >Hi All
> > >
> > >Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
> > >the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
> > >across the users.
> > >
> > >We have 50 odd Servers that are FreeIPA clients. Today I started migrating
> > >these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
> > >server by doing an ipa-client-install --uninstall from the old, and
> > >ipa-client-install to register with the new 4.1.0 server.
> > >
> > >Most of the FreeIPA clients are running OEL 6.5, and for these the
> > >migration process above worked perfectly. After migrating the server, I
> > >could ssh in with my FreeIPA user.
> > >
> > >Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
> > >getent passwd was successful for my FreeIPA user.
> > >However when I try and
> > >ssh in, my FreeIPA user / password is not accepted.
> > >
> > >Before the migration I could ssh into the problem server (though evidently
> > >it was using my FreeIPA user from the old FreeIPA server).
> > >
> > >I can ssh in with a local (non ldap) user, so ssh is running and working.
> > >
> > >From user root I can successfully su to my FreeIPA user.
> > >
> > >Further investigation showed that version of ipa-client installed was
> > >3.3.3, so I yum updated this to 4.1.0.
> > >
> > >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
> > >same user continues to work for the 6.5 boxes.
> > >
> > >A colleague tried to ssh in with his FreeIPA user, and was also rejected,
> > >so the problem is not my user, but is probably for all FreeIPA users.
> > >
> > >A failed ssh login attempt causes the following error in /var/log/messages
> > >
> > >[sssd[krb5_child[5393]]]: Decrypt integrity check failed
> > It means /etc/krb5.keytab contains keys from older system and SSSD
> > picks them up.
> > Can you show output of 'klist -kKet'?
> > --
> > / Alexander Bokovoy
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
>

From bahanw042014 at gmail.com Tue Jun 2 16:27:00 2015
From: bahanw042014 at gmail.com (bahan w)
Date: Tue, 2 Jun 2015 18:27:00 +0200
Subject: [Freeipa-users] ipa-client-install remove the passwordless connection with root
Message-ID:

Hello !

I send you this mail because I have a problem linked with SSH and FreeIPA.

I have multiple servers :
- One with FreeIPA server 3.0.0-26
- The others with FreeIPA client 3.0.0-26

They are running on RHEL 6.4.

I configured a root user on each of them.
On one specific server, I created an rsa key in order to connect passwordlessly from a specific server to all the others
####
ssh-keygen -t rsa
####

I distributed the public key on all the others :
####
for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
####

Once it was done, I modified the rights on these files :
####
for i in ${my_server_list}; do ssh $i "chmod 644 /root/.ssh/authorized_keys"; done
####

And I was able to connect to all these servers without entering a password.
The system was working well.

When I installed ipa-server on a specific server, this connection with the RSA key was not possible anymore.
Each time I tried to connect to the server through SSH, it keeps asking me for a password.

I tried to install the ipa-client on another server to just check if I had the same behaviour and indeed, each time I run ipa-client-install, I can't connect passwordlessly with root anymore.

Here is the command I use for the ipa-client-install :
####
ipa-client-install -U --realm=MYREALM --domain=mydomain.com --server=myipaserver.mydomain.com --principal=admin --password=XXXXX --mkhomedir -N --ca-cert=/tmp/ca.crt --hostname=myipaclient1.mydomain.com
####

When I add the option --no-sshd, the ssh passwordless connection is still operational, but if I don't put this option, then my ssh passwordless connection does not work anymore.

Here is the content of the sshd_config file before (ssh pubkey connection working) and after (ssh pubkey connection not working) :

Before :
####
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 99999
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes
####

After, when it does not work :
####
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 99999
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes
####

A quick diff -u shows me that the only difference between these configurations is the following parameter in the new file (when it does not work) :
####
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
####

Here is the log of the SSH connection when it works :
####
ssh -vvv myipaclient1.mydomain.com
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 myipaclient1.mydomain.com
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 547/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /var/lib/sss/pubconf/known_hosts
debug3: key_read: type mismatch
debug3: check_host_in_hostfile: match line 3
debug1: Host 'myipaclient1.mydomain.com' is known and matches the RSA host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:3
debug2: bits set: 543/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x7fc58a994d60)
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1477
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp 8a:27:ab:1c:29:62:e8:d5:c0:f8:39:08:48:c8:5e:87:95:d9:13:8f
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug3: Wrote 640 bytes for a total of 2117
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug3: Wrote 128 bytes for a total of 2245
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env HOSTNAME
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env HISTSIZE
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SSH_TTY
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env KRB5CCNAME
debug3: Ignored env HISTCONTROL
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSOPEN
debug3: Ignored env HISTTIMEFORMAT
debug3: Ignored env G_BROKEN_FILENAMES
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: Wrote 448 bytes for a total of 2693
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Tue Jun 2 18:16:48 2015 from myotherserver.mydomain.com
####

And here it is when it does not work :
####
ssh -vvv myipaclient1.mydomain.com
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 myipaclient1.mydomain.com
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 521/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /var/lib/sss/pubconf/known_hosts
debug3: key_read: type mismatch
debug3: check_host_in_hostfile: match line 3
debug1: Host 'myipaclient1.mydomain.com' is known and matches the RSA host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:3
debug2: bits set: 510/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x7f1de9428d60)
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
####

I have the impression that when it does not work, it does not even try to use the authentication publickey.

When it works :
####
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
####

When it does not work :
####
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
####

May you help me please ?
I don't really know what to do here.
Ah here are the authconfig files in both cases :

Before (when passwordless works):
####
CACHECREDENTIALS=yes
FORCELEGACY=no
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=md5
USECRACKLIB=yes
USEDB=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAPAUTH=no
USELDAP=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=no
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USESHADOW=yes
USESMARTCARD=no
USESSSDAUTH=no
USESSSD=no
USESYSNETAUTH=no
USEWINBINDAUTH=no
USEWINBIND=no
####

After (when passwordless does not work)
####
CACHECREDENTIALS=yes
FORCELEGACY=no
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=md5
USECRACKLIB=yes
USEDB=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAPAUTH=no
USELDAP=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=yes
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USESHADOW=yes
USESMARTCARD=no
USESSSDAUTH=yes
USESSSD=yes
USESYSNETAUTH=no
USEWINBINDAUTH=no
USEWINBIND=no
####

Best regards.

Bahan

From christopher.lamb at ch.ibm.com Tue Jun 2 16:44:07 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 2 Jun 2015 18:44:07 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Message-ID:

Hi

To narrow down the cause even further, I reverted HOST10 via VM snapshot back to the state after installing linux and configuring ntpd.

This time I installed ipa-client 4.1 directly (rather than as a dependent of our standard server packages). So this machine is a basic install of EL 7.1 + ntpd + ipa-client, with nothing else extra.

Again I first registered against the old 3.3.3 FreeIPA Server, then switched to the new 4.1 Server. Once again my FreeIPA user does not authenticate.
Chris

----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 18:38 -----

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: freeipa-users at redhat.com, Jakub Hrozek
Date: 02.06.2015 18:28
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Sent by: freeipa-users-bounces at redhat.com

Hi

Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause of this problem. Let's call them HOST09 and HOST10.

Both are minimum installs of EL7.1, with NTPD installed and configured.

HOST09 had ipa-client 4.1 installed via yum, and was configured to use our new FreeIPA 4.1 server, right from the start.
--> My FreeIPA user authenticates successfully against this machine.

HOST10 had ipa-client 4.1 installed as a dependency of one of our standard config packages, and was first set to use our old FreeIPA 3.3.3 server.
--> My FreeIPA user authenticates successfully against this machine.

I then de-registered HOST10 from the FreeIPA 3.1 server, and registered against the new FreeIPA 4.1 server
--> My FreeIPA user does NOT authenticate successfully.

This replicates well the behaviour I saw with my production servers, namely

a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1 FreeIPA server authenticate properly.

b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3 FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT authenticate properly

Chris

----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 -----

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Jakub Hrozek
Cc: freeipa-users at redhat.com
Date: 02.06.2015 10:40
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Sent by: freeipa-users-bounces at redhat.com

Hi Jakub

Yes root login works, that's how I've been getting into the box.

Surprisingly, kinit with my user seems to work on that box.
After entering my password when prompted, it returns to the commandline without error.

However if I try kinit with another FreeIPA user, then instead of prompting for a password, it gives "Generic preauthentication failure while getting initial credentials" error.

Having set debug_level=10, when I try and ssh in with my FreeIPA user, I find errors like

"Retrieving host .... with result: .. Matching credential not found"

"Received error from KDC ... Additional pre-authentication required"

"Received error from KDC... Decrypt integrity check failed"

"Received error code 1432158219"

Cheers

Chris

From: Jakub Hrozek
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: freeipa-users at redhat.com
Date: 02.06.2015 09:50
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
> Hi Jakub
>
> The same user / password works with all our FreeIPA hosts - just this one box is the problem. So the password should be good. Of course a typo is always possible (especially for strong passwords), but I have tried many times which should eliminate the odd password typo. The user / password should also be good for both the old and the new FreeIPA Server.

Interesting, can you add debug_level=10 to the domain section of sssd.conf? Then krb5_child.log should show Kerberos tracing info including which exact KDC SSSD was talking to.

> As I can neither log in direct, or via ssh to this box with my FreeIPA user, I assume Kinit with my user won't work- i will try later in the day.

Well, login as a UNIX user (root) should work..

> My working assumption is that the problem is related in some way to the fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2 throwaway EL 7.1 VMs to better test this. On one I will first install 3.3.3, then upgrade to 4.1.
> The second will have a direct install of 4.1 client.
>
> Cheers
>
> Chris
>
> From: Jakub Hrozek
> To: freeipa-users at redhat.com
> Date: 02.06.2015 09:22
> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> Sent by: freeipa-users-bounces at redhat.com
>
> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> >
> > Hi All
> >
> > Bad news.
> >
> > Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being ssh remote login with FreeIPA user and password).
> >
> > Today I tried a second machine, and had the same problem, ssh connections with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check failed"
>
> This really just means wrong password, can you kinit as that user using the same password?
>
> > Ahh I thought, I have a solution for that: just remove ipa-client and reinstall via yum, register with the new FreeIPA server ....
> >
> > Only with this second machine I still can't ssh in with a FreeIPA user. Argg.....
> >
> > b.t.w, as this machine is a real physical server, I was able to try logging in direct with my FreeIPA user --> "Authentication Failure"
> >
> > I now have
> > * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old FreeIPA server to the new without a hitch (i.e. they successfully authenticate FreeIPA users.)
> > * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but with problems
> > * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to authenticate with a FreeIPA user
> > * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new FreeIPA server, and successfully authenticates FreeIPA users.
> >
> > Any ideas?
> >
> > Chris
> >
> > ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
> >
> > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > To: Alexander Bokovoy , freeipa-users at redhat.com
> > Date: 30.05.2015 18:52
> > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > Hi All
> >
> > It gives me pleasure to report the problem is solved - a minute ago I was able to login via ssh with my FreeIPA user to the problem server, while sitting on my terrace with a glass of wine!
> >
> > Thanks to Alexander for his helpful advice - we had some mail exchange outside the user list as I did not wish to broadcast content of keys, config files etc.
> >
> > Regardless of what I did with commands like klist, kvno everything seemed "ok", but I still could not ssh in. Even a ipa-getkeytab did not help.
> >
> > Therefore I decided to opt for brute force and (partial) ignorance. I completely uninstalled the FreeIPA client, and then reinstalled, configured - et voilà I could ssh in!
> >
> > This leaves the enigma: what caused the problem? I suspect the following:
> >
> > The host is an EL 7.1, but the first FreeIPA client installed was version 3.3.3 (installed as set of standard packages that we bung on all our servers).
> >
> > This worked fine to authenticate against our "old" 3.x FreeIPA server, but did not work against the "new" 4.1 FreeIPA Server.
> >
> > When I realised I could not ssh in, one of the first things I did was to yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help. The solution was to yum remove the FreeIPA client, then yum install the 4.1 client.
> >
> > I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so it will be interesting to see if the problem can be reproduced.
> >
> > Keep up the good work,
> >
> > Chris
> >
> > From: Alexander Bokovoy
> > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > Cc: freeipa-users at redhat.com
> > Date: 29.05.2015 18:04
> > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
> >
> > On Fri, 29 May 2015, Christopher Lamb wrote:
> > >
> > >Hi All
> > >
> > >Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated across the users.
> > >
> > >We have 50 odd Servers that are FreeIPA clients. Today I started migrating these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 server by doing an ipa-client-install --uninstall from the old, and ipa-client-install to register with the new 4.1.0 server.
> > >
> > >Most of the FreeIPA clients are running OEL 6.5, and for these the migration process above worked perfectly. After migrating the server, I could ssh in with my FreeIPA user.
> > >
> > >Then I migrated an OEL 7.1 server. The migration itself seemed to work, and getent passwd was successful for my FreeIPA user. However when I try and ssh in, my FreeIPA user / password is not accepted.
> > >
> > >Before the migration I could ssh into the problem server (though evidently it was using my FreeIPA user from the old FreeIPA server).
> > >
> > >I can ssh in with a local (non ldap) user, so ssh is running and working.
> > >
> > >From user root I can successfully su to my FreeIPA user.
> > >
> > >Further investigation showed that version of ipa-client installed was 3.3.3, so I yum updated this to 4.1.0.
> > >
> > >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The same user continues to work for the 6.5 boxes.
> > >
> > >A colleague tried to ssh in with his FreeIPA user, and was also rejected, so the problem is not my user, but is probably for all FreeIPA users.
> > >
> > >A failed ssh login attempt causes the following error in /var/log/messages
> > >
> > >[sssd[krb5_child[5393]]]: Decrypt integrity check failed
> > It means /etc/krb5.keytab contains keys from older system and SSSD picks them up.
> > Can you show output of 'klist -kKet'?
> > --
> > / Alexander Bokovoy
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project

From john.obaterspok at gmail.com Tue Jun 2 17:05:21 2015
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Tue, 2 Jun 2015 19:05:21 +0200
Subject: [Freeipa-users] login delay with sssd
In-Reply-To: <20150602101157.GM2805@hendrix>
References: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv> <20150602062158.GA26100@mail.corp.redhat.com> <20150602101157.GM2805@hendrix>
Message-ID:

2015-06-02 12:11 GMT+02:00 Jakub Hrozek :

> On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdiņš wrote:
> >
> > With kind regards,
> > Ivars Strazdiņš
> >
> > > On 2. jūn. 2015, at 07:21, Lukas Slebodnik wrote:
> > >
> > > How many groups does problematic user have?
> >
> > I can call any user problematic, because all have login delays.
> > siteadmin user, being able to login via ssh, probably has most groups - 4. Doesn't seem too many, does it?
> >
> > siteadmin at mail:~$ id
> > uid=9268000XX(siteadmin) gid=9268000XX(siteadmin) groups=9268000XX(siteadmin),92680000Y(vpnusers),92680000Z(mailusers),92680000W(scanned) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >
> > I have sssd-1.12.2 installed as per Centos 7.1.
> > I will have to wait until 1.12.4 or 5 is coming down the pipe with Centos updates.
>
> We plan on 7.1.z update, but with different bugzillas.
>
> Then we plan on putting 1.13 to 7.2
>
> > Hopefully that will resolve or mitigate the issue.
> > I cannot create mess by putting Fedora updates into Centos, not sure if that's even possible.
>
> Lukas keeps the 1.12 branch builds in his COPR repo, maybe those would be easier to test for you?

Isn't there also the option to disable the selinux context in sssd.conf just to check that it does have an effect. Don't remember what that option was.

--- john

From rcritten at redhat.com Tue Jun 2 17:25:03 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Jun 2015 13:25:03 -0400
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
In-Reply-To:
References:
Message-ID: <556DE6EF.2000804@redhat.com>

Christopher Lamb wrote:
>
> Hi
>
> To narrow down the cause even further, I reverted HOST10 via VM snapshot back to the state after installing linux and configuring ntpd.
>
> This time I installed ipa-client 4.1 directly (rather than as a dependent of our standard server packages). So this machine is a basic install of EL 7.1 + ntpd + ipa-client, with nothing else extra.
>
> Again I first registered against the old 3.3.3 FreeIPA Server, then switched to the new 4.1 Server.
>
> Once again my FreeIPA user does not authenticate.

I'd start by simplifying things. Does kinit -kt /etc/krb5.keytab work?

Do basic nss operations work?

getent passwd admin
id admin
groups admin

etc.

Seeing the entire ipaclient-install.log after the 7.1 install may be helpful.

Cranking up sssd debuglevel may be helpful.

rob

From christopher.lamb at ch.ibm.com Tue Jun 2 18:04:35 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 2 Jun 2015 20:04:35 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
In-Reply-To: <556DE6EF.2000804@redhat.com>
References: <556DE6EF.2000804@redhat.com>
Message-ID:

Hi Rob

Thanks

All those commands work, and give expected results.

I will send you the install logs direct.

Cheers

Chris

From: Rob Crittenden
To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com, Jakub Hrozek
Date: 02.06.2015 19:25
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

Christopher Lamb wrote:
>
> Hi
>
> To narrow down the cause even further, I reverted HOST10 via VM snapshot back to the state after installing linux and configuring ntpd.
>
> This time I installed ipa-client 4.1 directly (rather than as a dependent of our standard server packages). So this machine is a basic install of EL 7.1 + ntpd + ipa-client, with nothing else extra.
>
> Again I first registered against the old 3.3.3 FreeIPA Server, then switched to the new 4.1 Server.
>
> Once again my FreeIPA user does not authenticate.

I'd start by simplifying things. Does kinit -kt /etc/krb5.keytab work?

Do basic nss operations work?

getent passwd admin
id admin
groups admin

etc.

Seeing the entire ipaclient-install.log after the 7.1 install may be helpful.

Cranking up sssd debuglevel may be helpful.
rob

From jhrozek at redhat.com Tue Jun 2 18:09:27 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 20:09:27 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
In-Reply-To:
References: <20150602072132.GI2805@hendrix> <20150602075041.GK2805@hendrix>
Message-ID: <20150602180927.GA2805@hendrix>

On Tue, Jun 02, 2015 at 10:39:31AM +0200, Christopher Lamb wrote:
> Hi Jakub
>
> Yes root login works, that's how I've been getting into the box.
>
> Surprisingly, kinit with my user seems to work on that box. After entering my password when prompted, it returns to the commandline without error.
>
> However if I try kinit with another FreeIPA user, then instead of prompting for a password, it gives "Generic preauthentication failure while getting initial credentials" error.
>
> Having set debug_level=10, when I try and ssh in with my FreeIPA user, I find errors like
>
> "Retrieving host .... with result: .. Matching credential not found"
>
> "Received error from KDC ... Additional pre-authentication required"
>
> "Received error from KDC... Decrypt integrity check failed"
>
> "Received error code 1432158219"

Replied more in-depth off-list because the logs came in a private mail but for anyone having similar symptoms -- the Kerberos tracing info includes the IP address of the KDC we're trying to talk to. It's worth checking if it's the server that knows the user principal etc..
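Alexander's diagnosis earlier in this thread (keys from an older enrollment left in /etc/krb5.keytab, check `klist -kKet`), Rob's `kinit -kt` checklist and Jakub's advice to confirm which KDC the client is really talking to all come down to comparing what the client holds against what the current server expects. As an added example, not code from this thread or from FreeIPA/SSSD, the script below parses `klist -ket` and `kvno` output and flags keytab entries that point at a previous enrollment; the host name, realm and all sample output are constructed.

```python
"""Cross-check an IPA client keytab against the KDC after re-enrollment.

Added example, not code from this thread or from FreeIPA/SSSD. It reads the
text output of `klist -ket` (no -K: the raw key bytes are not needed for the
check) and of `kvno <principal>` run on the client, then reports entries that
SSSD could pick up but the current KDC will not accept: several key versions
for one principal (keys left behind by an earlier enrollment), a KDC key
version that is not in the keytab at all, or principals for another realm or
host name. All sample output below is constructed.
"""
import re
from collections import defaultdict

# Constructed `klist -ket` output for a client that was enrolled against an old
# server and later re-enrolled against a new one: both generations of keys remain.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/12/2015 09:01:17 host/host10.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 05/12/2015 09:01:17 host/host10.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 06/02/2015 18:20:41 host/host10.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 06/02/2015 18:20:41 host/host10.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 03/03/2014 11:45:00 nfs/host10.oldlab.example@OLDLAB.EXAMPLE (aes256-cts-hmac-sha1-96)
"""

# Constructed `kvno host/host10.example.com@EXAMPLE.COM` output from the new KDC.
SAMPLE_KVNO = "host/host10.example.com@EXAMPLE.COM: kvno = 5\n"

# A keytab line is: KVNO, date, time, principal, "(enctype)". With -K the key
# would follow as a second parenthesised hex field and is simply not captured.
_KT_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+@\S+)\s+\((\S+)\)")
_KVNO_LINE = re.compile(r"^(\S+@\S+):\s+kvno\s*=\s*(\d+)")


def parse_klist(text):
    """Return {principal: {kvno: [enctype, ...]}} from `klist -ket` output."""
    entries = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = _KT_LINE.match(line)
        if m:
            kvno, _timestamp, principal, enctype = m.groups()
            entries[principal][int(kvno)].append(enctype)
    return {p: dict(v) for p, v in entries.items()}


def parse_kvno(text):
    """Return {principal: kvno} from one or more `kvno` output lines."""
    result = {}
    for line in text.splitlines():
        m = _KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def audit_keytab(klist_text, kvno_text, expected_realm, expected_host):
    """Return human-readable findings; an empty list means nothing looks stale."""
    findings = []
    keytab = parse_klist(klist_text)
    kdc = parse_kvno(kvno_text)
    for principal, versions in sorted(keytab.items()):
        name, realm = principal.rsplit("@", 1)
        host = name.split("/", 1)[1] if "/" in name else ""
        if realm != expected_realm:
            findings.append(f"{principal}: realm {realm} is not {expected_realm}")
        if host and host != expected_host:
            findings.append(f"{principal}: host part {host} is not {expected_host}")
        if len(versions) > 1:
            findings.append(f"{principal}: {len(versions)} key versions present {sorted(versions)}")
        if principal in kdc and kdc[principal] not in versions:
            findings.append(f"{principal}: KDC kvno {kdc[principal]} not in keytab {sorted(versions)}")
    for principal in kdc:
        if principal not in keytab:
            findings.append(f"{principal}: known to the KDC but absent from the keytab")
    return findings


if __name__ == "__main__":
    # On a real client: klist -ket; kvno host/$(hostname -f)@REALM (as a user holding a TGT).
    for finding in audit_keytab(SAMPLE_KLIST, SAMPLE_KVNO, "EXAMPLE.COM", "host10.example.com"):
        print(finding)
```

A matching kvno only shows the version numbers agree; `kinit -kt /etc/krb5.keytab`, as Rob suggests, is the live test that the key bytes themselves still match the KDC.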
From jhrozek at redhat.com Tue Jun 2 18:15:24 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 20:15:24 +0200
Subject: [Freeipa-users] login delay with sssd
In-Reply-To:
References: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv> <20150602062158.GA26100@mail.corp.redhat.com> <20150602101157.GM2805@hendrix>
Message-ID: <20150602181524.GC2805@hendrix>

On Tue, Jun 02, 2015 at 07:05:21PM +0200, John Obaterspok wrote:
> 2015-06-02 12:11 GMT+02:00 Jakub Hrozek :
>
> > On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdiņš wrote:
> > >
> > > With kind regards,
> > > Ivars Strazdiņš
> > >
> > > > On 2. jūn. 2015, at 07:21, Lukas Slebodnik wrote:
> > > >
> > > > How many groups does problematic user have?
> > >
> > > I can call any user problematic, because all have login delays.
> > > siteadmin user, being able to login via ssh, probably has most groups - 4. Doesn't seem too many, does it?
> > >
> > > siteadmin at mail:~$ id
> > > uid=9268000XX(siteadmin) gid=9268000XX(siteadmin) groups=9268000XX(siteadmin),92680000Y(vpnusers),92680000Z(mailusers),92680000W(scanned) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > I have sssd-1.12.2 installed as per Centos 7.1.
> > > I will have to wait until 1.12.4 or 5 is coming down the pipe with Centos updates.
> >
> > We plan on 7.1.z update, but with different bugzillas.
> >
> > Then we plan on putting 1.13 to 7.2
> >
> > > Hopefully that will resolve or mitigate the issue.
> > > I cannot create mess by putting Fedora updates into Centos, not sure if that's even possible.
> >
> > Lukas keeps the 1.12 branch builds in his COPR repo, maybe those would be easier to test for you?
>
> Isn't there also the option to disable the selinux context in sssd.conf just to check that it does have an effect. Don't remember what that option was.
>
> --- john

Ah, good idea.
If selinux provider is the cause, then setting:
    selinux_provider = none
should help. Unless you're using that feature, of course..

From brian.topping at gmail.com Tue Jun 2 18:35:45 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Wed, 3 Jun 2015 01:35:45 +0700
Subject: [Freeipa-users] Issues with SNI+Kerberos
Message-ID: <3BFD5F0E-226E-4A6B-92E9-38D44BE12AC4@gmail.com>

Hi all,

I've been trying to work through the instructions at https://www.freeipa.org/page/Apache_SNI_With_Kerberos and have not been having much luck. I've followed the instructions there exactly, ending with the following command:

> ipa-getcert request -r -f /etc/httpd/certs/example.crt -k /etc/httpd/certs/example.key -N CN=www.example.com -D www.example.com -K HTTP/www.example.com

but I keep getting the following:

> ca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).

What's interesting is it creates the private key file but the certificate fails. I cannot find anything in the logs on either the ipa or the client machine that would indicate what that failure is.

Does anyone recognize this situation where the key file is created but the certificate is not created?

Thanks!

From rcritten at redhat.com Tue Jun 2 18:43:46 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Jun 2015 14:43:46 -0400
Subject: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4
In-Reply-To:
References: <20150530121021.GA11243@mail.corp.redhat.com> <24b13f8e-c7a7-4fdb-a81c-e0ef33e0f4d9@email.android.com> <556C72F9.7080904@redhat.com>
Message-ID: <556DF962.2010900@redhat.com>

bahan w wrote:
> Hello everyone.
>
> @Rob, I checked indeed in the logs /var/log/pki-ca and there was a problem, so I performed the pki-remove command :
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
>
> After this, I was able to reproduce my initial error with the permission denied.
> The permission denied was occurring because the /var logical volume had a noexec option in the /etc/fstab.
>
> Modifying this to exec solved my problem.
> By the way, I'm not sure this is normal to execute script in /var. If I remember well, it was not designed for this, am I wrong ?
>
> Thank you everyone for your answers, it helped a lot.

Can you be more specific on what script was being executed? It sounds a bit odd but it may be instance-specific scripts.

rob f

>
> Best regards.
>
> Bahan
>
> On Mon, Jun 1, 2015 at 4:58 PM, Rob Crittenden wrote:
>
> bahan w wrote:
>
> Hello everyone.
>
> I modified the /etc/selinux/config file :
> #########################################################
> # This file controls the state of SELinux on the system.
> # SELINUX=disabled
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=permissive
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
> #########################################################
>
> Then I rebooted.
> #########################################################
> reboot
> #########################################################
>
> Here is the result of getenforce :
> #########################################################
> Permissive
> #########################################################
>
> I removed the ipa-server that I had and I tried the 3.0.0-42 :
> #########################################################
> yum install ipa-server-3.0.0-42.el6.x86_64
> Loaded plugins: security
> Setting up Install Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
> --> Processing Dependency: ipa-client = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
> --> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
> --> Processing Dependency: ipa-python = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
> --> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
> --> Running transaction check
> ---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
> ---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
> ---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
> ---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be installed
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> ======================================================================================================================================
> Package Arch Version Repository Size
> ======================================================================================================================================
> Installing:
> ipa-server x86_64 3.0.0-42.el6 standard 1.1 M
> Installing for dependencies:
> ipa-admintools x86_64 3.0.0-42.el6 standard 67 k
> ipa-client x86_64 3.0.0-42.el6 standard 145 k
> ipa-python x86_64 3.0.0-42.el6
standard 928 k
> ipa-server-selinux x86_64 3.0.0-42.el6 standard 66 k
>
> Transaction Summary
> ======================================================================================================================================
> Install 5 Package(s)
>
> Total download size: 2.3 M
> Installed size: 9.2 M
> Is this ok [y/N]: y
> Downloading Packages:
> (1/5): ipa-admintools-3.0.0-42.el6.x86_64.rpm | 67 kB 00:00
> (2/5): ipa-client-3.0.0-42.el6.x86_64.rpm | 145 kB 00:00
> (3/5): ipa-python-3.0.0-42.el6.x86_64.rpm | 928 kB 00:00
> (4/5): ipa-server-3.0.0-42.el6.x86_64.rpm | 1.1 MB 00:00
> (5/5): ipa-server-selinux-3.0.0-42.el6.x86_64.rpm | 66 kB 00:00
> --------------------------------------------------------------------------------------------------------------------------------------
> Total 6.8 MB/s | 2.3 MB 00:00
> Running rpm_check_debug
> Running Transaction Test
> Transaction Test Succeeded
> Running Transaction
> Installing : ipa-python-3.0.0-42.el6.x86_64 1/5
> Installing : ipa-client-3.0.0-42.el6.x86_64 2/5
> Installing : ipa-admintools-3.0.0-42.el6.x86_64 3/5
> Installing : ipa-server-3.0.0-42.el6.x86_64 4/5
> Installing : ipa-server-selinux-3.0.0-42.el6.x86_64 5/5
> libsepol.print_missing_requirements: ipa_dogtag's global requirements were not met: type/attribute pki_ca_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
> Verifying : ipa-server-3.0.0-42.el6.x86_64 1/5
> Verifying : ipa-server-selinux-3.0.0-42.el6.x86_64 2/5
> Verifying : ipa-python-3.0.0-42.el6.x86_64 3/5
> Verifying : ipa-client-3.0.0-42.el6.x86_64 4/5
> Verifying : ipa-admintools-3.0.0-42.el6.x86_64 5/5
>
> Installed:
> ipa-server.x86_64 0:3.0.0-42.el6
>
> Dependency Installed:
> ipa-admintools.x86_64 0:3.0.0-42.el6
> ipa-client.x86_64 0:3.0.0-42.el6
> ipa-python.x86_64 0:3.0.0-42.el6
> ipa-server-selinux.x86_64 0:3.0.0-42.el6
>
> Complete!
> #########################################################
>
> The errors linked with dogtag are still there.
> Now, when I tried to run the ipa-server-install command here is what I have :
> #########################################################
> Continue to configure the system with these values? [no]: yes
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
> [1/3]: creating directory server user
> [2/3]: creating directory server instance
> [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> [1/20]: creating certificate server user
> [2/20]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM -ca_server_cert_subject_name CN=MYHOST,O=MYREALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM -external false -clone false' returned non-zero exit status 255
> Configuration of CA failed
> #########################################################
>
> And here is what I found in the ipaserver-install.log :
> #########################################################
> 2015-06-01T07:38:43Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
> at java.net
.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:385)
> at java.net.Socket.connect(Socket.java:546)
> at java.net.Socket.connect(Socket.java:495)
> at java.net.Socket.(Socket.java:392)
> at java.net.Socket.(Socket.java:235)
> at HTTPClient.sslConnect(HTTPClient.java:326)
> at ConfigureCA.LoginPanel(ConfigureCA.java:244)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> at ConfigureCA.main(ConfigureCA.java:1672)
> java.lang.NullPointerException
> at ConfigureCA.LoginPanel(ConfigureCA.java:245)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> at ConfigureCA.main(ConfigureCA.java:1672)
>
> 2015-06-01T07:38:43Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM -ca_server_cert_subject_name CN=MYHOST,O=MYREALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM -external false -clone false' returned non-zero exit status 255
> 2015-06-01T07:38:43Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
> return_value
= main_function()
>
> File "/usr/sbin/ipa-server-install", line 942, in main
> subject_base=options.subject)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
> self.start_creation(runtime=210)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
> method()
>
> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
> raise RuntimeError('Configuration of CA failed')
>
> 2015-06-01T07:38:43Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
> #########################################################
>
> I'm not really sure permissive mode with SELinux is helping in fact.
>
> I'd poke around in the CA logs in /var/log/pki-ca. It may be that the CA isn't really starting up, or the web app isn't starting. There are a lot of red herrings in the logs, and things can cascade, so I'd start at the top and work my way down.
>
> rob
>

From rcritten at redhat.com Tue Jun 2 18:54:21 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Jun 2015 14:54:21 -0400
Subject: [Freeipa-users] Issues with SNI+Kerberos
In-Reply-To: <3BFD5F0E-226E-4A6B-92E9-38D44BE12AC4@gmail.com>
References: <3BFD5F0E-226E-4A6B-92E9-38D44BE12AC4@gmail.com>
Message-ID: <556DFBDD.5050801@redhat.com>

Brian Topping wrote:
> Hi all,
>
> I've been trying to work through the instructions at https://www.freeipa.org/page/Apache_SNI_With_Kerberos and have not been having much luck. I've followed the instructions there exactly, ending with the following command:
>
>> ipa-getcert request -r -f /etc/httpd/certs/example.crt -k /etc/httpd/certs/example.key -N CN=www.example.com -D www.example.com -K HTTP/www.example.com
>
> but I keep getting the following:
>
>> ca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server.
>> Insufficient access: not allowed to perform this command).
>
> What's interesting is it creates the private key file but the certificate fails. I cannot find anything in the logs on either the ipa or the client machine that would indicate what that failure is.
>
> Does anyone recognize this situation where the key file is created but the certificate is not created?

Key generation is done locally.

The failure is pretty clear, your host isn't allowed to do this:

Insufficient access: not allowed to perform this command

The Apache error log should contain this error as well.

What version of IPA is this? And more information on what you're doing is needed, obfuscate as needed, but what host are you running this on? I assume you want to create an SNI for www.example.com on .example.com?

rob

From tompos at martos.bme.hu Tue Jun 2 19:11:45 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Tue, 02 Jun 2015 21:11:45 +0200
Subject: [Freeipa-users] password expiration
In-Reply-To: <556D9AC4.80603@redhat.com>
References: <556C9B6A.2090401@martos.bme.hu> <556D6143.2060402@redhat.com> <1323262959.41029.1433233843917.JavaMail.zimbra@chemaxon.com> <556D6ADF.7050405@redhat.com> <556D7A96.2020400@martos.bme.hu> <556D9AC4.80603@redhat.com>
Message-ID: <556DFFF1.7020406@martos.bme.hu>

On 06/02/2015 02:00 PM, Martin Kosek wrote:
> On 06/02/2015 11:42 AM, Tamas Papp wrote:
>>
>> On 06/02/2015 10:35 AM, Martin Kosek wrote:
>>> You would need to do the modifications as Directory Manager or other user in
>>> "admins" group.
>>>
>>> To resolve this, you would need to manually fix admin entry attribute
>>> krbPasswordExpiration to some future date, kinit as admin and then fix the
>>> global policy with some sane value (pwpolicy-mod).
>> How can this work? It forces me to change the password again after kinit.
> You would need to use ldapmodify and bind as Directory Manager to do this, you
> cannot change krbPasswordExpiration with IPA user (IIRC).
I mean I changed that entry with ldapmodify, then kinit admin and it forced me to change the password, GOTO 1 :)

But if I understand correctly I should have changed other attribute as well ;)

>> For some reason another user with admin rights was able to login and we were
>> able to fix the policy so far.
> With that other admin user, you can simply call "ipa passwd" on the original
> admin, assign temporary password and have him change it on the first login.

Yes, everything is back to normal operation now.

Thanks for your prompt attention!

tamas

From ivars.strazdins at sets.lv Tue Jun 2 20:09:46 2015
From: ivars.strazdins at sets.lv (Ivars Strazdiņš)
Date: Tue, 2 Jun 2015 21:09:46 +0100
Subject: [Freeipa-users] login delay with sssd
In-Reply-To: <20150602181524.GC2805@hendrix>
References: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv> <20150602062158.GA26100@mail.corp.redhat.com> <20150602101157.GM2805@hendrix> <20150602181524.GC2805@hendrix>
Message-ID: <92DCD0EE-F5CF-48E5-B950-09FE23392788@sets.lv>

> On 2. jūn. 2015, at 19:15, Jakub Hrozek wrote:
>
> selinux_provider = none

I've got immediate and noticeable improvement in ssh login times and webmail responses.

What exactly is missing when host runs sssd with "selinux_provider = none"?

To put it otherwise - will postfix and dovecot run properly until sssd receives update in CentOS?

Kind regards,
Ivars

From tobeychris at hotmail.com Tue Jun 2 20:10:15 2015
From: tobeychris at hotmail.com (Chris Tobey)
Date: Tue, 2 Jun 2015 16:10:15 -0400
Subject: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Message-ID:

Hi everyone,

This is my first time posting here - please be gentle.

I currently have ~40 CentOS 6.6 servers authenticating against my FreeIPA server running on another CentOS 6.6 server.
(ipa-server-3.0.0-42.el6.centos.x86_64 and ipa-client-3.0.0-42.el6.centos.x86_64) The server has been running stable for the last ~4 months without issue, slowly building up from five servers to the current forty. This server is paired with a puppet/foreman server to manage the servers themselves.

I am having an issue with my FreeIPA server and I cannot figure out what is going wrong. As of right now all 40 servers can still authenticate without issue, so that is good.

My issue is similar to what I saw here: https://www.redhat.com/archives/freeipa-users/2011-November/msg00125.html where I receive a pop-up error "IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)". The issue described at the above link is fairly old, and I checked my .jar symlinks and they appear to all be ok. The pop-up appears when I go to Identity > Hosts > and click on a host. The host information appears to all be correct, and if I make changes the error appears again, but the changes seem to take effect (tested changing a host description).

The failures prevent me from adding new hosts in Foreman. When I try to add a new host it says "Unable to save - Failed to create testvm.server.com's realm entry: ERF12-5287 [ProxyAPI::ProxyException]: Unable to create realm entry ([RestClient::BadRequest]: 400 Bad Request) for proxy https://puppetmaster.server.com:8443/realm/SERVER.COM."

Does anyone have any ideas on what I can do to fix this? I can post any logs that I have, but I do not know which are relevant to this issue.

Thanks,
-Chris Tobey
From jhrozek at redhat.com Tue Jun 2 20:21:01 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Jun 2015 22:21:01 +0200
Subject: [Freeipa-users] login delay with sssd
In-Reply-To: <92DCD0EE-F5CF-48E5-B950-09FE23392788@sets.lv>
References: <6FA71714-C375-49EA-9509-642B3B97134E@sets.lv> <20150602062158.GA26100@mail.corp.redhat.com> <20150602101157.GM2805@hendrix> <20150602181524.GC2805@hendrix> <92DCD0EE-F5CF-48E5-B950-09FE23392788@sets.lv>
Message-ID: <20150602202101.GI2805@hendrix>

On Tue, Jun 02, 2015 at 09:09:46PM +0100, Ivars Strazdiņš wrote:
>
> > On 2. jūn. 2015, at 19:15, Jakub Hrozek wrote:
> >
> > selinux_provider = none
>
> I've got immediate and noticeable improvement in ssh login times and webmail responses.

Thanks, that confirms you're hitting https://bugzilla.redhat.com/show_bug.cgi?id=1210854 currently proposed for 7.2

> What exactly is missing when host runs sssd with "selinux_provider = none"?

The selinux mappings that you set with "ipa selinuxusermap"

> To put it otherwise - will postfix and dovecot run properly until sssd receives update in Centos?
>
> Kind regards,
> Ivars
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From nathan at nathanpeters.com Tue Jun 2 22:25:40 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Tue, 2 Jun 2015 15:25:40 -0700
Subject: [Freeipa-users] sssd not caching public keys in sss_authorized_keys file
Message-ID: <5e7fa79f4ffe1249c0761ce3b9966038.squirrel@webmail.nathanpeters.com>

I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client is CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).

I have created a user in FreeIPA and he has access to a server through HBAC rules. This user has created a public / private keypair and uploaded the public key from his personal machine to the IPA server so it shows up in his user record.
The record was saved and he successfully logged into the IPA client using the keys.

According to the docs here (Yes, I know it's a little old but I could not find any newer info that conflicted with this):
https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html

2. Stores the user key in a custom file, .ssh/sss_authorized_keys, in the standard authorized keys format.

However, when he logs in, there is no sss_authorized_keys file created and as far as I can tell, the key is never cached in his account.

How do I get the keys to actually save on login like the manual says?

From netvent at gmail.com Tue Jun 2 23:07:39 2015
From: netvent at gmail.com (swartz)
Date: Tue, 2 Jun 2015 17:07:39 -0600
Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines?
Message-ID:

I have an environment that spans across multiple physical locations where there is a mix of Linux and Solaris workstations/servers. So far we've been managing accounts (/etc/password) via Puppet.

Problem: FreeIPA allows to store only one homedir path.
Q: Is there a way to store/set a different home path based on the system that the user is logged into?

As an example, I have user Bob.
On a Linux box Bob has homedir at /home/b/bob
On a Solaris this is likely /export/home/bob
While on some other odd system it could be /mnt/nas/users/bob

The contents in each of the above locations differs for Bob.

There are NAS boxes that hold data for specific groups that are mounted on few machines only. We can't use NAS as central homedir storage for a number of reasons. Mounting exported filesystems as subdirs under main homedir isn't an option either. Many odd-ball systems don't export their filesystems. Mounting all homedir locations isn't necessary on all machines. Performance issues over network, etc, etc.

Is there a way to handle such a scenario as outlined above? I would welcome any input/ideas.
From lslebodn at redhat.com Wed Jun 3 06:14:30 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 3 Jun 2015 08:14:30 +0200
Subject: [Freeipa-users] sssd not caching public keys in sss_authorized_keys file
In-Reply-To: <5e7fa79f4ffe1249c0761ce3b9966038.squirrel@webmail.nathanpeters.com>
References: <5e7fa79f4ffe1249c0761ce3b9966038.squirrel@webmail.nathanpeters.com>
Message-ID: <20150603061430.GA9862@mail.corp.redhat.com>

On (02/06/15 15:25), nathan at nathanpeters.com wrote:
>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client is
>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>
>I have created a user in FreeIPA and he has access to a server through
>HBAC rules. This user has created a public / private keypair and uploaded
>the public key from his personal machine to the IPA server so it shows up
>in his user record. The record was saved and he successfully logged into
>the IPA client using the keys.
>
>According to the docs here (Yes, I know it's a little old but I could not
>find any newer info that conflicted with this) :
>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
>
As you already noticed, it is quite old documentation.

>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in the
>standard authorized keys format.
>
There's a bug in the documentation.

>However, when he logs in, there is no sss_authorized_keys file created and
>as far as I can tell, the key is never cached in his account.
>
The better test would be to authenticate with ssh keys online, so they can be fetched from FreeIPA, then block connection to FreeIPA (simulate offline state) and re-test one more time.

>How do I get the keys to actually save on login like the manual says?

Keys are already cached in different file /var/lib/sss/pubconf/known_hosts.
@see rhel7 documentation [1]

rhel7 documentation [1] should contain valid and recent information. If you find any issues please report them.

LS

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#openssh-sssd-hosts

From lslebodn at redhat.com Wed Jun 3 06:29:20 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 3 Jun 2015 08:29:20 +0200
Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines?
In-Reply-To:
References:
Message-ID: <20150603062919.GB9862@mail.corp.redhat.com>

On (02/06/15 17:07), swartz wrote:
>I have a environment that spans across multiple physical locations where
>there is a mix of Linux and Solaris workstations/servers. So far we've been
>managing accounts (/etc/password) via Puppet.
>
>Problem: FreeIPA allows to store only one homedir path.
>Q: Is there a way to store/set a different home path based on the system
>that the user is logged into?
>
sssd configuration is quite flexible in this way.
You can override homedir with configuration option
man sssd.conf -> "override_homedir"

However sssd is available just on linux (or FreeBSD)
I'm not sure which clients you use on Solaris or other old systems, maybe there is a way to override homedir as well.
Or you can configure home directory attribute to a non-existing attribute in FreeIPA and use some fallback (if possible)

>As an example, I have user Bob.
>On a Linux box Bob has homedir at /home/b/bob
                                       ^
Unfortunately, there's no way to tell sssd to use just the first letter from the name.

>On a Solaris this is likely /export/home/bob
>While on some other odd system it could be /mnt/nas/users/bob
Different "prefix" for homedir "/export/home", "/home", "/mnt/nas/users" could be addressed with the option homedir_substring in sssd conf.
https://fedorahosted.org/sssd/ticket/1853

So you could store "%H" in ldap attribute, but clients need to understand such value. (sssd >= 1.11.6).
I'm not sure about other clients.

LS

From mkosek at redhat.com Wed Jun 3 07:34:28 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 03 Jun 2015 09:34:28 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
In-Reply-To:
References:
Message-ID: <556EAE04.3030704@redhat.com>

On 06/02/2015 06:15 PM, Christopher Lamb wrote:
>
> Hi
>
> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause
> of this problem. Let's call them HOST09 and HOST10
>
> Both are minimum installs of EL7.1, with NTPD installed and configured.
>
> HOST09 had ipa-client 4.1 installed via yum, and was configured to use our
> new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
> authenticates successfully against this machine.
>
> HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
> config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
> My FreeIPA user authenticates successfully against this machine.
>
> I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
> against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
> authenticate successfully.
>
> This replicates well the behaviour I saw with my production servers, namely
> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
> FreeIPA server authenticate properly.
>
> b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
> FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
> authenticate properly
>
> Chris

Hello,

This is really strange. What I do not fully understand is what is the "registration against a FreeIPA server". What server you install IPA client should matter if the deployment is set up properly. The host enrollment entry should simply replicate to whole infrastructure.
The only thing that will probably differ is sssd.conf and krb5.conf as they will have different primary server set up, based on what your DNS setup is.

It rather seems that the "reregistration" is what causes the issue. It looks like some cleanup problem during the process. I will let Jakub help here, I would suggest including the SSSD logs from the failed login, it may help.

>
>
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 -----
>
> From: Christopher Lamb/Switzerland/IBM at IBMCH
> To: Jakub Hrozek
> Cc: freeipa-users at redhat.com
> Date: 02.06.2015 10:40
> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> Sent by: freeipa-users-bounces at redhat.com
>
>
>
> Hi Jakub
>
> Yes root login works, that's how I've been getting into the box.
>
> Surprisingly, kinit with my user seems to work on that box. After entering
> my password when prompted, it returns to the commandline without error.
>
> However if I try kinit with another FreeIPA user, then instead of prompting
> for a password, it gives "Generic preauthentication failure while getting
> initial credentials" error.
>
> Having set debug_level=10, when I try and ssh in with my FreeIPA user, I
> find errors like
>
> "Retrieving host .... with result: .. Matching credential not found"
>
> "Received error from KDC ... Additional pre-authentication required"
>
> "Received error from KDC... Decrypt integrity check failed"
>
> "Received error code 1432158219"
>
> Cheers
>
> Chris
>
>
>
>
>
> From: Jakub Hrozek
> To: Christopher Lamb/Switzerland/IBM at IBMCH
> Cc: freeipa-users at redhat.com
> Date: 02.06.2015 09:50
> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>
>
>
> On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
>> Hi Jakub
>>
>> The same user / password works with all our FreeIPA hosts - just this one
>> box is the problem.
>> So the password should be good. Of course a typo is
>> always possible (especially for strong passwords), but I have tried many
>> times which should eliminate the odd password typo. The user / password
>> should also be good for both the old and the new FreeIPA Server.
>
> Interesting, can you add debug_level=10 to the domain section of
> sssd.conf? Then krb5_child.log should show Kerberos tracing info
> including which exact KDC SSSD was talking to.
>
>>
>> As I can neither log in direct, or via ssh to this box with my FreeIPA
>> user, I assume kinit with my user won't work - I will try later in the day.
>
> Well, login as a UNIX user (root) should work..
>
>>
>> My working assumption is that the problem is related in some way to the
>> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
>> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
>> throwaway EL 7.1 VMs to better test this. On one I will first install
>> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
>> client.
>>
>> Cheers
>>
>> Chris
>>
>>
>>
>> From: Jakub Hrozek
>> To: freeipa-users at redhat.com
>> Date: 02.06.2015 09:22
>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>> Sent by: freeipa-users-bounces at redhat.com
>>
>>
>>
>> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
>>>
>>> Hi All
>>>
>>> Bad news.
>>>
>>> Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
>>> host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
>>> remote login with FreeIPA user and password).
>>>
>>> Today I tried a second machine, and had the same problem, ssh connections
>>> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
>>> failed"
>>
>> This really just means wrong password, can you kinit as that user using
>> the same password?
>>
>>>
>>> Ahh I thought, I have a solution for that: just remove ipa-client and
>>> reinstall via yum, register with the new FreeIPA server ....
>>>
>>> Only with this second machine I still can't ssh in with a FreeIPA user.
>>> Argg.....
>>>
>>> b.t.w, as this machine is a real physical server, I was able to try logging
>>> in direct with my FreeIPA user --> "Authentication Failure"
>>>
>>> I now have
>>> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
>>> FreeIPA server to the new without a hitch (i.e. they successfully
>>> authenticate FreeIPA users.)
>>> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
>>> with problems
>>> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
>>> authenticate with a FreeIPA user
>>> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
>>> FreeIPA server, and successfully authenticates FreeIPA users.
>>>
>>> Any ideas?
>>>
>>> Chris
>>>
>>>
>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
>>>
>>> From: Christopher Lamb/Switzerland/IBM at IBMCH
>>> To: Alexander Bokovoy, freeipa-users at redhat.com
>>> Date: 30.05.2015 18:52
>>> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
>>> Sent by: freeipa-users-bounces at redhat.com
>>>
>>>
>>>
>>> Hi All
>>>
>>> It gives me pleasure to report the problem is solved - a minute ago I was
>>> able to login via ssh with my FreeIPA user to the problem server, while
>>> sitting on my terrace with a glass of wine!
>>>
>>> Thanks to Alexander for his helpful advice - we had some mail exchange
>>> outside the user list as I did not wish to broadcast content of keys,
>>> config files etc.
>>>
>>> Regardless of what I did with commands like klist, kvno everything seemed
>>> "ok", but I still could not ssh in. Even a ipa-getkeytab did not help.
>>>
>>> Therefore I decided to opt for brute force and (partial) ignorance. I
>>> completely uninstalled the FreeIPA client, and then reinstalled, configured
>>> - et voilà I could ssh in!
>>>
>>> This leaves the enigma: what caused the problem? I suspect the following:
>>>
>>> The host is an EL 7.1, but the first FreeIPA client installed was version
>>> 3.3.3 (installed as set of standard packages that we bung on all our
>>> servers).
>>>
>>> This worked fine to authenticate against our "old" 3.x FreeIPA server, but
>>> did not work against the "new" 4.1 FreeIPA Server.
>>>
>>> When I realised I could not ssh in, one of the first things I did was to
>>> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
>>> The solution was to yum remove the FreeIPA client, then yum install the 4.1
>>> client.
>>>
>>> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
>>> it will be interesting to see if the problem can be reproduced.
>>>
>>> Keep up the good work,
>>>
>>> Chris
>>>
>>>
>>>
>>> From: Alexander Bokovoy
>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>> Cc: freeipa-users at redhat.com
>>> Date: 29.05.2015 18:04
>>> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
>>>
>>>
>>>
>>> On Fri, 29 May 2015, Christopher Lamb wrote:
>>>>
>>>> Hi All
>>>>
>>>> Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
>>>> the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
>>>> across the users.
>>>>
>>>> We have 50 odd Servers that are FreeIPA clients. Today I started migrating
>>>> these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
>>>> server by doing an ipa-client-install --uninstall from the old, and
>>>> ipa-client-install to register with the new 4.1.0 server.
>>>>
>>>> Most of the FreeIPA clients are running OEL 6.5, and for these the
>>>> migration process above worked perfectly. After migrating the server, I
>>>> could ssh in with my FreeIPA user.
>>>>
>>>> Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
>>>> getent passwd was successful for my FreeIPA user. However when I try and
>>>> ssh in, my FreeIPA user / password is not accepted.
>>>>
>>>> Before the migration I could ssh into the problem server (though evidently
>>>> it was using my FreeIPA user from the old FreeIPA server).
>>>>
>>>> I can ssh in with a local (non ldap) user, so ssh is running and working.
>>>>
>>>> From user root I can successfully su to my FreeIPA user.
>>>>
>>>> Further investigation showed that version of ipa-client installed was
>>>> 3.3.3, so I yum updated this to 4.1.0.
>>>>
>>>> However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>>>> same user continues to work for the 6.5 boxes.
>>>>
>>>> A colleague tried to ssh in with his FreeIPA user, and was also rejected,
>>>> so the problem is not my user, but is probably for all FreeIPA users.
>>>>
>>>> A failed ssh login attempt causes the following error in /var/log/messages
>>>>
>>>> [sssd[krb5_child[5393]]]: Decrypt integrity check failed
>>> It means /etc/krb5.keytab contains keys from older system and SSSD
>>> picks them up.
>>> Can you show output of 'klist -kKet'?
>>> --
>>> / Alexander Bokovoy
>>>
>>
>

From mkosek at redhat.com Wed Jun 3 07:39:46 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 03 Jun 2015 09:39:46 +0200
Subject: [Freeipa-users] ipa-client-install remove the passwordless connection with root
In-Reply-To:
References:
Message-ID: <556EAF42.3000403@redhat.com>

On 06/02/2015 06:27 PM, bahan w wrote:
> Hello !
>
> I send you this mail because I have a problem linked with SSH and FreeIPA.
>
> I have multiple servers :
> - One with FreeIPA server 3.0.0-26
> - The others with FreeIPA client 3.0.0-26
>
> They are running on RHEL 6.4.
>
> I configured a root user on each of them.
> On one specific server, I created an rsa key in order to connect
> passwordlessly from a specific server to all the others
> ####
> ssh-keygen -t rsa
> ####
>
> I distributed the public key on all the others :
> ####
> for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
> ####
>
> Once it was done, I modified the rights on these files :
> ####
> for i in ${my_server_list}; do ssh $i "chmod 644 /root/.ssh/authorized_keys"; done
> ####
>
> And I was able to connect to all these servers without entering a password.
> The system was working well.
>
> When I installed ipa-server on a specific server, this connection with the
> RSA key was not possible anymore.
> Each time I tried to connect to the server through SSH, it keeps asking me
> for a password.
> I tried to install the ipa-client on another server to just check if I had
> the same behaviour and indeed, each time I run ipa-client-install, I can't
> connect passwordlessly with root anymore.

Hello,

SSH with key with root account should work, SSSD (or the SSH public key tools) should not interfere with root user account at all.

What I would suggest is to try some newer version of sssd+ipa-client, RHEL-6.4 is quite old already. RHEL-6.6 (or even RHEL-7.1) would be a better starting point.

From abokovoy at redhat.com Wed Jun 3 07:40:15 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 3 Jun 2015 10:40:15 +0300
Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines?
In-Reply-To:
References:
Message-ID: <20150603074015.GT15837@redhat.com>

On Tue, 02 Jun 2015, swartz wrote:
>I have a environment that spans across multiple physical locations where
>there is a mix of Linux and Solaris workstations/servers. So far we've been
>managing accounts (/etc/password) via Puppet.
>
>Problem: FreeIPA allows to store only one homedir path.
>Q: Is there a way to store/set a different home path based on the system
>that the user is logged into?
Yes, this is a feature of FreeIPA 4.1, called ID Views.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html

See also my talk at SambaXP this year:
https://www.samba.org/~ab/sambaxp/2015/freeipa_idviews.pdf

While ID Views were designed for supporting Active Directory users (where you may not have POSIX attributes in the directory), they can be used for augmenting IPA users too -- just create a separate view and apply it to the host you need. SSSD has to be recent enough to apply the view locally at that host.

For Solaris and other systems, use compat tree integration.

>
>As an example, I have user Bob.
>On a Linux box Bob has homedir at /home/b/bob
>On a Solaris this is likely /export/home/bob
>While on some other odd system it could be /mnt/nas/users/bob
>
>The contents in each of the above locations differs for Bob.
>
>There are NAS boxes that hold data for specific groups that are mounted on
>few machines only. We can't use NAS as central homedir storage for number
>of reasons. Mounting exported filesystems as subdirs under main homedir
>isn't an option either. Many odd-ball systems don't export their
>filesystems. Mounting all homedirs locations isn't necessary on all
>machines. Performance issues over network., etc, etc.
>
>Is there a way to handle such scenario as outline above? I would welcome
>any input/ideas.

--
/ Alexander Bokovoy

From mkosek at redhat.com Wed Jun 3 07:43:31 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 03 Jun 2015 09:43:31 +0200
Subject: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
In-Reply-To:
References:
Message-ID: <556EB023.2070007@redhat.com>

On 06/02/2015 10:10 PM, Chris Tobey wrote:
> Hi everyone,
>
> This is my first time posting here - please be gentle.
Ok :-)

> I currently have ~40 CentOS 6.6 servers authenticating against my FreeIPA
> server running on another CentOS 6.6 server.
> (ipa-server-3.0.0-42.el6.centos.x86_64 and
> ipa-client-3.0.0-42.el6.centos.x86_64) The server has been running stable
> for the last ~4 months without issue, slowly building up from five servers
> to the current forty. This server is paired with a puppet/foreman server to
> manage the servers themselves.
>
> I am having an issue with my FreeIPA server and I cannot figure out what is
> going wrong. As of right now all 40 servers can still authenticate without
> issue, so that is good.
>
> My issue is similar to what I saw here:
> https://www.redhat.com/archives/freeipa-users/2011-November/msg00125.html
> where I receive a pop-up error "IPA Error 4301: Certificate operation cannot
> be completed: Unable to communicate with CMS (Not Found)". The issue
> described at the above link is fairly old, and I checked my .jar symlinks
> and they appear to all be ok. The pop-up appears when I go to Identity >
> Hosts > and click on a host. The host information appears to all be correct,
> and if I make changes the error appears again, but the changes seem to take
> effect (tested changing a host description).
>
> The failures prevent me from adding new hosts in Foreman. When I try to add
> a new host it says "Unable to save - Failed to create testvm.server.com's
> realm entry: ERF12-5287 [ProxyAPI::ProxyException]: Unable to create realm
> entry ([RestClient::BadRequest]: 400 Bad Request) for proxy
> https://puppetmaster.server.com:8443/realm/SERVER.COM."
>
> Does anyone have any ideas on what I can do to fix this? I can post any logs
> that I have, but I do not know which are relevant to this issue.

Could this be the dreaded expiration of the FreeIPA CA subsystem certificates? I would suggest logging in to FreeIPA CA servers and running

# getcert list

and giving us the output.
https://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates

Thanks,
Martin

From sbose at redhat.com Wed Jun 3 07:46:05 2015
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 3 Jun 2015 09:46:05 +0200
Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines?
In-Reply-To: <20150603062919.GB9862@mail.corp.redhat.com>
References: <20150603062919.GB9862@mail.corp.redhat.com>
Message-ID: <20150603074605.GT3943@p.redhat.com>

On Wed, Jun 03, 2015 at 08:29:20AM +0200, Lukas Slebodnik wrote:
> On (02/06/15 17:07), swartz wrote:
> >I have a environment that spans across multiple physical locations where
> >there is a mix of Linux and Solaris workstations/servers. So far we've been
> >managing accounts (/etc/password) via Puppet.
> >
> >Problem: FreeIPA allows to store only one homedir path.
> >Q: Is there a way to store/set a different home path based on the system
> >that the user is logged into?
> >
> sssd configuration is quite flexible in this way.
> You can override homedir with configuration option
> man sssd.conf -> "override_homedir"
>
> However sssd is available just on linux (or FreeBSD)
> I'm not sure which clients do you use on Solaris or other
> old system, maybe there is a way how to override homedir as well.
> Or you can configure home directory attribute to the non-existing
> attribute in FreeIPA and use some fallback (if possible)
>
> >As an example, I have user Bob.
> >On a Linux box Bob has homedir at /home/b/bob
>                                          ^
> Unfortunatelly, there's no way how to say
> sssd to use just first letter from name.
> >On a Solaris this is likely /export/home/bob
> >While on some other odd system it could be /mnt/nas/users/bob
> Different "prefix" for homedir "/export/home", "/home", "/mnt/nas/users"
> could be addresed with the option homedir_substring in sssd conf.
> https://fedorahosted.org/sssd/ticket/1853
>
> So you could store "%H" in ldap attribute,
> but clients need to understand such value.
> (sssd >= 1.11.6). I'm not sure about other clients. As an alternative since version 4.1 FreeIPA has a feature called idviews which can be used to override home-directories for a group of hosts. See e.g. http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust or http://blog.delouw.ch/2015/04/06/migrating-legacy-servers-to-freeipa-authentication-using-id-views/ for details and how to use it. HTH bye, Sumit > > LS > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From jhrozek at redhat.com Wed Jun 3 07:48:09 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 3 Jun 2015 09:48:09 +0200 Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved In-Reply-To: <556EAE04.3030704@redhat.com> References: <556EAE04.3030704@redhat.com> Message-ID: <20150603074809.GR2805@hendrix> On Wed, Jun 03, 2015 at 09:34:28AM +0200, Martin Kosek wrote: > On 06/02/2015 06:15 PM, Christopher Lamb wrote: > > > > Hi > > > > Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause > > of this problem. Let's call them HOST09 and HOST10 > > > > Both are mimimum installs of EL7.1, with NTPD installed and configured. > > > > HOST09 had ipa-client 4.1 installed via yum, and was configured to use our > > new FreeIPA 4.1 server, right from the start. --> My FreeIPA user > > authenticates successfully against this machine. > > > > HOST10 had ipa-client 4.1 installed as a dependency of one of our standard > > config packages, and was first set to use our old FreeIPA 3.3.3 server. --> > > My FreeIPA user authenticates successfully. against this machine. > > > > I then de-registered HOST10 from the FreeIPA 3.1 server, and registered > > against the new FreeIPA 4.1 server --> My FreeIPA users does NOT > > authenticate successfully. 
> > > > This replicates well the behaviour I saw with my production servers, namely > > a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1 > > FreeIPA server authenticate properly. > > > > b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3 > > FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT > > authenticate properly > > > > Chris > > Hello, > > This is really strange. What I do not fully understand is what is the > "registration against a FreeIPA server". What server you install IPA client > should matter if the deployment is set up properly. The host enrollment entry > should simply replicate to whole infrastructure. The only thing that will > probably differ is sssd.conf and krb5.conf as they will have different primary > server set up, based on what your DNS setup is. > > It rather seems that the "reregistration" is what causes the issue. It looks > like something cleanup problem during the process. I will let Jakub to help > here, I would suggest including the SSSD logs from the failed login, it may help. In another thread (not sure if public or not, there was many emails from Christoper recently), we advised to clean the cache after reinstall/register. From christopher.lamb at ch.ibm.com Wed Jun 3 08:30:22 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Wed, 3 Jun 2015 10:30:22 +0200 Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved In-Reply-To: <556EAE04.3030704@redhat.com> References: <556EAE04.3030704@redhat.com> Message-ID: Hi all This is a quick(ish) note to bring everybody up to speed on this issue. Yesterday we had some private mail exchange on this issue as I did not wish to broadcast the krb5 and ipa install logs to the user list. The basic situation is that we are in the process of migrating from an FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). 
As discussed in a thread some weeks ago we did not do this by replicating (as
perhaps we should have done). Instead we migrated the users across.

We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to the
old KDC. We are now in the process of migrating these hosts to the new 4.1
KDC.

Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these joining to
the new KDC was trouble free, taking a few minutes each. After joining the
new KDC FreeIPA users authenticated properly.

We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were
joined direct to the new 4.1 KDC, never having been joined to the 3.3.3 KDC.
These were also trouble free.

The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1 hosts
that were originally joined to the 3.3.3 KDC, and must be moved to join the
4.1 KDC. These machines no longer authenticate valid FreeIPA users. I have
been able to reproduce this behaviour with a freshly setup VM joined first
to the 3.3.3 KDC, then moved to the 4.1 KDC.

While the errors shown in the krb5 child logs indicate that the password is
incorrect, the same user / password is happily accepted by all the other
hosts.

It seems that in the process of moving / migrating the EL 7.1 / ipa-client
4.1 from the old KDC to the new KDC, "something" is left behind that causes
problems. We have seen indications in the install logs that the kinit steps
called during ipa-client install are getting responses from the wrong (old)
KDC, and not from the new KDC.

Frustratingly, over the weekend I managed to get one of the problem EL 7.1
boxes to work. However I can't work out exactly what it was that I did that
did the trick. However it seems that some kind of major de-install /
cleanup + reinstall of the ipa-client may be needed.

Rob has suggested that as part of such a cleanup I should do
"rm -f /var/lib/sssd/db/*". I will test this later today and report back.

Thanks to Rob, Jakub, Martin, Alexander et al for their help and
suggestions so far.

Chris



From:	Martin Kosek
To:	Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com, Jakub Hrozek
Date:	03.06.2015 09:34
Subject:	Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved



On 06/02/2015 06:15 PM, Christopher Lamb wrote:
>
> Hi
>
> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause
> of this problem. Let's call them HOST09 and HOST10
>
> Both are minimum installs of EL7.1, with NTPD installed and configured.
>
> HOST09 had ipa-client 4.1 installed via yum, and was configured to use our
> new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
> authenticates successfully against this machine.
>
> HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
> config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
> My FreeIPA user authenticates successfully against this machine.
>
> I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
> against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
> authenticate successfully.
>
> This replicates well the behaviour I saw with my production servers, namely
> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
> FreeIPA server authenticate properly.
>
> b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
> FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
> authenticate properly
>
> Chris

Hello,

This is really strange. What I do not fully understand is what is the
"registration against a FreeIPA server". What server you install IPA client
should matter if the deployment is set up properly. The host enrollment entry
should simply replicate to whole infrastructure. The only thing that will
probably differ is sssd.conf and krb5.conf as they will have different
primary server set up, based on what your DNS setup is.
It rather seems that the "reregistration" is what causes the issue. It looks
like some cleanup problem during the process. I will let Jakub help here, I
would suggest including the SSSD logs from the failed login, it may help.

>
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52
> -----
>
> From:	Christopher Lamb/Switzerland/IBM at IBMCH
> To:	Jakub Hrozek
> Cc:	freeipa-users at redhat.com
> Date:	02.06.2015 10:40
> Subject:	Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> Sent by:	freeipa-users-bounces at redhat.com
>
>
>
> Hi Jakub
>
> Yes root login works, that's how I've been getting into the box.
>
> Surprisingly, kinit with my user seems to work on that box. After entering
> my password when prompted, it returns to the commandline without error.
>
> However if I try kinit with another FreeIPA user, then instead of prompting
> for a password, it gives "Generic preauthentication failure while getting
> initial credentials" error.
>
> Having set debug_level=10, when I try and ssh in with my FreeIPA user, I
> find errors like
>
> "Retrieving host .... with result: .. Matching credential not found"
>
> "Received error from KDC ... Additional pre-authentication required"
>
> "Received error from KDC... Decrypt integrity check failed"
>
> "Received error code 1432158219"
>
> Cheers
>
> Chris
>
>
>
> From:	Jakub Hrozek
> To:	Christopher Lamb/Switzerland/IBM at IBMCH
> Cc:	freeipa-users at redhat.com
> Date:	02.06.2015 09:50
> Subject:	Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>
>
>
> On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
>> Hi Jakub
>>
>> The same user / password works with all our FreeIPA hosts - just this one
>> box is the problem. So the password should be good. Of course a typo is
>> always possible (especially for strong passwords), but I have tried many
>> times which should eliminate the odd password typo. The user / password
>> should also be good for both the old and the new FreeIPA Server.
>
> Interesting, can you add debug_level=10 to the domain section of
> sssd.conf? Then krb5_child.log should show Kerberos tracing info
> including which exact KDC SSSD was talking to.
>
>>
>> As I can neither log in direct, or via ssh to this box with my FreeIPA
>> user, I assume kinit with my user won't work - I will try later in the
>> day.
>
> Well, login as a UNIX user (root) should work..
>
>>
>> My working assumption is that the problem is related in some way to the
>> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
>> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
>> throwaway EL 7.1 VMs to better test this. On one I will first install
>> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
>> client.
>>
>> Cheers
>>
>> Chris
>>
>>
>>
>> From:	Jakub Hrozek
>> To:	freeipa-users at redhat.com
>> Date:	02.06.2015 09:22
>> Subject:	Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>> Sent by:	freeipa-users-bounces at redhat.com
>>
>>
>>
>> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
>>>
>>> Hi All
>>>
>>> Bad news.
>>>
>>> Over the weekend I was able to get the original problem EL7.1 / FreeIPA
>>> 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
>>> remote login with FreeIPA user and password).
>>>
>>> Today I tried a second machine, and had the same problem, ssh connections
>>> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity
>>> check failed"
>>
>> This really just means wrong password, can you kinit as that user using
>> the same password?
>>
>>>
>>> Ahh I thought, I have a solution for that: just remove ipa-client and
>>> reinstall via yum, register with the new FreeIPA server ....
>>>
>>> Only with this second machine I still can't ssh in with a FreeIPA user.
>>> Argg.....
>>>
>>> b.t.w, as this machine is a real physical server, I was able to try
>>> logging in direct with my FreeIPA user --> "Authentication Failure"
>>>
>>> I now have
>>> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
>>>   FreeIPA server to the new without a hitch (i.e. they successfully
>>>   authenticate FreeIPA users.)
>>> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
>>>   with problems
>>> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts
>>>   to authenticate with a FreeIPA user
>>> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
>>>   FreeIPA server, and successfully authenticates FreeIPA users.
>>>
>>> Any ideas?
>>>
>>> Chris
>>>
>>>
>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17
>>> -----
>>>
>>> From:	Christopher Lamb/Switzerland/IBM at IBMCH
>>> To:	Alexander Bokovoy, freeipa-users at redhat.com
>>> Date:	30.05.2015 18:52
>>> Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
>>> Sent by:	freeipa-users-bounces at redhat.com
>>>
>>>
>>>
>>> Hi All
>>>
>>> It gives me pleasure to report the problem is solved - a minute ago I was
>>> able to login via ssh with my FreeIPA user to the problem server, while
>>> sitting on my terrace with a glass of wine!
>>>
>>> Thanks to Alexander for his helpful advice - we had some mail exchange
>>> outside the user list as I did not wish to broadcast content of keys,
>>> config files etc.
>>>
>>> Regardless of what I did with commands like klist, kvno everything seemed
>>> "ok", but I still could not ssh in. Even a ipa-getkeytab did not help.
>>>
>>> Therefore I decided to opt for brute force and (partial) ignorance. I
>>> completely uninstalled the FreeIPA client, and then reinstalled,
>>> configured - et voilà I could ssh in!
>>>
>>> This leaves the enigma: what caused the problem? I suspect the following:
>>>
>>> The host is an EL 7.1, but the first FreeIPA client installed was version
>>> 3.3.3 (installed as set of standard packages that we bung on all our
>>> servers).
>>>
>>> This worked fine to authenticate against our "old" 3.x FreeIPA server, but
>>> did not work against the "new" 4.1 FreeIPA Server.
>>>
>>> When I realised I could not ssh in, one of the first things I did was to
>>> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
>>> The solution was to yum remove the FreeIPA client, then yum install the
>>> 4.1 client.
>>>
>>> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed,
>>> so it will be interesting to see if the problem can be reproduced.
>>>
>>> Keep up the good work,
>>>
>>> Chris
>>>
>>>
>>>
>>> From:	Alexander Bokovoy
>>> To:	Christopher Lamb/Switzerland/IBM at IBMCH
>>> Cc:	freeipa-users at redhat.com
>>> Date:	29.05.2015 18:04
>>> Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
>>>
>>>
>>>
>>> On Fri, 29 May 2015, Christopher Lamb wrote:
>>>>
>>>> Hi All
>>>>
>>>> Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to
>>>> replace the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully
>>>> migrated across the users.
>>>>
>>>> We have 50 odd Servers that are FreeIPA clients. Today I started
>>>> migrating these one-by-one from the old FreeIPA 3.x server to the new
>>>> FreeIPA 4 server by doing an ipa-client-install --uninstall from the old,
>>>> and ipa-client-install to register with the new 4.1.0 server.
>>>>
>>>> Most of the FreeIPA clients are running OEL 6.5, and for these the
>>>> migration process above worked perfectly. After migrating the server, I
>>>> could ssh in with my FreeIPA user.
>>>>
>>>> Then I migrated an OEL 7.1 server. The migration itself seemed to work,
>>>> and getent passwd was successful for my FreeIPA user. However when I try
>>>> and ssh in, my FreeIPA user / password is not accepted.
>>>>
>>>> Before the migration I could ssh into the problem server (though
>>>> evidently it was using my FreeIPA user from the old FreeIPA server).
>>>>
>>>> I can ssh in with a local (non ldap) user, so ssh is running and working.
>>>>
>>>> From user root I can successfully su to my FreeIPA user.
>>>>
>>>> Further investigation showed that version of ipa-client installed was
>>>> 3.3.3, so I yum updated this to 4.1.0.
>>>>
>>>> However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>>>> same user continues to work for the 6.5 boxes.
>>>>
>>>> A colleague tried to ssh in with his FreeIPA user, and was also rejected,
>>>> so the problem is not my user, but is probably for all FreeIPA users.
>>>>
>>>> A failed ssh login attempt causes the following error in /var/log/messages
>>>>
>>>> [sssd[krb5_child[5393]]]: Decrypt integrity check failed
>>> It means /etc/krb5.keytab contains keys from older system and SSSD
>>> picks them up.
>>> Can you show output of 'klist -kKet'?
>>> --
>>> / Alexander Bokovoy

From mkosek at redhat.com Wed Jun 3 08:39:35 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 03 Jun 2015 10:39:35 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
In-Reply-To:
References: <556EAE04.3030704@redhat.com>
Message-ID: <556EBD47.6090909@redhat.com>

On 06/03/2015 10:30 AM, Christopher Lamb wrote:
> Hi all
>
> This is a quick(ish) note to bring everybody up to speed on this issue.
> Yesterday we had some private mail exchange on this issue as I did not wish
> to broadcast the krb5 and ipa install logs to the user list.
>
> The basic situation is that we are in the process of migrating from a
> FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As discussed
> in a thread some weeks ago we did not do this by replicating (as perhaps we
> should have done). Instead we migrated the users across.
>
> We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to
> the old KDC. We are now in the process of migrating these hosts to the new
> 4.1 KDC.
>
> Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these joining
> to the new KDC was trouble free, taking a few minutes each. After joining
> the new KDC FreeIPA users authenticated properly.
>
> We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were
> joined direct to the new 4.1 KDC, never having been joined to the 3.3.3
> KDC. These were also trouble free.
>
> The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1 hosts
> that were originally joined to the 3.3.3 KDC, and must be moved to join the
> 4.1 KDC. These machines no longer authenticate valid FreeIPA users. I have
> been able to reproduce this behaviour with a freshly setup VM joined first
> to the 3.3.3 KDC, then moved to the 4.1 KDC.
>
> While the errors shown in the krb5 child logs indicate that the password is
> incorrect, the same user / password is happily accepted by all the other
> hosts.
>
> It seems that in the process of moving / migrating the EL 7.1 / ipa-client
> 4.1 from the old KDC to the new KDC, "something" is left behind that causes
> problems. We have seen indications in the install logs that the kinit steps
> called during ipa-client install are getting responses from the wrong (old)
> KDC, and not from the new KDC.
>
> Frustratingly, over the weekend I managed to get one of the problem EL 7.1
> boxes to work. However I can't work out exactly what it was that I did that
> did the trick. However it seems that some kind of major de-install /
> cleanup + reinstall of the ipa-client may be needed.
>
> Rob has suggested that as part of such a cleanup I should do
> "rm -f /var/lib/sssd/db/*". I will test this later today and report back.
>
> Thanks to Rob, Jakub, Martin, Alexander et al for their help and
> suggestions so far.
>
> Chris

Thanks for the background. The pain you are getting is exactly the reason
why migration via replication to RHEL-7.1 is a better choice :-)

Please let us know the result, I am curious how this works out.
>>>> -- >>>> / Alexander Bokovoy >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> >> > From mkosek at redhat.com Wed Jun 3 08:52:15 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 03 Jun 2015 10:52:15 +0200 Subject: [Freeipa-users] ipa-client-install remove the passwordless connection with root In-Reply-To: References: <556EAF42.3000403@redhat.com> Message-ID: <556EC03F.408@redhat.com> Thanks for the update. Adding mailing list back, to be aware of the results. Given this description, I wonder if this is hitting https://bugzilla.redhat.com/show_bug.cgi?id=1201454 that is planned to be fixed in the next RHEL-6 minor version. On 06/03/2015 10:46 AM, bahan w wrote: > Hello again. > > The problem was coming from the sshd_config file. > The parameter PubkeyAuthentication=yes was placed after the parameter > PasswordAuthentication=yes. > I uncommented the PubkeyAuthentication=yes before the PasswordAuthentication > and now it works. > > The problem is solved. > > Best regards. > > Bahan > > > On Wed, Jun 3, 2015 at 10:05 AM, bahan w wrote: > >> Hello Martin. >> >> Unfortunately for me, I cannot migrate OS so I need to make it work with >> RHEL 6.4. :-( >> >> Best regards.
>> On 3 June 2015 at 09:39, "Martin Kosek" wrote: >> >>> On 06/02/2015 06:27 PM, bahan w wrote: >>>> Hello ! >>>> >>>> I send you this mail because I have a problem linked with SSH and >>> FreeIPA. >>>> >>>> I have multiple servers : >>>> - One with FreeIPA server 3.0.0-26 >>>> - The others with FreeIPA client 3.0.0-26 >>>> >>>> They are running on RHEL 6.4. >>>> >>>> I configured a root user on each of them. >>>> On one specific server, I created an rsa key in order to connect >>>> passwordlessly from a specific server to all the others >>>> #### >>>> ssh-keygen -t rsa >>>> #### >>>> >>>> I distributed the public key on all the others : >>>> #### >>>> for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub >>>> $i:/root/.ssh/authorized_keys; done >>>> #### >>>> >>>> Once it was done, I modified the rights on these files : >>>> #### >>>> for i in ${my_server_list}; do ssh $i "chmod 644 >>>> /root/.ssh/authorized_keys"; done >>>> #### >>>> >>>> And I was able to connect to all these servers without entering a >>> password. >>>> The system was working well. >>>> >>>> When I installed ipa-server on a specific server, this connection with >>> the >>>> RSA key was not possible anymore. >>>> Each time I tried to connect to the server through SSH, it keeps asking >>> me >>>> for a password. >>>> I tried to install the ipa-client on another server to just check if I >>> had >>>> the same behaviour and indeed, each time I run ipa-client-install, I >>> can't >>>> connect passwordlessly with root anymore. >>> >>> Hello, >>> >>> SSH with key with root account should work, SSSD (or the SSH public key >>> tools) >>> should not interfere with root user account at all. What I would suggest >>> is to >>> try some newer version of sssd+ipa-client, RHEL-6.4 is quite old >>> already. >>> RHEL-6.6 (or even RHEL-7.1) would be a better starting point.
>>> >> > From coy.hile at coyhile.com Wed Jun 3 12:54:16 2015 From: coy.hile at coyhile.com (Coy Hile) Date: Wed, 03 Jun 2015 12:54:16 +0000 Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines? Message-ID: <20150603125416.Horde.dy71prfsSoKbErA1-dpjYQ4@webmail01.coyhile.com> For Solaris, just use the standard automounter config in auto_home: * ?/export/home/& Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone -------- Original message -------- From: Lukas Slebodnik Date: 06/03/2015 02:29 (GMT-05:00) To: netvent at gmail.com Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] How to handle users with multiple homedirs on different machines? > On (02/06/15 17:07), swartz wrote: >> I have an environment that spans across multiple physical locations where >> there is a mix of Linux and Solaris workstations/servers. So far we've been >> managing accounts (/etc/password) via Puppet. >> >> Problem: FreeIPA allows to store only one homedir path. >> Q: Is there a way to store/set a different home path based on the system >> that the user is logged into? >> > sssd configuration is quite flexible in this way. > You can override homedir with configuration option > man sssd.conf -> "override_homedir" > > However sssd is available just on linux (or FreeBSD) > I'm not sure which clients do you use on Solaris or other > old system, maybe there is a way how to override homedir as well. > Or you can configure home directory attribute to the non-existing > attribute in FreeIPA and use some fallback (if possible) > >> As an example, I have user Bob. >> On a Linux box Bob has homedir at /home/b/bob > ^ > Unfortunately, there's no way how to say > sssd to use just first letter from name.
>> On a Solaris this is likely /export/home/bob >> While on some other odd system it could be /mnt/nas/users/bob > Different "prefix" for homedir "/export/home", "/home", "/mnt/nas/users" > could be addressed with the option homedir_substring in sssd conf. > https://fedorahosted.org/sssd/ticket/1853 > > So you could store "%H" in ldap attribute, > but clients need to understand such value. > (sssd >= 1.11.6). I'm not sure about other clients. > > LS > From tobeychris at hotmail.com Wed Jun 3 14:12:31 2015 From: tobeychris at hotmail.com (Chris Tobey) Date: Wed, 3 Jun 2015 10:12:31 -0400 Subject: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) In-Reply-To: <556EB023.2070007@redhat.com> References: <556EB023.2070007@redhat.com> Message-ID: Hi Martin, Thank you for the response. Here is what I can see on my FreeIPA server (I replaced my server name with server.com): [Wed Jun 03 10:05:36:..//var/lib/pki-ca]$ ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) [Wed Jun 03 10:05:47:..//var/lib/pki-ca]$ getcert list Number of certificates and requests being tracked: 8.
Request ID '20150407214802': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='303912620731' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=CA Audit,O=SERVER.COM expires: 2017-03-27 21:47:14 UTC key usage: digitalSignature,nonRepudiation pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150407214803': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='303912620731' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=OCSP Subsystem,O=SERVER.COM expires: 2017-03-27 21:47:13 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: id-kp-OCSPSigning pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150407214804': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='303912620731' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=CA Subsystem,O=SERVER.COM expires: 2017-03-27 21:47:14 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150407214805': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=IPA RA,O=SERVER.COM expires: 2017-03-27 21:48:00 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150407214806': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='303912620731' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=chimera.server.com,O=SERVER.COM expires: 2017-03-27 21:47:14 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150407214820': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-BURLINGTON-EVERTZ-TV',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=chimera.server.com,O=SERVER.COM expires: 2017-04-07 21:48:20 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150407214856': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=chimera.server.com,O=SERVER.COM expires: 2017-04-07 21:48:55 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150407215219': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=chimera.server.com,O=SERVER.COM expires: 2017-04-07 21:52:19 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Here is what I can see on my Puppet Master (single server that hosts foreman, puppet, and everything related to them). [Wed Jun 03 10:08:07:~]$ getcert list Number of certificates and requests being tracked: 1.
Request ID '20150407223624': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - puppetmaster.server.com',token='NSS Certificate DB' certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - puppetmaster.server.com',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=SERVER.COM subject: CN=puppetmaster.server.com,O=SERVER.COM expires: 2017-04-07 22:36:24 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes From here the status shows as MONITORING, which is what I think it is supposed to show, and they do not expire until 2017. Thanks, -Chris Tobey -----Original Message----- From: Martin Kosek [mailto:mkosek at redhat.com] Sent: June-03-15 3:44 AM To: Chris Tobey; freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) On 06/02/2015 10:10 PM, Chris Tobey wrote: > Hi everyone, > > > > This is my first time posting here - please be gentle. Ok :-) > I currently have ~40 CentOS 6.6 servers authenticating against my > FreeIPA server running on another CentOS 6.6 server. > (ipa-server-3.0.0-42.el6.centos.x86_64 and > ipa-client-3.0.0-42.el6.centos.x86_64) The server has been running > stable for the last ~4 months without issue, slowly building up from > five servers to the current forty. This server is paired with a > puppet/foreman server to manage the servers themselves. > > > > I am having an issue with my FreeIPA server and I cannot figure out > what is going wrong. As of right now all 40 servers can still > authenticate without issue, so that is good.
> > > > My issue is similar to what I saw here: > https://www.redhat.com/archives/freeipa-users/2011-November/msg00125.html > where I receive a pop-up error "IPA Error 4301: Certificate > operation cannot be completed: Unable to communicate with CMS (Not > Found)". The issue described at the above link is fairly old, and I > checked my .jar symlinks and they appear to all be ok. The pop-up > appears when I go to Identity > Hosts > and click on a host. The host > information appears to all be correct, and if I make changes the error > appears again, but the changes seem to take effect (tested changing a > host description). > > > > The failures prevent me from adding new hosts in Foreman. When I try > to add a new host it says "Unable to save - Failed to create > testvm.server.com's realm entry: ERF12-5287 > [ProxyAPI::ProxyException]: Unable to create realm entry > ([RestClient::BadRequest]: 400 Bad Request) for proxy https://puppetmaster.server.com:8443/realm/SERVER.COM." > > > > Does anyone have any ideas on what I can do to fix this? I can post > any logs that I have, but I do not know which are relevant to this issue. Could this be the dreaded expiration of the FreeIPA CA subsystem certificates? I would suggest logging in to the FreeIPA CA servers and running # getcert list and giving us the output. https://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates Thanks, Martin From lslebodn at redhat.com Wed Jun 3 15:32:24 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 3 Jun 2015 17:32:24 +0200 Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines?
In-Reply-To: <20150603125416.Horde.dy71prfsSoKbErA1-dpjYQ4@webmail01.coyhile.com> References: <20150603062919.GB9862@mail.corp.redhat.com> <20150603125416.Horde.dy71prfsSoKbErA1-dpjYQ4@webmail01.coyhile.com> Message-ID: <20150603153223.GA25346@mail.corp.redhat.com> On (03/06/15 12:54), Coy Hile wrote: > > >For Solaris, just use the standard automounter config in auto_home: >* ?/export/home/& I thought that automount and "getent passwd user" are two different things on Solaris (the same as on Linux) LS From coy.hile at coyhile.com Wed Jun 3 15:54:42 2015 From: coy.hile at coyhile.com (Coy Hile) Date: Wed, 03 Jun 2015 15:54:42 +0000 Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines? Message-ID: <20150603155442.Horde.fgkrr2jAT1lyad6c3pS-7Q8@webmail01.coyhile.com> They are, but a correct automounter config will allow you to keep the attribute as /home/jdoe notwithstanding the OS. Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone -------- Original message -------- From: Lukas Slebodnik Date: 06/03/2015 11:32 (GMT-05:00) To: coy.hile at coyhile.com Cc: freeipa-users at redhat.com, netvent at gmail.com Subject: Re: [Freeipa-users] How to handle users with multiple homedirs on different machines? > On (03/06/15 12:54), Coy Hile wrote: >> >> >> For Solaris, just use the standard automounter config in auto_home: >> * ?/export/home/& > I thought that automount and "getent passwd user" > are two different things on Solaris (the same as on Linux) > > LS > From t.sailer at alumni.ethz.ch Wed Jun 3 16:33:22 2015 From: t.sailer at alumni.ethz.ch (Thomas Sailer) Date: Wed, 03 Jun 2015 18:33:22 +0200 Subject: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches In-Reply-To: <556C8D76.1040307@alumni.ethz.ch> References: <55689A7D.30707@alumni.ethz.ch> <556C0F38.3010909@redhat.com> <556C8D76.1040307@alumni.ethz.ch> Message-ID: <556F2C52.6090606@alumni.ethz.ch> I have now managed to upgrade the replica as well.
I stumbled over a few additional problems: 1) whenever a user becomes member of a group with +nsuniqueid= in its name, the user can no longer login. The reason is that ldb_dn_validate doesn't like the + character, thus returns false, which causes get_ipa_groupname to return EINVAL, which causes the loop in hbac_eval_user_element to abort and return an error. This seems to be quite draconian. Does it have to be like this? If so it would be nice if a clearer error message would be left somewhere more obvious than sssd -d 0xffff... 2) I cannot change ssh keys, neither in the web gui nor on the cli. # ipa -vv user-mod myuserid --sshpubkey= --all ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json ipa: INFO: Request: { "id": 0, "method": "ping", "params": [ [], {} ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "admin at XXXXX.COM", "result": { "messages": [ { "code": 13001, "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.114", "name": "VersionMissing", "type": "warning" } ], "summary": "IPA server version 4.1.4. API version 2.114" }, "version": "4.1.4" } ipa: INFO: Forwarding 'user_mod' to json server 'https://xxxxxserver.xxxxx.com/ipa/json' ipa: INFO: Request: { "id": 0, "method": "user_mod", "params": [ [ "t.sailer" ], { "all": true, "ipasshpubkey": null, "no_members": false, "random": false, "raw": false, "rights": false, "version": "2.114" } ] } ipa: INFO: Response: { "error": { "code": 4203, "message": "Type or value exists: ", "name": "DatabaseError" }, "id": 0, "principal": "admin at XXXXX.COM", "result": null, "version": "4.1.4" } ipa: ERROR: Type or value exists: I cannot find any more information in /var/log/httpd/error_log. But I can change the SSH keys directly talking to slapd... 3) Is [global] debug=True in /etc/ipa/ipa.conf supposed to change /var/log/httpd/error_log output? I cannot see any change... 
Thomas From nathan at nathanpeters.com Wed Jun 3 16:40:10 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Wed, 3 Jun 2015 09:40:10 -0700 Subject: [Freeipa-users] Could not update DNSSSHFP records when joining domain Message-ID: <737a0e7798e8ab51d4eef4eb5359a976.squirrel@webmail.nathanpeters.com> I am running FreeIPA 4.1.3 on CentOS7. I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42. The client hostname is ipaclient.login.mydomain.net. The FreeIPA domain is mydomain.net. This post here : https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html states that making all dns entries into a single zone rather than having a separate zone for login.mydomain.net is a perfectly acceptable design choice. However, an issue occurs when joining the client. It joins to the domain fine and creates the initial DNS A entry, but then according to the logs, when it goes to update the DNSSSHFP records, it fails because it tries to update the nonexistent zone login.mydomain.net instead of just updating mydomain.net. To be clear, the SSH host keys are in the client record so the only issue is with adding them to DNS Here are the relevant log entries generated with ipa-client-install: 2015-06-03T16:11:12Z DEBUG stderr= 2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt: 2015-06-03T16:11:12Z DEBUG zone login.mydomain.net. update delete ipaclient.login.mydomain.net. IN SSHFP send update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60 update add ipaclient.login.mydomain.net. 
1200 IN SSHFP 2 1 11D3F076F616F02AD74BFF4D48E8BBA239063E8F send 2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2015-06-03T16:11:13Z DEBUG stdout= 2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH update failed: NOTAUTH 2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2 2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records. From nathan at nathanpeters.com Wed Jun 3 16:57:29 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Wed, 3 Jun 2015 09:57:29 -0700 Subject: [Freeipa-users] sssd not caching public keys in sss_authorized_keys file In-Reply-To: <20150603061430.GA9862@mail.corp.redhat.com> References: <5e7fa79f4ffe1249c0761ce3b9966038.squirrel@webmail.nathanpeters.com> <20150603061430.GA9862@mail.corp.redhat.com> Message-ID: Comments inline > On (02/06/15 15:25), nathan at nathanpeters.com wrote: >>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client >> is >>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30). >> >>I have created a user in FreeIPA and he has access to a server through >>HBAC rules. This user has created a public / private keypair and >> uploaded >>the public key from his personal machine to the IPA server so it shows up >>in his user record. The record was saved and he successfully logged into >>the IPA client using the keys. >> >>According to the docs here (Yes, I know it's a little old but I could not >>find any newer info that conflicted with this) : >>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html >> > As you already noticed, it is quite old documentation. > >>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in the >>standard authorized keys format. >> > There's a bug in the documentation.
> >>However, when he logs in, there is no sss_authorized_keys file created >> and >>as far as I can tell, the key is never cached in his account. >> > The better test would be to authenticate with ssh keys online, > so they can be fetched from FreeIPA > then block connection to FreeIPA (simulate offline state) > and re-test one more time. Ok, so I looked at the newer documentation you linked below (RH7 version) and it makes the exact same statement "Stores the user key in a custom file, .ssh/sss_authorized_keys, in the standard authorized keys format. " Are you saying the newer documentation is also bugged? Unfortunately, that type of test will not be conclusive for the people I am trying to convince. They want me to actually show them the file on disk where that thing is cached to prove that if the machine was rebooted, and the ipa connection is lost, that key was not only in memory somewhere but actually saved to storage. > >>How do I get the keys to actually save on login like the manual says? > Keys are already cached in a different file > /var/lib/sss/pubconf/known_hosts. > @see rhel7 documentation [1] The known_hosts file does not sound like the right place. It has a completely different function of caching host keys for when I make an outgoing connection from the server for the purpose of verifying someone is not spoofing a host, not for caching individual user keys for passwordless login for when I'm trying to make an ingoing connection to the server. In addition, you can see from my search below that there is no sss_authorized_keys file anywhere on the server and that the known_hosts file you referenced has no data in it because it is zero size. [root at ipaclient sss]# find / -name sss_authorized_keys [root at ipaclient sss]# cd pubconf [root at ipaclient pubconf]# ls -al total 16 drwxr-xr-x 3 root root 4096 Jun 3 16:42 . drwxr-xr-x 6 root root 4096 May 27 22:49 ..
-rw-r--r-- 1 root root 11 Jun 3 16:42 kdcinfo.MYDOMAIN.NET -rw-r--r-- 1 root root 0 Jun 2 16:05 known_hosts drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d [root at ipaclient pubconf]# So... I am still looking for the actual location on disk where this is apparently being cached and cannot find it. > > rhel7 documentation[1] should contain valid and recent information. > If you found any issues please report them. > > LS > > [1] > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#openssh-sssd-hosts > From simo at redhat.com Wed Jun 3 17:58:40 2015 From: simo at redhat.com (Simo Sorce) Date: Wed, 03 Jun 2015 13:58:40 -0400 Subject: [Freeipa-users] sssd not caching public keys in sss_authorized_keys file In-Reply-To: References: <5e7fa79f4ffe1249c0761ce3b9966038.squirrel@webmail.nathanpeters.com> <20150603061430.GA9862@mail.corp.redhat.com> Message-ID: <1433354320.3020.47.camel@willson.usersys.redhat.com> On Wed, 2015-06-03 at 09:57 -0700, nathan at nathanpeters.com wrote: > Comments inline > > > On (02/06/15 15:25), nathan at nathanpeters.com wrote: > >>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client > >> is > >>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30). > >> > >>I have created a user in FreeIPA and he has access to a server through > >>HBAC rules. This user has created a public / private keypair and > >> uploaded > >>the public key from his personal machine to the IPA server so it shows up > >>in his user record. The record was saved and he successfully logged into > >>the IPA client using the keys. > >> > >>According to the docs here (Yes, I know it's a little old but I could not > >>find any newer info that conflicted with this) : > >>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html > >> > > As you already noticed, it is quite old documentation.
> > > >>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in the > >>standard authorized keys format. > >> > > There's a bug in the documentation. > > > >>However, when he logs in, there is no sss_authorized_keys file created > >> and > >>as far as I can tell, the key is never cached in his account. > >> > > The better test would be to authenticate with ssh keys online, > > so they can be fetched from FreeIPA > > then block connection to FreeIPA (simulate offline state) > > and re-test one more time. > > Ok, so I looked at the newer documentation you linked below (RH7 version) > and it makes the exact same statement "Stores the user key in a custom > file, .ssh/sss_authorized_keys, in the standard authorized keys format. " > > Are you saying the newer documentation is also bugged? > > Unfortunately, that type of test will not be conclusive for the people I > am trying to convince. They want me to actually show them the file on > disk where that thing is cached to prove that if the machine was rebooted, > and the ipa connection is lost, that key was not only in memory somewhere > but actually saved to storage. > > > > >>How do I get the keys to actually save on login like the manual says? > > Keys are already cached in a different file > > /var/lib/sss/pubconf/known_hosts. > > @see rhel7 documentation [1] > > The known_hosts file does not sound like the right place. It has a > completely different function of caching host keys for when I make an > outgoing connection from the server for the purpose of verifying someone > is not spoofing a host, not for caching individual user keys for > passwordless login for when I'm trying to make an ingoing connection to > the server. > > In addition, you can see from my search below that there is no > sss_authorized_keys file anywhere on the server and that the known_hosts > file you referenced has no data in it because it is zero size.
> > [root at ipaclient sss]# find / -name sss_authorized_keys > [root at ipaclient sss]# cd pubconf > [root at ipaclient pubconf]# ls -al > total 16 > drwxr-xr-x 3 root root 4096 Jun 3 16:42 . > drwxr-xr-x 6 root root 4096 May 27 22:49 .. > -rw-r--r-- 1 root root 11 Jun 3 16:42 kdcinfo.MYDOMAIN.NET > -rw-r--r-- 1 root root 0 Jun 2 16:05 known_hosts > drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d > [root at ipaclient pubconf]# > > So... I am still looking for the actual location on disk that this is > apparently being cached and cannot find it. You won't find a "file" because user's public keys are not stored in a file. They are stored in the ldb cache with all other user information, and then extracted from the cache (or queried from the server if online and the cache is expired) on request. You can use the ldbsearch tool against the sssd ldb cache file and look for entries with the sshPublicKey attribute. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York From nathan at nathanpeters.com Wed Jun 3 18:48:43 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Wed, 3 Jun 2015 11:48:43 -0700 Subject: [Freeipa-users] sssd not caching public keys in sss_authorized_keys file In-Reply-To: <1433354320.3020.47.camel@willson.usersys.redhat.com> References: <5e7fa79f4ffe1249c0761ce3b9966038.squirrel@webmail.nathanpeters.com> <20150603061430.GA9862@mail.corp.redhat.com> <1433354320.3020.47.camel@willson.usersys.redhat.com> Message-ID: <2d120080e6862cd6694777e14dc6705b.squirrel@webmail.nathanpeters.com> > On Wed, 2015-06-03 at 09:57 -0700, nathan at nathanpeters.com wrote: >> Comments inline >> >> > On (02/06/15 15:25), nathan at nathanpeters.com wrote: >> >>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the >> client >> >> is >> >>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30). >> >> >> >>I have created a user in FreeIPA and he has access to a server through >> >>HBAC rules. 
This user has created a public / private keypair and >> >> uploaded >> >>the public key from his personal machine to the IPA server so it shows >> up >> >>in his user record. The record was saved and he successfully logged >> into >> >>the IPA client using the keys. >> >> >> >>According to the docs here (Yes, I know it's a little old but I could >> not >> >>find any newer info that conflicted with this) : >> >>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html >> >> >> > As you already noticed, it is quite old documentation. >> > >> >>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in >> the >> >>standard authorized keys format. >> >> >> > There's a bug in the documentation. >> > >> >>However, when he logs in, there is no sss_authorized_keys file created >> >> and >> >>as far as I can tell, the key is never cached in his account. >> >> >> > The better test would be to authenticate with ssh keys online, >> > so they can be fetched from FreeIPA >> > then block connection to FreeIPA (simulate offline state) >> > and re-test one more time. >> >> Ok, so I looked at the newer documentation you linked below (RH7 >> version) >> and it makes the exact same statement "Stores the user key in a custom >> file, .ssh/sss_authorized_keys, in the standard authorized keys format. >> " >> >> Are you saying the newer documentation is also bugged? >> >> Unfortunately, that type of test will not be conclusive for the people I >> am trying to convince. They want me to actually show them the file on >> disk where that thing is cached to prove that if the machine was >> rebooted, >> and the ipa connection is lost, that key was not only in memory >> somewhere >> but actually saved to storage. >> >> > >> >>How do I get the keys to actually save on login like the manual says? >> > Keys are already cached in a different file >> > /var/lib/sss/pubconf/known_hosts.
>> > @see rhel7 documentation [1]
>>
>> The known_hosts file does not sound like the right place. It has a
>> completely different function of caching host keys for when I make an
>> outgoing connection from the server for the purpose of verifying someone
>> is not spoofing a host, not for caching individual user keys for
>> passwordless login for when I'm trying to make an incoming connection to
>> the server.
>>
>> In addition, you can see from my search below that there is no
>> sss_authorized_keys file anywhere on the server and that the known_hosts
>> file you referenced has no data in it because it is zero size.
>>
>> [root at ipaclient sss]# find / -name sss_authorized_keys
>> [root at ipaclient sss]# cd pubconf
>> [root at ipaclient pubconf]# ls -al
>> total 16
>> drwxr-xr-x 3 root root 4096 Jun 3 16:42 .
>> drwxr-xr-x 6 root root 4096 May 27 22:49 ..
>> -rw-r--r-- 1 root root 11 Jun 3 16:42 kdcinfo.MYDOMAIN.NET
>> -rw-r--r-- 1 root root 0 Jun 2 16:05 known_hosts
>> drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
>> [root at ipaclient pubconf]#
>>
>> So... I am still looking for the actual location on disk that this is
>> apparently being cached and cannot find it.
>
> You won't find a "file" because user's public keys are not stored in a
> file.
> They are stored in the ldb cache with all other user information, and
> then extracted from the cache (or queried from the server if online and
> the cache is expired) on request.
>
> You can use the ldbsearch tool against the sssd ldb cache file and look
> for entries with the sshPublicKey attribute.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

Oh this is great information. Thank you.
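The following Python is an added example and not part of this thread or of sssd: it shows what Simo's ldbsearch advice turns up. The sysdb user entry carries one sshPublicKey value per key, and the script reads LDIF as ldbsearch prints it (folded continuation lines, "::" base64 values), then reconstructs authorized_keys lines for one user. The key blobs, user names and LDIF text are constructed for the example; the blobs have the real SSH wire layout (the type string comes first), which lets the script reject a cached value whose declared type does not match its blob rather than hand sshd a line it cannot use.

```python
import base64
import binascii
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a non-negative integer (leading 0x00 if the top bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed toy key blobs (not real keys). Only the layout matters here: the
# blob starts with the key type string, which check_key() compares to the
# declared type on the line.
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE0DDBA11)
ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
RSA_B64 = base64.b64encode(RSA_BLOB).decode()
ED_B64 = base64.b64encode(ED_BLOB).decode()

# Constructed ldbsearch-style output (assumed sysdb layout; not captured from a
# real cache): the RSA key line is folded, gecos is base64-encoded, and the
# third key of jdoe deliberately declares a type that does not match its blob.
SAMPLE_LDIF = f"""# record 1
dn: name=jdoe@mydomain.net,cn=users,cn=mydomain.net,cn=sysdb
name: jdoe@mydomain.net
sshPublicKey: ssh-rsa {RSA_B64[:20]}
 {RSA_B64[20:]} jdoe@laptop
sshPublicKey: ssh-ed25519 {ED_B64} jdoe@desk
sshPublicKey: ssh-ed25519 {RSA_B64} mislabelled

# record 2
dn: name=asmith@mydomain.net,cn=users,cn=mydomain.net,cn=sysdb
name: asmith@mydomain.net
gecos:: {base64.b64encode(b"Alice Smith").decode()}
sshPublicKey: ssh-ed25519 {ED_B64}

# returned 2 records
"""


def parse_ldif(text):
    """Parse LDIF as printed by ldbsearch into a list of {attr: [values]} dicts.

    Attribute names are lower-cased, continuation lines (leading space) are
    unfolded, '::' values are base64-decoded and '#' comment lines are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:  # the sentinel flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        cur.setdefault(attr.strip().lower(), []).append(value)
    return entries


def check_key(line: str) -> str:
    """Validate one OpenSSH public key line and return it normalised.

    The key type embedded in the blob must equal the declared type; bad base64,
    a truncated blob or a type mismatch raises ValueError.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed key line: {line!r}")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + n].decode("ascii")
    except (binascii.Error, struct.error, UnicodeDecodeError) as exc:
        raise ValueError(f"undecodable key blob: {exc}") from exc
    if len(blob) < 4 + n or embedded != ktype:
        raise ValueError(f"declared {ktype} but blob says {embedded!r}")
    return " ".join(p for p in (ktype, b64, comment) if p)


def authorized_keys_from_cache(ldif_text: str, user: str):
    """Return (accepted_lines, rejected) for the sysdb entry whose 'name' is user."""
    accepted, rejected = [], []
    for entry in parse_ldif(ldif_text):
        if entry.get("name", [""])[0] != user:
            continue
        for key in entry.get("sshpublickey", []):
            try:
                accepted.append(check_key(key))
            except ValueError as exc:
                rejected.append((key, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = authorized_keys_from_cache(SAMPLE_LDIF, "jdoe@mydomain.net")
    print("\n".join(ok))
    for _key, why in bad:
        print(f"# rejected: {why}")
```

On a real client the input would be the output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb sshPublicKey` run as root; the script deliberately validates each value before emitting it, since a cache entry is data, not something sshd has already checked.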
It appears that the documentation should state that the user keys are
cached not in .ssh/sss_authorized_keys but actually in
/var/lib/sss/db/cache_yourdomain.ldb, as I was able to search and
successfully find the user key by running
'ldbsearch -H cache_mydomain.net.ldb sshPublicKey'.

From nathan at nathanpeters.com Wed Jun 3 20:59:43 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Wed, 3 Jun 2015 13:59:43 -0700
Subject: [Freeipa-users] Could not update DNSSSHFP records when joining domain
In-Reply-To: <737a0e7798e8ab51d4eef4eb5359a976.squirrel@webmail.nathanpeters.com>
References: <737a0e7798e8ab51d4eef4eb5359a976.squirrel@webmail.nathanpeters.com>
Message-ID: <1fdaaee7c22e638d2a2c825409981bea.squirrel@webmail.nathanpeters.com>

> I am running FreeIPA 4.1.3 on CentOS7.
>
> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
>
> The client hostname is ipaclient.login.mydomain.net.
>
> The FreeIPA domain is mydomain.net.
>
> This post here:
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html
> states that making all dns entries into a single zone rather than having a
> separate zone for login.mydomain.net is a perfectly acceptable design
> choice.
>
> However, an issue occurs when joining the client. It joins to the domain
> fine and creates the initial DNS A entry, but then according to the logs,
> when it goes to update the DNSSSHFP records, it fails because it tries to
> update the nonexistent zone login.mydomain.net instead of just updating
> mydomain.net. To be clear, the SSH host keys are in the client record so
> the only issue is with adding them to DNS.
>
> Here are the relevant log entries generated with ipa-client-install:
>
> 2015-06-03T16:11:12Z DEBUG stderr=
> 2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to
> /etc/ipa/.dns_update.txt:
> 2015-06-03T16:11:12Z DEBUG zone login.mydomain.net.
> update delete ipaclient.login.mydomain.net. IN SSHFP
> send
> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1
> 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60
> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1
> 11D3F076F616F02AD74BFF4D48E8BBA239063E8F
> send
>
> 2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt
> 2015-06-03T16:11:13Z DEBUG stdout=
> 2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
> update failed: NOTAUTH
>
> 2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 2
> 2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.
>

Here are some more entries from /var/named/data/named.run. You'll notice
in the first set of entries, I added the hosts with the incorrect subdomain
set and it worked fine. In the second set, I gave the correct hostnames
and even though it claims it's still trying to update the mydomain.net
file it says it's not authorized. I am thoroughly confused by this
behavior.
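As an added example that is not part of this thread or of ipa-client-install, the Python below reproduces the two things the nsupdate script quoted above combines: the SSHFP records themselves (algorithm number and fingerprint type per RFC 4255/6594, digest over the raw base64-decoded key blob) and the choice of zone. `parent_zone()` does what the log shows the client doing for `ipaclient.login.mydomain.net` (zone = everything after the first label), while `choose_zone()` picks the longest zone from a list the server is actually authoritative for, which is the check that would have avoided the NOTAUTH here. The host key line, the zone list and the function names are assumptions made for the example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) for OpenSSH key types
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (what the log above carries), 2 = SHA-256
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line: str):
    """Return [(algorithm, fptype, HEXDIGEST)] for one OpenSSH public key line."""
    ktype, b64 = pubkey_line.split()[:2]
    if ktype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {ktype}")
    blob = base64.b64decode(b64)  # the fingerprint covers the raw key blob
    algo = SSHFP_ALGORITHM[ktype]
    return [(algo, fpt, h(blob).hexdigest().upper()) for fpt, h in SSHFP_FPTYPE.items()]


def parent_zone(fqdn: str) -> str:
    """Zone derived from the hostname alone: everything after the first label."""
    return fqdn.rstrip(".").split(".", 1)[1]


def choose_zone(fqdn: str, zones):
    """Longest zone in `zones` that contains fqdn, or None if none does."""
    name = fqdn.rstrip(".").lower()
    best = None
    for zone in zones:
        zone = zone.rstrip(".").lower()
        inside = name == zone or name.endswith("." + zone)
        if inside and (best is None or len(zone) > len(best)):
            best = zone
    return best


def nsupdate_script(fqdn: str, pubkey_lines, zones, ttl: int = 1200) -> str:
    """Build an nsupdate script in the shape ipa-client-install logs, against a zone we own."""
    zone = choose_zone(fqdn, zones)
    if zone is None:
        raise ValueError(f"none of {list(zones)} is authoritative for {fqdn}")
    name = fqdn.rstrip(".") + "."
    out = [f"zone {zone}.", f"update delete {name} IN SSHFP", "send"]
    for line in pubkey_lines:
        for algo, fpt, hexfp in sshfp_records(line):
            out.append(f"update add {name} {ttl} IN SSHFP {algo} {fpt} {hexfp}")
    out.append("send")
    return "\n".join(out) + "\n"


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte length prefix plus bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed host key (toy 32-byte value with the real ssh-ed25519 wire layout)
HOST_KEY = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
).decode() + " root@ipaclient"

if __name__ == "__main__":
    print("client would guess zone:", parent_zone("ipaclient.login.mydomain.net"))
    print(nsupdate_script("ipaclient.login.mydomain.net", [HOST_KEY], ["mydomain.net"]))
```

The same digest logic is what lets an administrator verify a published SSHFP record against the key in /etc/ssh/ssh_host_*_key.pub before trusting `VerifyHostKeyDNS`.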
successful
----------
01-Jun-2015 18:36:04.580 client 10.21.5.206#40096/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' A
01-Jun-2015 18:36:04.590 client 10.21.5.206#34641/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' A
01-Jun-2015 18:36:25.582 client 10.21.5.206#49800/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' SSHFP
01-Jun-2015 18:36:25.595 client 10.21.5.206#34081/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
01-Jun-2015 18:36:26.363 client 10.21.5.206#34081/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP

unsuccessful
------------
03-Jun-2015 16:10:56.407 client 10.21.5.206#52739/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
03-Jun-2015 16:10:56.420 client 10.21.5.206#50551/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
03-Jun-2015 16:11:12.993 client 10.21.5.206#39633/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
03-Jun-2015 16:11:13.005 client 10.21.5.206#50415/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)

From reesb at hushmail.com Thu Jun 4 04:15:36 2015
From: reesb at hushmail.com (Rees)
Date: Thu, 04 Jun 2015 14:15:36 +1000
Subject: [Freeipa-users] vSphere and freeIPA
In-Reply-To: <20150602075505.GG15837@redhat.com>
References: <892b1cc5e31af711e60d22844fecb9cc@webmail.zy.io> <556D5D18.50703@redhat.com> <20150602075505.GG15837@redhat.com>
Message-ID: <610193686711224c0be656434369cb49@smtp.hushmail.com>

If I applied the original vsphere_groupmod.ldif (with the %regsub()) is
there anything special I have to do to reapply the modification?

When I attempt to apply this ldif I just get an error message telling me
"type or value exists" and then when I run the steps you have (creating
users, groups, assigning them to the group and then doing the search) I
don't get the uniqueMember attribute.
Only after I remove all but one user from the group does the ldapsearch
return a uniqueMember attribute.

Cheers,

Rees

On 2/06/2015 5:55 pm, Alexander Bokovoy wrote:
> On Tue, 02 Jun 2015, Martin Kosek wrote:
>> CCing Nalin and Alexander. This sounds like the slapi-nis
>> configuration for generating uniqueMember attribute does not work
>> with multi-valued "member" attribute:
>>
>> schema-compat-entry-attribute:
>> uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> No, this should work just fine. The original wiki page had just
> %regsub() which is indeed a single element replacement. %mregsub()
> processes multiple possible expression matching.
> From lslebodn at redhat.com Thu Jun 4 07:24:20 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 4 Jun 2015 09:24:20 +0200 Subject: [Freeipa-users] sssd not caching public keys in sss_authorized_keys file In-Reply-To: <2d120080e6862cd6694777e14dc6705b.squirrel@webmail.nathanpeters.com> References: <5e7fa79f4ffe1249c0761ce3b9966038.squirrel@webmail.nathanpeters.com> <20150603061430.GA9862@mail.corp.redhat.com> <1433354320.3020.47.camel@willson.usersys.redhat.com> <2d120080e6862cd6694777e14dc6705b.squirrel@webmail.nathanpeters.com> Message-ID: <20150604072420.GA2793@mail.corp.redhat.com> On (03/06/15 11:48), nathan at nathanpeters.com wrote: >> On Wed, 2015-06-03 at 09:57 -0700, nathan at nathanpeters.com wrote: >>> Comments inline >>> >>> > On (02/06/15 15:25), nathan at nathanpeters.com wrote: >>> >>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the >>> client >>> >> is >>> >>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30). >>> >> >>> >>I have created a user in FreeIPA and he has access to a server through >>> >>HBAC rules. This user has created a public / private keypair and >>> >> uploaded >>> >>the public key from his personal machine to the IPA server so it shows >>> up >>> >>in his user record. The record was saved and he successfully logged >>> into >>> >>the IPA client using the keys. >>> >> >>> >>According to the docs here (Yes, I know it's a little old but I could >>> not >>> >>find any newer info that conflicted with this) : >>> >>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html >>> >> >>> > Aa you already notice it isquite old documetation. >>> > >>> >>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in >>> the >>> >>standard authorized keys format. >>> >> >>> > There's bug in documentation. >>> > >>> >>However, when he logs in, there is no sss_authorized_keys file created >>> >> and >>> >>as far as I can tell, the key is never cached in his account. 
>>> >> >>> > The better test would be to authenticate with ssh keys online, >>> > so they can be fetched from FreeIPA >>> > then block connection to FreeIPA (simmulate offline state) >>> > and re-test one more time. >>> >>> Ok, so I looked at the newer documentation you linked below (RH7 >>> version) >>> and it makes the exact same statement "Stores the user key in a custom >>> file, .ssh/sss_authorized_keys, in the standard authorized keys format. >>> " >>> >>> Are you saying the newer documentation is also bugged? >>> >>> Unfortunately, that type of test will not be conclusive for the people I >>> am trying to convince. They want me to actually show them the file on >>> disk where that thing is cached to prove that if the machine was >>> rebooted, >>> and the ipa connection is lost, that key was not only in memory >>> somewhere >>> but actually saved to storage. >>> >>> > >>> >>How do I get the keys to actually save on login like the manual says? >>> > Keys are already cached in different file >>> > /var/lib/sss/pubconf/known_hosts. >>> > @see rhel7 documentation [1] >>> >>> The known_hosts file does not sound like the right place, It has a >>> completely different function of caching host keys for when I make an >>> outgoing connection from the server for the purpose of verifying someone >>> is not spoofing a host, not for caching individual user keys for >>> passwordless login for when I'm trying to make an ingoing connection to >>> the server. >>> >>> In addition, you can see from my search below that there is no >>> sss_authorized_keys file anywhere on the server and that the known_hosts >>> file you referenced has no data in it because it is zero size. >>> >>> [root at ipaclient sss]# find / -name sss_authorized_keys >>> [root at ipaclient sss]# cd pubconf >>> [root at ipaclient pubconf]# ls -al >>> total 16 >>> drwxr-xr-x 3 root root 4096 Jun 3 16:42 . >>> drwxr-xr-x 6 root root 4096 May 27 22:49 .. 
>>> -rw-r--r-- 1 root root 11 Jun 3 16:42 kdcinfo.MYDOMAIN.NET
>>> -rw-r--r-- 1 root root 0 Jun 2 16:05 known_hosts
>>> drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
>>> [root at ipaclient pubconf]#
>>>
>>> So... I am still looking for the actual location on disk that this is
>>> apparently being cached and cannot find it.
>>
>> You won't find a "file" because user's public keys are not stored in a
>> file.
>> They are stored in the ldb cache with all other user information, and
>> then extracted from the cache (or queried from the server if online and
>> the cache is expired) on request.
>>
>> You can use the ldbsearch tool against the sssd ldb cache file and look
>> for entries with the sshPublicKey attribute.
>>
>> HTH,
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
>Oh this is great information. Thank you.
>
>It appears that the documentation should state that the user keys are
>cached not in .ssh/sss_authorized_keys
I didn't notice it in documentation. We fixed info about known_hosts.
Thank you for a report.

>but actually in
>/var/lib/sss/db/cache_yourdomain.ldb as I was able to search and
>successfully find the user key by running 'ldbsearch -H
>cache_mydomain.net.ldb sshPublicKey'
Simpler way for checking cached public ssh key is to use the same utility
as sssd/sshd

# go offline and run next command.
sh$ sss_ssh_authorizedkeys usersssd

LS

From walter.van.lille at gmail.com Thu Jun 4 08:03:46 2015
From: walter.van.lille at gmail.com (Walter van Lille)
Date: Thu, 4 Jun 2015 10:03:46 +0200
Subject: [Freeipa-users] FreeIPA clean removal and re-install on replacement VM.
Message-ID:

Hi everyone,

I've taken over a FreeIPA 3.0.0.---- server (only one, no mirrors) running
on Centos 6 that is incredibly broken. I've already tried a lot of
troubleshooting etc and setting up a mirror, but I just can't seem to get
rid of the issue.
As such I have basically decided to de-commission the server and start
fresh on a new VM with a clean Centos and FreeIPA install. I'm not 100%
sure what would be the best way to proceed though, as we have many clients
that are already configured to use the existing server. The config files
etc are intact on the existing server, so I can reference them when doing
the configuration. I just need some guidance on how to proceed so that I
can achieve this with the least amount of clashes/downtime.

Here is a short sample of what has been happening:

sudo ipactl status
Directory Service: RUNNING
----------------- Unresponsive for almost 10 minutes - then carries on -----------------
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
ADTRUST Service: RUNNING
EXTID Service: RUNNING

[mbu.example at freeipa ~]$ kinit mbu.example
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials

sudo ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    EXAMPLE-EXAM... [FAILED]
    PKI-IPA... [ OK ]
*** Error: 1 instance(s) unsuccessfully stopped [FAILED]
Starting dirsrv:
    EXAMPLE-EXAM ... already running [ OK ]
    PKI-IPA... [ OK ]
Failed to restart Directory Service:

Regards,
Walter

From jian at traffics.de Thu Jun 4 13:08:29 2015
From: jian at traffics.de (Junhe Jian)
Date: Thu, 4 Jun 2015 15:08:29 +0200
Subject: [Freeipa-users] IPA v3 Certificate not renewed
Message-ID: <061FC241309C8543AAC51450EE0CA595012BB94D35FB@EX01.office.traffics-switch.de>

Hello everyone,

I'm new here and have a problem with IPA Server: on our single IPA Server
all certificates were expired.
Autorenewal not worked, so I read the docu http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and do manually my server is centos 6.4 [root at be-ipasrv ~]# rpm -qa | grep ipa ipa-client-3.0.0-26.el6_4.4.x86_64 ipa-server-3.0.0-26.el6_4.4.x86_64 python-iniparse-0.3.1-2.1.el6.noarch ipa-python-3.0.0-26.el6_4.4.x86_64 libipa_hbac-1.9.2-82.7.el6_4.x86_64 libipa_hbac-python-1.9.2-82.7.el6_4.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-admintools-3.0.0-26.el6_4.4.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-server-selinux-3.0.0-26.el6_4.4.x86_64 I change the Domain name to EXAMPLE The 5 CAs: dogtag-ipa-renew-agent get new certificate and has status MONITORING. Only the last 3 CA: IPA (dirv-slapd-PKI-IPA, dirv-slapd-EXAMPLE, /etc/httpd/alias) not renew, hab Status CA_UNREACHABLE Number of certificates and requests being tracked: 8. Request ID '20130528090810': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O= EXAMPLE.DE subject: CN=CA Audit,O= EXAMPLE.DE expires: 2017-04-29 08:14:24 UTC pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130528090811': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O= EXAMPLE.DE subject: CN=OCSP Subsystem,O= EXAMPLE.DE expires: 2017-04-29 08:13:24 UTC eku: id-kp-OCSPSigning 
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130528090812': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O= EXAMPLE.DE subject: CN=CA Subsystem,O= EXAMPLE.DE expires: 2017-04-29 08:13:24 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130528090813': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O= EXAMPLE.DE subject: CN=IPA RA,O= EXAMPLE.DE expires: 2017-04-29 08:13:24 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20130528090814': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='379816045864' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O= EXAMPLE.DE subject: CN= EXAMPLE.de,O= EXAMPLE.DE expires: 2017-04-29 08:13:24 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes 
Request ID '20130528090822': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)). stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd- EXAMPLE -DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd- EXAMPLE -DE/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd- EXAMPLE -DE',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O= EXAMPLE.DE subject: CN=example.de,O= EXAMPLE.DE expires: 2015-05-29 09:08:22 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE -DE track: yes auto-renew: yes Request ID '20130528090849': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)). stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O= EXAMPLE.DE subject: CN=example.de,O= EXAMPLE.DE expires: 2015-05-29 09:08:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA track: yes auto-renew: yes Request ID '20130528090923': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)). 
stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O= EXAMPLE.DE subject: CN=example.de,O= EXAMPLE.DE expires: 2015-05-29 09:09:23 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_httpd track: yes auto-renew: yes later I update the os to centos 6.6 [root at be-ipasrv]# rpm -qa | grep ipa sssd-ipa-1.11.6-30.el6_6.4.x86_64 ipa-admintools-3.0.0-42.el6.centos.x86_64 ipa-python-3.0.0-42.el6.centos.x86_64 python-iniparse-0.3.1-2.1.el6.noarch libipa_hbac-python-1.11.6-30.el6_6.4.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-server-3.0.0-42.el6.centos.x86_64 ipa-client-3.0.0-42.el6.centos.x86_64 ipa-server-selinux-3.0.0-42.el6.centos.x86_64 libipa_hbac-1.11.6-30.el6_6.4.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch i get same status of the last 3. Request ID '20130528090822': status: CA_UNREACHABLE ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request). 
stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=EXAMPLE.DE subject: CN=example.de,O=EXAMPLE.DE expires: 2015-05-29 09:08:22 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130528090849': status: CA_UNREACHABLE ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=EXAMPLE.DE subject: CN=example.de,O=EXAMPLE.DE expires: 2015-05-29 09:08:49 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130528090923': status: CA_UNREACHABLE ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request). 
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.DE
subject: CN=example.de,O=EXAMPLE.DE
expires: 2015-05-29 09:09:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

I read all the posts on the redhat archive and google. I cannot find a
solution. Anybody know the issue?

Best Regards
Jian

From rcritten at redhat.com Thu Jun 4 14:33:08 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Jun 2015 10:33:08 -0400
Subject: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
In-Reply-To: <556F2C52.6090606@alumni.ethz.ch>
References: <55689A7D.30707@alumni.ethz.ch> <556C0F38.3010909@redhat.com> <556C8D76.1040307@alumni.ethz.ch> <556F2C52.6090606@alumni.ethz.ch>
Message-ID: <557061A4.7030501@redhat.com>

Thomas Sailer wrote:
> I have now managed to upgrade the replica as well.
>
> I stumbled over a few additional problems:
>
> 1) whenever a user becomes member of a group with +nsuniqueid= in its
> name, the user can no longer login. The reason is that ldb_dn_validate
> doesn't like the + character, thus returns false, which causes
> get_ipa_groupname to return EINVAL, which causes the loop in
> hbac_eval_user_element to abort and return an error.
>
> This seems to be quite draconian. Does it have to be like this? If so it
> would be nice if a clearer error message would be left somewhere more
> obvious than sssd -d 0xffff...

An entry with nsuniqueid is a replication conflict entry. You want to
resolve this.
See https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

> 2) I cannot change ssh keys, neither in the web gui nor on the cli.
>
> # ipa -vv user-mod myuserid --sshpubkey= --all
> ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
> ipa: INFO: Request: {
>     "id": 0,
>     "method": "ping",
>     "params": [
>         [],
>         {}
>     ]
> }
> ipa: INFO: Response: {
>     "error": null,
>     "id": 0,
>     "principal": "admin at XXXXX.COM",
>     "result": {
>         "messages": [
>             {
>                 "code": 13001,
>                 "message": "API Version number was not sent, forward
> compatibility not guaranteed. Assuming server's API version, 2.114",
>                 "name": "VersionMissing",
>                 "type": "warning"
>             }
>         ],
>         "summary": "IPA server version 4.1.4. API version 2.114"
>     },
>     "version": "4.1.4"
> }
> ipa: INFO: Forwarding 'user_mod' to json server
> 'https://xxxxxserver.xxxxx.com/ipa/json'
> ipa: INFO: Request: {
>     "id": 0,
>     "method": "user_mod",
>     "params": [
>         [
>             "t.sailer"
>         ],
>         {
>             "all": true,
>             "ipasshpubkey": null,
>             "no_members": false,
>             "random": false,
>             "raw": false,
>             "rights": false,
>             "version": "2.114"
>         }
>     ]
> }
> ipa: INFO: Response: {
>     "error": {
>         "code": 4203,
>         "message": "Type or value exists: ",
>         "name": "DatabaseError"
>     },
>     "id": 0,
>     "principal": "admin at XXXXX.COM",
>     "result": null,
>     "version": "4.1.4"
> }
> ipa: ERROR: Type or value exists:
>
> I cannot find any more information in /var/log/httpd/error_log. But I
> can change the SSH keys directly talking to slapd...

Hmm, curious. What is the current state of the entry? The 389-ds access
log might have more details (though I'm stretching here).

> 3) Is
> [global]
> debug=True
> in /etc/ipa/ipa.conf supposed to change /var/log/httpd/error_log output?
> I cannot see any change...

No, there is no /etc/ipa/ipa.conf.
You can create /etc/ipa/server.conf to only change configuration for the
server, or /etc/ipa/client.conf to only change configuration for the
client. default.conf is loaded first, then server/client.conf is loaded
and changes override the default.

rob

From rcritten at redhat.com Thu Jun 4 14:35:01 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Jun 2015 10:35:01 -0400
Subject: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
In-Reply-To:
References: <556EB023.2070007@redhat.com>
Message-ID: <55706215.9070100@redhat.com>

Chris Tobey wrote:
> Hi Martin,
>
> Thank you for the response. Here is what I can see on my FreeIPA server (I
> replaced my server name with server.com):
>
> [Wed Jun 03 10:05:36:..//var/lib/pki-ca]$ ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate
> with CMS (Not Found)
> [Wed Jun 03 10:05:47:..//var/lib/pki-ca]$ getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20150407214802':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='303912620731'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=SERVER.COM
>         subject: CN=CA Audit,O=SERVER.COM
>         expires: 2017-03-27 21:47:14 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes

Apache proxies to dogtag, so a Not Found means that dogtag either isn't
running or its webapp wasn't loaded. I'd start by restarting
pki-tomcatd at pki-tomcat.service and see if that helps.
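Both certificate threads above (Jian's IPA-tracked certificates sitting in CA_UNREACHABLE with stuck: yes, and Chris Tobey's CMS Not Found) start from `getcert list` output, and the thing to notice in it is easy to miss among eight records. As an added example that is not part of the thread and not certmonger's own tooling, the Python below parses that output (including the wrapped `key pair storage:` values as they appear in Chris's paste) and reports every tracking request whose status is not MONITORING, that is stuck, that carries a ca-error, or whose certificate is expired or about to expire. The sample output is constructed from the shape of the records on this page; the PIN is a placeholder and the third request id is invented.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed `getcert list` output (shape taken from the thread; PIN is a
# placeholder, the third request id is invented): one healthy dogtag-tracked
# request, one IPA-tracked request in the CA_UNREACHABLE/stuck state, and one
# that looks healthy but expires in a couple of weeks. The third record wraps
# its key pair storage value onto the next line, as certmonger's output can.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130528090810':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='PLACEHOLDER'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=CA Audit,O=EXAMPLE.DE
        expires: 2017-04-29 08:14:24 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130528090822':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=example.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:08:22 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-DE
        track: yes
        auto-renew: yes
Request ID '20150601000000':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        subject: CN=example.de,O=EXAMPLE.DE
        expires: 2015-06-20 12:00:00 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert(text):
    """Parse `getcert list` output into a list of {field: value} dicts (fields lower-cased)."""
    requests, cur, last_field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            cur = {"request id": m.group(1)}
            requests.append(cur)
            last_field = None
            continue
        if cur is None:  # e.g. the "Number of certificates ..." header line
            continue
        field, sep, value = line.partition(":")
        if not sep and last_field:  # wrapped value continues the previous field
            cur[last_field] = (cur[last_field] + " " + line).strip()
            continue
        last_field = field.strip().lower()
        cur[last_field] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def problem_requests(requests, now, warn_days=30):
    """Map request id -> reasons, for every request that needs attention."""
    report = {}
    for r in requests:
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append(f"status {r.get('status', '?')}")
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if r.get("ca-error"):
            reasons.append("ca-error: " + r["ca-error"])
        if r.get("expires"):
            left = parse_expiry(r["expires"]) - now
            if left <= timedelta(0):
                reasons.append("expired")
            elif left <= timedelta(days=warn_days):
                reasons.append(f"expires within {warn_days} days")
        if reasons:
            report[r["request id"]] = reasons
    return report


if __name__ == "__main__":
    when = datetime(2015, 6, 4, 14, 37, tzinfo=timezone.utc)  # the date of this thread
    for rid, why in problem_requests(parse_getcert(SAMPLE_GETCERT), when).items():
        print(rid, "->", "; ".join(why))
```

Run against real output (`getcert list | python3 this_script.py` after swapping the sample for `sys.stdin.read()`), this is the kind of check worth scheduling, since certmonger's own retries do not page anyone when a renewal keeps failing.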
Otherwise you'll need to poke around in the debug log in /var/lib/pki-ca/

rob

From rcritten at redhat.com Thu Jun 4 14:36:11 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Jun 2015 10:36:11 -0400
Subject: [Freeipa-users] vSphere and freeIPA
In-Reply-To: <610193686711224c0be656434369cb49@smtp.hushmail.com>
References: <892b1cc5e31af711e60d22844fecb9cc@webmail.zy.io> <556D5D18.50703@redhat.com> <20150602075505.GG15837@redhat.com> <610193686711224c0be656434369cb49@smtp.hushmail.com>
Message-ID: <5570625B.9060800@redhat.com>

Rees wrote:
> If I applied the original vsphere_groupmod.ldif (with the %regsub()) is
> there anything special I have to do to reapply the modification?
>
> When I attempt to apply this ldif I just get an error message telling me
> "type or value exists" and then when I run the steps you have (creating
> users, groups, assigning them to the group and then doing the search) I
> don't get the uniqueMember attribute.
> Only after I remove all but one user from the group does the ldapsearch
> return a uniqueMember attribute.

The ldif is for _adding_ values. You need to modify one, so you'll need to
tweak the ldif.

rob

>
> Cheers,
>
> Rees
> On 2/06/2015 5:55 pm, Alexander Bokovoy wrote:
>> On Tue, 02 Jun 2015, Martin Kosek wrote:
>>> CCing Nalin and Alexander. This sounds like the slapi-nis
>>> configuration for generating uniqueMember attribute does not work
>>> with multi-valued "member" attribute:
>>>
>>> schema-compat-entry-attribute:
>>> uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
>> No, this should work just fine. The original wiki page had just
>> %regsub() which is indeed a single element replacement. %mregsub()
>> processes multiple possible expression matching.
>> > > From rcritten at redhat.com Thu Jun 4 14:37:44 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Jun 2015 10:37:44 -0400 Subject: [Freeipa-users] IPA v3 Certificate not renewed In-Reply-To: <061FC241309C8543AAC51450EE0CA595012BB94D35FB@EX01.office.traffics-switch.de> References: <061FC241309C8543AAC51450EE0CA595012BB94D35FB@EX01.office.traffics-switch.de> Message-ID: <557062B8.2000100@redhat.com> Junhe Jian wrote: > Hello everyone, > > I?m new here and have problem with IPA Server > > our single IPA Server all Certificate was expired. > > Autorenewal not worked, so I read the docu > http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and do manually > > my server is centos 6.4 > > [root at be-ipasrv ~]# rpm -qa | grep ipa > > ipa-client-3.0.0-26.el6_4.4.x86_64 > > ipa-server-3.0.0-26.el6_4.4.x86_64 > > python-iniparse-0.3.1-2.1.el6.noarch > > ipa-python-3.0.0-26.el6_4.4.x86_64 > > libipa_hbac-1.9.2-82.7.el6_4.x86_64 > > libipa_hbac-python-1.9.2-82.7.el6_4.x86_64 > > ipa-pki-common-theme-9.0.3-7.el6.noarch > > ipa-admintools-3.0.0-26.el6_4.4.x86_64 > > ipa-pki-ca-theme-9.0.3-7.el6.noarch > > ipa-server-selinux-3.0.0-26.el6_4.4.x86_64 > > I change the Domain name to EXAMPLE > > The 5 CAs: dogtag-ipa-renew-agent get new certificate and has status > MONITORING. > > Only the last 3 CA: IPA (dirv-slapd-PKI-IPA, dirv-slapd-EXAMPLE, > /etc/httpd/alias) not renew, hab Status CA_UNREACHABLE > > Number of certificates and requests being tracked: 8. 
> > Request ID '20130528090810': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='379816045864' > > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=CA Audit,O= EXAMPLE.DE > > expires: 2017-04-29 08:14:24 UTC > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130528090811': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='379816045864' > > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=OCSP Subsystem,O= EXAMPLE.DE > > expires: 2017-04-29 08:13:24 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130528090812': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='379816045864' > > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=CA Subsystem,O= EXAMPLE.DE > > expires: 2017-04-29 08:13:24 UTC > > eku: 
id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130528090813': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=IPA RA,O= EXAMPLE.DE > > expires: 2017-04-29 08:13:24 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > Request ID '20130528090814': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='379816045864' > > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN= EXAMPLE.de,O= EXAMPLE.DE > > expires: 2017-04-29 08:13:24 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130528090822': > > status: CA_UNREACHABLE > > ca-error: Server failed request, will retry: 4301 (RPC failed > at server. Certificate operation cannot be completed: Unable to > communicate with CMS (Internal Server Error)). 
> > stuck: yes > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd- > EXAMPLE -DE',nickname='Server-Cert',token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd- EXAMPLE -DE/pwdfile.txt' > > certificate: type=NSSDB,location='/etc/dirsrv/slapd- EXAMPLE > -DE',nickname='Server-Cert',token='NSS Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=example.de,O= EXAMPLE.DE > > expires: 2015-05-29 09:08:22 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv > EXAMPLE -DE > > track: yes > > auto-renew: yes > > Request ID '20130528090849': > > status: CA_UNREACHABLE > > ca-error: Server failed request, will retry: 4301 (RPC failed > at server. Certificate operation cannot be completed: Unable to > communicate with CMS (Internal Server Error)). > > stuck: yes > > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=example.de,O= EXAMPLE.DE > > expires: 2015-05-29 09:08:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA > > track: yes > > auto-renew: yes > > Request ID '20130528090923': > > status: CA_UNREACHABLE > > ca-error: Server failed request, will retry: 4301 (RPC failed > at server. Certificate operation cannot be completed: Unable to > communicate with CMS (Internal Server Error)). 
> > stuck: yes > > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=example.de,O= EXAMPLE.DE > > expires: 2015-05-29 09:09:23 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > > track: yes > > auto-renew: yes > > later I update the os to centos 6.6 > > [root at be-ipasrv]# rpm -qa | grep ipa > > sssd-ipa-1.11.6-30.el6_6.4.x86_64 > > ipa-admintools-3.0.0-42.el6.centos.x86_64 > > ipa-python-3.0.0-42.el6.centos.x86_64 > > python-iniparse-0.3.1-2.1.el6.noarch > > libipa_hbac-python-1.11.6-30.el6_6.4.x86_64 > > ipa-pki-common-theme-9.0.3-7.el6.noarch > > ipa-server-3.0.0-42.el6.centos.x86_64 > > ipa-client-3.0.0-42.el6.centos.x86_64 > > ipa-server-selinux-3.0.0-42.el6.centos.x86_64 > > libipa_hbac-1.11.6-30.el6_6.4.x86_64 > > ipa-pki-ca-theme-9.0.3-7.el6.noarch > > i get same status of the last 3. > > Request ID '20130528090822': > > status: CA_UNREACHABLE > > ca-error: Server at https://example.de/ipa/xml > failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: Failure decoding Certificate Signing Request). 
> > stuck: no > > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.DE > > subject: CN=example.de,O=EXAMPLE.DE > > expires: 2015-05-29 09:08:22 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130528090849': > > status: CA_UNREACHABLE > > ca-error: Server at https://example.de/ipa/xml > failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: Failure decoding Certificate Signing Request). > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.DE > > subject: CN=example.de,O=EXAMPLE.DE > > expires: 2015-05-29 09:08:49 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130528090923': > > status: CA_UNREACHABLE > > ca-error: Server at https://example.de/ipa/xml > failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: Failure decoding Certificate Signing Request). 
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.DE
> subject: CN=example.de,O=EXAMPLE.DE
> expires: 2015-05-29 09:09:23 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> I read all the posts on the Red Hat archive and Google. I cannot find a solution.
>
> Anybody know the issue?

I'd suggest starting with the apache error log, /var/log/httpd/errors. That
should tell you what the Internal Error is.

rob

From notify.sina at gmail.com Thu Jun 4 14:54:35 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Thu, 4 Jun 2015 15:54:35 +0100
Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
Message-ID:

Hi

I recently had to remove and reinstall a fresh IPA server. I am
currently re-enrolling all the ipa clients to the recently refreshed
domain (same name as the previous realm and domain). The new IPA
master is RHEL7.1 with IPA 4.1.3.

All client servers are running RHEL6.6.

I also have a sudorule that allows a group to run all commands on all servers:

Rule name: All
Enabled: TRUE
Host category: all
Command category: all
User Groups: superusers
Sudo Option: !authenticate
----------------------------

I noticed that trying to run sudo on a few of the servers makes the
command hang indefinitely.
I am not sure what is the cause and where to look. Please what can I
do to troubleshoot and fix this?
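An added example, not from any message in this thread, for the `getcert list` output quoted in the "IPA v3 Certificate not renewed" thread above: a small Python parser that turns that output into one record per request and flags the ones an operator has to act on (status other than MONITORING, stuck, a ca-error, or an expiry already in the past at a chosen reference time). The sample output is constructed from the anonymised fields quoted in the thread; the field names are getcert's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `getcert list`, built from the
# anonymised fields quoted in the thread: one healthy request, one stuck one.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20130528090813':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=IPA RA,O=EXAMPLE.DE
        expires: 2017-04-29 08:13:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20130528090923':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=example.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:09:23 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
"""

# A request header sits at column 0; every field below it is indented.
REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
# Keys are words with spaces/hyphens ("key pair storage", "ca-error", "CA");
# the non-greedy key stops at the first colon, so values may contain colons.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z -]*?):\s?(?P<value>.*)$")


def parse_getcert_list(text):
    """Split `getcert list` output into a list of {field: value} dicts."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return requests


def parse_expiry(value):
    """'2015-05-29 09:09:23 UTC' -> aware datetime, or None if unparseable."""
    try:
        naive = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
    except (TypeError, ValueError):
        return None
    return naive.replace(tzinfo=timezone.utc)


def problem_requests(requests, now):
    """Return [(request id, [reasons])] for every request needing attention."""
    findings = []
    for req in requests:
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status=%s" % req.get("status"))
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if "ca-error" in req:
            reasons.append("ca-error: " + req["ca-error"])
        expiry = parse_expiry(req.get("expires"))
        if expiry is None:
            reasons.append("no parseable expiry")
        elif expiry <= now:
            reasons.append("expired " + req["expires"])
        if reasons:
            findings.append((req["id"], reasons))
    return findings


def audit(text, now_text):
    """Parse output and report, judged against a reference time written in
    getcert's own timestamp format (e.g. '2015-06-04 00:00:00 UTC')."""
    now = parse_expiry(now_text)
    if now is None:
        raise ValueError("reference time must look like 'YYYY-MM-DD HH:MM:SS UTC'")
    return problem_requests(parse_getcert_list(text), now)


if __name__ == "__main__":
    # Reference time is the date of the thread; on a live host feed in the
    # real output with: audit(subprocess.check_output(["getcert", "list"]).decode(), ...)
    for rid, why in audit(SAMPLE, "2015-06-04 00:00:00 UTC"):
        print(rid, "; ".join(why))
```

Running it on a live host is a quick way to see at a glance which of the eight tracked requests still need a working CA, rather than reading the blocks by eye.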
From jian at traffics.de Thu Jun 4 14:57:48 2015
From: jian at traffics.de (Junhe Jian)
Date: Thu, 4 Jun 2015 16:57:48 +0200
Subject: [Freeipa-users] IPA v3 Certificate not renewed
In-Reply-To: <557062B8.2000100@redhat.com>
References: <061FC241309C8543AAC51450EE0CA595012BB94D35FB@EX01.office.traffics-switch.de> <557062B8.2000100@redhat.com>
Message-ID: <061FC241309C8543AAC51450EE0CA595012BB94D3611@EX01.office.traffics-switch.de>

Hi Rob,

I set the date into the past ("26 MAY 2015"), added "NSSEnforceValidCerts off"
to nss.conf and resubmitted the 3 IDs:

[root at be-ipasrv httpd]# getcert resubmit -i 20130528090822
Resubmitting "20130528090822" to "IPA".
[root at be-ipasrv httpd]# getcert resubmit -i 20130528090849
Resubmitting "20130528090849" to "IPA".
[root at be-ipasrv httpd]# getcert resubmit -i 20130528090923
Resubmitting "20130528090923" to "IPA".

Restarted ipa and certmonger.

Now I get errors in http_error:

[Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ...
[Tue May 26 10:00:31 2015] [notice] Digest: done
[Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:23 2015] [error] ipa: INFO: host/example.de at EXAMPLE.DE: cert_request(u'[base64 CSR omitted]', principal=u'ldap/example.de at EXAMPLE.DE', add=True): CertificateOperationError
[Tue May 26 10:01:29 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:29 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:29 2015] [error] ipa: INFO: host/example.de at EXAMPLE.DE: cert_request(u'[base64 CSR omitted]', principal=u'dogtagldap/example.de at EXAMPLE.DE', add=True): CertificateOperationError
[Tue May 26 10:01:34 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:34 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:34 2015] [error] ipa: INFO: host/example.de at EXAMPLE.DE: cert_request(u'[base64 CSR omitted]', principal=u'HTTP/example.de at EXAMPLE.DE', add=True): CertificateOperationError

_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, 4 June 2015 16:38
To: Junhe Jian; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian wrote:
> Hello everyone,
>
> I'm new here and have a problem with IPA Server.
>
> On our single IPA Server all certificates have expired.
> > Autorenewal not worked, so I read the docu > http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and do manually > > my server is centos 6.4 > > [root at be-ipasrv ~]# rpm -qa | grep ipa > > ipa-client-3.0.0-26.el6_4.4.x86_64 > > ipa-server-3.0.0-26.el6_4.4.x86_64 > > python-iniparse-0.3.1-2.1.el6.noarch > > ipa-python-3.0.0-26.el6_4.4.x86_64 > > libipa_hbac-1.9.2-82.7.el6_4.x86_64 > > libipa_hbac-python-1.9.2-82.7.el6_4.x86_64 > > ipa-pki-common-theme-9.0.3-7.el6.noarch > > ipa-admintools-3.0.0-26.el6_4.4.x86_64 > > ipa-pki-ca-theme-9.0.3-7.el6.noarch > > ipa-server-selinux-3.0.0-26.el6_4.4.x86_64 > > I change the Domain name to EXAMPLE > > The 5 CAs: dogtag-ipa-renew-agent get new certificate and has status > MONITORING. > > Only the last 3 CA: IPA (dirv-slapd-PKI-IPA, dirv-slapd-EXAMPLE, > /etc/httpd/alias) not renew, hab Status CA_UNREACHABLE > > Number of certificates and requests being tracked: 8. > > Request ID '20130528090810': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='379816045864' > > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=CA Audit,O= EXAMPLE.DE > > expires: 2017-04-29 08:14:24 UTC > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130528090811': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='379816045864' > > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > > CA: 
dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=OCSP Subsystem,O= EXAMPLE.DE > > expires: 2017-04-29 08:13:24 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130528090812': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='379816045864' > > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=CA Subsystem,O= EXAMPLE.DE > > expires: 2017-04-29 08:13:24 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130528090813': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=IPA RA,O= EXAMPLE.DE > > expires: 2017-04-29 08:13:24 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > Request ID '20130528090814': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='379816045864' > > 
certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN= EXAMPLE.de,O= EXAMPLE.DE > > expires: 2017-04-29 08:13:24 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130528090822': > > status: CA_UNREACHABLE > > ca-error: Server failed request, will retry: 4301 (RPC failed > at server. Certificate operation cannot be completed: Unable to > communicate with CMS (Internal Server Error)). > > stuck: yes > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd- > EXAMPLE -DE',nickname='Server-Cert',token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd- EXAMPLE -DE/pwdfile.txt' > > certificate: type=NSSDB,location='/etc/dirsrv/slapd- EXAMPLE > -DE',nickname='Server-Cert',token='NSS Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=example.de,O= EXAMPLE.DE > > expires: 2015-05-29 09:08:22 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv > EXAMPLE -DE > > track: yes > > auto-renew: yes > > Request ID '20130528090849': > > status: CA_UNREACHABLE > > ca-error: Server failed request, will retry: 4301 (RPC failed > at server. Certificate operation cannot be completed: Unable to > communicate with CMS (Internal Server Error)). 
> > stuck: yes > > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert' > ,token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert' > ,token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=example.de,O= EXAMPLE.DE > > expires: 2015-05-29 09:08:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv > PKI-IPA > > track: yes > > auto-renew: yes > > Request ID '20130528090923': > > status: CA_UNREACHABLE > > ca-error: Server failed request, will retry: 4301 (RPC failed > at server. Certificate operation cannot be completed: Unable to > communicate with CMS (Internal Server Error)). > > stuck: yes > > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N > SS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N > SS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O= EXAMPLE.DE > > subject: CN=example.de,O= EXAMPLE.DE > > expires: 2015-05-29 09:09:23 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > > track: yes > > auto-renew: yes > > later I update the os to centos 6.6 > > [root at be-ipasrv]# rpm -qa | grep ipa > > sssd-ipa-1.11.6-30.el6_6.4.x86_64 > > ipa-admintools-3.0.0-42.el6.centos.x86_64 > > ipa-python-3.0.0-42.el6.centos.x86_64 > > python-iniparse-0.3.1-2.1.el6.noarch > > libipa_hbac-python-1.11.6-30.el6_6.4.x86_64 > > ipa-pki-common-theme-9.0.3-7.el6.noarch > > ipa-server-3.0.0-42.el6.centos.x86_64 > > ipa-client-3.0.0-42.el6.centos.x86_64 > > ipa-server-selinux-3.0.0-42.el6.centos.x86_64 > > libipa_hbac-1.11.6-30.el6_6.4.x86_64 > > 
ipa-pki-ca-theme-9.0.3-7.el6.noarch > > i get same status of the last 3. > > Request ID '20130528090822': > > status: CA_UNREACHABLE > > ca-error: Server at https://example.de/ipa/xml > failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot > be > completed: Failure decoding Certificate Signing Request). > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Ce > rt',token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Ce > rt',token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.DE > > subject: CN=example.de,O=EXAMPLE.DE > > expires: 2015-05-29 09:08:22 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130528090849': > > status: CA_UNREACHABLE > > ca-error: Server at https://example.de/ipa/xml > failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot > be > completed: Failure decoding Certificate Signing Request). 
> > stuck: no > > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert' > ,token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert' > ,token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.DE > > subject: CN=example.de,O=EXAMPLE.DE > > expires: 2015-05-29 09:08:49 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130528090923': > > status: CA_UNREACHABLE > > ca-error: Server at https://example.de/ipa/xml > failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot > be > completed: Failure decoding Certificate Signing Request). > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N > SS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N > SS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.DE > > subject: CN=example.de,O=EXAMPLE.DE > > expires: 2015-05-29 09:09:23 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > i read all the post on redhat archive and goolge. I cannot find a solution. > > Anybody know the issue? I'd suggest starting with the apache error log, /var/log/httpd/errors. That should tell you what the Internal Error is. 
rob From rcritten at redhat.com Thu Jun 4 15:03:55 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Jun 2015 11:03:55 -0400 Subject: [Freeipa-users] IPA v3 Certificate not renewed In-Reply-To: <061FC241309C8543AAC51450EE0CA595012BB94D3611@EX01.office.traffics-switch.de> References: <061FC241309C8543AAC51450EE0CA595012BB94D35FB@EX01.office.traffics-switch.de> <557062B8.2000100@redhat.com> <061FC241309C8543AAC51450EE0CA595012BB94D3611@EX01.office.traffics-switch.de> Message-ID: <557068DB.2020204@redhat.com> Junhe Jian wrote: > Hi Rob, > > i set the date in past "26 MAY 2015" > and add "NSSEnforceValidCerts off" to nss.conf > > and resubmit the 3 ID > [root at be-ipasrv httpd]# getcert resubmit -i 20130528090822 > Resubmitting "20130528090822" to "IPA". > [root at be-ipasrv httpd]# getcert resubmit -i 20130528090849 > Resubmitting "20130528090849" to "IPA". > [root at be-ipasrv httpd]# getcert resubmit -i 20130528090923 > Resubmitting "20130528090923" to "IPA". > > Restart ipa and certmonger > > now I get error in http_error > > [Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 > [Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) > [Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured. > [Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9" > [Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" > [Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1" > [Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6" > [Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ... 
> [Tue May 26 10:00:31 2015] [notice] Digest: done > [Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations > [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START *** > [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START *** > [Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule. > [Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error) Have you changed your apache configuration? It looks that way. You need the proxy modules loaded. rob From cory at pithoslabs.com Thu Jun 4 15:06:50 2015 From: cory at pithoslabs.com (Cory Carlton) Date: Thu, 4 Jun 2015 10:06:50 -0500 Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain In-Reply-To: References: Message-ID: I would check for DNS resolution from the machine executing the sudo, to the IPA server. On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi wrote: > Hi > > I recently had to remove and reinstall a fresh IPA server. I am > currently re-enrolling all the ipa clients to the recently refreshed > domain (same name as the previous realm and domain). The new IPA > master is RHEL7.1 with IPA 4.1.3. > > All client servers are running RHEL6.6. > > I also have sudorule that allows a group to have access to run all > commands on all servers: > > Rule name: All > Enabled: TRUE > Host category: all > Command category: all > User Groups: superusers > Sudo Option: !authenticate > ---------------------------- > > I noticed that trying to run sudo on a few of the servers makes the > command hang indefinitely. > I am not sure what is the cause and where to look. 
Please what can I
> do to troubleshoot and fix this?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From notify.sina at gmail.com Thu Jun 4 15:10:14 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Thu, 4 Jun 2015 16:10:14 +0100
Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
In-Reply-To:
References:
Message-ID:

Hi Cory,

DNS is fine. The IPA server is the internal domain's DNS server, and the
affected servers use it as easily as the other ipa clients.

On Thu, Jun 4, 2015 at 4:06 PM, Cory Carlton wrote:
> I would check for DNS resolution from the machine executing the sudo, to the
> IPA server.
>
> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi wrote:
>>
>> Hi
>>
>> I recently had to remove and reinstall a fresh IPA server. I am
>> currently re-enrolling all the ipa clients to the recently refreshed
>> domain (same name as the previous realm and domain). The new IPA
>> master is RHEL7.1 with IPA 4.1.3.
>>
>> All client servers are running RHEL6.6.
>>
>> I also have sudorule that allows a group to have access to run all
>> commands on all servers:
>>
>> Rule name: All
>> Enabled: TRUE
>> Host category: all
>> Command category: all
>> User Groups: superusers
>> Sudo Option: !authenticate
>> ----------------------------
>>
>> I noticed that trying to run sudo on a few of the servers makes the
>> command hang indefinitely.
>> I am not sure what is the cause and where to look. Please what can I
>> do to troubleshoot and fix this?
From mkosek at redhat.com Thu Jun 4 15:10:34 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 04 Jun 2015 17:10:34 +0200
Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
Message-ID: <55706A6A.6020709@redhat.com>

On 06/04/2015 05:06 PM, Cory Carlton wrote:
> I would check for DNS resolution from the machine executing the sudo, to the IPA server.

I would also suggest cleaning SSSD caches, since you reinstalled against the same domain, but actually a different server (/var/lib/sss/db/).

> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi wrote:
>
>> Hi
>>
>> I recently had to remove and reinstall a fresh IPA server. I am currently re-enrolling all the ipa clients to the recently refreshed domain (same name as the previous realm and domain). The new IPA master is RHEL7.1 with IPA 4.1.3.
>>
>> All client servers are running RHEL6.6.
>>
>> I also have a sudorule that allows a group to have access to run all commands on all servers:
>>
>> Rule name: All
>> Enabled: TRUE
>> Host category: all
>> Command category: all
>> User Groups: superusers
>> Sudo Option: !authenticate
>> ----------------------------
>>
>> I noticed that trying to run sudo on a few of the servers makes the command hang indefinitely.
>> I am not sure what is the cause and where to look. Please what can I do to troubleshoot and fix this?
From notify.sina at gmail.com Thu Jun 4 15:13:11 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Thu, 4 Jun 2015 16:13:11 +0100
Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
In-Reply-To: <55706A6A.6020709@redhat.com>
References: <55706A6A.6020709@redhat.com>

Hi Martin

I have deleted everything in /var/lib/sss/db/ and restarted sssd, no luck.

On Thu, Jun 4, 2015 at 4:10 PM, Martin Kosek wrote:
> On 06/04/2015 05:06 PM, Cory Carlton wrote:
>> I would check for DNS resolution from the machine executing the sudo, to the IPA server.
>
> I would also suggest cleaning SSSD caches, since you reinstalled against the same domain, but actually a different server (/var/lib/sss/db/).
>
>> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi wrote:
>>
>>> Hi
>>>
>>> I recently had to remove and reinstall a fresh IPA server. I am currently re-enrolling all the ipa clients to the recently refreshed domain (same name as the previous realm and domain). The new IPA master is RHEL7.1 with IPA 4.1.3.
>>>
>>> All client servers are running RHEL6.6.
>>>
>>> I also have a sudorule that allows a group to have access to run all commands on all servers:
>>>
>>> Rule name: All
>>> Enabled: TRUE
>>> Host category: all
>>> Command category: all
>>> User Groups: superusers
>>> Sudo Option: !authenticate
>>> ----------------------------
>>>
>>> I noticed that trying to run sudo on a few of the servers makes the command hang indefinitely.
>>> I am not sure what is the cause and where to look. Please what can I do to troubleshoot and fix this?
From mkosek at redhat.com Thu Jun 4 15:15:04 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 04 Jun 2015 17:15:04 +0200
Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
References: <55706A6A.6020709@redhat.com>
Message-ID: <55706B78.7070209@redhat.com>

On 06/04/2015 05:13 PM, Sina Owolabi wrote:
> Hi Martin
>
> I have deleted everything in /var/lib/sss/db/ and restarted sssd, no luck.

In that case, I am afraid you might need to enable sudo and SSSD debug (https://fedorahosted.org/sssd/wiki/Troubleshooting) and see where it hangs. Also CCing sudo/sssd SMEs to be aware.

>
> On Thu, Jun 4, 2015 at 4:10 PM, Martin Kosek wrote:
>> On 06/04/2015 05:06 PM, Cory Carlton wrote:
>>> I would check for DNS resolution from the machine executing the sudo, to the IPA server.
>>
>> I would also suggest cleaning SSSD caches, since you reinstalled against the same domain, but actually a different server (/var/lib/sss/db/).
>>
>>> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi wrote:
>>>
>>>> Hi
>>>>
>>>> I recently had to remove and reinstall a fresh IPA server. I am currently re-enrolling all the ipa clients to the recently refreshed domain (same name as the previous realm and domain). The new IPA master is RHEL7.1 with IPA 4.1.3.
>>>>
>>>> All client servers are running RHEL6.6.
>>>>
>>>> I also have a sudorule that allows a group to have access to run all commands on all servers:
>>>>
>>>> Rule name: All
>>>> Enabled: TRUE
>>>> Host category: all
>>>> Command category: all
>>>> User Groups: superusers
>>>> Sudo Option: !authenticate
>>>> ----------------------------
>>>>
>>>> I noticed that trying to run sudo on a few of the servers makes the command hang indefinitely.
>>>> I am not sure what is the cause and where to look. Please what can I do to troubleshoot and fix this?


From jian at traffics.de Thu Jun 4 15:24:42 2015
From: jian at traffics.de (Junhe Jian)
Date: Thu, 4 Jun 2015 17:24:42 +0200
Subject: [Freeipa-users] IPA v3 Certificate not renewed
In-Reply-To: <557068DB.2020204@redhat.com>
References: <061FC241309C8543AAC51450EE0CA595012BB94D35FB@EX01.office.traffics-switch.de> <557062B8.2000100@redhat.com> <061FC241309C8543AAC51450EE0CA595012BB94D3611@EX01.office.traffics-switch.de> <557068DB.2020204@redhat.com>
Message-ID: <061FC241309C8543AAC51450EE0CA595012BB94D3616@EX01.office.traffics-switch.de>

Hi Rob,

I have only added "NSSEnforceValidCerts off" to nss.conf. ipa ran the last 2 years without problems since the certificate expired. I loaded all the proxy modules in apache and restarted httpd and certmonger.

Yeah, the certificates are renewed:

[root at be-ipasrv httpd]# getcert list | grep status
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
[root at be-ipasrv httpd]# getcert list | grep expir
        expires: 2017-04-29 08:14:24 UTC
        expires: 2017-04-29 08:13:24 UTC
        expires: 2017-04-29 08:13:24 UTC
        expires: 2017-04-29 08:13:24 UTC
        expires: 2017-04-29 08:13:24 UTC
        expires: 2017-05-26 08:21:01 UTC
        expires: 2017-05-26 08:20:43 UTC
        expires: 2017-05-26 08:21:08 UTC

On the other server, with centos 6.6 and ipa-server-3.0.0-42.el6.centos.x86_64, I get this error:

Request ID '20130528090822':
        status: CA_UNREACHABLE
        ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://EXAMPLE.de:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown.
Objects are still in use.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLEDE/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=EXAMPLE.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:08:22 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130528090849':
        status: CA_UNREACHABLE
        ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=EXAMPLE.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:08:49 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130528090923':
        status: CA_UNREACHABLE
        ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=EXAMPLE.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:09:23 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

and the http error log if I resubmit the id:

[Tue May 26 10:01:31 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue May 26 10:01:31 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 26 10:01:32 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue May 26 10:01:32 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue May 26 10:01:32 2015] [notice] Digest: generating secret for digest authentication ...
[Tue May 26 10:01:32 2015] [notice] Digest: done
[Tue May 26 10:01:33 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.16.1 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue May 26 10:01:34 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:01:34 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:02:36 2015] [error] Bad remote server certificate: -8181
[Tue May 26 10:02:36 2015] [error] SSL Library Error: -8181 Certificate has expired
[Tue May 26 10:02:36 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue May 26 10:02:36 2015] [error] ipa: INFO: host/EXAMPLE.de at TIBET.TRAFFICS-SWITCH.DE: cert_request(u'[base64 CSR removed]', principal=u'ldap/EXAMPLE.de at EXAMPLE.DE', add=True): NetworkError
[Tue May 26 10:02:38 2015] [error] Bad remote server certificate: -8181
[Tue May 26 10:02:38 2015] [error] SSL Library Error: -8181 Certificate has expired

Do you have an idea?

Thank you!
_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, 4 June 2015 17:04
To: Junhe Jian; freeipa-users at redhat.com
Subject: Re: AW: [Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian wrote:
> Hi Rob,
>
> I set the date in the past, "26 MAY 2015",
> and added "NSSEnforceValidCerts off" to nss.conf
>
> and resubmitted the 3 IDs
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090822
> Resubmitting "20130528090822" to "IPA".
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090849
> Resubmitting "20130528090849" to "IPA".
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090923
> Resubmitting "20130528090923" to "IPA".
>
> Restarted ipa and certmonger
>
> now I get an error in http_error
>
> [Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
> [Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ...
> [Tue May 26 10:00:31 2015] [notice] Digest: done
> [Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
> [Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)

Have you changed your apache configuration? It looks that way. You need the proxy modules loaded.

rob


From t.sailer at alumni.ethz.ch Thu Jun 4 15:48:10 2015
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Thu, 04 Jun 2015 17:48:10 +0200
Subject: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
In-Reply-To: <557061A4.7030501@redhat.com>
References: <55689A7D.30707@alumni.ethz.ch> <556C0F38.3010909@redhat.com> <556C8D76.1040307@alumni.ethz.ch> <556F2C52.6090606@alumni.ethz.ch> <557061A4.7030501@redhat.com>
Message-ID: <5570733A.6060304@alumni.ethz.ch>

On 06/04/2015 04:33 PM, Rob Crittenden wrote:
> Thomas Sailer wrote:
>> I have now managed to upgrade the replica as well.
>>
>> I stumbled over a few additional problems:
>>
>> 1) whenever a user becomes member of a group with +nsuniqueid= in its name, the user can no longer login. The reason is that ldb_dn_validate doesn't like the + character, thus returns false, which causes get_ipa_groupname to return EINVAL, which causes the loop in hbac_eval_user_element to abort and return an error.
>>
>> This seems to be quite draconian. Does it have to be like this? If so it would be nice if a clearer error message would be left somewhere more obvious than sssd -d 0xffff...
>
> An entry with nsuniqueid is a replication conflict entry. You want to resolve this.
>
> See https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

Yes I know, and I have already fixed that. The question is: is it justified if the presence of such a group breaks login? If yes, shouldn't there be a more obvious error message than ssh telling you that login failed for UNKNOWN reasons...

If login would still work, it would buy you time for fixing the problem. The way it is now, you have people filling your office complaining login doesn't work anymore while you frantically try to figure out why.

My biggest wish for IPA is for it to become more robust. It consists of many software components with complex interdependencies, so some fragility is to be expected. But still, it would be nice if it was as robust as possible and if it fails that it fails in more obvious ways...

>
>> 2) I cannot change ssh keys, neither in the web gui nor on the cli.
>>
>> # ipa -vv user-mod myuserid --sshpubkey= --all
>> ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
>> ipa: INFO: Request: {
>>     "id": 0,
>>     "method": "ping",
>>     "params": [
>>         [],
>>         {}
>>     ]
>> }
>> ipa: INFO: Response: {
>>     "error": null,
>>     "id": 0,
>>     "principal": "admin at XXXXX.COM",
>>     "result": {
>>         "messages": [
>>             {
>>                 "code": 13001,
>>                 "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.114",
>>                 "name": "VersionMissing",
>>                 "type": "warning"
>>             }
>>         ],
>>         "summary": "IPA server version 4.1.4. API version 2.114"
>>     },
>>     "version": "4.1.4"
>> }
>> ipa: INFO: Forwarding 'user_mod' to json server 'https://xxxxxserver.xxxxx.com/ipa/json'
>> ipa: INFO: Request: {
>>     "id": 0,
>>     "method": "user_mod",
>>     "params": [
>>         [
>>             "t.sailer"
>>         ],
>>         {
>>             "all": true,
>>             "ipasshpubkey": null,
>>             "no_members": false,
>>             "random": false,
>>             "raw": false,
>>             "rights": false,
>>             "version": "2.114"
>>         }
>>     ]
>> }
>> ipa: INFO: Response: {
>>     "error": {
>>         "code": 4203,
>>         "message": "Type or value exists: ",
>>         "name": "DatabaseError"
>>     },
>>     "id": 0,
>>     "principal": "admin at XXXXX.COM",
>>     "result": null,
>>     "version": "4.1.4"
>> }
>> ipa: ERROR: Type or value exists:
>>
>> I cannot find any more information in /var/log/httpd/error_log. But I can change the SSH keys directly talking to slapd...
>
> Hmm, curious. What is the current state of the entry? The 389-ds access log might have more details (though I'm stretching here).
[04/Jun/2015:17:43:21 +0200] conn=3391 fd=70 slot=70 connection from a.b.c.d to a.b.c.d
[04/Jun/2015:17:43:21 +0200] conn=3391 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jun/2015:17:43:21 +0200] conn=3391 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jun/2015:17:43:21 +0200] conn=3391 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jun/2015:17:43:21 +0200] conn=3391 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jun/2015:17:43:21 +0200] conn=3391 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jun/2015:17:43:21 +0200] conn=3391 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=t.sailer,cn=users,cn=accounts,dc=xxxxx,dc=com"
[04/Jun/2015:17:43:21 +0200] conn=3391 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=xxxxx,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Jun/2015:17:43:21 +0200] conn=3391 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[04/Jun/2015:17:43:21 +0200] conn=3391 op=4 SRCH base="uid=t.sailer,cn=users,cn=accounts,dc=xxxxx,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass"
[04/Jun/2015:17:43:21 +0200] conn=3391 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[04/Jun/2015:17:43:21 +0200] conn=3391 op=5 SRCH base="uid=t.sailer,cn=users,cn=accounts,dc=xxxxx,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass ipaSshPubKey"
[04/Jun/2015:17:43:21 +0200] conn=3391 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[04/Jun/2015:17:43:21 +0200] conn=3391 op=6 MOD dn="uid=t.sailer,cn=users,cn=accounts,dc=xxxxx,dc=com"
[04/Jun/2015:17:43:22 +0200] conn=3391 op=6 RESULT err=20 tag=103 nentries=0 etime=1 csn=557072af000100040000
[04/Jun/2015:17:43:22 +0200] conn=3391 op=7 UNBIND
[04/Jun/2015:17:43:22 +0200] conn=3391 op=7 fd=70 closed - U1

Thanks!
Thomas


From christopher.lamb at ch.ibm.com Thu Jun 4 17:34:05 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 4 Jun 2015 19:34:05 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved
In-Reply-To: <556EBD47.6090909@redhat.com>
References: <556EAE04.3030704@redhat.com> <556EBD47.6090909@redhat.com>

Hi All

I can now report back success (at least on my throwaway EL7.1 test VM).

To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC to a new FreeIPA 4.1 KDC, 3 steps are required:

1) ipa-client-install --uninstall
2) rm -f /var/lib/sss/db/*
3) ipa-client-install --server ldap.my.example.com --domain my.example.com -N

Having done this, my free-ipa user successfully authenticates (e.g. ssh remote login with free-ipa user / password).

To switch EL 6.5 + ipa-client 3.3.3 hosts, step 2) was not required.

Kudos and thanks go to Rob C for suggesting step 2. (Note that the directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as suggested earlier in this thread.)

Cheers

Chris

From: Martin Kosek
To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com
Cc: Jakub Hrozek, Rob Crittenden
Date: 03.06.2015 10:39
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

On 06/03/2015 10:30 AM, Christopher Lamb wrote:
> Hi all
>
> This is a quick(ish) note to bring everybody up to speed on this issue. Yesterday we had some private mail exchange on this issue as I did not wish to broadcast the krb5 and ipa install logs to the user list.
>
> The basic situation is that we are in the process of migrating from an FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As discussed in a thread some weeks ago we did not do this by replicating (as perhaps we should have done). Instead we migrated the users across.
>
> We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to the old KDC.
> We are now in the process of migrating these hosts to the new 4.1 KDC.
>
> Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these joining to the new KDC was trouble free, taking a few minutes each. After joining the new KDC FreeIPA users authenticated properly.
>
> We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were joined direct to the new 4.1 KDC, never having been joined to the 3.3.3 KDC. These were also trouble free.
>
> The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1 hosts that were originally joined to the 3.3.3 KDC, and must be moved to join the 4.1 KDC. These machines no longer authenticate valid FreeIPA users. I have been able to reproduce this behaviour with a freshly setup VM joined first to the 3.3.3 KDC, then moved to the 4.1 KDC.
>
> While the errors shown in the krb5 child logs indicate that the password is incorrect, the same user / password is happily accepted by all the other hosts.
>
> It seems that in the process of moving / migrating the EL 7.1 / ipa-client 4.1 from the old KDC to the new KDC, "something" is left behind that causes problems. We have seen indications in the install logs that the kinit steps called during ipa-client install are getting responses from the wrong (old) KDC, and not from the new KDC.
>
> Frustratingly, over the weekend I managed to get one of the problem EL 7.1 boxes to work. However I can't work out exactly what it was that I did that did the trick. However it seems that some kind of major de-install / cleanup + reinstall of the ipa-client may be needed.
>
> Rob has suggested that as part of such a cleanup I should do "rm -f /var/lib/sssd/db/*". I will test this later today and report back.
>
> Thanks to Rob, Jakub, Martin, Alexander et al for their help and suggestions so far.
>
> Chris

Thanks for the background.
The pain you are getting is exactly the reason why migration via replication to RHEL-7.1 is a better choice :-)

Please let us know the result, I am curious how this works out.

>
> From: Martin Kosek
> To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com, Jakub Hrozek
> Date: 03.06.2015 09:34
> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>
> On 06/02/2015 06:15 PM, Christopher Lamb wrote:
>>
>> Hi
>>
>> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause of this problem. Let's call them HOST09 and HOST10
>>
>> Both are minimum installs of EL7.1, with NTPD installed and configured.
>>
>> HOST09 had ipa-client 4.1 installed via yum, and was configured to use our new FreeIPA 4.1 server, right from the start. --> My FreeIPA user authenticates successfully against this machine.
>>
>> HOST10 had ipa-client 4.1 installed as a dependency of one of our standard config packages, and was first set to use our old FreeIPA 3.3.3 server. --> My FreeIPA user authenticates successfully against this machine.
>>
>> I then de-registered HOST10 from the FreeIPA 3.1 server, and registered against the new FreeIPA 4.1 server --> My FreeIPA user does NOT authenticate successfully.
>>
>> This replicates well the behaviour I saw with my production servers, namely
>> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1 FreeIPA server authenticate properly.
>>
>> b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3 FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT authenticate properly
>>
>> Chris
>
> Hello,
>
> This is really strange. What I do not fully understand is what is the "registration against a FreeIPA server". What server you install IPA client should matter if the deployment is set up properly.
> The host enrollment entry should simply replicate to the whole infrastructure. The only thing that will probably differ is sssd.conf and krb5.conf as they will have a different primary server set up, based on what your DNS setup is.
>
> It rather seems that the "reregistration" is what causes the issue. It looks like some cleanup problem during the process. I will let Jakub help here, I would suggest including the SSSD logs from the failed login, it may help.
>
>>
>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 -----
>>
>> From: Christopher Lamb/Switzerland/IBM at IBMCH
>> To: Jakub Hrozek
>> Cc: freeipa-users at redhat.com
>> Date: 02.06.2015 10:40
>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> Hi Jakub
>>
>> Yes root login works, that's how I've been getting into the box.
>>
>> Surprisingly, kinit with my user seems to work on that box. After entering my password when prompted, it returns to the commandline without error.
>>
>> However if I try kinit with another FreeIPA user, then instead of prompting for a password, it gives "Generic preauthentication failure while getting initial credentials" error.
>>
>> Having set debug_level=10, when I try and ssh in with my FreeIPA user, I find errors like
>>
>> "Retrieving host .... with result: .. Matching credential not found"
>>
>> "Received error from KDC ... Additional pre-authentication required"
>>
>> "Received error from KDC...
>> Decrypt integrity check failed"
>>
>> "Received error code 1432158219"
>>
>> Cheers
>>
>> Chris
>>
>> From: Jakub Hrozek
>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>> Cc: freeipa-users at redhat.com
>> Date: 02.06.2015 09:50
>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>
>> On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
>>> Hi Jakub
>>>
>>> The same user / password works with all our FreeIPA hosts - just this one box is the problem. So the password should be good. Of course a typo is always possible (especially for strong passwords), but I have tried many times which should eliminate the odd password typo. The user / password should also be good for both the old and the new FreeIPA Server.
>>
>> Interesting, can you add debug_level=10 to the domain section of sssd.conf? Then krb5_child.log should show Kerberos tracing info including which exact KDC SSSD was talking to.
>>
>>>
>>> As I can neither log in direct, or via ssh to this box with my FreeIPA user, I assume Kinit with my user won't work - I will try later in the day.
>>
>> Well, login as a UNIX user (root) should work..
>>
>>>
>>> My working assumption is that the problem is related in some way to the fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2 throwaway EL 7.1 VMs to better test this. On one I will first install 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1 client.
>>>
>>> Cheers
>>>
>>> Chris
>>>
>>> From: Jakub Hrozek
>>> To: freeipa-users at redhat.com
>>> Date: 02.06.2015 09:22
>>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>> Sent by: freeipa-users-bounces at redhat.com
>>>
>>> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
>>>>
>>>> Hi All
>>>>
>>>> Bad news.
>>>>
>>>> Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being ssh remote login with FreeIPA user and password).
>>>>
>>>> Today I tried a second machine, and had the same problem, ssh connections with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check failed"
>>>
>>> This really just means wrong password, can you kinit as that user using the same password?
>>>
>>>>
>>>> Ahh I thought, I have a solution for that: just remove ipa-client and reinstall via yum, register with the new FreeIPA server ....
>>>>
>>>> Only with this second machine I still can't ssh in with a FreeIPA user. Argg.....
>>>>
>>>> b.t.w, as this machine is a real physical server, I was able to try logging in direct with my FreeIPA user --> "Authentication Failure"
>>>>
>>>> I now have
>>>> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old FreeIPA server to the new without a hitch (i.e. they successfully authenticate FreeIPA users.)
>>>> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but with problems
>>>> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to authenticate with a FreeIPA user
>>>> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new FreeIPA server, and successfully authenticates FreeIPA users.
>>>>
>>>> Any ideas?
>>>>
>>>> Chris
>>>>
>>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
>>>>
>>>> From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> To: Alexander Bokovoy, freeipa-users at redhat.com
>>>> Date: 30.05.2015 18:52
>>>> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>
>>>> Hi All
>>>>
>>>> It gives me pleasure to report the problem is solved - a minute ago I was able to login via ssh with my FreeIPA user to the problem server, while sitting on my terrace with a glass of wine!
>>>>
>>>> Thanks to Alexander for his helpful advice - we had some mail exchange outside the user list as I did not wish to broadcast content of keys, config files etc.
>>>>
>>>> Regardless of what I did with commands like klist, kvno everything seemed "ok", but I still could not ssh in. Even a ipa-getkeytab did not help.
>>>>
>>>> Therefore I decided to opt for brute force and (partial) ignorance. I completely uninstalled the FreeIPA client, and then reinstalled, configured - et voilà I could ssh in!
>>>>
>>>> This leaves the enigma: what caused the problem? I suspect the following:
>>>>
>>>> The host is an EL 7.1, but the first FreeIPA client installed was version 3.3.3 (installed as set of standard packages that we bung on all our servers).
>>>>
>>>> This worked fine to authenticate against our "old" 3.x FreeIPA server, but did not work against the "new" 4.1 FreeIPA Server.
>>>>
>>>> When I realised I could not ssh in, one of the first things I did was to yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help. The solution was to yum remove the FreeIPA client, then yum install the 4.1 client.
>>>>
>>>> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so it will be interesting to see if the problem can be reproduced.
>>>>
>>>> Keep up the good work,
>>>>
>>>> Chris
>>>>
>>>> From: Alexander Bokovoy
>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> Cc: freeipa-users at redhat.com
>>>> Date: 29.05.2015 18:04
>>>> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
>>>>
>>>> On Fri, 29 May 2015, Christopher Lamb wrote:
>>>>>
>>>>> Hi All
>>>>>
>>>>> Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated across the users.
>>>>>
>>>>> We have 50 odd Servers that are FreeIPA clients. Today I started migrating these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 server by doing an ipa-client-install --uninstall from the old, and ipa-client-install to register with the new 4.1.0 server.
>>>>>
>>>>> Most of the FreeIPA clients are running OEL 6.5, and for these the migration process above worked perfectly. After migrating the server, I could ssh in with my FreeIPA user.
>>>>>
>>>>> Then I migrated an OEL 7.1 server. The migration itself seemed to work, and getent passwd was successful for my FreeIPA user. However when I try and ssh in, my FreeIPA user / password is not accepted.
>>>>>
>>>>> Before the migration I could ssh into the problem server (though evidently it was using my FreeIPA user from the old FreeIPA server).
>>>>>
>>>>> I can ssh in with a local (non ldap) user, so ssh is running and working.
>>>>>
>>>>> From user root I can successfully su to my FreeIPA user.
>>>>>
>>>>> Further investigation showed that version of ipa-client installed was 3.3.3, so I yum updated this to 4.1.0.
>>>>>
>>>>> However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The same user continues to work for the 6.5 boxes.
>>>>>
>>>>> A colleague tried to ssh in with his FreeIPA user, and was also rejected, so the problem is not my user, but is probably for all FreeIPA users.
>>>>>
>>>>> A failed ssh login attempt causes the following error in /var/log/messages
>>>>>
>>>>> [sssd[krb5_child[5393]]]: Decrypt integrity check failed
>>>> It means /etc/krb5.keytab contains keys from older system and SSSD picks them up.
>>>> Can you show output of 'klist -kKet'?
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>
>>
>

From pbrezina at redhat.com Thu Jun 4 18:36:44 2015
From: pbrezina at redhat.com (Pavel Brezina)
Date: Thu, 4 Jun 2015 14:36:44 -0400 (EDT)
Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
In-Reply-To: <55706B78.7070209@redhat.com>
References: <55706A6A.6020709@redhat.com> <55706B78.7070209@redhat.com>
Message-ID: <1160734455.11049778.1433443003999.JavaMail.zimbra@redhat.com>

Hi,
please put the following line to /etc/sudo.conf to obtain sudo logs and send us the file:

Debug sudo /var/log/sudo_debug all@trace

----- Original Message -----
> From: "Martin Kosek"
> To: "Sina Owolabi"
> Cc: "Cory Carlton", freeipa-users at redhat.com, "Pavel Brezina", "Jakub Hrozek"
> Sent: Thursday, June 4, 2015 5:15:04 PM
> Subject: Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
>
> On 06/04/2015 05:13 PM, Sina Owolabi wrote:
> > Hi Martin
> >
> > I have deleted everything in /var/lib/sss/db/ and restarted sssd, no luck.
>
> In that case, I am afraid you might need to enable sudo and SSSD debug (https://fedorahosted.org/sssd/wiki/Troubleshooting) and see where it hangs. Also CCing sudo/sssd SMEs to be aware.
>
> > On Thu, Jun 4, 2015 at 4:10 PM, Martin Kosek wrote:
> >> On 06/04/2015 05:06 PM, Cory Carlton wrote:
> >>> I would check for DNS resolution from the machine executing the sudo, to the IPA server.
> >>
> >> I would also suggest cleaning SSSD caches, since you reinstalled against the same domain, but actually different server (/var/lib/sss/db/)
> >>
> >>> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi wrote:
> >>>
> >>>> Hi
> >>>>
> >>>> I recently had to remove and reinstall a fresh IPA server. I am currently re-enrolling all the ipa clients to the recently refreshed domain (same name as the previous realm and domain). The new IPA master is RHEL7.1 with IPA 4.1.3.
> >>>>
> >>>> All client servers are running RHEL6.6.
> >>>>
> >>>> I also have a sudorule that allows a group to have access to run all commands on all servers:
> >>>>
> >>>> Rule name: All
> >>>> Enabled: TRUE
> >>>> Host category: all
> >>>> Command category: all
> >>>> User Groups: superusers
> >>>> Sudo Option: !authenticate
> >>>> ----------------------------
> >>>>
> >>>> I noticed that trying to run sudo on a few of the servers makes the command hang indefinitely.
> >>>> I am not sure what is the cause and where to look. Please what can I do to troubleshoot and fix this?
> >>>>
> >>>
> >>
> >
>

From tobeychris at hotmail.com Thu Jun 4 19:00:11 2015
From: tobeychris at hotmail.com (Chris Tobey)
Date: Thu, 4 Jun 2015 15:00:11 -0400
Subject: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
In-Reply-To: <55706215.9070100@redhat.com>
References: <556EB023.2070007@redhat.com> <55706215.9070100@redhat.com>
Message-ID:

Hi Rob,

Thanks for taking the time to look at this.

I have services in /etc/init.d/ named tomcat6 and pki-cad.

I tried the following:
-
[Thu Jun 04 14:38:16:/etc/init.d]$ service tomcat6 status
tomcat6 is stopped [ OK ]
[Thu Jun 04 14:38:23:/etc/init.d]$ service tomcat6 start
Starting tomcat6: [ OK ]
[Thu Jun 04 14:38:29:/etc/init.d]$ service tomcat6 status
tomcat6 (pid 10853) is running... [ OK ]
[Thu Jun 04 14:38:40:/etc/init.d]$ service pki-cad status
pki-ca (pid 1793) is running... [ OK ]
Unsecure Port = http://chimera.server.com:9180/ca/ee/ca
Secure Agent Port = https://chimera.server.com:9443/ca/agent/ca
Secure EE Port = https://chimera.server.com:9444/ca/ee/ca
Secure Admin Port = https://chimera.server.com:9445/ca/services
EE Client Auth Port = https://chimera.server.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://chimera.server.com:9445/ca
Tomcat Port = 9701 (for shutdown)

PKI Instance Name: pki-ca

PKI Subsystem Type: Root CA (Security Domain)

Registered PKI Security Domain Information:

==========================================================================
Name: IPA
URL: https://chimera.server.com:443

==========================================================================
-

After this I am able to create new hosts on my Foreman server!
There are now a few questions:
1. I am not sure why the tomcat6 service was stopped, if it is required to be running.
2. I am not sure why a reboot of the server did not auto-start tomcat6.
3. When navigating the web GUI for FreeIPA and clicking on a host, I still see the popup message in the subject of this thread.

I have not yet tried rebooting the FreeIPA (chimera) and Puppet/Foreman (puppetmaster) servers. When I have some downtime I will try that and see what happens in regards to questions 2 and 3.

Thanks,
-Chris Tobey

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: June-04-15 10:35 AM
To: Chris Tobey; 'Martin Kosek'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

Apache proxies to dogtag, so a Not Found means that dogtag either isn't running or its webapp wasn't loaded.

I'd start by restarting pki-tomcatd@pki-tomcat.service and see if that helps.

Otherwise you'll need to poke around in the debug log in /var/lib/pki-ca/

rob

From rcritten at redhat.com Thu Jun 4 19:20:25 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Jun 2015 15:20:25 -0400
Subject: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
In-Reply-To:
References: <556EB023.2070007@redhat.com> <55706215.9070100@redhat.com>
Message-ID: <5570A4F9.3020407@redhat.com>

Chris Tobey wrote:
> Hi Rob,
>
> Thanks for taking the time to look at this.
>
> I have services in /etc/init.d/ named tomcat6 and pki-cad.
>
> I tried the following:
> -
> [Thu Jun 04 14:38:16:/etc/init.d]$ service tomcat6 status
> tomcat6 is stopped [ OK ]
> [Thu Jun 04 14:38:23:/etc/init.d]$ service tomcat6 start
> Starting tomcat6: [ OK ]
> [Thu Jun 04 14:38:29:/etc/init.d]$ service tomcat6 status
> tomcat6 (pid 10853) is running...
[ OK ] > [Thu Jun 04 14:38:40:/etc/init.d]$ service pki-cad status > pki-ca (pid 1793) is running... [ OK ] > Unsecure Port = http://chimera.server.com:9180/ca/ee/ca > Secure Agent Port = https://chimera.server.com:9443/ca/agent/ca > Secure EE Port = https://chimera.server.com:9444/ca/ee/ca > Secure Admin Port = https://chimera.server.com:9445/ca/services > EE Client Auth Port = https://chimera.server.com:9446/ca/eeca/ca > PKI Console Port = pkiconsole https://chimera.server.com:9445/ca > Tomcat Port = 9701 (for shutdown) > > PKI Instance Name: pki-ca > > PKI Subsystem Type: Root CA (Security Domain) > > Registered PKI Security Domain Information: > > ========================================================================== > Name: IPA > URL: https://chimera.server.com:443 > > ========================================================================== Ok, you didn't specify a version so I took a stab in the dark on the service name. So I gather you're running 3.0.0? You'll need to dive into the catalina.log and debug logs in /var/log/pki-ca. This means that tomcat started but the webapp didn't. This is usually the audit subsystem kicking in but recently someone else had this issue and a simple ipactl restart fixed it for him. rob > - > > After this I am able to create new hosts on my Foreman server! > > There are now a few questions: > 1. I am not sure why the tomcat6 service was stopped, if it is required to > be running. > 2. I am not sure why a reboot of the server did not auto-start tomcat6. > 3. When navigating the web GUI for FreeIPA and clicking on a host, I still > see the popup message in the subject of this thread. > > I have not yet tried rebooting the FreeIPA (chimera) and Puppet/Foreman > (puppetmaster) servers yet. When I have some downtime I will try that and > see what happens in regards to questions 2 and 3. 
> > Thanks, > -Chris Tobey > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: June-04-15 10:35 AM > To: Chris Tobey; 'Martin Kosek'; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be > completed: Unable to communicate with CMS (Not Found) > > Apache proxies to dogtag, so a Not Found means that dogtag either isn't > running or its webapp wasn't loaded. > > I'd start by restarting pki-tomcatd at pki-tomcat.service and see if that > helps. > > Otherwise you'll need to poke around in the debug long in > /var/lib/pki-ca/ > > rob > From tobeychris at hotmail.com Thu Jun 4 19:29:00 2015 From: tobeychris at hotmail.com (Chris Tobey) Date: Thu, 4 Jun 2015 15:29:00 -0400 Subject: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) In-Reply-To: <5570A4F9.3020407@redhat.com> References: <556EB023.2070007@redhat.com> <55706215.9070100@redhat.com> <5570A4F9.3020407@redhat.com> Message-ID: Hi Rob, Sorry, my original message had the information: FreeIPA server running on CentOS 6.6 server. (ipa-server-3.0.0-42.el6.centos.x86_64 and ipa-client-3.0.0-42.el6.centos.x86_64) Once again your advice is perfect. I did the "ipactl restart" and now everything in the web page appears to be working without error. I will let you know if I see anything else, but it looks like this is solved. Thank you for all your help. -Chris Tobey -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: June-04-15 3:20 PM To: Chris Tobey; 'Martin Kosek'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) Chris Tobey wrote: > Hi Rob, > > Thanks for taking the time to look at this. > > I have services in /etc/init.d/ named tomcat6 and pki-cad. 
> > I tried the following: > - > [Thu Jun 04 14:38:16:/etc/init.d]$ service tomcat6 status > tomcat6 is stopped [ OK ] > [Thu Jun 04 14:38:23:/etc/init.d]$ service tomcat6 start > Starting tomcat6: [ OK ] > [Thu Jun 04 14:38:29:/etc/init.d]$ service tomcat6 status > tomcat6 (pid 10853) is running... [ OK ] > [Thu Jun 04 14:38:40:/etc/init.d]$ service pki-cad status > pki-ca (pid 1793) is running... [ OK ] > Unsecure Port = http://chimera.server.com:9180/ca/ee/ca > Secure Agent Port = https://chimera.server.com:9443/ca/agent/ca > Secure EE Port = https://chimera.server.com:9444/ca/ee/ca > Secure Admin Port = https://chimera.server.com:9445/ca/services > EE Client Auth Port = https://chimera.server.com:9446/ca/eeca/ca > PKI Console Port = pkiconsole https://chimera.server.com:9445/ca > Tomcat Port = 9701 (for shutdown) > > PKI Instance Name: pki-ca > > PKI Subsystem Type: Root CA (Security Domain) > > Registered PKI Security Domain Information: > > ========================================================================== > Name: IPA > URL: https://chimera.server.com:443 > > ====================================================================== > ==== Ok, you didn't specify a version so I took a stab in the dark on the service name. So I gather you're running 3.0.0? You'll need to dive into the catalina.log and debug logs in /var/log/pki-ca. This means that tomcat started but the webapp didn't. This is usually the audit subsystem kicking in but recently someone else had this issue and a simple ipactl restart fixed it for him. rob > - > > After this I am able to create new hosts on my Foreman server! > > There are now a few questions: > 1. I am not sure why the tomcat6 service was stopped, if it is > required to be running. > 2. I am not sure why a reboot of the server did not auto-start tomcat6. > 3. When navigating the web GUI for FreeIPA and clicking on a host, I > still see the popup message in the subject of this thread. 
>
> I have not yet tried rebooting the FreeIPA (chimera) and Puppet/Foreman (puppetmaster) servers. When I have some downtime I will try that and see what happens in regards to questions 2 and 3.
>
> Thanks,
> -Chris Tobey
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: June-04-15 10:35 AM
> To: Chris Tobey; 'Martin Kosek'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>
> Apache proxies to dogtag, so a Not Found means that dogtag either isn't running or its webapp wasn't loaded.
>
> I'd start by restarting pki-tomcatd@pki-tomcat.service and see if that helps.
>
> Otherwise you'll need to poke around in the debug log in /var/lib/pki-ca/
>
> rob
>

From bahmer at lanl.gov Thu Jun 4 21:48:49 2015
From: bahmer at lanl.gov (Bahmer, Eric Vaughn)
Date: Thu, 4 Jun 2015 21:48:49 +0000
Subject: [Freeipa-users] ipa spamming radius with otp token?
In-Reply-To:
Message-ID:

Someone higher up decided that there was no time for me to resolve this and I've been forced to implement a different method for now. I can still continue to work on this, I'll just need to find different hardware to troubleshoot with.

I have set up a kerberos.xml in /etc/firewalld/services restricting to tcp 88. I have restricted the service to the specific interface via zone and rich rule.
[...]
Same for kpasswd on port 464.

I've also made sure that the krb5.conf has a line for udp_preference_limit = 1

I've also made sure to turn caching off in sssd.conf and restarted that. I set a 30 second timeout and 0 retries.

Attempting to SSH from the firewall/gateway as a user to the idm server itself. I've managed to get things down to just 2 copies with maybe 1 second difference:

Fri May 15 15:23:05
Packet-Type = Access-Request
NAS-Identifier = "idm2.manage.monitor.net"
Service-Type = Authenticate-Only
User-Name = "bahmer"
User-Password = "123-4567"

On the Idm server /var/log/secure:

May 15 15:23:03 idm2 unix_chkpwd[15103]: check pass; user unknown
May 15 15:23:03 idm2 unix_chkpwd[15103]: password check failed for user (bahmer)
May 15 15:23:03 idm2 sshd[15101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate1.manage.monitor.net user=bahmer
May 15 15:23:07 idm2 sshd[15101]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate1.manage.monitor.net user=bahmer
May 15 15:23:07 idm2 sshd[15101]: pam_sss(sshd:auth): received for user bahmer: 17 (Failure setting user credentials)
May 15 15:23:09 idm2 sshd[15101]: Failed password for bahmer from 10.6.0.41 port 44347 ssh2

I've collected some tcpdump information, most of the kerberos traffic is on the loopback interface and nothing stands out. I can see the two requests in the tcpdump on the interface the idm server should be using to talk to radius. I probably need permission in order to send the captures after sanitizing them for security policy reasons.

Is it possible that sssd is the culprit trying to do a pre-auth before the real auth?

>
>On 5/13/15, 12:00 PM, "Nathaniel McCallum" wrote:
>
>>On Wed, 2015-05-13 at 14:44 +0000, Bahmer, Eric Vaughn wrote:
>>> Institutionally we have a hardware token set up, you use a pin to unlock the device and it spits out a passcode.
>>> The passcode allows access through kerberos, radius, or ldap binds to linux servers, or with a custom apache module to websites.
>>>
>>> I have an out-of-band private network set up that attaches to our intranet using a firewall/gateway server which does some port forwarding for various things like SSH, RDP.
>>> I'm attempting to set up RADIUS on this firewall/gateway to be used as a proxy for freeipa to our token system which I'd like to be able to use behind the firewall.
>>> However I seem to be getting nearly a dozen requests into the radius server, about half are dropped as duplicate, but usually 3-6 get through and since it's a single use token the first attempt succeeds, but the rest fail and cause the hardware token to be blacklisted.
>>> Is there a way to specify that the user radius login is a one-time token or is this something that sssd or pam is causing?
>>> Or does the OTP support just not work in the way I need it to?
>>> I have this issue with both the inbox 4.1.0 in RHEL7.1 or the upstream 4.1.4 rpms.
>>>
>>> My only alternative is probably to set up a KDC on the firewall to trust the institutional realm and have the IdM kerberos realm trust that.
>>> This is also a mixed linux/windows environment behind the firewall, I've enabled unix attributes in my AD and I'm using a script to sync uid/gid with the external ldap.
>>
>>I do think a cross realm trust is the right way to set this up.
>>
>>However, let's look more closely at the RADIUS issue.
>>
>>First, I want to ensure that you are using TCP for your kerberos connections. If you are using UDP for kerberos, then the kerberos client will send a new packet which will cause the KDC to fire off a new set of RADIUS messages. The use of TCP should be enforced with kerberos when using OTP.
>>
>>How long does it take for the hardware token RADIUS server to respond? Have you tried adjusting the number of retries and timeout for the RADIUS server in FreeIPA? A longer timeout or fewer retries will reduce the number of packets transmitted.
>>
>>If you are able to setup a test user with fake credentials and could perform a packet capture of kerberos and RADIUS traffic it would help me understand what is going on here.
>>
>>Nathaniel
>>
>>PS - If I had to take a guess based on what I know now, I would suspect that the real culprit is kinit sending too many requests.
This >>is based on your statement that the RADIUS server is dropping *some* >>duplicates. This means that the other RADIUS packets are *not* >>duplicates and probably represent a subsequent AS-REQ on the KDC from >>kinit. > From nathan at nathanpeters.com Thu Jun 4 22:27:48 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Thu, 4 Jun 2015 15:27:48 -0700 Subject: [Freeipa-users] Could not update DNSSSHFP records when joining domain In-Reply-To: <1fdaaee7c22e638d2a2c825409981bea.squirrel@webmail.nathanpeters.com> References: <737a0e7798e8ab51d4eef4eb5359a976.squirrel@webmail.nathanpeters.com> <1fdaaee7c22e638d2a2c825409981bea.squirrel@webmail.nathanpeters.com> Message-ID: <0db5a917a346dddb52f1101676199b69.squirrel@webmail.nathanpeters.com> >> I am running FreeIPA 4.1.3 on CentOS7. >> >> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42. >> >> The client hostname is ipaclient.login.mydomain.net. >> >> The FreeIPA domain is mydomain.net. >> >> This post here : >> https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html >> states that making all dns entries into a single zone rather than having >> a >> separate zone for login.mydomain.net is a perfectly acceptable design >> choice. >> >> However, an issue occurs when joining the client. It joins to the >> domain >> fine and creates the initial DNS A entry, but then according to the >> logs, >> when it goes to update the DNSSSHFP records, it fails because it tries >> to >> update the nonexistent zone login.mydomain.net instead of just updating >> mydomain.net. To be clear, the SSH host keys are in the client record so >> the only issue is with adding them to DNS >> >> Here are the relevant log entries generated with ipa-client-install: >> >> 2015-06-03T16:11:12Z DEBUG stderr= >> 2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to >> /etc/ipa/.dns_update.txt: >> 2015-06-03T16:11:12Z DEBUG zone login.mydomain.net. >> update delete ipaclient.login.mydomain.net. 
IN SSHFP
>> send
>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60
>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1 11D3F076F616F02AD74BFF4D48E8BBA239063E8F
>> send
>>
>> 2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
>> 2015-06-03T16:11:13Z DEBUG stdout=
>> 2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
>> update failed: NOTAUTH
>>
>> 2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2
>> 2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.
>>
>
> Here are some more entries from /var/named/data/named.run.
>
> You'll notice in the first set of entries, I added the hosts with the incorrect subdomain set and it worked fine.
>
> In the second set, I gave the correct hostnames and even though it claims it's still trying to update the mydomain.net file it says it's not authorized. I am thoroughly confused by this behavior.
> > successful > ---------- > 01-Jun-2015 18:36:04.580 client 10.21.5.206#40096/key > host/ipaclient.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' A > 01-Jun-2015 18:36:04.590 client 10.21.5.206#34641/key > host/ipaclient.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' A > 01-Jun-2015 18:36:25.582 client 10.21.5.206#49800/key > host/ipaclient.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' SSHFP > 01-Jun-2015 18:36:25.595 client 10.21.5.206#34081/key > host/ipaclient.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP > 01-Jun-2015 18:36:26.363 client 10.21.5.206#34081/key > host/ipaclient.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP > > unsuccessful > ------------ > 03-Jun-2015 16:10:56.407 client 10.21.5.206#52739/key > host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': update failed: not authoritative for update zone > (NOTAUTH) > 03-Jun-2015 16:10:56.420 client 10.21.5.206#50551/key > host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': update failed: not authoritative for update zone > (NOTAUTH) > 03-Jun-2015 16:11:12.993 client 10.21.5.206#39633/key > host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': update failed: not authoritative for update zone > (NOTAUTH) > 03-Jun-2015 16:11:13.005 client 10.21.5.206#50415/key > host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone > 'mydomain.net/IN': update failed: not authoritative for update zone > (NOTAUTH) > > > So can anyone at least tell me whether it is intended that you have to create a separate DNS subdomain rather than one big domain file in order to get DNSSSHFP records to save or is that a bug and you should be 
able to just have one large domain and not break out the subdomains?

From netvent at gmail.com Thu Jun 4 23:06:03 2015
From: netvent at gmail.com (swartz)
Date: Thu, 4 Jun 2015 17:06:03 -0600
Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines?
In-Reply-To: <20150603062919.GB9862@mail.corp.redhat.com>
References: <20150603062919.GB9862@mail.corp.redhat.com>
Message-ID:

On Wed, Jun 3, 2015 at 12:29 AM, Lukas Slebodnik wrote:
> However sssd is available just on linux (or FreeBSD)
> I'm not sure which clients do you use on Solaris or other

Solaris would be configured via LDAP. RedHat appears to have a pretty good guide for doing this. Same goes for any other systems lacking sssd client or so I hope.

> >As an example, I have user Bob.
> >On a Linux box Bob has homedir at /home/b/bob
>                                          ^
> Unfortunately, there's no way how to say sssd to use just first letter from name.

Hmmm. Is it time for a feature request? Should this be directed to SSSD or FreeIPA group? override_homedir appears to have plenty of substitution options. This wouldn't be a major change request. For more flexibility, I think it would be nice to refer to an output of a script for determining homedir overrides.

> >On a Solaris this is likely /export/home/bob
> >While on some other odd system it could be /mnt/nas/users/bob
> Different "prefix" for homedir "/export/home", "/home", "/mnt/nas/users" could be addressed with the option homedir_substring in sssd conf.
> https://fedorahosted.org/sssd/ticket/1853
> So you could store "%H" in ldap attribute, but clients need to understand such value. (sssd >= 1.11.6). I'm not sure about other clients.

As there is no sssd client for Solaris, I think I may have found a workaround via automounter as suggested by Coy Hile. But that only solves the Solaris specific homedir paths.

In any case, I'm further today than I was yesterday. Thank you.
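The NOTAUTH failure in the DNSSSHFP thread above comes from nsupdate being handed the zone login.mydomain.net. while the server is authoritative only for mydomain.net. As an added example, not code from ipa-client-install or from anyone on the list, this script chooses the update zone by longest-suffix match against the zones the server actually serves and builds the SSHFP records (SHA-1 fingerprint of the decoded public-key blob) from OpenSSH public-key lines; the hostname and zone are the thread's, the key blobs are constructed placeholders and not real keys.

```python
"""Choose the authoritative zone and build SSHFP nsupdate commands.

Added example, not code from ipa-client-install or from the thread.
The thread shows the client naming the zone after its parent domain
(login.mydomain.net.) although the server only serves mydomain.net.,
so nsupdate returned NOTAUTH.  Here the zone is chosen by longest-suffix
match against the zones the server is actually authoritative for.
"""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255 / RFC 6594) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Values taken from the thread: the client FQDN and the zone BIND reported.
CLIENT_FQDN = "ipaclient.login.mydomain.net"
AUTHORITATIVE_ZONES = ["mydomain.net"]

# Constructed public-key lines: base64 blobs of the right shape, NOT real keys.
SAMPLE_KEYS = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 constructed@example",
    "ssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " constructed@example",
]


def select_zone(fqdn, zones):
    """Return the longest zone (with trailing dot) that fqdn falls under.

    Raises LookupError when no zone matches: that is the situation in which
    the server answers the update with NOTAUTH.
    """
    host = fqdn.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if host == z or host.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    if best is None:
        raise LookupError("no authoritative zone for %s" % fqdn)
    return best + "."


def sshfp_record(fqdn, pubkey_line, ttl=1200):
    """Build one SSHFP RR: algorithm from the key type, fingerprint type 1 (SHA-1)."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    algorithm = SSHFP_ALGORITHMS[keytype]
    # The fingerprint is SHA-1 over the raw (base64-decoded) public-key blob.
    fingerprint = hashlib.sha1(base64.b64decode(blob_b64)).hexdigest().upper()
    return "%s. %d IN SSHFP %d 1 %s" % (fqdn.rstrip("."), ttl, algorithm, fingerprint)


def nsupdate_commands(fqdn, pubkey_lines, zones, ttl=1200):
    """Return nsupdate input in the shape ipa-client-install logged it:
    zone, delete the old SSHFP set, send, add each record, send."""
    zone = select_zone(fqdn, zones)
    name = fqdn.rstrip(".") + "."
    lines = ["zone %s" % zone, "update delete %s IN SSHFP" % name, "send"]
    for line in pubkey_lines:
        lines.append("update add " + sshfp_record(fqdn, line, ttl))
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(nsupdate_commands(CLIENT_FQDN, SAMPLE_KEYS, AUTHORITATIVE_ZONES))
```

With a second authoritative zone login.mydomain.net added to the list, the same host is placed in that more specific zone, which is the other design the thread asks about.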
From mkosek at redhat.com Fri Jun 5 06:06:09 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 05 Jun 2015 08:06:09 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved
In-Reply-To:
References: <556EAE04.3030704@redhat.com> <556EBD47.6090909@redhat.com>
Message-ID: <55713C51.6050809@redhat.com>

On 06/04/2015 07:34 PM, Christopher Lamb wrote:
> Hi All
>
> I can now report back success (at least on my throwaway EL7.1 test VM).
>
> To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC to a new FreeIPA 4.1 KDC 3 steps are required:
>
> 1) ipa-client-install --uninstall
>
> 2) rm -f /var/lib/sss/db/*
>
> 3) ipa-client-install --server ldap.my.example.com --domain my.example.com -N
>
> Having done this, my free-ipa user successfully authenticates (e.g. ssh remote login with free-ipa user / password)
>
> To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required.
>
> Kudos and thanks go to Rob C for suggesting step 2. (Note that the directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as suggested earlier in this thread.)

Cool! Thanks for reaching back. I added this advice to the FreeIPA Troubleshooting guide too:
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client

>
> Cheers
>
> Chris
>
> From: Martin Kosek
> To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com
> Cc: Jakub Hrozek, Rob Crittenden
> Date: 03.06.2015 10:39
> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>
> On 06/03/2015 10:30 AM, Christopher Lamb wrote:
>> Hi all
>>
>> This is a quick(ish) note to bring everybody up to speed on this issue. Yesterday we had some private mail exchange on this issue as I did not wish to broadcast the krb5 and ipa install logs to the user list.
>> >> The basic situation is that we are in the process of migrating from an >> FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As > discussed >> in a thread some weeks ago we did not do this by replicating (as perhaps > we >> should have done). Instead we migrated the users across. >> >> We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to >> the old KDC. We are now in the process of migrating these hosts to the > new >> 4.1 KDC. >> >> Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these > joining >> to the new KDC was trouble free, taking a few minutes each. After joining >> the new KDC FreeIPA users authenticated properly. >> >> We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were >> joined direct to the new 4.1 KDC, never having been joined of the 3.3.3 >> KDC. These were also trouble free. >> >> The problem occurs with a handful of existing EL 7.1 +ipa-client 4.1 > hosts >> that were originally joined to the 3.3.3 KDC, and must be moved to join > the >> 4.1 KDC. These machines no longer authenticate valid FreeIPA users. I > have >> been able to reproduce this behaviour with a freshly setup VM joined > first >> to the 3.3.3 KDC, then moved to the 4.1 KDC. >> >> While the errors show in the krb5 child logs indicate that the password > is >> incorrect, the same user / password is happily accepted by all the other >> hosts. >> >> It seems that in the process of moving / migrating the EL 7.1 / > ipa-client >> 4.1 from the old KDC to the new KDC, "something" is left behind that > causes >> problems. We have seen indications in the install logs that the kinit > steps >> called during ipa-client install are getting responses from the wrong > (old) >> KDC, and not from the new KDC. >> >> Frustratingly. over the weekend i managed to get one of the problem EL > 7.1 >> boxes to work. However I can't work out exactly what I was that I did > that >> did the trick. 
>> However it seems that some kind of major de-install /
>> cleanup + reinstall of the ipa-client may be needed.
>>
>> Rob has suggested that as part of such a cleanup I should do "rm
>> -f /var/lib/sssd/db/*". I will test this later today and report back.
>>
>> Thanks to Rob, Jakub, Martin, Alexander et al for their help and
>> suggestions so far.
>>
>> Chris
>
> Thanks for the background. The pain you are getting is exactly the reason why
> migration via replication to RHEL-7.1 is a better choice :-) Please let us know
> the result, I am curious how this works out.
>
>> From: Martin Kosek
>> To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com, Jakub Hrozek
>> Date: 03.06.2015 09:34
>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>
>> On 06/02/2015 06:15 PM, Christopher Lamb wrote:
>>>
>>> Hi
>>>
>>> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause
>>> of this problem. Let's call them HOST09 and HOST10
>>>
>>> Both are minimum installs of EL7.1, with NTPD installed and configured.
>>>
>>> HOST09 had ipa-client 4.1 installed via yum, and was configured to use our
>>> new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
>>> authenticates successfully against this machine.
>>>
>>> HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
>>> config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
>>> My FreeIPA user authenticates successfully against this machine.
>>>
>>> I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
>>> against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
>>> authenticate successfully.
>>>
>>> This replicates well the behaviour I saw with my production servers, namely
>>> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
>>> FreeIPA server authenticate properly.
>>>
>>> b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
>>> FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
>>> authenticate properly
>>>
>>> Chris
>>
>> Hello,
>>
>> This is really strange. What I do not fully understand is what is the
>> "registration against a FreeIPA server". What server you install IPA client
>> should matter if the deployment is set up properly. The host enrollment entry
>> should simply replicate to whole infrastructure. The only thing that will
>> probably differ is sssd.conf and krb5.conf as they will have different primary
>> server set up, based on what your DNS setup is.
>>
>> It rather seems that the "reregistration" is what causes the issue. It looks
>> like some cleanup problem during the process. I will let Jakub help
>> here, I would suggest including the SSSD logs from the failed login, it may
>> help.
>>
>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 -----
>>>
>>> From: Christopher Lamb/Switzerland/IBM at IBMCH
>>> To: Jakub Hrozek
>>> Cc: freeipa-users at redhat.com
>>> Date: 02.06.2015 10:40
>>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>> Sent by: freeipa-users-bounces at redhat.com
>>>
>>> Hi Jakub
>>>
>>> Yes root login works, that's how I've been getting into the box.
>>>
>>> Surprisingly, kinit with my user seems to work on that box. After entering
>>> my password when prompted, it returns to the commandline without error.
>>>
>>> However if I try kinit with another FreeIPA user, then instead of prompting
>>> for a password, it gives "Generic preauthentication failure while getting
>>> initial credentials" error.
>>>
>>> Having set debug_level=10, when I try and ssh in with my FreeIPA user, I
>>> find errors like
>>>
>>> "Retrieving host .... with result: ..
>>> Matching credential not found"
>>>
>>> "Received error from KDC ... Additional pre-authentication required"
>>>
>>> "Received error from KDC... Decrypt integrity check failed"
>>>
>>> "Received error code 1432158219"
>>>
>>> Cheers
>>>
>>> Chris
>>>
>>> From: Jakub Hrozek
>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>> Cc: freeipa-users at redhat.com
>>> Date: 02.06.2015 09:50
>>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>>
>>> On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
>>>> Hi Jakub
>>>>
>>>> The same user / password works with all our FreeIPA hosts - just this one
>>>> box is the problem. So the password should be good. Of course a typo is
>>>> always possible (especially for strong passwords), but I have tried many
>>>> times which should eliminate the odd password typo. The user / password
>>>> should also be good for both the old and the new FreeIPA Server.
>>>
>>> Interesting, can you add debug_level=10 to the domain section of
>>> sssd.conf? Then krb5_child.log should show Kerberos tracing info
>>> including which exact KDC SSSD was talking to.
>>>
>>>> As I can neither log in direct, or via ssh to this box with my FreeIPA
>>>> user, I assume kinit with my user won't work - I will try later in the
>>>> day.
>>>
>>> Well, login as a UNIX user (root) should work..
>>>
>>>> My working assumption is that the problem is related in some way to the
>>>> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
>>>> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
>>>> throwaway EL 7.1 VMs to better test this. On one I will first install
>>>> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
>>>> client.
>>>>
>>>> Cheers
>>>>
>>>> Chris
>>>>
>>>> From: Jakub Hrozek
>>>> To: freeipa-users at redhat.com
>>>> Date: 02.06.2015 09:22
>>>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>
>>>> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
>>>>>
>>>>> Hi All
>>>>>
>>>>> Bad news.
>>>>>
>>>>> Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
>>>>> host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
>>>>> remote login with FreeIPA user and password).
>>>>>
>>>>> Today I tried a second machine, and had the same problem, ssh connections
>>>>> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
>>>>> failed"
>>>>
>>>> This really just means wrong password, can you kinit as that user using
>>>> the same password?
>>>>
>>>>> Ahh I thought, I have a solution for that: just remove ipa-client and
>>>>> reinstall via yum, register with the new FreeIPA server ....
>>>>>
>>>>> Only with this second machine I still can't ssh in with a FreeIPA user.
>>>>> Argg.....
>>>>>
>>>>> b.t.w, as this machine is a real physical server, I was able to try logging
>>>>> in direct with my FreeIPA user --> "Authentication Failure"
>>>>>
>>>>> I now have
>>>>> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
>>>>>   FreeIPA server to the new without a hitch (i.e. they successfully
>>>>>   authenticate FreeIPA users.)
>>>>> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
>>>>>   with problems
>>>>> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
>>>>>   authenticate with a FreeIPA user
>>>>> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
>>>>>   FreeIPA server, and successfully authenticates FreeIPA users.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Chris
>>>>>
>>>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
>>>>>
>>>>> From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>> To: Alexander Bokovoy , freeipa-users at redhat.com
>>>>> Date: 30.05.2015 18:52
>>>>> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
>>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>>
>>>>> Hi All
>>>>>
>>>>> It gives me pleasure to report the problem is solved - a minute ago I was
>>>>> able to login via ssh with my FreeIPA user to the problem server, while
>>>>> sitting on my terrace with a glass of wine!
>>>>>
>>>>> Thanks to Alexander for his helpful advice - we had some mail exchange
>>>>> outside the user list as I did not wish to broadcast content of keys,
>>>>> config files etc.
>>>>>
>>>>> Regardless of what I did with commands like klist, kvno everything seemed
>>>>> "ok", but I still could not ssh in. Even an ipa-getkeytab did not help.
>>>>>
>>>>> Therefore I decided to opt for brute force and (partial) ignorance. I
>>>>> completely uninstalled the FreeIPA client, and then reinstalled, configured
>>>>> - et voilà, I could ssh in!
>>>>>
>>>>> This leaves the enigma: what caused the problem? I suspect the following:
>>>>>
>>>>> The host is an EL 7.1, but the first FreeIPA client installed was version
>>>>> 3.3.3 (installed as set of standard packages that we bung on all our
>>>>> servers).
>>>>>
>>>>> This worked fine to authenticate against our "old" 3.x FreeIPA server, but
>>>>> did not work against the "new" 4.1 FreeIPA Server.
>>>>>
>>>>> When I realised I could not ssh in, one of the first things I did was to
>>>>> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
>>>>> The solution was to yum remove the FreeIPA client, then yum install the 4.1
>>>>> client.
>>>>>
>>>>> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
>>>>> it will be interesting to see if the problem can be reproduced.
>>>>>
>>>>> Keep up the good work,
>>>>>
>>>>> Chris
>>>>>
>>>>> From: Alexander Bokovoy
>>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>> Cc: freeipa-users at redhat.com
>>>>> Date: 29.05.2015 18:04
>>>>> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
>>>>>
>>>>> On Fri, 29 May 2015, Christopher Lamb wrote:
>>>>>>
>>>>>> Hi All
>>>>>>
>>>>>> Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
>>>>>> the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
>>>>>> across the users.
>>>>>>
>>>>>> We have 50 odd Servers that are FreeIPA clients. Today I started migrating
>>>>>> these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
>>>>>> server by doing an ipa-client-install --uninstall from the old, and
>>>>>> ipa-client-install to register with the new 4.1.0 server.
>>>>>>
>>>>>> Most of the FreeIPA clients are running OEL 6.5, and for these the
>>>>>> migration process above worked perfectly. After migrating the server, I
>>>>>> could ssh in with my FreeIPA user.
>>>>>>
>>>>>> Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
>>>>>> getent passwd was successful for my FreeIPA user. However when I try and
>>>>>> ssh in, my FreeIPA user / password is not accepted.
>>>>>>
>>>>>> Before the migration I could ssh into the problem server (though evidently
>>>>>> it was using my FreeIPA user from the old FreeIPA server).
>>>>>>
>>>>>> I can ssh in with a local (non ldap) user, so ssh is running and working.
>>>>>>
>>>>>> From user root I can successfully su to my FreeIPA user.
>>>>>>
>>>>>> Further investigation showed that version of ipa-client installed was
>>>>>> 3.3.3, so I yum updated this to 4.1.0.
>>>>>>
>>>>>> However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>>>>>> same user continues to work for the 6.5 boxes.
>>>>>>
>>>>>> A colleague tried to ssh in with his FreeIPA user, and was also rejected,
>>>>>> so the problem is not my user, but is probably for all FreeIPA users.
>>>>>>
>>>>>> A failed ssh login attempt causes the following error in /var/log/messages
>>>>>>
>>>>>> [sssd[krb5_child[5393]]]: Decrypt integrity check failed
>>>>> It means /etc/krb5.keytab contains keys from older system and SSSD
>>>>> picks them up.
>>>>> Can you show output of 'klist -kKet'?
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project

From mkosek at redhat.com Fri Jun 5 06:27:37 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 05 Jun 2015 08:27:37 +0200
Subject: [Freeipa-users] Could not update DNSSSHFP records when joining domain
In-Reply-To: <0db5a917a346dddb52f1101676199b69.squirrel@webmail.nathanpeters.com>
References:
 <737a0e7798e8ab51d4eef4eb5359a976.squirrel@webmail.nathanpeters.com>
 <1fdaaee7c22e638d2a2c825409981bea.squirrel@webmail.nathanpeters.com>
 <0db5a917a346dddb52f1101676199b69.squirrel@webmail.nathanpeters.com>
Message-ID: <55714159.5060808@redhat.com>

On 06/05/2015 12:27 AM, nathan at nathanpeters.com wrote:
>>> I am running FreeIPA 4.1.3 on CentOS7.
>>>
>>> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
>>>
>>> The client hostname is ipaclient.login.mydomain.net.
>>>
>>> The FreeIPA domain is mydomain.net.
>>>
>>> This post here :
>>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html
>>> states that making all dns entries into a single zone rather than having a
>>> separate zone for login.mydomain.net is a perfectly acceptable design
>>> choice.
>>>
>>> However, an issue occurs when joining the client. It joins to the domain
>>> fine and creates the initial DNS A entry, but then according to the logs,
>>> when it goes to update the DNSSSHFP records, it fails because it tries to
>>> update the nonexistent zone login.mydomain.net instead of just updating
>>> mydomain.net. To be clear, the SSH host keys are in the client record so
>>> the only issue is with adding them to DNS
>>>
>>> Here are the relevant log entries generated with ipa-client-install:
>>>
>>> 2015-06-03T16:11:12Z DEBUG stderr=
>>> 2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to
>>> /etc/ipa/.dns_update.txt:
>>> 2015-06-03T16:11:12Z DEBUG zone login.mydomain.net.
>>> update delete ipaclient.login.mydomain.net. IN SSHFP
>>> send
>>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1
>>> 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60
>>> update add ipaclient.login.mydomain.net.
>>> 1200 IN SSHFP 2 1
>>> 11D3F076F616F02AD74BFF4D48E8BBA239063E8F
>>> send
>>>
>>> 2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g
>>> /etc/ipa/.dns_update.txt
>>> 2015-06-03T16:11:13Z DEBUG stdout=
>>> 2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
>>> update failed: NOTAUTH
>>>
>>> 2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
>>> /etc/ipa/.dns_update.txt' returned non-zero exit status 2
>>> 2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.
>>
>> Here are some more entries from /var/named/data/named.run.
>>
>> You'll notice in the first set of entries, I added the hosts with the
>> incorrect subdomain set and it worked fine.
>>
>> In the second set, I gave the correct hostnames and even though it claims
>> it's still trying to update the mydomain.net file it says it's not
>> authorized. I am thoroughly confused by this behavior.
>>
>> successful
>> ----------
>> 01-Jun-2015 18:36:04.580 client 10.21.5.206#40096/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' A
>> 01-Jun-2015 18:36:04.590 client 10.21.5.206#34641/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' A
>> 01-Jun-2015 18:36:25.582 client 10.21.5.206#49800/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' SSHFP
>> 01-Jun-2015 18:36:25.595 client 10.21.5.206#34081/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
>> 01-Jun-2015 18:36:26.363 client 10.21.5.206#34081/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
>>
>> unsuccessful
>> ------------
>> 03-Jun-2015 16:10:56.407 client 10.21.5.206#52739/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
>> 03-Jun-2015 16:10:56.420 client 10.21.5.206#50551/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
>> 03-Jun-2015 16:11:12.993 client 10.21.5.206#39633/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
>> 03-Jun-2015 16:11:13.005 client 10.21.5.206#50415/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
>
> So can anyone at least tell me whether it is intended that you have to
> create a separate DNS subdomain rather than one big domain file in order
> to get DNSSSHFP
> records to save or is that a bug and you should be able to
> just have one large domain and not break out the subdomains?

I thought it is not needed to create subdomains in order for nsupdate to work.
Maybe it is an Update policy thing? Petr, do you know?

From jian at traffics.de Fri Jun 5 07:56:35 2015
From: jian at traffics.de (Junhe Jian)
Date: Fri, 5 Jun 2015 09:56:35 +0200
Subject: [Freeipa-users] IPA v3 Certificate not renewed
References: <061FC241309C8543AAC51450EE0CA595012BB94D35FB@EX01.office.traffics-switch.de>
 <557062B8.2000100@redhat.com>
 <061FC241309C8543AAC51450EE0CA595012BB94D3611@EX01.office.traffics-switch.de>
 <557068DB.2020204@redhat.com>
Message-ID: <061FC241309C8543AAC51450EE0CA595012BB94D363D@EX01.office.traffics-switch.de>

Hi Rob and guys,

I deleted the server with CentOS 6.6 and gave the ipa (CentOS 6.4) with the new
certificate the same IP in my network. Then I got on the ipa webgui a lot of
"unknown option no_members" errors. After I upgraded ipa CentOS 6.4 to CentOS 6.6
(because all other clients run CentOS 6.6), now everything works fine in my network.

Thank you Rob :)
_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Junhe Jian
Sent: Thursday, 4 June 2015 17:25
To: 'Rob Crittenden'; freeipa-users at redhat.com
Subject: Re: Re: [Freeipa-users] IPA v3 Certificate not renewed

Hi Rob,

I have only added "NSSEnforceValidCerts off" to nss.conf. ipa ran the last 2 years
without problem since the certificate expired. I loaded all the proxy modules in
apache and restarted httpd and certmonger.
Yeah, the certificates are renewed

[root at be-ipasrv httpd]# getcert list | grep status
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
status: MONITORING
[root at be-ipasrv httpd]# getcert list | grep expir
expires: 2017-04-29 08:14:24 UTC
expires: 2017-04-29 08:13:24 UTC
expires: 2017-04-29 08:13:24 UTC
expires: 2017-04-29 08:13:24 UTC
expires: 2017-04-29 08:13:24 UTC
expires: 2017-05-26 08:21:01 UTC
expires: 2017-05-26 08:20:43 UTC
expires: 2017-05-26 08:21:08 UTC

On the other server with CentOS 6.6 and ipa-server-3.0.0-42.el6.centos.x86_64 I get the error

Request ID '20130528090822':
	status: CA_UNREACHABLE
	ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://EXAMPLE.de:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLEDE/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.DE
	subject: CN=EXAMPLE.de,O=EXAMPLE.DE
	expires: 2015-05-29 09:08:22 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130528090849':
	status: CA_UNREACHABLE
	ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.DE
	subject: CN=EXAMPLE.de,O=EXAMPLE.DE
	expires: 2015-05-29 09:08:49 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130528090923':
	status: CA_UNREACHABLE
	ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.DE
	subject: CN=EXAMPLE.de,O=EXAMPLE.DE
	expires: 2015-05-29 09:09:23 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

and the http error log if I resubmit the id

[Tue May 26 10:01:31 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue May 26 10:01:31 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 26 10:01:32 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue May 26 10:01:32 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue May 26 10:01:32 2015] [notice] Digest: generating secret for digest authentication ...
[Tue May 26 10:01:32 2015] [notice] Digest: done
[Tue May 26 10:01:33 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.16.1 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue May 26 10:01:34 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:01:34 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:02:36 2015] [error] Bad remote server certificate: -8181
[Tue May 26 10:02:36 2015] [error] SSL Library Error: -8181 Certificate has expired
[Tue May 26 10:02:36 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue May 26 10:02:36 2015] [error] ipa: INFO: host/EXAMPLE.de at TIBET.TRAFFICS-SWITCH.DE: cert_request(u'[base64-encoded CSR elided]', principal=u'ldap/EXAMPLE.de at EXAMPLE.DE', add=True): NetworkError
[Tue May 26 10:02:38 2015] [error] Bad remote server certificate: -8181
[Tue May 26 10:02:38 2015] [error] SSL Library Error: -8181 Certificate has expired

Do you have an idea? Thank you!
_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, 4 June 2015 17:04
To: Junhe Jian; freeipa-users at redhat.com
Subject: Re: Re: [Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian wrote:
> Hi Rob,
>
> I set the date in the past to "26 MAY 2015"
> and added "NSSEnforceValidCerts off" to nss.conf
>
> and resubmitted the 3 IDs
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090822
> Resubmitting "20130528090822" to "IPA".
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090849
> Resubmitting "20130528090849" to "IPA".
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090923
> Resubmitting "20130528090923" to "IPA".
>
> Restarted ipa and certmonger
>
> now I get this error in http_error
>
> [Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
> [Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ...
> [Tue May 26 10:00:31 2015] [notice] Digest: done
> [Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
> [Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)

Have you changed your apache configuration? It looks that way. You need the
proxy modules loaded.

rob

From jhrozek at redhat.com Fri Jun 5 08:06:35 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 5 Jun 2015 10:06:35 +0200
Subject: [Freeipa-users] How to handle users with multiple homedirs on different machines?
In-Reply-To:
References: <20150603062919.GB9862@mail.corp.redhat.com>
Message-ID: <20150605080635.GC630@hendrix.arn.redhat.com>

On Thu, Jun 04, 2015 at 05:06:03PM -0600, swartz wrote:
> On Wed, Jun 3, 2015 at 12:29 AM, Lukas Slebodnik wrote:
>
> > However sssd is available just on linux (or FreeBSD)
> > I'm not sure which clients do you use on Solaris or other
>
> Solaris would be configured via LDAP.
> RedHat appears to have a pretty good
> guide for doing this.
> Same goes for any other systems lacking sssd client or so I hope.
>
> > >As an example, I have user Bob.
> > >On a Linux box Bob has homedir at /home/b/bob
> >                                          ^
> > Unfortunately, there's no way how to say
> > sssd to use just first letter from name.
>
> Hmmm. Is it time for a feature request? Should this be directed to SSSD or
> FreeIPA group?

SSSD, please.

> override_homedir appears to have plenty of substitution options. This
> wouldn't be a major change request.
> For more flexibility, I think it would be nice to refer to an output of a
> script for determining homedir overrides.
>
> > >On a Solaris this is likely /export/home/bob
> > >While on some other odd system it could be /mnt/nas/users/bob
> > Different "prefix" for homedir "/export/home", "/home", "/mnt/nas/users"
> > could be addressed with the option homedir_substring in sssd conf.
> > https://fedorahosted.org/sssd/ticket/1853
> > So you could store "%H" in ldap attribute,
> > but clients need to understand such value.
> > (sssd >= 1.11.6). I'm not sure about other clients.
>
> As there is no sssd client for Solaris, I think I may have found a
> workaround via automounter as suggested by Coy Hile.
> But that only solves the Solaris specific homedir paths. In any case, I'm
> further today than I was yesterday. Thank you.
From pspacek at redhat.com Fri Jun 5 08:07:27 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 05 Jun 2015 10:07:27 +0200
Subject: [Freeipa-users] Could not update DNSSSHFP records when joining domain
In-Reply-To: <55714159.5060808@redhat.com>
References: <737a0e7798e8ab51d4eef4eb5359a976.squirrel@webmail.nathanpeters.com>
 <1fdaaee7c22e638d2a2c825409981bea.squirrel@webmail.nathanpeters.com>
 <0db5a917a346dddb52f1101676199b69.squirrel@webmail.nathanpeters.com>
 <55714159.5060808@redhat.com>
Message-ID: <557158BF.6030207@redhat.com>

On 5.6.2015 08:27, Martin Kosek wrote:
> On 06/05/2015 12:27 AM, nathan at nathanpeters.com wrote:
>>>> I am running FreeIPA 4.1.3 on CentOS7.
>>>>
>>>> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
>>>>
>>>> The client hostname is ipaclient.login.mydomain.net.
>>>>
>>>> The FreeIPA domain is mydomain.net.
>>>>
>>>> This post here :
>>>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html
>>>> states that making all dns entries into a single zone rather than having a
>>>> separate zone for login.mydomain.net is a perfectly acceptable design
>>>> choice.
>>>>
>>>> However, an issue occurs when joining the client. It joins to the domain
>>>> fine and creates the initial DNS A entry, but then according to the logs,
>>>> when it goes to update the DNSSSHFP records, it fails because it tries to
>>>> update the nonexistent zone login.mydomain.net instead of just updating
>>>> mydomain.net.
To be clear, the SSH host keys are in the client record so >>>> the only issue is with adding them to DNS >>>> >>>> Here are the relevant log entries generated with ipa-client-install: >>>> >>>> 2015-06-03T16:11:12Z DEBUG stderr= >>>> 2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to >>>> /etc/ipa/.dns_update.txt: >>>> 2015-06-03T16:11:12Z DEBUG zone login.mydomain.net. >>>> update delete ipaclient.login.mydomain.net. IN SSHFP >>>> send >>>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1 >>>> 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60 >>>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1 >>>> 11D3F076F616F02AD74BFF4D48E8BBA239063E8F >>>> send >>>> >>>> 2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g >>>> /etc/ipa/.dns_update.txt >>>> 2015-06-03T16:11:13Z DEBUG stdout= >>>> 2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH >>>> update failed: NOTAUTH >>>> >>>> 2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate >>>> -g >>>> /etc/ipa/.dns_update.txt' returned non-zero exit status 2 >>>> 2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records. >>>> >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> >>> Here are some more entries from /var/named/data/named.run. >>> >>> You'll notice in the first set of entries, I added the hosts with the >>> incorrect subdomain set and it worked fine. >>> >>> In the second set, I gave the correct hostnames and even though it claims >>> it's still trying to update the mydomain.net file it says it's not >>> authorized. I am thoroughly confused by this behavior. 
>>> >>> successful >>> ---------- >>> 01-Jun-2015 18:36:04.580 client 10.21.5.206#40096/key >>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' A >>> 01-Jun-2015 18:36:04.590 client 10.21.5.206#34641/key >>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' A >>> 01-Jun-2015 18:36:25.582 client 10.21.5.206#49800/key >>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' SSHFP >>> 01-Jun-2015 18:36:25.595 client 10.21.5.206#34081/key >>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP >>> 01-Jun-2015 18:36:26.363 client 10.21.5.206#34081/key >>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP >>> >>> unsuccessful >>> ------------ >>> 03-Jun-2015 16:10:56.407 client 10.21.5.206#52739/key >>> host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': update failed: not authoritative for update zone >>> (NOTAUTH) >>> 03-Jun-2015 16:10:56.420 client 10.21.5.206#50551/key >>> host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': update failed: not authoritative for update zone >>> (NOTAUTH) >>> 03-Jun-2015 16:11:12.993 client 10.21.5.206#39633/key >>> host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': update failed: not authoritative for update zone >>> (NOTAUTH) >>> 03-Jun-2015 16:11:13.005 client 10.21.5.206#50415/key >>> host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone >>> 'mydomain.net/IN': update failed: not authoritative for update zone >>> (NOTAUTH) >>> >>> >>> >> >> So can anyone at least tell me whether it is intended that you have to >> create a separate DNS subdomain rather than one 
big domain file in order >> to get DNSSSHFP records to save or is that a bug and you should be able to >> just have one large domain and not break out the subdomains? > > I thought it is not needed to create subdomains in order for nsupdate to work. > Maybe it is a Update policy thing? Petr, do you know? I'm sorry for the late reply. Nathan is most probably facing this bug: https://fedorahosted.org/freeipa/ticket/4780 It was fixed in FreeIPA 4.1.3, patch is here: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=8b4301473233afdf0ae3c72ad33bcd04182e63c6 Please note that SSSD has the very same bug (unnecessary/wrong use of explicit zone statement in nsupdate input): https://fedorahosted.org/sssd/ticket/2540 This will affect A/AAAA/PTR updates done by SSSD after ipa-client-install. This should be fixed in upcoming SSSD 1.13. I do not see any other workaround except for splitting zones, sorry! -- Petr^2 Spacek From d.rabiega at gmail.com Fri Jun 5 09:40:05 2015 From: d.rabiega at gmail.com (Dawid Rabiega) Date: Fri, 5 Jun 2015 11:40:05 +0200 Subject: [Freeipa-users] ns-slapd started crashing suddenly Message-ID: Hi, One of my ipa server on fedora 19 since yesterday started to crash, with following message to dmesg: $ dmesg | tail -n 20 [6706148.291648] ns-slapd[3212]: segfault at 0 ip 00007f6fc9a84421 sp 00007f6f8f7eb928 error 4 in libc-2.17.so[7f6fc99fe000+1b6000] [6706170.887926] ns-slapd[3359]: segfault at 0 ip 00007f923ce89421 sp 00007f91fd7e7928 error 4 in libc-2.17.so[7f923ce03000+1b6000] [6706264.491787] ns-slapd[3463]: segfault at 0 ip 00007f2d9020d421 sp 00007f2d527e9928 error 4 in libc-2.17.so[7f2d90187000+1b6000] [6706311.092133] ns-slapd[4015]: segfault at 0 ip 00007f62287d7421 sp 00007f61efff4928 error 4 in libc-2.17.so[7f6228751000+1b6000] [6706500.581441] ns-slapd[4361]: segfault at 0 ip 00007facbe1e1421 sp 00007fac807e5928 error 4 in libc-2.17.so[7facbe15b000+1b6000] [6706690.693958] ns-slapd[4932]: segfault at 0 ip 00007f8d72cbc421 sp 
00007f8d3d7f7928 error 4 in libc-2.17.so[7f8d72c36000+1b6000] [6715473.156094] ns-slapd[18406]: segfault at 0 ip 00007f22fedea421 sp 00007f22c1fe8928 error 4 in libc-2.17.so[7f22fed64000+1b6000] [6716455.653949] ns-slapd[20571]: segfault at 0 ip 00007f190695e421 sp 00007f18dcff6928 error 4 in libc-2.17.so[7f19068d8000+1b6000] [6716646.006961] ns-slapd[21375]: segfault at 0 ip 00007ffb9c889421 sp 00007ffb64ff6928 error 4 in libc-2.17.so[7ffb9c803000+1b6000] [6717027.574362] ns-slapd[22082]: segfault at 0 ip 00007f9fdbda7421 sp 00007f9faeffa928 error 4 in libc-2.17.so[7f9fdbd21000+1b6000] [6751004.788596] ns-slapd[9779]: segfault at 0 ip 00007f0398f48421 sp 00007f03617f7928 error 4 in libc-2.17.so[7f0398ec2000+1b6000] [6751019.360517] ns-slapd[10018]: segfault at 0 ip 00007f267852c421 sp 00007f263afea928 error 4 in libc-2.17.so[7f26784a6000+1b6000] [6751154.258362] ns-slapd[10179]: segfault at 0 ip 00007f2c6d854421 sp 00007f2c31ff0928 error 4 in libc-2.17.so[7f2c6d7ce000+1b6000] [6751208.966127] ns-slapd[10520]: segfault at 0 ip 00007f9a31a59421 sp 00007f99f87ed928 error 4 in libc-2.17.so[7f9a319d3000+1b6000] [6751305.469969] ns-slapd[10608]: segfault at 0 ip 00007f6e9348b421 sp 00007f6e55ff0928 error 4 in libc-2.17.so[7f6e93405000+1b6000] [6751328.997404] ns-slapd[10736]: segfault at 0 ip 00007f8c936b1421 sp 00007f8c5d7f7928 error 4 in libc-2.17.so[7f8c9362b000+1b6000] [6751432.356753] ns-slapd[10835]: segfault at 0 ip 00007f7dffd84421 sp 00007f7dca7f9928 error 4 in libc-2.17.so[7f7dffcfe000+1b6000] [6751454.826551] ns-slapd[11107]: segfault at 0 ip 00007f03621d5421 sp 00007f0326fea928 error 4 in libc-2.17.so[7f036214f000+1b6000] [6751549.459424] ns-slapd[11414]: segfault at 0 ip 00007f9e0f74b421 sp 00007f9dd2fea928 error 4 in libc-2.17.so[7f9e0f6c5000+1b6000] [6751573.611284] ns-slapd[11567]: segfault at 0 ip 00007f044fd73421 sp 00007f0419ff8928 error 4 in libc-2.17.so[7f044fced000+1b6000] $ rpm -qa | grep 389 389-ds-base-1.3.1.22-1.fc19.x86_64 
389-ds-base-libs-1.3.1.22-1.fc19.x86_ $ rpm -qa | grep ipa libipa_hbac-python-1.11.5.1-1.fc19.x86_64 sssd-ipa-1.11.5.1-1.fc19.x86_64 freeipa-client-3.3.5-1.fc19.x86_64 freeipa-admintools-3.3.5-1.fc19.x86_64 freeipa-server-3.3.5-1.fc19.x86_64 python-iniparse-0.4-7.fc19.noarch libipa_hbac-1.11.5.1-1.fc19.x86_64 freeipa-python-3.3.5-1.fc19.x86_64 I have no idea what happened, or what to check next. Any idea? Best Regards, Dawid From Alexander.Frolushkin at megafon.ru Fri Jun 5 09:57:58 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Fri, 5 Jun 2015 09:57:58 +0000 Subject: [Freeipa-users] AD trust problem Message-ID: Hello! We have 17 IPA servers and AD trusts, with user accounts from AD used to ssh to linux servers, with IPA's HBAC and SUDO. Today on 4 of the IPA servers we got "wbinfo --online-status" showing the AD domain "offline" and AD users missing some group memberships. Is there some way to debug this issue? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 ________________________________ The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information.
The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. From abokovoy at redhat.com Fri Jun 5 10:22:44 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 5 Jun 2015 13:22:44 +0300 Subject: [Freeipa-users] AD trust problem In-Reply-To: References: Message-ID: <20150605102244.GL10162@redhat.com> On Fri, 05 Jun 2015, Alexander Frolushkin wrote: >Hello! >We have 17 IPA servers and AD trusts with user accounts from AD used to ssh linux servers, with IPA's HBAC and SUDO. >Today on 4 of IPA servers we got >"wbinfo --online-status" >showing AD domain "offline" >and AD users missing some groups membership. >Is there some way to debug this issue? Yes: 1. Don't use wbinfo if you are running on RHEL7/Fedora 21+, it is not useful at all. 2. If you have issues with memberships, follow https://fedorahosted.org/sssd/wiki/Troubleshooting to generate meaningful logs. Without logs it is impossible to grasp what you are experiencing. -- / Alexander Bokovoy From Alexander.Frolushkin at megafon.ru Fri Jun 5 10:57:32 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Fri, 5 Jun 2015 10:57:32 +0000 Subject: [Freeipa-users] AD trust problem In-Reply-To: <20150605102244.GL10162@redhat.com> References: <20150605102244.GL10162@redhat.com> Message-ID: <07bae4f5ad1744f4a9d244b5fc3e3697@sib-ums03.Megafon.ru> 1. Thank you for this information, but "offline domain" is only a correlated fact - the real problem is that a number of the AD account's user groups are missing. 2.
sssd in debug mode shows only the Domain Users group at the HBAC stage. Am I understanding correctly that currently on the ipa server there is no way to check trusts or AD server connectivity? Because it seems like the problem is site-related; only servers in two regions have the problem with AD user groups... WBR, Alexander Frolushkin -----Original Message----- From: Alexander Bokovoy [mailto:abokovoy at redhat.com] Sent: Friday, June 05, 2015 4:23 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] AD trust problem On Fri, 05 Jun 2015, Alexander Frolushkin wrote: >Hello! >We have 17 IPA servers and AD trusts with user accounts from AD used to ssh linux servers, with IPA's HBAC and SUDO. >Today on 4 of IPA servers we got >"wbinfo --online-status" >showing AD domain "offline" >and AD users missing some groups membership. >Is there some way to debug this issue? Yes: 1. Don't use wbinfo if you are running on RHEL7/Fedora 21+, it is not useful at all. 2. If you have issues with memberships, follow https://fedorahosted.org/sssd/wiki/Troubleshooting to generate meaningful logs. Without logs it is impossible to grasp what you are experiencing. -- / Alexander Bokovoy From abokovoy at redhat.com Fri Jun 5 11:19:05 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 5 Jun 2015 14:19:05 +0300 Subject: [Freeipa-users] AD trust problem In-Reply-To: <07bae4f5ad1744f4a9d244b5fc3e3697@sib-ums03.Megafon.ru> References: <20150605102244.GL10162@redhat.com> <07bae4f5ad1744f4a9d244b5fc3e3697@sib-ums03.Megafon.ru> Message-ID: <20150605111905.GM10162@redhat.com> On Fri, 05 Jun 2015, Alexander Frolushkin wrote: >1. Thank you for this information, but "offline domain" this is only a >correlation fact - real problem is that a number of user groups of AD >account missing. wbinfo has nothing to do with the actual system state because we don't use winbindd in RHEL 7 to resolve users/groups from trusted domains. >2. sssd in debug mode showing only Domain Users group on hbac stage. -EPARSE. Show logs or it did not happen :) >Am I understanding correctly that currently on ipa server there is no >way to check trusts or AD servers connectivity? Because it seems like >problem is site-related, only servers in two regions have problem with >AD user groups... No, you are not understanding correctly. If you enable debugging information in the SSSD configuration, you'll see everything SSSD thinks about connectivity towards the AD DCs.
-- / Alexander Bokovoy From notify.sina at gmail.com Fri Jun 5 13:14:04 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Fri, 5 Jun 2015 14:14:04 +0100 Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain In-Reply-To: <1160734455.11049778.1433443003999.JavaMail.zimbra@redhat.com> References: <55706A6A.6020709@redhat.com> <55706B78.7070209@redhat.com> <1160734455.11049778.1433443003999.JavaMail.zimbra@redhat.com> Message-ID: Odd, sssd sudo came up and started working properly after I added debug to the clients I was interested in. I didn't see any errors in the logs at all. Very strange. Thanks everyone. On Thu, Jun 4, 2015 at 7:36 PM, Pavel Brezina wrote: > Hi, > please put the following line into /etc/sudo.conf to obtain sudo logs and send us the file: > Debug sudo /var/log/sudo_debug all@trace > > ----- Original Message ----- >> From: "Martin Kosek" >> To: "Sina Owolabi" >> Cc: "Cory Carlton" , freeipa-users at redhat.com, "Pavel Brezina" , "Jakub >> Hrozek" >> Sent: Thursday, June 4, 2015 5:15:04 PM >> Subject: Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain >> >> On 06/04/2015 05:13 PM, Sina Owolabi wrote: >> > Hi Martin >> > >> > I have deleted everything in /var/lib/sss/db/ and restarted sssd, >> > no luck. >> >> In that case, I am afraid you might need to enable sudo and SSSD debug >> (https://fedorahosted.org/sssd/wiki/Troubleshooting) and see where it hangs. >> Also CCing sudo/sssd SMEs to be aware. >> >> > >> > On Thu, Jun 4, 2015 at 4:10 PM, Martin Kosek wrote: >> >> On 06/04/2015 05:06 PM, Cory Carlton wrote: >> >>> I would check for DNS resolution from the machine executing the sudo, to >> >>> the IPA server.
>> >> >> >> I would also suggest cleaning SSSD caches, since you reinstalled against >> >> the >> >> same domain, but actually different server (/var/lib/sss/db/) >> >> >> >>> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi >> >>> wrote: >> >>> >> >>>> Hi >> >>>> >> >>>> I recently had to remove and reinstall a fresh IPA server. I am >> >>>> currently re-enrolling all the ipa clients to the recently refreshed >> >>>> domain (same name as the previous realm and domain). The new IPA >> >>>> master is RHEL7.1 with IPA 4.1.3. >> >>>> >> >>>> All client servers are running RHEL6.6. >> >>>> >> >>>> I also have sudorule that allows a group to have access to run all >> >>>> commands on all servers: >> >>>> >> >>>> Rule name: All >> >>>> Enabled: TRUE >> >>>> Host category: all >> >>>> Command category: all >> >>>> User Groups: superusers >> >>>> Sudo Option: !authenticate >> >>>> ---------------------------- >> >>>> >> >>>> I noticed that trying to run sudo on a few of the servers makes the >> >>>> command hang indefinitely. >> >>>> I am not sure what is the cause and where to look. Please what can I >> >>>> do to troubleshoot and fix this? >> >>>> >> >>>> -- >> >>>> Manage your subscription for the Freeipa-users mailing list: >> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >>>> Go to http://freeipa.org for more info on the project >> >>>> >> >>> >> >>> >> >>> >> >> >> >> From notify.sina at gmail.com Fri Jun 5 13:16:35 2015 From: notify.sina at gmail.com (Sina Owolabi) Date: Fri, 5 Jun 2015 14:16:35 +0100 Subject: [Freeipa-users] Is It OK to mix RHEL7 and CentOS 7 IPA domain servers? Message-ID: Hi Due to our subscriptions running out, I'm forced to have to use CentOS7 in our domain as IPA replica servers to join our existing RHEL7 server. Is this OK, or are there any issues I should be aware of? Thanks in advance. 
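Editor's note on the "Could not update DNSSSHFP records" thread earlier in this digest: the nsupdate input written by ipa-client-install began with an explicit "zone login.mydomain.net." statement, and BIND answered NOTAUTH because the server only serves mydomain.net (login.mydomain.net is just labels inside that zone, not a delegated subzone). When no zone statement is given, nsupdate finds the authoritative zone itself from the SOA of the name being updated, which is why the fix in ticket 4780 was to drop the statement. The script below is an added example, not FreeIPA, SSSD or any poster's code: it builds SSHFP rdata from OpenSSH public-key lines the way ssh-keygen -r does (SHA-1 or SHA-256 of the base64-decoded key blob), emits the update without a zone statement, and shows the longest-suffix zone match that an explicit zone statement would have had to name. The host name, the served-zone list and the two public keys are constructed for the example (the RSA modulus is a small dummy value, not a real key); it also goes beyond the log excerpt by covering ECDSA/Ed25519 and SHA-256 fingerprints.

```python
"""Added example (not FreeIPA/SSSD code): build SSHFP records for a host
from its OpenSSH public keys and emit nsupdate input WITHOUT an explicit
'zone' statement, so nsupdate discovers the authoritative zone itself
(via SOA lookup) instead of being told a zone the server does not serve
and failing with NOTAUTH."""
import base64
import hashlib

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FP_TYPES = {"sha1": 1, "sha256": 2}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix + bytes."""
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (leading 0x00 when the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample keys (assumptions for this example, NOT real host keys):
# a tiny 'ssh-rsa' blob and an 'ssh-ed25519' blob with a dummy 32-byte point.
SAMPLE_RSA_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
                   + _ssh_mpint(0xC0FFEE0DDBA11F00D5EED0B00B1E5D00D))
SAMPLE_RSA_PUBKEY = "ssh-rsa " + base64.b64encode(SAMPLE_RSA_BLOB).decode() + " root@ipaclient"
SAMPLE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_ED25519_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_ED25519_BLOB).decode()


def sshfp_rdata(pubkey_line: str, fp_type: str = "sha1"):
    """Return (algorithm, fp_type, HEX_FINGERPRINT) for one authorized_keys-style
    line. The fingerprint is the digest of the raw (base64-decoded) key blob,
    the same value ssh-keygen -r prints for a real key."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    digest = hashlib.new(fp_type, blob).hexdigest().upper()
    return SSHFP_ALGORITHMS[keytype], SSHFP_FP_TYPES[fp_type], digest


def authoritative_zone(fqdn: str, served_zones):
    """Longest zone in served_zones that is a suffix of fqdn, or None.
    This is what an explicit 'zone' statement would have to name: an
    intermediate label such as 'login.mydomain.net' is only a zone if the
    server actually serves it, otherwise the update belongs to the parent."""
    labels = fqdn.rstrip(".").lower().split(".")
    served = {z.rstrip(".").lower() for z in served_zones}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in served:
            return candidate
    return None


def nsupdate_script(fqdn: str, pubkey_lines, ttl: int = 1200, fp_types=("sha1",)) -> str:
    """nsupdate input that replaces the host's SSHFP RRset. No 'zone' line is
    emitted on purpose: nsupdate then locates the zone from the SOA of the
    name, which works whether login.mydomain.net is a delegated subzone or
    just labels inside mydomain.net."""
    name = fqdn.rstrip(".") + "."
    lines = [f"update delete {name} IN SSHFP", "send"]
    for line in pubkey_lines:
        for fpt in fp_types:
            algo, ftype, fp = sshfp_rdata(line, fpt)
            lines.append(f"update add {name} {ttl} IN SSHFP {algo} {ftype} {fp}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the output to a file and feed it to: nsupdate -g /etc/ipa/.dns_update.txt
    print(nsupdate_script("ipaclient.login.mydomain.net",
                          [SAMPLE_RSA_PUBKEY, SAMPLE_ED25519_PUBKEY],
                          fp_types=("sha1", "sha256")), end="")
```

With GSS-TSIG (nsupdate -g) the host principal still needs an update policy on the server that allows it to write its own name; the missing zone statement only fixes the NOTAUTH part, not a REFUSED from the update-policy ACL.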
From rmeggins at redhat.com Fri Jun 5 13:35:52 2015 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 05 Jun 2015 07:35:52 -0600 Subject: [Freeipa-users] ns-slapd started crashing suddenly In-Reply-To: References: Message-ID: <5571A5B8.5020402@redhat.com> On 06/05/2015 03:40 AM, Dawid Rabiega wrote: > Hi, > One of my ipa server on fedora 19 since yesterday started to crash, > with following message to dmesg: > > $ dmesg | tail -n 20 > [6706148.291648] ns-slapd[3212]: segfault at 0 ip 00007f6fc9a84421 sp > 00007f6f8f7eb928 error 4 in libc-2.17.so > [7f6fc99fe000+1b6000] > [6706170.887926] ns-slapd[3359]: segfault at 0 ip 00007f923ce89421 sp > 00007f91fd7e7928 error 4 in libc-2.17.so > [7f923ce03000+1b6000] > [6706264.491787] ns-slapd[3463]: segfault at 0 ip 00007f2d9020d421 sp > 00007f2d527e9928 error 4 in libc-2.17.so > [7f2d90187000+1b6000] > [6706311.092133] ns-slapd[4015]: segfault at 0 ip 00007f62287d7421 sp > 00007f61efff4928 error 4 in libc-2.17.so > [7f6228751000+1b6000] > [6706500.581441] ns-slapd[4361]: segfault at 0 ip 00007facbe1e1421 sp > 00007fac807e5928 error 4 in libc-2.17.so > [7facbe15b000+1b6000] > [6706690.693958] ns-slapd[4932]: segfault at 0 ip 00007f8d72cbc421 sp > 00007f8d3d7f7928 error 4 in libc-2.17.so > [7f8d72c36000+1b6000] > [6715473.156094] ns-slapd[18406]: segfault at 0 ip 00007f22fedea421 sp > 00007f22c1fe8928 error 4 in libc-2.17.so > [7f22fed64000+1b6000] > [6716455.653949] ns-slapd[20571]: segfault at 0 ip 00007f190695e421 sp > 00007f18dcff6928 error 4 in libc-2.17.so > [7f19068d8000+1b6000] > [6716646.006961] ns-slapd[21375]: segfault at 0 ip 00007ffb9c889421 sp > 00007ffb64ff6928 error 4 in libc-2.17.so > [7ffb9c803000+1b6000] > [6717027.574362] ns-slapd[22082]: segfault at 0 ip 00007f9fdbda7421 sp > 00007f9faeffa928 error 4 in libc-2.17.so > [7f9fdbd21000+1b6000] > [6751004.788596] ns-slapd[9779]: segfault at 0 ip 00007f0398f48421 sp > 00007f03617f7928 error 4 in libc-2.17.so > [7f0398ec2000+1b6000] > [6751019.360517] 
ns-slapd[10018]: segfault at 0 ip 00007f267852c421 sp > 00007f263afea928 error 4 in libc-2.17.so > [7f26784a6000+1b6000] > [6751154.258362] ns-slapd[10179]: segfault at 0 ip 00007f2c6d854421 sp > 00007f2c31ff0928 error 4 in libc-2.17.so > [7f2c6d7ce000+1b6000] > [6751208.966127] ns-slapd[10520]: segfault at 0 ip 00007f9a31a59421 sp > 00007f99f87ed928 error 4 in libc-2.17.so > [7f9a319d3000+1b6000] > [6751305.469969] ns-slapd[10608]: segfault at 0 ip 00007f6e9348b421 sp > 00007f6e55ff0928 error 4 in libc-2.17.so > [7f6e93405000+1b6000] > [6751328.997404] ns-slapd[10736]: segfault at 0 ip 00007f8c936b1421 sp > 00007f8c5d7f7928 error 4 in libc-2.17.so > [7f8c9362b000+1b6000] > [6751432.356753] ns-slapd[10835]: segfault at 0 ip 00007f7dffd84421 sp > 00007f7dca7f9928 error 4 in libc-2.17.so > [7f7dffcfe000+1b6000] > [6751454.826551] ns-slapd[11107]: segfault at 0 ip 00007f03621d5421 sp > 00007f0326fea928 error 4 in libc-2.17.so > [7f036214f000+1b6000] > [6751549.459424] ns-slapd[11414]: segfault at 0 ip 00007f9e0f74b421 sp > 00007f9dd2fea928 error 4 in libc-2.17.so > [7f9e0f6c5000+1b6000] > [6751573.611284] ns-slapd[11567]: segfault at 0 ip 00007f044fd73421 sp > 00007f0419ff8928 error 4 in libc-2.17.so > [7f044fced000+1b6000] > > $ rpm -qa | grep 389 > 389-ds-base-1.3.1.22-1.fc19.x86_64 > 389-ds-base-libs-1.3.1.22-1.fc19.x86_ > > $ rpm -qa | grep ipa > libipa_hbac-python-1.11.5.1-1.fc19.x86_64 > sssd-ipa-1.11.5.1-1.fc19.x86_64 > freeipa-client-3.3.5-1.fc19.x86_64 > freeipa-admintools-3.3.5-1.fc19.x86_64 > freeipa-server-3.3.5-1.fc19.x86_64 > python-iniparse-0.4-7.fc19.noarch > libipa_hbac-1.11.5.1-1.fc19.x86_64 > freeipa-python-3.3.5-1.fc19.x86_64 > > I have no idea what happened, and what check next. Any idea? We'll need to get a core, and see a good stacktrace from the core. 
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes Since this is IPA, you'll need to # debuginfo-install 389-ds-base ipa-server slapi-nis > > Best Regards, > Dawid > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Fri Jun 5 13:58:59 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 5 Jun 2015 15:58:59 +0200 Subject: [Freeipa-users] ns-slapd started crashing suddenly In-Reply-To: <5571A5B8.5020402@redhat.com> References: <5571A5B8.5020402@redhat.com> Message-ID: <20150605135858.GA8354@mail.corp.redhat.com> On (05/06/15 07:35), Rich Megginson wrote: >On 06/05/2015 03:40 AM, Dawid Rabiega wrote: >>Hi, >>One of my ipa server on fedora 19 since yesterday started to crash, with >>following message to dmesg: >> >>$ dmesg | tail -n 20 >>[6706148.291648] ns-slapd[3212]: segfault at 0 ip 00007f6fc9a84421 sp >>00007f6f8f7eb928 error 4 in libc-2.17.so >>[7f6fc99fe000+1b6000] >>[6706170.887926] ns-slapd[3359]: segfault at 0 ip 00007f923ce89421 sp >>00007f91fd7e7928 error 4 in libc-2.17.so >>[7f923ce03000+1b6000] >>[6706264.491787] ns-slapd[3463]: segfault at 0 ip 00007f2d9020d421 sp >>00007f2d527e9928 error 4 in libc-2.17.so >>[7f2d90187000+1b6000] >>[6706311.092133] ns-slapd[4015]: segfault at 0 ip 00007f62287d7421 sp >>00007f61efff4928 error 4 in libc-2.17.so >>[7f6228751000+1b6000] >>[6706500.581441] ns-slapd[4361]: segfault at 0 ip 00007facbe1e1421 sp >>00007fac807e5928 error 4 in libc-2.17.so >>[7facbe15b000+1b6000] >>[6706690.693958] ns-slapd[4932]: segfault at 0 ip 00007f8d72cbc421 sp >>00007f8d3d7f7928 error 4 in libc-2.17.so >>[7f8d72c36000+1b6000] >>[6715473.156094] ns-slapd[18406]: segfault at 0 ip 00007f22fedea421 sp >>00007f22c1fe8928 error 4 in libc-2.17.so >>[7f22fed64000+1b6000] >>[6716455.653949] ns-slapd[20571]: segfault at 0 ip 00007f190695e421 sp >>00007f18dcff6928 error 4 in libc-2.17.so >>[7f19068d8000+1b6000] >>[6716646.006961] ns-slapd[21375]: segfault at 0 ip 
00007ffb9c889421 sp >>00007ffb64ff6928 error 4 in libc-2.17.so >>[7ffb9c803000+1b6000] >>[6717027.574362] ns-slapd[22082]: segfault at 0 ip 00007f9fdbda7421 sp >>00007f9faeffa928 error 4 in libc-2.17.so >>[7f9fdbd21000+1b6000] >>[6751004.788596] ns-slapd[9779]: segfault at 0 ip 00007f0398f48421 sp >>00007f03617f7928 error 4 in libc-2.17.so >>[7f0398ec2000+1b6000] >>[6751019.360517] ns-slapd[10018]: segfault at 0 ip 00007f267852c421 sp >>00007f263afea928 error 4 in libc-2.17.so >>[7f26784a6000+1b6000] >>[6751154.258362] ns-slapd[10179]: segfault at 0 ip 00007f2c6d854421 sp >>00007f2c31ff0928 error 4 in libc-2.17.so >>[7f2c6d7ce000+1b6000] >>[6751208.966127] ns-slapd[10520]: segfault at 0 ip 00007f9a31a59421 sp >>00007f99f87ed928 error 4 in libc-2.17.so >>[7f9a319d3000+1b6000] >>[6751305.469969] ns-slapd[10608]: segfault at 0 ip 00007f6e9348b421 sp >>00007f6e55ff0928 error 4 in libc-2.17.so >>[7f6e93405000+1b6000] >>[6751328.997404] ns-slapd[10736]: segfault at 0 ip 00007f8c936b1421 sp >>00007f8c5d7f7928 error 4 in libc-2.17.so >>[7f8c9362b000+1b6000] >>[6751432.356753] ns-slapd[10835]: segfault at 0 ip 00007f7dffd84421 sp >>00007f7dca7f9928 error 4 in libc-2.17.so >>[7f7dffcfe000+1b6000] >>[6751454.826551] ns-slapd[11107]: segfault at 0 ip 00007f03621d5421 sp >>00007f0326fea928 error 4 in libc-2.17.so >>[7f036214f000+1b6000] >>[6751549.459424] ns-slapd[11414]: segfault at 0 ip 00007f9e0f74b421 sp >>00007f9dd2fea928 error 4 in libc-2.17.so >>[7f9e0f6c5000+1b6000] >>[6751573.611284] ns-slapd[11567]: segfault at 0 ip 00007f044fd73421 sp >>00007f0419ff8928 error 4 in libc-2.17.so >>[7f044fced000+1b6000] >> >>$ rpm -qa | grep 389 >>389-ds-base-1.3.1.22-1.fc19.x86_64 >>389-ds-base-libs-1.3.1.22-1.fc19.x86_ >> >>$ rpm -qa | grep ipa >>libipa_hbac-python-1.11.5.1-1.fc19.x86_64 >>sssd-ipa-1.11.5.1-1.fc19.x86_64 >>freeipa-client-3.3.5-1.fc19.x86_64 >>freeipa-admintools-3.3.5-1.fc19.x86_64 >>freeipa-server-3.3.5-1.fc19.x86_64 >>python-iniparse-0.4-7.fc19.noarch 
>>libipa_hbac-1.11.5.1-1.fc19.x86_64 >>freeipa-python-3.3.5-1.fc19.x86_64 >> >>I have no idea what happened, or what to check next. Any idea? > >We'll need to get a core, and see a good stacktrace from the core. >http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes >Since this is IPA, you'll need to > ># debuginfo-install 389-ds-base ipa-server slapi-nis > Fedora 19 has not been supported since 2015-01-06. Could you try to test with Fedora 20? It might be possible that the bug is already fixed in newer versions. LS From christopher.lamb at ch.ibm.com Fri Jun 5 14:25:09 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Fri, 5 Jun 2015 16:25:09 +0200 Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved In-Reply-To: <55713C51.6050809@redhat.com> References: <556EAE04.3030704@redhat.com> <556EBD47.6090909@redhat.com> <55713C51.6050809@redhat.com> Message-ID: Hi Martin Thanks for updating the documentation! The suggested solution works not only on my test servers, but also "in the real world". This morning I migrated the last production server (ipa host) to the new FreeIPA KDC. Just out of idle curiosity, why is the rm -f /var/lib/sss/db/* step required on our EL 7.1 + ipa-client 4.1 boxes, but not on our older EL 6.5 + ipa-client 3.3.3 machines? Is the problem down to sssd? (On the EL 6.5 machines we are running sssd 1.9.2, while on EL 7.1 we have sssd 1.12.2.) Cheers Chris From: Martin Kosek To: Christopher Lamb/Switzerland/IBM at IBMCH, Rob Crittenden , freeipa-users at redhat.com Cc: Jakub Hrozek Date: 05.06.2015 08:06 Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved On 06/04/2015 07:34 PM, Christopher Lamb wrote: > Hi All > > I can now report back success (at least on my throwaway EL7.1 test VM).
> > To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC to > a new FreeIPA 4.1 KDC 3 steps are required: > > 1) ipa-client-install --uninstall > > 2) rm -f /var/lib/sss/db/* > > 3) ipa-client-install --server ldap.my.example.com --domain my.example.com > -N > > Having done this, my free-ipa user successfully authenticates (e.g. ssh > remote login with free-ipa user / password > > > To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required. > > Kudos and thanks go to Rob C for suggesting step 2. (Note that the > directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as > suggested earlier in this thread. Cool! Thanks for reaching back. I added this advice to the FreeIPA Troubleshooting guide too: http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client > > Cheers > > Chris > > > > > From: Martin Kosek > To: Christopher Lamb/Switzerland/IBM at IBMCH, > freeipa-users at redhat.com > Cc: Jakub Hrozek , Rob Crittenden > > Date: 03.06.2015 10:39 > Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA > client on EL7.1 -->Not Solved > > > > On 06/03/2015 10:30 AM, Christopher Lamb wrote: >> Hi all >> >> This is a quick(ish) note to bring everybody up to speed on this issue. >> Yesterday we had some private mail exchange on this issue as I did not > wish >> to broadcast the krb5 and ipa install logs to the user list. >> >> The basic situation is that we are in the process of migrating from an >> FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As > discussed >> in a thread some weeks ago we did not do this by replicating (as perhaps > we >> should have done). Instead we migrated the users across. >> >> We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to >> the old KDC. We are now in the process of migrating these hosts to the > new >> 4.1 KDC. >> >> Most of the hosts run EL 6.5 + ipa-client 3.3.3. 
For all of these > joining >> to the new KDC was trouble free, taking a few minutes each. After joining >> the new KDC FreeIPA users authenticated properly. >> >> We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were >> joined direct to the new 4.1 KDC, never having been joined of the 3.3.3 >> KDC. These were also trouble free. >> >> The problem occurs with a handful of existing EL 7.1 +ipa-client 4.1 > hosts >> that were originally joined to the 3.3.3 KDC, and must be moved to join > the >> 4.1 KDC. These machines no longer authenticate valid FreeIPA users. I > have >> been able to reproduce this behaviour with a freshly setup VM joined > first >> to the 3.3.3 KDC, then moved to the 4.1 KDC. >> >> While the errors show in the krb5 child logs indicate that the password > is >> incorrect, the same user / password is happily accepted by all the other >> hosts. >> >> It seems that in the process of moving / migrating the EL 7.1 / > ipa-client >> 4.1 from the old KDC to the new KDC, "something" is left behind that > causes >> problems. We have seen indications in the install logs that the kinit > steps >> called during ipa-client install are getting responses from the wrong > (old) >> KDC, and not from the new KDC. >> >> Frustratingly. over the weekend i managed to get one of the problem EL > 7.1 >> boxes to work. However I can't work out exactly what I was that I did > that >> did the trick. However it seems that some kind of major de-install / >> cleanup + reinstall of the ipa-client may be needed. >> >> Rob has suggested that as part of such a cleanup I should do "rm >> -f /var/lib/sssd/db/*". I will test this later today and report back. >> >> Thanks to Rob, Jakub, Martin, Alexander et al for their help and >> suggestions so far. >> >> Chris > > Thanks for the background. 
The pain you are getting is exactly the reason > why > migration via replication to RHEL-7.1 is a better choice :-) Please let us > know > the result, I am curious how this works out. > >> >> >> >> >> From: Martin Kosek >> To: Christopher Lamb/Switzerland/IBM at IBMCH, >> freeipa-users at redhat.com, Jakub Hrozek >> Date: 03.06.2015 09:34 >> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated > FreeIPA >> client on EL7.1 -->Not Solved >> >> >> >> On 06/02/2015 06:15 PM, Christopher Lamb wrote: >>> >>> Hi >>> >>> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the > cause >>> of this problem. Let's call them HOST09 and HOST10 >>> >>> Both are mimimum installs of EL7.1, with NTPD installed and configured. >>> >>> HOST09 had ipa-client 4.1 installed via yum, and was configured to use >> our >>> new FreeIPA 4.1 server, right from the start. --> My FreeIPA user >>> authenticates successfully against this machine. >>> >>> HOST10 had ipa-client 4.1 installed as a dependency of one of our >> standard >>> config packages, and was first set to use our old FreeIPA 3.3.3 server. >> --> >>> My FreeIPA user authenticates successfully. against this machine. >>> >>> I then de-registered HOST10 from the FreeIPA 3.1 server, and registered >>> against the new FreeIPA 4.1 server --> My FreeIPA users does NOT >>> authenticate successfully. >>> >>> This replicates well the behaviour I saw with my production servers, >> namely >>> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new >> 4.1 >>> FreeIPA server authenticate properly. >>> >>> b) EL 7.1 hosts with ipa-client 4.1 first registered against the old >> 3.3.3 >>> FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT >>> authenticate properly >>> >>> Chris >> >> Hello, >> >> This is really strange. What I do not fully understand is what is the >> "registration against a FreeIPA server". 
What server you install IPA > client >> should matter if the deployment is set up properly. The host enrollment >> entry >> should simply replicate to whole infrastructure. The only thing that will >> probably differ is sssd.conf and krb5.conf as they will have different >> primary >> server set up, based on what your DNS setup is. >> >> It rather seems that the "reregistration" is what causes the issue. It >> looks >> like something cleanup problem during the process. I will let Jakub to > help >> here, I would suggest including the SSSD logs from the failed login, it > may >> help. >> >>> >>> >>> >>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 >>> ----- >>> >>> From: Christopher Lamb/Switzerland/IBM at IBMCH >>> To: Jakub Hrozek >>> Cc: freeipa-users at redhat.com >>> Date: 02.06.2015 10:40 >>> Subject: Re: [Freeipa-users] Fw: ssh problem with > migrated >> FreeIPA >>> client on EL7.1 -->Not Solved >>> Sent by: freeipa-users-bounces at redhat.com >>> >>> >>> >>> Hi Jakub >>> >>> Yes root login works, that's how I've been getting into the box. >>> >>> Surprisingly, kinit with my user seems to work on that box. After >> entering >>> my password when prompted, it returns to the commandline without error. >>> >>> However if I try kinit with another FreeIPA user, then instead of >> prompting >>> for a password, it gives "Generic preauthentication failure while > getting >>> initial credentials" error. >>> >>> Having set debug_level=10, when I try and ssh in with my FreeIPA user, I >>> find errors like >>> >>> "Retrieving host .... with result: .. Matching credential not found" >>> >>> "Received error from KDC ... Additional pre-authentication required" >>> >>> "Received error from KDC... 
Decrypt integrity check failed" >>> >>> "Received error code 1432158219" >>> >>> Cheers >>> >>> Chris >>> >>> >>> >>> >>> >>> From: Jakub Hrozek > >>> To: Christopher > Lamb/Switzerland/IBM at IBMCH >>> Cc: > freeipa-users at redhat.com >>> Date: 02.06.2015 09:50 >>> Subject: Re: > [Freeipa-users] Fw: ssh problem with >> migrated >>> FreeIPA >>> client on EL7.1 -->Not Solved >>> >>> >>> >>> On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote: >>>> Hi Jakub >>>> >>>> The same user / password works with all our FreeIPA hosts - just this >> one >>>> box is the problem. So the password should be good. Of course a type is >>>> always possible (especially for strong passwords), but I have tried > many >>>> times which should eliminate the odd password typo. The user / password >>>> should also be good for both the old and the new FreeIPA Server. >>> >>> Interesting, can you add debug_level=10 to the domain section of >>> sssd.conf? Then krb5_child.log should show Kerberos tracing info >>> including which exact KDC SSSD was talking to. >>> >>>> >>>> As I can neither log in direct, or via ssh to this box with my FreeIPA >>>> user, I assume Kinit with my user won't work- i will try later in the >>> day. >>> >>> Well, login as a UNIX user (root) should work.. >>> >>>> >>>> My working assumption is that the problem is related in some way to the >>>> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA >>>> 4.1, and switched between 2 FreeIPA servers. I am currently setting up > 2 >>>> throwaway EL 7.1 VMs to better test this. On one I will first install >>>> 3.3.3, then upgrade to 4.1. The second will have a direct install of > 4.1 >>>> client. 
>>>> >>>> Cheers >>>> >>>> Chris >>>> >>>> >>>> >>>> From: > Jakub Hrozek >> >>>> To: >> freeipa-users at redhat.com >>>> Date: > 02.06.2015 09:22 >>>> Subject: > Re: >> [Freeipa-users] Fw: ssh problem with >>> migrated >>> FreeIPA >>>> client on EL7.1 -->Not Solved >>>> Sent by: >> freeipa-users-bounces at redhat.com >>>> >>>> >>>> >>>> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote: >>>>> >>>>> Hi All >>>>> >>>>> Bad news. >>>>> >>>>> Over the weekend I was able to get the original problem EL7.1 / > FreeIPA >>>> 4.1 >>>>> host (FreeIPA client) to authenticate FreeiPA users (my test being ssh >>>>> remote login with FreeIPA user and password). >>>>> >>>>> Today I tried a second machine, and had the same problem, ssh >>> connections >>>>> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity >>>> check >>>>> failed" >>>> >>>> This really just means wrong password, can you kinit as that user using >>>> the same password? >>>> >>>>> >>>>> Ahh I thought, I have a solution for that: just remove ipa-client and >>>>> reinstall via yum, register with the new FreeIPA server .... >>>>> >>>>> Only with this second machine I still can't ssh in with a FreeIPA > user. >>>>> Argg..... >>>>> >>>>> b.t.w, as this machine is a real physical server, I was able to try >>>> logging >>>>> in direct with my FreeIPA user --> "Authentication Failure" >>>>> >>>>> I now have >>>>> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the >>> old >>>>> FreeIPA server to the new without a hitch (i.e. they successfully >>>>> authenticate FreeIPA users.) >>>>> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, > but >>>>> with problems >>>>> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all > attempts >>>> to >>>>> authenticate with a FreeIPA user >>>>> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the >>> new >>>>> FreeIPA server, and successfully authenticates FreeIPA users. >>>>> >>>>> Any ideas? 
>>>>> >>>>> Chris >>>>> >>>>> >>>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 > 19:17 >>>>> ----- >>>>> >>>>> From: >> Christopher >>> Lamb/Switzerland/IBM at IBMCH >>>>> To: >> Alexander Bokovoy >>> , >>>>> freeipa-users at redhat.com >>>>> Date: >> 30.05.2015 18:52 >>>>> Subject: >> Re: >>> [Freeipa-users] ssh problem with >>> migrated FreeIPA >>>> client on >>>>> EL7.1 --> Solved >>>>> Sent by: >>> freeipa-users-bounces at redhat.com >>>>> >>>>> >>>>> >>>>> Hi All >>>>> >>>>> It gives me pleasure to report the problem is solved - a minute ago I >>> was >>>>> able to login via ssh with my FreeIPA user to the problem server, > while >>>>> sitting on my terrace with a glass of wine! >>>>> >>>>> Thanks to Alexander for his helpful advice - we had some mail exchange >>>>> outside the user list as I did not wish to broadcast content of keys, >>>>> config files etc. >>>>> >>>>> Regardless of what I did with commands like klist, kvno everything >>> seemed >>>>> "ok", but I still could not ssh in. Even a ipa-getkeytab did not help. >>>>> >>>>> Therefore I decided to opt for brute force and (partial) ignorance. I >>>>> completely uninstalled the FreeIPA client, and then reinstalled, >>>> configured >>>>> - ?t voil? I could ssh in! >>>>> >>>>> This leaves the enigma: what caused the problem? I suspect the >>> following: >>>>> >>>>> The host is an EL 7.1, but the first FreeIPA client installed was >>> version >>>>> 3.3.3 (installed as set of standard packages that we bung on all our >>>>> servers). >>>>> >>>>> This worked fine to authenticate against our "old" 3.x FreeIPA server, >>>> but >>>>> did not work against the "new" 4.1 FreeIPA Server. >>>>> >>>>> When I realised I could not ssh in, one of the first things I did was >>> to >>>>> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not >>> help. >>>>> The solution was to yum remove the FreeIPA client, then yum install > the >>>> 4.1 >>>>> client. 
>>>>> >>>>> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client >>> installed, >>>> so >>>>> it will be interesting to see it the problem can be reproduced. >>>>> >>>>> Keep up the good work, >>>>> >>>>> Chris >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> From: >>> > Alexander Bokovoy >>> >>>>> To: >>> > Christopher >>> Lamb/Switzerland/IBM at IBMCH >>>>> Cc: >>> freeipa-users at redhat.com >>>>> Date: >>> > 29.05.2015 18:04 >>>>> Subject: >>> > Re: >>> [Freeipa-users] ssh problem with >>>> migrated FreeIPA >>>>> client on >>>>> EL7.1 >>>>> >>>>> >>>>> >>>>> On Fri, 29 May 2015, Christopher Lamb wrote: >>>>>> >>>>>> Hi All >>>>>> >>>>>> Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to >>>> replace >>>>>> the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully >>> migrated >>>>>> across the users. >>>>>> >>>>>> We have 50 odd Servers that are FreeIPA clients. Today I started >>>> migrating >>>>>> these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 >>>>>> server by doing an ipa-client-install --uninstall from the old, and >>>>>> ipa-client-install to register with the new 4.1.0 server. >>>>>> >>>>>> Most of the FreeIPA clients are running OEL 6.5, and for these the >>>>>> migration process above worked perfectly. After migrating the server, >>> I >>>>>> could ssh in with my FreeIPA user. >>>>>> >>>>>> Then I migrated an OEL 7.1 server. The migration itself seemed to >>> work, >>>>> and >>>>>> getent passwd was successful for my FreeIPA user. However when I try >>> and >>>>>> ssh in, my FreeIPA user / password is not accepted. >>>>>> >>>>>> Before the migration I could ssh into the problem server (though >>>> evidently >>>>>> it was using my FreeIPA user from the old FreeIPA server). >>>>>> >>>>>> I can ssh in with a local (non ldap) user, so ssh is running and >>>> working. >>>>>> >>>>>> >From user root I can successfully su to my FreeIPA user. 
>>>>>> >>>>>> Further investigation showed that version of ipa-client installed was >>>>>> 3.3.3, so I yum updated this to 4.1.0. >>>>>> >>>>>> However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. >>>> The >>>>>> same user continues to work for the 6.5 boxes. >>>>>> >>>>>> A colleague tried to ssh in with his FreeIPA user, and was also >>>> rejected, >>>>>> so the problem is not my user, but is probably for all FreeIPA users. >>>>>> >>>>>> A failed ssh login attempt causes the following error >>>> in /var/log/messages >>>>>> >>>>>> [sssd[krb5_child[5393]]]: Decrypt integrity check failed >>>>> It means /etc/krb5.keytab contains keys from older system and SSSD >>>>> picks them up. >>>>> Can you show output of 'klist -kKet'? >>>>> -- >>>>> / Alexander Bokovoy >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>>> >>>> >>>> >>> >>> >>> >>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >>> >>> >>> >>> >> >> >> >> > > > > From abokovoy at redhat.com Fri Jun 5 14:30:12 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 5 Jun 2015 17:30:12 +0300 Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved In-Reply-To: References: <556EAE04.3030704@redhat.com> 
<556EBD47.6090909@redhat.com> <55713C51.6050809@redhat.com> Message-ID: <20150605143012.GN10162@redhat.com> On Fri, 05 Jun 2015, Christopher Lamb wrote: >Hi Martin > >Thanks for updating the documenation! > >The suggested solution works not only my test servers, but also "in the >real world". This morning I migrated the last production server (ipa host) >to the new FreeIPA KDC. > >Just out of idle curiosity, why is the rm -f /var/lib/sss/db/* step >required on our EL 7.1 + ipa-client 4.1 boxes, but not on our older EL 6.5 >+ ipa-client 3.3.3 machines? > >Is the problem down to sssd? (on the EL 6.5 machines we are running sssd >1.9.2, while on EL 7.1 we have sssd 1.12.2 I think there are more object types supported by newer SSSD versions which aren't invalidated like users or groups. > >Cheers > >Chris > > > >From: Martin Kosek >To: Christopher Lamb/Switzerland/IBM at IBMCH, Rob Crittenden > , freeipa-users at redhat.com >Cc: Jakub Hrozek >Date: 05.06.2015 08:06 >Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA > client on EL7.1 -->Solved > > > >On 06/04/2015 07:34 PM, Christopher Lamb wrote: >> Hi All >> >> I can now report back success (at least on my throwaway EL7.1 test VM). >> >> To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC >to >> a new FreeIPA 4.1 KDC 3 steps are required: >> >> 1) ipa-client-install --uninstall >> >> 2) rm -f /var/lib/sss/db/* >> >> 3) ipa-client-install --server ldap.my.example.com --domain >my.example.com >> -N >> >> Having done this, my free-ipa user successfully authenticates (e.g. ssh >> remote login with free-ipa user / password >> >> >> To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required. >> >> Kudos and thanks go to Rob C for suggesting step 2. (Note that the >> directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as >> suggested earlier in this thread. > >Cool! Thanks for reaching back. 
I added this advice to the FreeIPA >Troubleshooting guide too: > >http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client > >> >> Cheers >> >> Chris >> >> >> >> >> From: Martin Kosek >> To: Christopher Lamb/Switzerland/IBM at IBMCH, >> freeipa-users at redhat.com >> Cc: Jakub Hrozek , Rob Crittenden >> >> Date: 03.06.2015 10:39 >> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated >FreeIPA >> client on EL7.1 -->Not Solved >> >> >> >> On 06/03/2015 10:30 AM, Christopher Lamb wrote: >>> Hi all >>> >>> This is a quick(ish) note to bring everybody up to speed on this issue. >>> Yesterday we had some private mail exchange on this issue as I did not >> wish >>> to broadcast the krb5 and ipa install logs to the user list. >>> >>> The basic situation is that we are in the process of migrating from an >>> FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As >> discussed >>> in a thread some weeks ago we did not do this by replicating (as perhaps >> we >>> should have done). Instead we migrated the users across. >>> >>> We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined >to >>> the old KDC. We are now in the process of migrating these hosts to the >> new >>> 4.1 KDC. >>> >>> Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these >> joining >>> to the new KDC was trouble free, taking a few minutes each. After >joining >>> the new KDC FreeIPA users authenticated properly. >>> >>> We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that >were >>> joined direct to the new 4.1 KDC, never having been joined of the 3.3.3 >>> KDC. These were also trouble free. >>> >>> The problem occurs with a handful of existing EL 7.1 +ipa-client 4.1 >> hosts >>> that were originally joined to the 3.3.3 KDC, and must be moved to join >> the >>> 4.1 KDC. These machines no longer authenticate valid FreeIPA users. 
I >> have >>> been able to reproduce this behaviour with a freshly setup VM joined >> first >>> to the 3.3.3 KDC, then moved to the 4.1 KDC. >>> >>> While the errors show in the krb5 child logs indicate that the password >> is >>> incorrect, the same user / password is happily accepted by all the other >>> hosts. >>> >>> It seems that in the process of moving / migrating the EL 7.1 / >> ipa-client >>> 4.1 from the old KDC to the new KDC, "something" is left behind that >> causes >>> problems. We have seen indications in the install logs that the kinit >> steps >>> called during ipa-client install are getting responses from the wrong >> (old) >>> KDC, and not from the new KDC. >>> >>> Frustratingly. over the weekend i managed to get one of the problem EL >> 7.1 >>> boxes to work. However I can't work out exactly what I was that I did >> that >>> did the trick. However it seems that some kind of major de-install / >>> cleanup + reinstall of the ipa-client may be needed. >>> >>> Rob has suggested that as part of such a cleanup I should do "rm >>> -f /var/lib/sssd/db/*". I will test this later today and report back. >>> >>> Thanks to Rob, Jakub, Martin, Alexander et al for their help and >>> suggestions so far. >>> >>> Chris >> >> Thanks for the background. The pain you are getting is exactly the reason >> why >> migration via replication to RHEL-7.1 is a better choice :-) Please let >us >> know >> the result, I am curious how this works out. >> >>> >>> >>> >>> >>> From: Martin Kosek >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>> freeipa-users at redhat.com, Jakub Hrozek >>> Date: 03.06.2015 09:34 >>> Subject: Re: [Freeipa-users] Fw: ssh problem with >migrated >> FreeIPA >>> client on EL7.1 -->Not Solved >>> >>> >>> >>> On 06/02/2015 06:15 PM, Christopher Lamb wrote: >>>> >>>> Hi >>>> >>>> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the >> cause >>>> of this problem. 
Let's call them HOST09 and HOST10 >>>> >>>> Both are mimimum installs of EL7.1, with NTPD installed and configured. >>>> >>>> HOST09 had ipa-client 4.1 installed via yum, and was configured to use >>> our >>>> new FreeIPA 4.1 server, right from the start. --> My FreeIPA user >>>> authenticates successfully against this machine. >>>> >>>> HOST10 had ipa-client 4.1 installed as a dependency of one of our >>> standard >>>> config packages, and was first set to use our old FreeIPA 3.3.3 server. >>> --> >>>> My FreeIPA user authenticates successfully. against this machine. >>>> >>>> I then de-registered HOST10 from the FreeIPA 3.1 server, and registered >>>> against the new FreeIPA 4.1 server --> My FreeIPA users does NOT >>>> authenticate successfully. >>>> >>>> This replicates well the behaviour I saw with my production servers, >>> namely >>>> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new >>> 4.1 >>>> FreeIPA server authenticate properly. >>>> >>>> b) EL 7.1 hosts with ipa-client 4.1 first registered against the old >>> 3.3.3 >>>> FreeIPA server, then reregistered with the new 4.1 FreeIPA server do >NOT >>>> authenticate properly >>>> >>>> Chris >>> >>> Hello, >>> >>> This is really strange. What I do not fully understand is what is the >>> "registration against a FreeIPA server". What server you install IPA >> client >>> should matter if the deployment is set up properly. The host enrollment >>> entry >>> should simply replicate to whole infrastructure. The only thing that >will >>> probably differ is sssd.conf and krb5.conf as they will have different >>> primary >>> server set up, based on what your DNS setup is. >>> >>> It rather seems that the "reregistration" is what causes the issue. It >>> looks >>> like something cleanup problem during the process. I will let Jakub to >> help >>> here, I would suggest including the SSSD logs from the failed login, it >> may >>> help. 
>>> >>>> >>>> >>>> >>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 >>>> ----- >>>> >>>> From: Christopher >Lamb/Switzerland/IBM at IBMCH >>>> To: Jakub Hrozek > >>>> Cc: >freeipa-users at redhat.com >>>> Date: 02.06.2015 10:40 >>>> Subject: Re: >[Freeipa-users] Fw: ssh problem with >> migrated >>> FreeIPA >>>> client on EL7.1 -->Not Solved >>>> Sent by: >freeipa-users-bounces at redhat.com >>>> >>>> >>>> >>>> Hi Jakub >>>> >>>> Yes root login works, that's how I've been getting into the box. >>>> >>>> Surprisingly, kinit with my user seems to work on that box. After >>> entering >>>> my password when prompted, it returns to the commandline without error. >>>> >>>> However if I try kinit with another FreeIPA user, then instead of >>> prompting >>>> for a password, it gives "Generic preauthentication failure while >> getting >>>> initial credentials" error. >>>> >>>> Having set debug_level=10, when I try and ssh in with my FreeIPA user, >I >>>> find errors like >>>> >>>> "Retrieving host .... with result: .. Matching credential not found" >>>> >>>> "Received error from KDC ... Additional pre-authentication required" >>>> >>>> "Received error from KDC... Decrypt integrity check failed" >>>> >>>> "Received error code 1432158219" >>>> >>>> Cheers >>>> >>>> Chris >>>> >>>> >>>> >>>> >>>> >>>> From: > Jakub Hrozek >> >>>> To: > Christopher >> Lamb/Switzerland/IBM at IBMCH >>>> Cc: >> freeipa-users at redhat.com >>>> Date: > 02.06.2015 09:50 >>>> Subject: > Re: >> [Freeipa-users] Fw: ssh problem with >>> migrated >>>> FreeIPA >>>> client on EL7.1 -->Not Solved >>>> >>>> >>>> >>>> On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote: >>>>> Hi Jakub >>>>> >>>>> The same user / password works with all our FreeIPA hosts - just this >>> one >>>>> box is the problem. So the password should be good. 
Of course a type >is >>>>> always possible (especially for strong passwords), but I have tried >> many >>>>> times which should eliminate the odd password typo. The user / >password >>>>> should also be good for both the old and the new FreeIPA Server. >>>> >>>> Interesting, can you add debug_level=10 to the domain section of >>>> sssd.conf? Then krb5_child.log should show Kerberos tracing info >>>> including which exact KDC SSSD was talking to. >>>> >>>>> >>>>> As I can neither log in direct, or via ssh to this box with my FreeIPA >>>>> user, I assume Kinit with my user won't work- i will try later in the >>>> day. >>>> >>>> Well, login as a UNIX user (root) should work.. >>>> >>>>> >>>>> My working assumption is that the problem is related in some way to >the >>>>> fact the host originally was a FreeIPA 3.3.3 client, updated to >FreeIPA >>>>> 4.1, and switched between 2 FreeIPA servers. I am currently setting up >> 2 >>>>> throwaway EL 7.1 VMs to better test this. On one I will first install >>>>> 3.3.3, then upgrade to 4.1. The second will have a direct install of >> 4.1 >>>>> client. >>>>> >>>>> Cheers >>>>> >>>>> Chris >>>>> >>>>> >>>>> >>>>> From: >> Jakub Hrozek >>> >>>>> To: >>> freeipa-users at redhat.com >>>>> Date: >> 02.06.2015 09:22 >>>>> Subject: >> Re: >>> [Freeipa-users] Fw: ssh problem with >>>> migrated >>>> FreeIPA >>>>> client on EL7.1 -->Not Solved >>>>> Sent by: >>> freeipa-users-bounces at redhat.com >>>>> >>>>> >>>>> >>>>> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote: >>>>>> >>>>>> Hi All >>>>>> >>>>>> Bad news. >>>>>> >>>>>> Over the weekend I was able to get the original problem EL7.1 / >> FreeIPA >>>>> 4.1 >>>>>> host (FreeIPA client) to authenticate FreeiPA users (my test being >ssh >>>>>> remote login with FreeIPA user and password). 
>>>>>> >>>>>> Today I tried a second machine, and had the same problem, ssh >>>> connections >>>>>> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity >>>>> check >>>>>> failed" >>>>> >>>>> This really just means wrong password, can you kinit as that user >using >>>>> the same password? >>>>> >>>>>> >>>>>> Ahh I thought, I have a solution for that: just remove ipa-client and >>>>>> reinstall via yum, register with the new FreeIPA server .... >>>>>> >>>>>> Only with this second machine I still can't ssh in with a FreeIPA >> user. >>>>>> Argg..... >>>>>> >>>>>> b.t.w, as this machine is a real physical server, I was able to try >>>>> logging >>>>>> in direct with my FreeIPA user --> "Authentication Failure" >>>>>> >>>>>> I now have >>>>>> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the >>>> old >>>>>> FreeIPA server to the new without a hitch (i.e. they successfully >>>>>> authenticate FreeIPA users.) >>>>>> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, >> but >>>>>> with problems >>>>>> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all >> attempts >>>>> to >>>>>> authenticate with a FreeIPA user >>>>>> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the >>>> new >>>>>> FreeIPA server, and successfully authenticates FreeIPA users. >>>>>> >>>>>> Any ideas? 
>>>>>> >>>>>> Chris >>>>>> >>>>>> >>>>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 >> 19:17 >>>>>> ----- >>>>>> >>>>>> From: >>> > Christopher >>>> Lamb/Switzerland/IBM at IBMCH >>>>>> To: >>> > Alexander Bokovoy >>>> , >>>>>> freeipa-users at redhat.com >>>>>> Date: >>> > 30.05.2015 18:52 >>>>>> Subject: >>> > Re: >>>> [Freeipa-users] ssh problem with >>>> migrated FreeIPA >>>>> client on >>>>>> EL7.1 --> Solved >>>>>> Sent by: >>>> freeipa-users-bounces at redhat.com >>>>>> >>>>>> >>>>>> >>>>>> Hi All >>>>>> >>>>>> It gives me pleasure to report the problem is solved - a minute ago I >>>> was >>>>>> able to login via ssh with my FreeIPA user to the problem server, >> while >>>>>> sitting on my terrace with a glass of wine! >>>>>> >>>>>> Thanks to Alexander for his helpful advice - we had some mail >exchange >>>>>> outside the user list as I did not wish to broadcast content of keys, >>>>>> config files etc. >>>>>> >>>>>> Regardless of what I did with commands like klist, kvno everything >>>> seemed >>>>>> "ok", but I still could not ssh in. Even a ipa-getkeytab did not >help. >>>>>> >>>>>> Therefore I decided to opt for brute force and (partial) ignorance. I >>>>>> completely uninstalled the FreeIPA client, and then reinstalled, >>>>> configured >>>>>> - ?t voil? I could ssh in! >>>>>> >>>>>> This leaves the enigma: what caused the problem? I suspect the >>>> following: >>>>>> >>>>>> The host is an EL 7.1, but the first FreeIPA client installed was >>>> version >>>>>> 3.3.3 (installed as set of standard packages that we bung on all our >>>>>> servers). >>>>>> >>>>>> This worked fine to authenticate against our "old" 3.x FreeIPA >server, >>>>> but >>>>>> did not work against the "new" 4.1 FreeIPA Server. >>>>>> >>>>>> When I realised I could not ssh in, one of the first things I did was >>>> to >>>>>> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not >>>> help. 
>>>>>> The solution was to yum remove the FreeIPA client, then yum install >> the >>>>> 4.1 >>>>>> client. >>>>>> >>>>>> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client >>>> installed, >>>>> so >>>>>> it will be interesting to see it the problem can be reproduced. >>>>>> >>>>>> Keep up the good work, >>>>>> >>>>>> Chris >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> From: >>>> >> Alexander Bokovoy >>>> >>>>>> To: >>>> >> Christopher >>>> Lamb/Switzerland/IBM at IBMCH >>>>>> Cc: >>>> freeipa-users at redhat.com >>>>>> Date: >>>> >> 29.05.2015 18:04 >>>>>> Subject: >>>> >> > Re: >>>> [Freeipa-users] ssh problem with >>>>> migrated FreeIPA >>>>>> client on >>>>>> EL7.1 >>>>>> >>>>>> >>>>>> >>>>>> On Fri, 29 May 2015, Christopher Lamb wrote: >>>>>>> >>>>>>> Hi All >>>>>>> >>>>>>> Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to >>>>> replace >>>>>>> the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully >>>> migrated >>>>>>> across the users. >>>>>>> >>>>>>> We have 50 odd Servers that are FreeIPA clients. Today I started >>>>> migrating >>>>>>> these one-by-one from the old FreeIPA 3.x server to the new FreeIPA >4 >>>>>>> server by doing an ipa-client-install --uninstall from the old, and >>>>>>> ipa-client-install to register with the new 4.1.0 server. >>>>>>> >>>>>>> Most of the FreeIPA clients are running OEL 6.5, and for these the >>>>>>> migration process above worked perfectly. After migrating the >server, >>>> I >>>>>>> could ssh in with my FreeIPA user. >>>>>>> >>>>>>> Then I migrated an OEL 7.1 server. The migration itself seemed to >>>> work, >>>>>> and >>>>>>> getent passwd was successful for my FreeIPA user. However when I try >>>> and >>>>>>> ssh in, my FreeIPA user / password is not accepted. >>>>>>> >>>>>>> Before the migration I could ssh into the problem server (though >>>>> evidently >>>>>>> it was using my FreeIPA user from the old FreeIPA server). 
>>>>>>> >>>>>>> I can ssh in with a local (non ldap) user, so ssh is running and >>>>> working. >>>>>>> >>>>>>> >From user root I can successfully su to my FreeIPA user. >>>>>>> >>>>>>> Further investigation showed that version of ipa-client installed >was >>>>>>> 3.3.3, so I yum updated this to 4.1.0. >>>>>>> >>>>>>> However I still cannot ssh into the OEL 7.1 box with my FreeIPA >user. >>>>> The >>>>>>> same user continues to work for the 6.5 boxes. >>>>>>> >>>>>>> A colleague tried to ssh in with his FreeIPA user, and was also >>>>> rejected, >>>>>>> so the problem is not my user, but is probably for all FreeIPA >users. >>>>>>> >>>>>>> A failed ssh login attempt causes the following error >>>>> in /var/log/messages >>>>>>> >>>>>>> [sssd[krb5_child[5393]]]: Decrypt integrity check failed >>>>>> It means /etc/krb5.keytab contains keys from older system and SSSD >>>>>> picks them up. >>>>>> Can you show output of 'klist -kKet'? >>>>>> -- >>>>>> / Alexander Bokovoy >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>>> >>>> >>>> >>> >>> >>> >>> >> >> >> >> > > > > > >-- >Manage your subscription for the Freeipa-users 
mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From npmccallum at redhat.com Fri Jun 5 15:00:19 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Fri, 05 Jun 2015 11:00:19 -0400
Subject: [Freeipa-users] ipa spamming radius with otp token?
In-Reply-To:
References:
Message-ID: <1433516419.2479.6.camel@redhat.com>

On Thu, 2015-06-04 at 21:48 +0000, Bahmer, Eric Vaughn wrote:
> Someone higher up decided that there was no time for me to resolve
> this and I've been forced to implement a different method for now.
>
> I can still continue to work on this, I'll just need to find
> different hardware to troubleshoot with.
>
> I have set up a kerberos.xml in /etc/firewalld/services restricting
> to tcp 88.
> I have restricted the service to the specific interface via zone and
> rich rule.
>
> Same for kpasswd on port 464.
>
> I've also made sure that the krb5.conf has a line for
> udp_preference_limit = 1
>
> I've also made sure to turn caching off in sssd.conf and restarted
> that. I set a 30 second timeout and 0 retries.
>
> Attempting to SSH from the firewall/gateway as a user to the idm
> server itself.
>
> I've managed to get things down to just 2 copies with maybe 1 second
> difference:
>
> Fri May 15 15:23:05
> Packet-Type = Access-Request
> NAS-Identifier = "idm2.manage.monitor.net"
> Service-Type = Authenticate-Only
> User-Name = "bahmer"
> User-Password = "123-4567"
>
> On the Idm server /var/log/secure:
> May 15 15:23:03 idm2 unix_chkpwd[15103]: check pass; user unknown
> May 15 15:23:03 idm2 unix_chkpwd[15103]: password check failed for user (bahmer)
> May 15 15:23:03 idm2 sshd[15101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate1.manage.monitor.net user=bahmer
> May 15 15:23:07 idm2 sshd[15101]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate1.manage.monitor.net user=bahmer
> May 15 15:23:07 idm2 sshd[15101]: pam_sss(sshd:auth): received for user bahmer: 17 (Failure setting user credentials)
> May 15 15:23:09 idm2 sshd[15101]: Failed password for bahmer from 10.6.0.41 port 44347 ssh2
>
> I've collected some tcpdump information, most of the kerberos traffic is on the loopback interface and nothing stands out.
> I can see the two requests in the tcpdump on the interface the idm server should be using to talk to radius.
> I probably need permission in order to send the captures after sanitizing them for security policy reasons.
>
> Is it possible that sssd is the culprit trying to do a pre-auth before the real auth?

Anything is possible. What you need to do is capture the incoming krb5 traffic and the outgoing RADIUS traffic from the KDC. The question you need to answer from this data is: do the two output RADIUS requests correspond to one or two incoming krb5 requests? If there are two krb5 requests, then there is probably a bug in SSSD. If there is only one krb5 request, then there is probably a bug or configuration issue in the krb5-otp plugin.

Nathaniel

> On 5/13/15, 12:00 PM, "Nathaniel McCallum" wrote:
>
> > > On Wed, 2015-05-13 at 14:44 +0000, Bahmer, Eric Vaughn wrote:
> > > > Institutionally we have a hardware token set up, you use a pin to unlock the device and it spits out a passcode.
> > > > The passcode allows access through kerberos, radius, or ldap binds to linux servers, or with a custom apache module to websites.
> > > >
> > > > I have an out-of-band private network set up that attaches to our intranet using a firewall/gateway server which does some port forwarding for various things like SSH, RDP.
> > > > I'm attempting to set up RADIUS on this firewall/gateway to be used as a proxy for freeipa to our token system which I'd like to be able to use behind the firewall.
> > > > However I seem to be getting nearly a dozen requests into the radius server, about half are dropped as duplicate, but usually 3-6 get through and since it's a single use token the first attempt succeeds, but the rest fail and cause the hardware token to be blacklisted.
> > > > Is there a way to specify that the user radius login is a one-time token or is this something that sssd or pam is causing?
> > > > Or does the OTP support just not work in the way I need it to?
> > > > I have this issue with both the inbox 4.1.0 in RHEL7.1 or the upstream 4.1.4 rpms.
> > > >
> > > > My only alternative is probably to set up a KDC on the firewall to trust the institutional realm and have the IdM kerberos realm trust that.
> > > > This is also a mixed linux/windows environment behind the firewall, I've enabled unix attributes in my AD and I'm using a script to sync uid/gid with the external ldap.
> > >
> > > I do think a cross realm trust is the right way to set this up.
> > >
> > > However, let's look more closely at the RADIUS issue.
> > >
> > > First, I want to ensure that you are using TCP for your kerberos connections.
> > > If you are using UDP for kerberos, then the kerberos client will send a new packet which will cause the KDC to fire off a new set of RADIUS messages. The use of TCP should be enforced with kerberos when using OTP.
> > >
> > > How long does it take for the hardware token RADIUS server to respond?
> > > Have you tried adjusting the number of retries and timeout for the RADIUS server in FreeIPA? A longer timeout or fewer retries will reduce the number of packets transmitted.
> > >
> > > If you are able to setup a test user with fake credentials and could perform a packet capture of kerberos and RADIUS traffic it would help me understand what is going on here.
> > >
> > > Nathaniel
> > >
> > > PS - If I had to take a guess based on what I know now, I would suspect that the real culprit is kinit sending too many requests. This is based on your statement that the RADIUS server is dropping *some* duplicates. This means that the other RADIUS packets are *not* duplicates and probably represent a subsequent AS-REQ on the KDC from kinit.

From wia at iglass.net Fri Jun 5 15:12:01 2015
From: wia at iglass.net (Marc Wiatrowski)
Date: Fri, 5 Jun 2015 11:12:01 -0400
Subject: [Freeipa-users] Certificate expired/renew problems
Message-ID:

hello,

I've got a problem with expired certificates in my ipa/IdM setup. I believe the root issue to be from the fact that when everything was first setup about a year ago and everything was replicated from a first ipa server which no longer exists. There are currently 3 ipa servers but none of them are the original.

Couple days ago I started getting errors similar to '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired' through the web management interface. After investigating with 'getcert list' I found that several certificates expired at 2015-05-31 18:48:55 UTC.
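The check Nathaniel asks for in the OTP thread above (do the two outgoing RADIUS Access-Requests belong to one incoming AS-REQ or to two?) can be answered mechanically once a capture is reduced to a timeline. The script below is an added example written for this page; it is not FreeIPA code and not from anyone in the thread. It assumes you have already captured port 88 and the RADIUS port (1812 by default) on the KDC and reduced the capture to one tab-separated line per packet (epoch seconds, "AS-REQ" or "RADIUS", the RADIUS Identifier byte or "-", and the user name); the SAMPLE timeline is constructed to mimic the two-copies symptom, not a real capture.

```python
"""Correlate incoming AS-REQs with outgoing RADIUS Access-Requests on a KDC.

Added example for the diagnostic described in the thread; not FreeIPA code.
Input: one packet per line, tab-separated:
    <epoch seconds>  <proto>  <radius id or ->  <user>
proto is "AS-REQ" (krb5 request arriving at the KDC, port 88) or "RADIUS"
(Access-Request leaving the KDC). SAMPLE is constructed, not a capture.
"""
from dataclasses import dataclass, field

SAMPLE = """\
1431703383.10\tAS-REQ\t-\tbahmer
1431703383.12\tRADIUS\t17\tbahmer
1431703384.15\tRADIUS\t17\tbahmer
1431703385.30\tAS-REQ\t-\tbahmer
1431703385.33\tRADIUS\t18\tbahmer
"""


@dataclass
class AsReq:
    ts: float
    user: str
    radius_ids: list = field(default_factory=list)  # one entry per RADIUS packet sent


def parse_events(text):
    """Turn the summary into (ts, proto, rid, user) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, rid, user = line.split("\t")
        events.append((float(ts), proto, rid, user))
    events.sort(key=lambda e: e[0])
    return events


def correlate(text, window=30.0):
    """Attach every RADIUS request to the most recent AS-REQ for the same user.

    A RADIUS packet with no AS-REQ for that user in the preceding `window`
    seconds is an orphan: the KDC sent RADIUS traffic without a trigger.
    """
    reqs, orphans = [], []
    for ts, proto, rid, user in parse_events(text):
        if proto == "AS-REQ":
            reqs.append(AsReq(ts, user))
            continue
        candidates = [r for r in reqs if r.user == user and 0 <= ts - r.ts <= window]
        if candidates:
            candidates[-1].radius_ids.append(rid)
        else:
            orphans.append((ts, rid, user))
    return reqs, orphans


def summarize(text, window=30.0):
    """Apply the rule from the thread to one login attempt's worth of traffic.

    - the same RADIUS Identifier repeated under one AS-REQ is a retransmit,
      i.e. the KDC's RADIUS timeout/retry setting, not a new authentication;
    - several distinct Identifiers under one AS-REQ means the KDC side
      (krb5 OTP plugin) is issuing extra requests on its own;
    - several AS-REQs means the client side (kinit/SSSD, or a UDP retry)
      is sending the password more than once.
    """
    reqs, orphans = correlate(text, window)
    retransmits = sum(len(r.radius_ids) - len(set(r.radius_ids)) for r in reqs)
    distinct_per_asreq = [len(set(r.radius_ids)) for r in reqs]
    if any(n > 1 for n in distinct_per_asreq):
        suspect = "kdc"
    elif len(reqs) > 1:
        suspect = "client"
    else:
        suspect = "none"
    return {
        "as_req": len(reqs),
        "radius": sum(len(r.radius_ids) for r in reqs) + len(orphans),
        "retransmits": retransmits,
        "orphans": len(orphans),
        "distinct_per_asreq": distinct_per_asreq,
        "suspect": suspect,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the constructed sample the verdict is "client": two AS-REQs arrive 2.2 s apart and each produces exactly one fresh RADIUS request (the repeated Identifier 17 is a retransmit, which is what a RADIUS server drops as a duplicate). Feed it a real reduction and a "kdc" verdict points at the OTP plugin or its timeout/retry settings instead. The Identifier is a single byte, so for long captures narrow the window or filter to one user before trusting the retransmit count.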
I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master and followed the procedure for ipa <4.0 and everything seemed to go as expected. However this did not fix my issue.

With more searching it looked like once the certificates are expired the auto renew will not work. Finding https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 to try to manually renew I am stuck at the beginning with 'Give the CSR to your external CA.' I don't believe we had our certificates externally signed. They are whatever the original install put in place. Setting the date back in time wreaks havoc on our environment so I'm reluctant to leave it for too long. I can get what I believe is the original CSR from /etc/pki-ca/CS.cfg but unsure what to do next or if this is even the road I should be going down.

Things seem to be working for the most part except trying to make updates. Any help on what to do next, somewhere else to look, or if I'm going in the right direction would be greatly appreciated.

thanks,
Marc

Info:
CentOS 6.5 with some current updates including
ipa-server-3.0.0-42.el6.centos.i686
certmonger-0.75.13-1.el6.i686

$ getcert list-cas
CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-retrieve-agent-submit':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit

$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20131204194012':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o,O=IGLASS.NET
	expires: 2015-12-05 19:40:13 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20141114162346':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o.iglass.net,O=IGLASS.NET
	expires: 2016-11-14 16:22:37 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20141114162434':
	status: MONITORING
	ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o.iglass.net,O=IGLASS.NET
	expires: 2016-11-03 16:24:27 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20141114162522':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o.iglass.net,O=IGLASS.NET
	expires: 2016-11-14 16:22:36 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20141114162610':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o.iglass.net,O=IGLASS.NET
	expires: 2016-11-14 16:22:42 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150604181945':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=CA Audit,O=IGLASS.NET
	expires: 2015-05-31 18:48:55 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150604181956':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=OCSP Subsystem,O=IGLASS.NET
	expires: 2015-05-31 18:48:54 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	eku: id-kp-OCSPSigning
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150604182006':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=CA Subsystem,O=IGLASS.NET
	expires: 2015-05-31 18:48:54 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20150604182012':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=IPA RA,O=IGLASS.NET
	expires: 2015-05-31 18:49:37 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

From desantis at mail.usf.edu Fri Jun 5 17:03:26 2015
From: desantis at mail.usf.edu (John Desantis)
Date: Fri, 5 Jun 2015 13:03:26 -0400
Subject: [Freeipa-users] Certificate expired/renew problems
In-Reply-To:
References:
Message-ID:

Marc,

I experienced a similar issue earlier this year. Try restarting certmonger after temporarily changing the date back on the master. In our case that service had failed miserably and it didn't allow FreeIPA to renew the certificates properly. Our replicas however were hit with a bug [1] during this process.
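The pattern in Marc's getcert output above (renewal-agent certificates such as ipaCert, subsystemCert, ocspSigningCert and auditSigningCert all past their expiry date, and the same requests now CA_UNREACHABLE because the expired certificates are what certmonger would use to talk to the CA) is exactly what a monitor should catch while renewal still works. The script below is an added example written for this page; it is not certmonger's or FreeIPA's code and not from anyone in the thread. It parses the `getcert list` text format shown above; the SAMPLE is constructed with invented hostnames and nicknames chosen to exercise each alert path, and the "now" timestamp is supplied by the caller so the check is reproducible.

```python
"""Audit `getcert list` output for expired, expiring or stuck certmonger requests.

Added example; not certmonger's or FreeIPA's own code. Parses the text
format certmonger prints (Request ID blocks with tab-indented "key: value"
lines). SAMPLE is constructed: names and serials are invented, the layout
follows the real output.
"""
import re
from datetime import datetime, timedelta

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20141114162610':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-11-14 16:22:42 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20150604182012':
\tstatus: CA_UNREACHABLE
\tca-error: Error 35 connecting to https://ipa.example.test:9443/ca/agent/ca/profileReview: SSL connect error.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2015-05-31 18:49:37 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20150604181956':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2015-06-20 18:48:54 UTC
\ttrack: yes
\tauto-renew: no
"""


def parse_time(s):
    """Parse certmonger's 'expires:' timestamp into a naive UTC datetime."""
    return datetime.strptime(s, EXPIRES_FMT)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed exactly as getcert prints."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID '"):
            current = {"request_id": line[len("Request ID '"):].split("'", 1)[0]}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # first colon only; values contain colons
            current[key.strip()] = value.strip()
    return requests


def nickname(storage):
    """Pull nickname='...' out of a 'certificate:' or 'key pair storage:' value."""
    m = re.search(r"nickname='([^']*)'", storage or "")
    return m.group(1) if m else None


def audit(text, now, warn_days=28):
    """Flag what a renewal monitor should alert on; `now` is a naive UTC datetime.

    Returns (severity, request_id, nickname, message) tuples, worst first.
    The thread's lesson: once the CA's own agent certificates have expired,
    certmonger can no longer reach the CA to renew anything, so the
    "expires in N days" warning has to fire while the renewal path works.
    """
    findings = []
    for req in parse_getcert_list(text):
        rid = req["request_id"]
        nick = nickname(req.get("certificate") or req.get("key pair storage"))
        exp_s = req.get("expires")
        expires = parse_time(exp_s) if exp_s else None
        if expires is not None and expires <= now:
            findings.append((3, rid, nick, "expired %s" % exp_s))
        elif expires is not None and expires - now <= timedelta(days=warn_days):
            findings.append((2, rid, nick, "expires in %d days" % (expires - now).days))
        if req.get("status") != "MONITORING":
            findings.append((2, rid, nick, "status %s" % req.get("status")))
        if req.get("stuck") == "yes":
            findings.append((2, rid, nick, "certmonger marks the request stuck"))
        if req.get("ca-error"):
            findings.append((1, rid, nick, "ca-error: " + req["ca-error"]))
        if req.get("auto-renew") != "yes":
            findings.append((1, rid, nick, "auto-renew is off"))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return findings


if __name__ == "__main__":
    for sev, rid, nick, msg in audit(SAMPLE, parse_time("2015-06-05 15:12:01 UTC")):
        print(sev, rid, nick, msg)
```

Run against real output with `getcert list | python3 this_script.py`-style plumbing of your choice and today's time; the severity-3 lines are the ones where, as the thread says, only rolling the clock back and restarting certmonger will still get you a renewal.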
We applied the patched code and followed the same process and all was well.

John DeSantis

[1] https://fedorahosted.org/freeipa/ticket/4064

2015-06-05 11:12 GMT-04:00 Marc Wiatrowski :
> hello,
>
> I've got a problem with expired certificates in my ipa/IdM setup. I believe the root issue to be from the fact that when everything was first setup about a year ago and everything was replicated from a first ipa server which no longer exists. There are currently 3 ipa servers but none of them are the original.
>
> [...]

From prasun.gera at gmail.com Fri Jun 5 17:47:19 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 5 Jun 2015 10:47:19 -0700
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved
In-Reply-To: <20150605143012.GN10162@redhat.com>
References: <556EAE04.3030704@redhat.com> <556EBD47.6090909@redhat.com> <55713C51.6050809@redhat.com> <20150605143012.GN10162@redhat.com>
Message-ID:

I had faced a similar issue a month ago, for which I had created a ticket.
https://fedorahosted.org/freeipa/ticket/4956

On Fri, Jun 5, 2015 at 7:30 AM, Alexander Bokovoy wrote:
> On Fri, 05 Jun 2015, Christopher Lamb wrote:
>> Hi Martin
>>
>> Thanks for updating the documentation!
>>
>> The suggested solution works not only on my test servers, but also "in the real world". This morning I migrated the last production server (ipa host) to the new FreeIPA KDC.
>>
>> Just out of idle curiosity, why is the rm -f /var/lib/sss/db/* step required on our EL 7.1 + ipa-client 4.1 boxes, but not on our older EL 6.5 + ipa-client 3.3.3 machines?
>>
>> Is the problem down to sssd?
>> (on the EL 6.5 machines we are running sssd 1.9.2, while on EL 7.1 we have sssd 1.12.2)
>>
> I think there are more object types supported by newer SSSD versions which aren't invalidated like users or groups.
>
>> Cheers
>>
>> Chris
>>
>> From: Martin Kosek
>> To: Christopher Lamb/Switzerland/IBM at IBMCH, Rob Crittenden, freeipa-users at redhat.com
>> Cc: Jakub Hrozek
>> Date: 05.06.2015 08:06
>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved
>>
>> On 06/04/2015 07:34 PM, Christopher Lamb wrote:
>>> Hi All
>>>
>>> I can now report back success (at least on my throwaway EL7.1 test VM).
>>>
>>> To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC to a new FreeIPA 4.1 KDC 3 steps are required:
>>>
>>> 1) ipa-client-install --uninstall
>>>
>>> 2) rm -f /var/lib/sss/db/*
>>>
>>> 3) ipa-client-install --server ldap.my.example.com --domain my.example.com -N
>>>
>>> Having done this, my free-ipa user successfully authenticates (e.g. ssh remote login with free-ipa user / password).
>>>
>>> To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required.
>>>
>>> Kudos and thanks go to Rob C for suggesting step 2. (Note that the directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as suggested earlier in this thread.)
>>
>> Cool! Thanks for reaching back. I added this advice to the FreeIPA Troubleshooting guide too:
>>
>> http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client
>>
>>> Cheers
>>>
>>> Chris
>>>
>>> From: Martin Kosek
>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com
>>> Cc: Jakub Hrozek, Rob Crittenden
>>> Date: 03.06.2015 10:39
>>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>>
>>> On 06/03/2015 10:30 AM, Christopher Lamb wrote:
>>>> Hi all
>>>>
>>>> This is a quick(ish) note to bring everybody up to speed on this issue. Yesterday we had some private mail exchange on this issue as I did not wish to broadcast the krb5 and ipa install logs to the user list.
>>>>
>>>> The basic situation is that we are in the process of migrating from a FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As discussed in a thread some weeks ago we did not do this by replicating (as perhaps we should have done). Instead we migrated the users across.
>>>>
>>>> We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to the old KDC. We are now in the process of migrating these hosts to the new 4.1 KDC.
>>>>
>>>> Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these joining to the new KDC was trouble free, taking a few minutes each. After joining the new KDC FreeIPA users authenticated properly.
>>>>
>>>> We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were joined direct to the new 4.1 KDC, never having been joined to the 3.3.3 KDC. These were also trouble free.
>>>>
>>>> The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1 hosts that were originally joined to the 3.3.3 KDC, and must be moved to join the 4.1 KDC. These machines no longer authenticate valid FreeIPA users. I have been able to reproduce this behaviour with a freshly setup VM joined first to the 3.3.3 KDC, then moved to the 4.1 KDC.
>>>>
>>>> While the errors shown in the krb5 child logs indicate that the password is incorrect, the same user / password is happily accepted by all the other hosts.
>>>>
>>>> It seems that in the process of moving / migrating the EL 7.1 / ipa-client 4.1 from the old KDC to the new KDC, "something" is left behind that causes problems. We have seen indications in the install logs that the kinit steps called during ipa-client install are getting responses from the wrong (old) KDC, and not from the new KDC.
>>>>
>>>> Frustratingly, over the weekend I managed to get one of the problem EL 7.1 boxes to work. However I can't work out exactly what it was that I did that did the trick. However it seems that some kind of major de-install / cleanup + reinstall of the ipa-client may be needed.
>>>>
>>>> Rob has suggested that as part of such a cleanup I should do "rm -f /var/lib/sssd/db/*". I will test this later today and report back.
>>>>
>>>> Thanks to Rob, Jakub, Martin, Alexander et al for their help and suggestions so far.
>>>>
>>>> Chris
>>>
>>> Thanks for the background. The pain you are getting is exactly the reason why migration via replication to RHEL-7.1 is a better choice :-) Please let us know the result, I am curious how this works out.
>>>
>>>> From: Martin Kosek
>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com, Jakub Hrozek
>>>> Date: 03.06.2015 09:34
>>>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>>>
>>>> On 06/02/2015 06:15 PM, Christopher Lamb wrote:
>>>>> Hi
>>>>>
>>>>> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause of this problem. Let's call them HOST09 and HOST10.
>>>>>
>>>>> Both are minimum installs of EL7.1, with NTPD installed and configured.
>>>>>
>>>>> HOST09 had ipa-client 4.1 installed via yum, and was configured to use our new FreeIPA 4.1 server, right from the start. --> My FreeIPA user authenticates successfully against this machine.
>>>>>
>>>>> HOST10 had ipa-client 4.1 installed as a dependency of one of our standard config packages, and was first set to use our old FreeIPA 3.3.3 server. --> My FreeIPA user authenticates successfully against this machine.
>>>>>
>>>>> I then de-registered HOST10 from the FreeIPA 3.1 server, and registered against the new FreeIPA 4.1 server --> My FreeIPA user does NOT authenticate successfully.
>>>>>
>>>>> This replicates well the behaviour I saw with my production servers, namely
>>>>>
>>>>> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1 FreeIPA server authenticate properly.
>>>>>
>>>>> b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3 FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT authenticate properly.
>>>>>
>>>>> Chris
>>>>
>>>> Hello,
>>>>
>>>> This is really strange. What I do not fully understand is what is the "registration against a FreeIPA server". What server you install IPA client should matter if the deployment is set up properly. The host enrollment entry should simply replicate to whole infrastructure. The only thing that will probably differ is sssd.conf and krb5.conf as they will have different primary server set up, based on what your DNS setup is.
>>>>
>>>> It rather seems that the "reregistration" is what causes the issue. It looks like some cleanup problem during the process. I will let Jakub help here, I would suggest including the SSSD logs from the failed login, it may help.
>>>>
>>>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 -----
>>>>>
>>>>> From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>> To: Jakub Hrozek
>>>>> Cc: freeipa-users at redhat.com
>>>>> Date: 02.06.2015 10:40
>>>>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>>
>>>>> Hi Jakub
>>>>>
>>>>> Yes root login works, that's how I've been getting into the box.
>>>>>
>>>>> Surprisingly, kinit with my user seems to work on that box. After entering my password when prompted, it returns to the commandline without error.
>>>>>
>>>>> However if I try kinit with another FreeIPA user, then instead of prompting for a password, it gives "Generic preauthentication failure while getting initial credentials" error.
>>>>>
>>>>> Having set debug_level=10, when I try and ssh in with my FreeIPA user, I find errors like
>>>>>
>>>>> "Retrieving host .... with result: .. Matching credential not found"
>>>>>
>>>>> "Received error from KDC ... Additional pre-authentication required"
>>>>>
>>>>> "Received error from KDC... Decrypt integrity check failed"
>>>>>
>>>>> "Received error code 1432158219"
>>>>>
>>>>> Cheers
>>>>>
>>>>> Chris
>>>>>
>>>>> From: Jakub Hrozek
>>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>> Cc: freeipa-users at redhat.com
>>>>> Date: 02.06.2015 09:50
>>>>> Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
>>>>>
>>>>> On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
>>>>>> Hi Jakub
>>>>>>
>>>>>> The same user / password works with all our FreeIPA hosts - just this one box is the problem. So the password should be good. Of course a typo is always possible (especially for strong passwords), but I have tried many times which should eliminate the odd password typo. The user / password should also be good for both the old and the new FreeIPA Server.
>>>>>
>>>>> Interesting, can you add debug_level=10 to the domain section of sssd.conf? Then krb5_child.log should show Kerberos tracing info including which exact KDC SSSD was talking to.
>>>>>
>>>>>> As I can neither log in direct, or via ssh to this box with my FreeIPA user, I assume kinit with my user won't work - I will try later in the day.
>>>>>
>>>>> Well, login as a UNIX user (root) should work..
>>>>>
>>>>>> My working assumption is that the problem is related in some way to the fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2 throwaway EL 7.1 VMs to better test this.
On one I will first install >>>>>> 3.3.3, then upgrade to 4.1. The second will have a direct install of >>>>>> >>>>> 4.1 >>> >>>> client. >>>>>> >>>>>> Cheers >>>>>> >>>>>> Chris >>>>>> >>>>>> >>>>>> >>>>>> From: >>>>>> >>>>> >>> Jakub Hrozek >>> >>>> >>>> >>>>> To: >>>>>> >>>>> freeipa-users at redhat.com >>>> >>>>> Date: >>>>>> >>>>> >>> 02.06.2015 09:22 >>> >>>> Subject: >>>>>> >>>>> >>> Re: >>> >>>> [Freeipa-users] Fw: ssh problem with >>>> >>>>> migrated >>>>> FreeIPA >>>>> >>>>>> client on EL7.1 -->Not Solved >>>>>> Sent by: >>>>>> >>>>> freeipa-users-bounces at redhat.com >>>> >>>>> >>>>>> >>>>>> >>>>>> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote: >>>>>> >>>>>>> >>>>>>> Hi All >>>>>>> >>>>>>> Bad news. >>>>>>> >>>>>>> Over the weekend I was able to get the original problem EL7.1 / >>>>>>> >>>>>> FreeIPA >>> >>>> 4.1 >>>>>> >>>>>>> host (FreeIPA client) to authenticate FreeiPA users (my test being >>>>>>> >>>>>> ssh >> >>> remote login with FreeIPA user and password). >>>>>>> >>>>>>> Today I tried a second machine, and had the same problem, ssh >>>>>>> >>>>>> connections >>>>> >>>>>> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity >>>>>>> >>>>>> check >>>>>> >>>>>>> failed" >>>>>>> >>>>>> >>>>>> This really just means wrong password, can you kinit as that user >>>>>> >>>>> using >> >>> the same password? >>>>>> >>>>>> >>>>>>> Ahh I thought, I have a solution for that: just remove ipa-client and >>>>>>> reinstall via yum, register with the new FreeIPA server .... >>>>>>> >>>>>>> Only with this second machine I still can't ssh in with a FreeIPA >>>>>>> >>>>>> user. >>> >>>> Argg..... 
>>>>>>> >>>>>>> b.t.w, as this machine is a real physical server, I was able to try >>>>>>> >>>>>> logging >>>>>> >>>>>>> in direct with my FreeIPA user --> "Authentication Failure" >>>>>>> >>>>>>> I now have >>>>>>> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the >>>>>>> >>>>>> old >>>>> >>>>>> FreeIPA server to the new without a hitch (i.e. they successfully >>>>>>> authenticate FreeIPA users.) >>>>>>> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, >>>>>>> >>>>>> but >>> >>>> with problems >>>>>>> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all >>>>>>> >>>>>> attempts >>> >>>> to >>>>>> >>>>>>> authenticate with a FreeIPA user >>>>>>> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the >>>>>>> >>>>>> new >>>>> >>>>>> FreeIPA server, and successfully authenticates FreeIPA users. >>>>>>> >>>>>>> Any ideas? >>>>>>> >>>>>>> Chris >>>>>>> >>>>>>> >>>>>>> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 >>>>>>> >>>>>> 19:17 >>> >>>> ----- >>>>>>> >>>>>>> From: >>>>>>> >>>>>> >>>> Christopher >> >>> Lamb/Switzerland/IBM at IBMCH >>>>> >>>>>> To: >>>>>>> >>>>>> >>>> Alexander Bokovoy >> >>> , >>>>> >>>>>> freeipa-users at redhat.com >>>>>>> Date: >>>>>>> >>>>>> >>>> 30.05.2015 18:52 >> >>> Subject: >>>>>>> >>>>>> >>>> Re: >> >>> [Freeipa-users] ssh problem with >>>>> migrated FreeIPA >>>>> >>>>>> client on >>>>>> >>>>>>> EL7.1 --> Solved >>>>>>> Sent by: >>>>>>> >>>>>> freeipa-users-bounces at redhat.com >>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>> Hi All >>>>>>> >>>>>>> It gives me pleasure to report the problem is solved - a minute ago I >>>>>>> >>>>>> was >>>>> >>>>>> able to login via ssh with my FreeIPA user to the problem server, >>>>>>> >>>>>> while >>> >>>> sitting on my terrace with a glass of wine! 
>>>>>>> >>>>>>> Thanks to Alexander for his helpful advice - we had some mail >>>>>>> >>>>>> exchange >> >>> outside the user list as I did not wish to broadcast content of keys, >>>>>>> config files etc. >>>>>>> >>>>>>> Regardless of what I did with commands like klist, kvno everything >>>>>>> >>>>>> seemed >>>>> >>>>>> "ok", but I still could not ssh in. Even a ipa-getkeytab did not >>>>>>> >>>>>> help. >> >>> >>>>>>> Therefore I decided to opt for brute force and (partial) ignorance. I >>>>>>> completely uninstalled the FreeIPA client, and then reinstalled, >>>>>>> >>>>>> configured >>>>>> >>>>>>> - ?t voil? I could ssh in! >>>>>>> >>>>>>> This leaves the enigma: what caused the problem? I suspect the >>>>>>> >>>>>> following: >>>>> >>>>>> >>>>>>> The host is an EL 7.1, but the first FreeIPA client installed was >>>>>>> >>>>>> version >>>>> >>>>>> 3.3.3 (installed as set of standard packages that we bung on all our >>>>>>> servers). >>>>>>> >>>>>>> This worked fine to authenticate against our "old" 3.x FreeIPA >>>>>>> >>>>>> server, >> >>> but >>>>>> >>>>>>> did not work against the "new" 4.1 FreeIPA Server. >>>>>>> >>>>>>> When I realised I could not ssh in, one of the first things I did was >>>>>>> >>>>>> to >>>>> >>>>>> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not >>>>>>> >>>>>> help. >>>>> >>>>>> The solution was to yum remove the FreeIPA client, then yum install >>>>>>> >>>>>> the >>> >>>> 4.1 >>>>>> >>>>>>> client. >>>>>>> >>>>>>> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client >>>>>>> >>>>>> installed, >>>>> >>>>>> so >>>>>> >>>>>>> it will be interesting to see it the problem can be reproduced. 
>>>>>>> >>>>>>> Keep up the good work, >>>>>>> >>>>>>> Chris >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> From: >>>>>>> >>>>>> >>>>> Alexander >>> Bokovoy >>> >>>> >>>>> >>>>>> To: >>>>>>> >>>>>> >>>>> Christopher >>> >>>> Lamb/Switzerland/IBM at IBMCH >>>>> >>>>>> Cc: >>>>>>> >>>>>> freeipa-users at redhat.com >>>>> >>>>>> Date: >>>>>>> >>>>>> >>>>> 29.05.2015 >>> 18:04 >>> >>>> Subject: >>>>>>> >>>>>> >>>>> >>> Re: >> >>> [Freeipa-users] ssh problem with >>>>> >>>>>> migrated FreeIPA >>>>>> >>>>>>> client on >>>>>>> EL7.1 >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Fri, 29 May 2015, Christopher Lamb wrote: >>>>>>> >>>>>>>> >>>>>>>> Hi All >>>>>>>> >>>>>>>> Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to >>>>>>>> >>>>>>> replace >>>>>> >>>>>>> the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully >>>>>>>> >>>>>>> migrated >>>>> >>>>>> across the users. >>>>>>>> >>>>>>>> We have 50 odd Servers that are FreeIPA clients. Today I started >>>>>>>> >>>>>>> migrating >>>>>> >>>>>>> these one-by-one from the old FreeIPA 3.x server to the new FreeIPA >>>>>>>> >>>>>>> 4 >> >>> server by doing an ipa-client-install --uninstall from the old, and >>>>>>>> ipa-client-install to register with the new 4.1.0 server. >>>>>>>> >>>>>>>> Most of the FreeIPA clients are running OEL 6.5, and for these the >>>>>>>> migration process above worked perfectly. After migrating the >>>>>>>> >>>>>>> server, >> >>> I >>>>> >>>>>> could ssh in with my FreeIPA user. >>>>>>>> >>>>>>>> Then I migrated an OEL 7.1 server. The migration itself seemed to >>>>>>>> >>>>>>> work, >>>>> >>>>>> and >>>>>>> >>>>>>>> getent passwd was successful for my FreeIPA user. However when I try >>>>>>>> >>>>>>> and >>>>> >>>>>> ssh in, my FreeIPA user / password is not accepted. >>>>>>>> >>>>>>>> Before the migration I could ssh into the problem server (though >>>>>>>> >>>>>>> evidently >>>>>> >>>>>>> it was using my FreeIPA user from the old FreeIPA server). 
>>>>>>>> >>>>>>>> I can ssh in with a local (non ldap) user, so ssh is running and >>>>>>>> >>>>>>> working. >>>>>> >>>>>>> >>>>>>>> >From user root I can successfully su to my FreeIPA user. >>>>>>>> >>>>>>>> Further investigation showed that version of ipa-client installed >>>>>>>> >>>>>>> was >> >>> 3.3.3, so I yum updated this to 4.1.0. >>>>>>>> >>>>>>>> However I still cannot ssh into the OEL 7.1 box with my FreeIPA >>>>>>>> >>>>>>> user. >> >>> The >>>>>> >>>>>>> same user continues to work for the 6.5 boxes. >>>>>>>> >>>>>>>> A colleague tried to ssh in with his FreeIPA user, and was also >>>>>>>> >>>>>>> rejected, >>>>>> >>>>>>> so the problem is not my user, but is probably for all FreeIPA >>>>>>>> >>>>>>> users. >> >>> >>>>>>>> A failed ssh login attempt causes the following error >>>>>>>> >>>>>>> in /var/log/messages >>>>>> >>>>>>> >>>>>>>> [sssd[krb5_child[5393]]]: Decrypt integrity check failed >>>>>>>> >>>>>>> It means /etc/krb5.keytab contains keys from older system and SSSD >>>>>>> picks them up. >>>>>>> Can you show output of 'klist -kKet'? 
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>
> --
> / Alexander Bokovoy

From wia at iglass.net Fri Jun 5 19:49:31 2015
From: wia at iglass.net (Marc Wiatrowski)
Date: Fri, 5 Jun 2015 15:49:31 -0400
Subject: [Freeipa-users] Certificate expired/renew problems

Thank you John. I had tried that but you did give me some things to look at.
I was able to get 2 of the certificates to renew by setting the date back in time, a services restart, and issuing 'ipa-getcert resubmit -i '. This renewed the following: 'Server-Cert' and 'ipaCert', but did not renew 'auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca' or 'subsystemCert cert-pki-ca'.

The admin web interface now gives 'ipa error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)'. Listing the certs shows an error along the lines of: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".

If any of these are useful:

messages:
Jun 5 15:38:05 spider01o certmonger: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".

httpd/error:
[Fri Jun 05 14:32:26 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)

selftests.log:
8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification: system certs verification failure
8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

$ ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

$ certutil -L -d /var/lib/pki-ca/alias
Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca             u,u,u
subsystemCert cert-pki-ca               u,u,u
Server-Cert cert-pki-ca                 u,u,u
caSigningCert cert-pki-ca               CTu,u,u
auditSigningCert cert-pki-ca            u,u,Pu

$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20131204194012':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o,O=IGLASS.NET
    expires: 2017-05-28 18:03:59 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141114162346':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-14 16:22:37 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141114162434':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-03 16:24:27 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141114162522':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-14 16:22:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141114162610':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-14 16:22:42 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150604181945':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=CA Audit,O=IGLASS.NET
    expires: 2015-05-31 18:48:55 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150604181956':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=OCSP Subsystem,O=IGLASS.NET
    expires: 2015-05-31 18:48:54 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150604182006':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=CA Subsystem,O=IGLASS.NET
    expires: 2015-05-31 18:48:54 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150604182012':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=IPA RA,O=IGLASS.NET
    expires: 2017-05-25 13:58:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

thanks again.
-Marc

On Fri, Jun 5, 2015 at 1:03 PM, John Desantis wrote:
> Marc,
>
> I experienced a similar issue earlier this year.
>
> Try restarting certmonger after temporarily changing the date back on the master. In our case that service had failed miserably and it didn't allow FreeIPA to renew the certificates properly.
>
> Our replicas however were hit with a bug [1] during this process. We applied the patched code and followed the same process and all was well.
>
> John DeSantis
>
> [1] https://fedorahosted.org/freeipa/ticket/4064
>
> 2015-06-05 11:12 GMT-04:00 Marc Wiatrowski :
> > hello,
> >
> > I've got a problem with expired certificates in my ipa/IdM setup.
> > I believe the root issue to be from the fact that when everything was first set up about a year ago, everything was replicated from a first ipa server which no longer exists. There are currently 3 ipa servers but none of them are the original.
> >
> > Couple days ago I started getting errors similar to '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired' through the web management interface. After investigating with 'getcert list' I found that several certificates expired at 2015-05-31 18:48:55 UTC.
> >
> > I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master and followed the procedure for ipa <4.0 and everything seemed to go as expected. However this did not fix my issue.
> >
> > With more searching it looked like once the certificates are expired the auto renew will not work. Finding https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 to try to manually renew, I am stuck at the beginning with 'Give the CSR to your external CA.' I don't believe we had our certificates externally signed. They are whatever the original install put in place. Setting the date back in time wreaks havoc on our environment so I'm reluctant to leave it for too long. I can get what I believe is the original CSR from /etc/pki-ca/CS.cfg but am unsure what to do next or if this is even the road I should be going down.
> >
> > Things seem to be working for the most part except trying to make updates. Any help on what to do next, somewhere else to look, or if I'm going in the right direction would be greatly appreciated.
> >
> > thanks,
> > Marc
> >
> > Info:
> > CentOS 6.5 with some current updates including
> > ipa-server-3.0.0-42.el6.centos.i686
> > certmonger-0.75.13-1.el6.i686
> >
> > $ getcert list-cas
> > CA 'SelfSign':
> >     is-default: no
> >     ca-type: INTERNAL:SELF
> >     next-serial-number: 01
> > CA 'IPA':
> >     is-default: no
> >     ca-type: EXTERNAL
> >     helper-location: /usr/libexec/certmonger/ipa-submit
> > CA 'certmaster':
> >     is-default: no
> >     ca-type: EXTERNAL
> >     helper-location: /usr/libexec/certmonger/certmaster-submit
> > CA 'dogtag-ipa-renew-agent':
> >     is-default: no
> >     ca-type: EXTERNAL
> >     helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> > CA 'local':
> >     is-default: no
> >     ca-type: EXTERNAL
> >     helper-location: /usr/libexec/certmonger/local-submit
> > CA 'dogtag-ipa-retrieve-agent-submit':
> >     is-default: no
> >     ca-type: EXTERNAL
> >     helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
> >
> > $ getcert list
> > Number of certificates and requests being tracked: 9.
> > Request ID '20131204194012':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> >     certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=spider01o,O=IGLASS.NET
> >     expires: 2015-12-05 19:40:13 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20141114162346':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=spider01o.iglass.net,O=IGLASS.NET
> >     expires: 2016-11-14 16:22:37 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20141114162434':
> >     status: MONITORING
> >     ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=spider01o.iglass.net,O=IGLASS.NET
> >     expires: 2016-11-03 16:24:27 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20141114162522':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=spider01o.iglass.net,O=IGLASS.NET
> >     expires: 2016-11-14 16:22:36 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20141114162610':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=spider01o.iglass.net,O=IGLASS.NET
> >     expires: 2016-11-14 16:22:42 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20150604181945':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=CA Audit,O=IGLASS.NET
> >     expires: 2015-05-31 18:48:55 UTC
> >     key usage: digitalSignature,nonRepudiation
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20150604181956':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=OCSP Subsystem,O=IGLASS.NET
> >     expires: 2015-05-31 18:48:54 UTC
> >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >     eku: id-kp-OCSPSigning
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20150604182006':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=CA Subsystem,O=IGLASS.NET
> >     expires: 2015-05-31 18:48:54 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20150604182012':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=IGLASS.NET
> >     subject: CN=IPA RA,O=IGLASS.NET
> >     expires: 2015-05-31 18:49:37 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes

From James.Benson at utsa.edu Fri Jun 5 19:50:22 2015
From: James.Benson at utsa.edu (James Benson)
Date: Fri, 5 Jun 2015 14:50:22 -0500
Subject: [Freeipa-users] Successful Install on VB...
Message-ID: <5571FD7E.20202@utsa.edu>

Dear all,

I recently installed Fedora Server 22 on a virtualbox with the ethernet bridged (can successfully ping it, ssh, etc) and I can do a kinit admin and ipa user-add as the instructions detail in the next steps; however, I cannot access the webui. Has anyone else run into this issue? I've tried to check the services; however, they don't seem to want to start (no errors, just don't see them in the service status menu). Any help would be great as I would greatly like to use the website over commands if possible.

Thank you,
James

From edewata at redhat.com Fri Jun 5 20:19:51 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Jun 2015 15:19:51 -0500
Subject: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)
In-Reply-To: <555AFA44.70601@lyra-network.com>
References: <5550C748.3090903@lyra-network.com> <20150512160952.GA23769@redhat.com> <55522CB1.2090805@lyra-network.com> <20150512181142.GB23769@redhat.com> <5553083E.3050203@lyra-network.com> <555AFA44.70601@lyra-network.com>
Message-ID: <55720467.2020700@redhat.com>

On 5/19/2015 3:54 AM, Thibaut Pouzet wrote:
> Hi,
>
> It appeared that the NSS DB had FIPS enabled due to the troubleshooting
> of an old problem:
>
> # modutil -dbdir /var/lib/pki-ca/alias/ -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> 1. NSS Internal FIPS PKCS #11 Module
> slots: 1 slot attached
> status: loaded
>
> slot: NSS FIPS 140-2 User Private Key Services
> token: NSS FIPS 140-2 Certificate DB
> -----------------------------------------------------------
>
> I disabled it: modutil -dbdir /var/lib/pki-ca/alias -fips false
>
> And no longer have the stack trace in the debug logs while re-submitting
> the certificate with certmonger.
>
> This is a first step in this certificate renewal, as I still cannot
> renew it, I have a new error:
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
>
> This looks like a chicken and egg problem, the certificate served on
> ipa_server:9443 is the one that needs to be renewed. I tried to step
> back in time when the certificate was still valid with no luck.
>
> So if anyone has an idea here...
>
> Cheers,

Hi,

Is this still a problem? Per discussion with Rob it doesn't seem to be an issue with Dogtag itself. I suppose you are following this instruction: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Could you post the full getcert list output? Also after you reset the clock back and try the renewal again could you post the error messages that you get? Hopefully the IPA team will be able to troubleshoot further.

Thanks.

-- 
Endi S. Dewata

From nathan at nathanpeters.com Fri Jun 5 21:17:25 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 5 Jun 2015 14:17:25 -0700
Subject: [Freeipa-users] FreeIPA web UI Freezing up
Message-ID: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com>

I have noticed that happen a couple times in the last few days. FreeIPA server 4.1.3 on CentOS 7 with a sync relationship to a Windows server 2008R2 domain controller.

The web ui will stop working and just show a blank page.

When I try to do a ipactl status the command just freezes and does nothing.
In the example I paste below, there were 5 minutes between when I entered the command and when I did ctrl-c after getting tired of waiting for nothing to happen.
After the ipactl command failed to work at all, I decided to restart the httpd service manually, and then saw a whole pile of strange errors around failing to bind to ldap server and generic kerberos errors.

Rebooting the server seems to work for 24 hours or so until things go wonky again.

[username at dc1 ~]$ sudo su -
Last login: Fri Jun 5 16:05:55 UTC 2015 on pts/0
[root at dc1 ~]# ipactl status
^CCancelled.
[root at dc1 ~]# ipactl restart
^CCancelled.
[root at dc1 ~]# ipactl restart
^CCancelled.
[root at dc1 ~]# systemctl restart httpd
[root at dc1 ~]#

Jun 05 21:02:32 dc1.mydomain.net systemd[1]: Stopping The Apache HTTP Server...
Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Created slice user-0.slice.
Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Starting Session 161 of user root.
Jun 05 21:03:19 dc1.mydomain.net systemd-logind[604]: New session 161 of user root.
Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Started Session 161 of user root.
Jun 05 21:03:19 dc1.mydomain.net login[614]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jun 05 21:03:19 dc1.mydomain.net login[614]: ROOT LOGIN ON tty1
Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:22.932855, 0] ipa_sam.c:4144(bind_callback_cleanup)
Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:43.935800, 0] ipa_sam.c:4144(bind_callback_cleanup)
Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service stopping timed out. Killing.
Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service: main process exited, code=killed, status=9/KILL
Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Unit httpd.service entered failed state.
Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Starting The Apache HTTP Server...
Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Started The Apache HTTP Server.
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152666, 0] ipa_sam.c:4144(bind_callback_cleanup)
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152995, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-NET.socket with dn="[Anonymous bind]" Error: Local error
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: (unknown)
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.153407, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: _netr_ServerAuthenticate3: failed to get machine password for account office.mydomain.net.: NT_STATUS_NONE_MAPPED
Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:08:23.034001, 0] ipa_sam.c:4144(bind_callback_cleanup)
Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1

I also got this error from the web ui after restarting httpd:

Runtime error

Web UI got in unrecoverable state during "metadata" phase

From nathan at nathanpeters.com Fri Jun 5 21:31:48 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 5 Jun 2015 14:31:48 -0700
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com>
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com>
Message-ID: <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com>

Further information: restarting the httpd service didn't help, but restarting the dirsrv service allowed me to once again login to the webui and the ipactl command started working again after the restart of
dirsrv.

Is there something I can look for in my logs next time this happens? I have a feeling it *will* happen again; this is a critical server I'm in charge of, so it will not be good if I cannot come up with a solid explanation or bug report on why this server spontaneously stops working.

[root at dc1 ~]# ipactl restart
(waiting 3 or 4 minutes with nothing happening)
^CCancelled.
[root at dc1 ~]# systemctl restart dirsrv at MYDOMAIN-NET
[root at dc1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root at dc1 ~]#

Here are some additional entries from my /var/log/dirsrv/slapd-MYDOMAIN logs. Strange error messages about non initialized replica.

However, I know the windows machine is properly syncing data because I have over 300 synced users and when I update them in AD the updated attributes sync to IPA.

[05/Jun/2015:21:22:59 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=mydomain,dc=net--no CoS Templates found, which should be added before the CoS Definition.
[05/Jun/2015:21:22:59 +0000] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-mydomain-NET/cldb/e054c085-ede211e4-bf10cd78-f19552bb.sema; NSPR error - -5943
[05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=mydomain,dc=net. Check if DB RUV needs to be updated
[05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 55720c20000100040000
[05/Jun/2015:21:23:02 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/dc1.mydomain.net at mydomain.NET] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[05/Jun/2015:21:23:02 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[05/Jun/2015:21:23:02 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - agmt="cn=meTodc1.mydomain.net" (dc1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[05/Jun/2015:21:23:02 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=mydomain,dc=net--no CoS Templates found, which should be added before the CoS Definition.
[05/Jun/2015:21:23:02 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[05/Jun/2015:21:23:02 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[05/Jun/2015:21:23:02 +0000] - Listening on /var/run/slapd-mydomain-NET.socket for LDAPI requests
[05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
[05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
[05/Jun/2015:21:27:10 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
[05/Jun/2015:21:27:14 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
[05/Jun/2015:21:27:18 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.

From rmeggins at redhat.com Fri Jun 5 21:39:01 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 05 Jun 2015 15:39:01 -0600
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To: <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com>
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com>
Message-ID: <557216F5.8050100@redhat.com>

On 06/05/2015 03:31 PM, nathan at nathanpeters.com wrote:
> Here are some additional entries from my /var/log/dirsrv/slapd-MYDOMAIN
> logs. Strange error messages about non initialized replica.
>
> However, I know the windows machine is properly syncing data because I
> have over 300 synced users and when I update them in AD the updated
> attributes sync to IPA.

Is it possible this is an old winsync agreement that is no longer valid?

>
> [05/Jun/2015:21:22:59 +0000] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=mydomain,dc=net--no CoS Templates found, which
> should be added before the CoS Definition.
> [05/Jun/2015:21:22:59 +0000] NSMMReplicationPlugin - changelog program - > _cl5NewDBFile: PR_DeleteSemaphore: > /var/lib/dirsrv/slapd-mydomain-NET/cldb/e054c085-ede211e4-bf10cd78-f19552bb.sem > a; NSPR error - -5943 > [05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - > replica_check_for_data_reload: Warning: disordely shutdown for replica > dc=mydomain,dc=net. Check if DB RUV needs to be updated > [05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - Force update of > database RUV (from CL RUV) -> 55720c20000100040000 > [05/Jun/2015:21:23:02 +0000] set_krb5_creds - Could not get initial > credentials for principal [ldap/dc1.mydomain.net at mydomain.NET] in keytab > [FILE:/etc/dirsrv/ds.keytab ]: -1765328324 (Generic error > (see e-text)) > [05/Jun/2015:21:23:02 +0000] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: > Unspecified GSS failure. Minor code may provide more information (No > Kerberos credentials available)) errno 0 (Success) > [05/Jun/2015:21:23:02 +0000] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - > agmt="cn=meTodc1.mydomain.net" (dc1:389): Replication bind with GSSAPI > auth failed: LDAP error -2 (Local err or) (SASL(-1): generic > failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide > more information (No Kerberos credentials available)) > [05/Jun/2015:21:23:02 +0000] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=mydomain,dc=net--no CoS Templates found, which > should be added before the CoS Definition. > [05/Jun/2015:21:23:02 +0000] - slapd started. 
> Listening on All Interfaces port 389 for LDAP requests
> [05/Jun/2015:21:23:02 +0000] - Listening on All Interfaces port 636 for LDAPS requests
> [05/Jun/2015:21:23:02 +0000] - Listening on /var/run/slapd-mydomain-NET.socket for LDAPI requests
> [05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:02 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:05 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:08 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:11 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:14 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:17 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:20 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:23 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:26 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:29 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:32 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:35 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:38 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:41 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:44 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:47 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:50 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:56 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:23:59 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:02 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:06 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:10 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:14 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:18 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:22 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:26 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:30 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:34 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:38 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:42 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:46 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:50 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:54 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:24:58 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:02 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:06 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:10 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:14 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:18 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:22 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:26 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:30 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:34 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:38 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:42 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:46 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:50 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:54 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:25:58 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:02 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:06 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:10 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:14 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:18 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:22 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:26 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:30 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:34 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:38 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:42 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:46 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:50 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:54 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:26:58 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:27:02 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:27:06 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:27:10 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:27:14 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
> [05/Jun/2015:21:27:18 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.office.addomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
>
>
>

From janellenicole80 at gmail.com Fri Jun 5 21:49:11 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Fri, 05 Jun 2015 14:49:11 -0700
Subject: [Freeipa-users] Successful Install on VB...
In-Reply-To: <5571FD7E.20202@utsa.edu>
References: <5571FD7E.20202@utsa.edu>
Message-ID: <55721957.1090407@gmail.com>

By default, Fedora has all the ports blocked via "firewalld". You need to either enable the ports or disable the firewall.

PORTS='80 443 389 636 88 464'
for PORT in $PORTS; do firewall-cmd --permanent --zone=public --add-port=$PORT/tcp; done
PORTS='88 464 123'
for PORT in $PORTS; do firewall-cmd --permanent --zone=public --add-port=$PORT/udp; done
firewall-cmd --reload

~J

On 6/5/15 12:50 PM, James Benson wrote:
> Dear all,
> I recently installed Fedora Server 22 on a virtualbox with the ethernet bridged (can successfully ping it, ssh, etc) and I can do a kinit admin and ipa user-add as the instructions detail in the next steps; however, I cannot access the webui. Has anyone else run into this issue? I've tried to check the services; however, they don't seem to want to start (no errors, I just don't see them in the service status menu). Any help would be great, as I would greatly like to use the website over commands if possible.
>
> Thank you,
>
> James
>
>

From abokovoy at redhat.com Fri Jun 5 21:50:06 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 6 Jun 2015 00:50:06 +0300
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com>
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com>
Message-ID: <20150605215006.GQ10162@redhat.com>

On Fri, 05 Jun 2015, nathan at nathanpeters.com wrote:
>I have noticed that happen a couple times in the last few days. FreeIPA server 4.1.3 on CentOS 7 with a sync relationship to a Windows Server 2008R2 domain controller.
>
>The web ui will stop working and just show a blank page.
>
>When I try to do an ipactl status, the command just freezes and does nothing.
>
>In the example I paste below, there were 5 minutes between when I entered the command and when I did ctrl-c after getting tired of waiting for nothing to happen.
>After the ipactl command failed to work at all, I decided to restart the httpd service manually, and then saw a whole pile of strange errors around failing to bind to the ldap server and generic kerberos errors.
>
>Rebooting the server seems to work for 24 hours or so until things go wonky again.
>
>[username at dc1 ~]$ sudo su -
>Last login: Fri Jun 5 16:05:55 UTC 2015 on pts/0
>[root at dc1 ~]# ipactl status
>^CCancelled.
>[root at dc1 ~]# ipactl restart
>^CCancelled.
>[root at dc1 ~]# ipactl restart
>^CCancelled.
>[root at dc1 ~]# systemctl restart httpd
>[root at dc1 ~]#
>
>
>Jun 05 21:02:32 dc1.mydomain.net systemd[1]: Stopping The Apache HTTP Server...
>Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Created slice user-0.slice.
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Starting Session 161 of user root.
>Jun 05 21:03:19 dc1.mydomain.net systemd-logind[604]: New session 161 of user root.
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Started Session 161 of user root.
>Jun 05 21:03:19 dc1.mydomain.net login[614]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
>Jun 05 21:03:19 dc1.mydomain.net login[614]: ROOT LOGIN ON tty1
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:22.932855, 0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:43.935800, 0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
>Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service stopping timed out. Killing.
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service: main process exited, code=killed, status=9/KILL
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Unit httpd.service entered failed state.
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Starting The Apache HTTP Server...
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Started The Apache HTTP Server.
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152666, 0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152995, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-NET.socket with dn="[Anonymous bind]" Error: Local error
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: (unknown)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.153407, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: _netr_ServerAuthenticate3: failed to get machine password for account office.mydomain.net.: NT_STATUS_NONE_MAPPED
>Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:08:23.034001, 0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>
>I also got this error from the web ui after restarting httpd:
>
>Runtime error
>
>Web UI got in unrecoverable state during "metadata" phase

You said you have a winsync relationship, but the log output above talks about Samba being unable to connect to IPA LDAP, and that looks like you did run ipa-adtrust-install on this server. Am I right?

It looks like you are also using this smbd setup to join non-Linux machines (office.mydomain.net is one of them?)

Do you see anything like SID filtering in /var/log/krb5kdc.log?
If so, do you see anywhere in the logs that the krb5kdc process has crashed?

-- 
/ Alexander Bokovoy

From nathan at nathanpeters.com Fri Jun 5 23:52:32 2015
From: nathan at nathanpeters.com (Nathan Peters)
Date: Fri, 5 Jun 2015 16:52:32 -0700
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To: <20150605215006.GQ10162@redhat.com>
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <20150605215006.GQ10162@redhat.com>
Message-ID:

I had originally set this up with AD trust, but when we found out that our alternative UPNs were not supported we switched to AD sync. I removed the trust relationship from the webui by deleting all trusts showing in the ui.

I then set it up for sync.

Do I need to remove the trust from the command line as well? Does deleting a trust in the web ui not remove *all* settings related to that trust?

-----Original Message-----
From: Alexander Bokovoy
Sent: Friday, June 05, 2015 2:50 PM
To: nathan at nathanpeters.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA web UI Freezing up

On Fri, 05 Jun 2015, nathan at nathanpeters.com wrote:
>I have noticed that happen a couple times in the last few days. FreeIPA server 4.1.3 on CentOS 7 with a sync relationship to a Windows Server 2008R2 domain controller.
>
>The web ui will stop working and just show a blank page.
>
>When I try to do an ipactl status, the command just freezes and does nothing.
>
>In the example I paste below, there were 5 minutes between when I entered the command and when I did ctrl-c after getting tired of waiting for nothing to happen.
>After the ipactl command failed to work at all, I decided to restart the httpd service manually, and then saw a whole pile of strange errors around failing to bind to the ldap server and generic kerberos errors.
>
>Rebooting the server seems to work for 24 hours or so until things go wonky again.
>
>[username at dc1 ~]$ sudo su -
>Last login: Fri Jun 5 16:05:55 UTC 2015 on pts/0
>[root at dc1 ~]# ipactl status
>^CCancelled.
>[root at dc1 ~]# ipactl restart
>^CCancelled.
>[root at dc1 ~]# ipactl restart
>^CCancelled.
>[root at dc1 ~]# systemctl restart httpd
>[root at dc1 ~]#
>
>
>Jun 05 21:02:32 dc1.mydomain.net systemd[1]: Stopping The Apache HTTP Server...
>Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Created slice user-0.slice.
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Starting Session 161 of user root.
>Jun 05 21:03:19 dc1.mydomain.net systemd-logind[604]: New session 161 of user root.
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Started Session 161 of user root.
>Jun 05 21:03:19 dc1.mydomain.net login[614]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
>Jun 05 21:03:19 dc1.mydomain.net login[614]: ROOT LOGIN ON tty1
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:22.932855, 0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:43.935800, 0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
>Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service stopping timed out. Killing.
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service: main process exited, code=killed, status=9/KILL
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Unit httpd.service entered failed state.
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Starting The Apache HTTP Server...
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Started The Apache HTTP Server.
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152666, 0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152995, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-NET.socket with dn="[Anonymous bind]" Error: Local error
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: (unknown)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.153407, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: _netr_ServerAuthenticate3: failed to get machine password for account office.mydomain.net.: NT_STATUS_NONE_MAPPED
>Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:08:23.034001, 0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>
>I also got this error from the web ui after restarting httpd:
>
>Runtime error
>
>Web UI got in unrecoverable state during "metadata" phase

You said you have a winsync relationship, but the log output above talks about Samba being unable to connect to IPA LDAP, and that looks like you did run ipa-adtrust-install on this server. Am I right?

It looks like you are also using this smbd setup to join non-Linux machines (office.mydomain.net is one of them?)

Do you see anything like SID filtering in /var/log/krb5kdc.log? If so, do you see anywhere in the logs that the krb5kdc process has crashed?

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Sat Jun 6 03:49:48 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 6 Jun 2015 06:49:48 +0300
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To:
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <20150605215006.GQ10162@redhat.com>
Message-ID: <20150606034948.GR10162@redhat.com>

On Fri, 05 Jun 2015, Nathan Peters wrote:
>I had originally set this up with AD trust, but when we found out that our alternative UPNs were not supported we switched to AD sync. I removed the trust relationship from the webui by deleting all trusts showing in the ui.
>
>I then set it up for sync.
>
>Do I need to remove the trust from the command line as well? Does deleting a trust in the web ui not remove *all* settings related to that trust?
No, it removes the trust the same way. However, do you have anything in /var/log/krb5kdc.log which points to SID filtering or a crash?

-- 
/ Alexander Bokovoy

From desantis at mail.usf.edu Sun Jun 7 10:58:35 2015
From: desantis at mail.usf.edu (John Desantis)
Date: Sun, 7 Jun 2015 06:58:35 -0400
Subject: [Freeipa-users] Certificate expired/renew problems
In-Reply-To:
References:
Message-ID:

Marc,

Unfortunately, I've never had to promote a replica to become the CA master in our environment.

Is the host that's reporting the error the URL of the old master or the replica? Did you check the CS.cfg to see if the replica certificate is present vs. the old master?

John DeSantis

On Jun 5, 2015 3:49 PM, "Marc Wiatrowski" wrote:
> Thank you John.
> I had tried that but you did give me some things to look at.
>
> I was able to get 2 of the certificates to renew by setting the date back
> in time, a services restart, and issuing 'ipa-getcert resubmit -i <id>'
> This renewed the following 'Server-Cert' and 'ipaCert' but did not
> 'auditSigningCert cert-pki-ca' 'ocspSigningCert cert-pki-ca' or
> 'subsystemCert cert-pki-ca'
>
> The admin web interface now gives 'ipa error 4301: Certificate operation
> cannot be completed: Unable to communicate with CMS (Not Found)'
>
> listing the certs shows an error along the lines of
>
> Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>
> If any of these are useful.
>
> messages:
> Jun 5 15:38:05 spider01o certmonger: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
>
> httpd/error:
> [Fri Jun 05 14:32:26 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
>
> selftests.log:
> 8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification: system certs verification failure
> 8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>
> $ ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> $ certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                   u,u,u
> subsystemCert cert-pki-ca                     u,u,u
> Server-Cert cert-pki-ca                       u,u,u
> caSigningCert cert-pki-ca                     CTu,u,u
> auditSigningCert cert-pki-ca                  u,u,Pu
>
> $ getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20131204194012':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>   certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=spider01o,O=IGLASS.NET
>   expires: 2017-05-28 18:03:59 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20141114162346':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=spider01o.iglass.net,O=IGLASS.NET
>   expires: 2016-11-14 16:22:37 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20141114162434':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=spider01o.iglass.net,O=IGLASS.NET
>   expires: 2016-11-03 16:24:27 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20141114162522':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=spider01o.iglass.net,O=IGLASS.NET
>   expires: 2016-11-14 16:22:36 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20141114162610':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=spider01o.iglass.net,O=IGLASS.NET
>   expires: 2016-11-14 16:22:42 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20150604181945':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=CA Audit,O=IGLASS.NET
>   expires: 2015-05-31 18:48:55 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20150604181956':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=OCSP Subsystem,O=IGLASS.NET
>   expires: 2015-05-31 18:48:54 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   eku: id-kp-OCSPSigning
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20150604182006':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=CA Subsystem,O=IGLASS.NET
>   expires: 2015-05-31 18:48:54 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20150604182012':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=IPA RA,O=IGLASS.NET
>   expires: 2017-05-25 13:58:36 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
>
> thanks again. -Marc
>
> On Fri, Jun 5, 2015 at 1:03 PM, John Desantis wrote:
>
>> Marc,
>>
>> I experienced a similar issue earlier this year.
>>
>> Try restarting certmonger after temporarily changing the date back on
>> the master. In our case that service had failed miserably and it
>> didn't allow FreeIPA to renew the certificates properly.
>>
>> Our replicas however were hit with a bug [1] during this process. We
>> applied the patched code and followed the same process and all was
>> well.
>>
>> John DeSantis
>>
>> [1] https://fedorahosted.org/freeipa/ticket/4064
>>
>>
>> 2015-06-05 11:12 GMT-04:00 Marc Wiatrowski :
>> > hello,
>> >
>> > I've got a problem with expired certificates in my ipa/IdM setup. I
>> > believe the root issue to be from the fact that when everything was
>> > first setup about a year ago and everything was replicated from a first
>> > ipa server which no longer exists. There are currently 3 ipa servers
>> > but none of them are the original.
>> >
>> > Couple days ago I started getting errors similar to
>> > '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
>> > expired' through the web management interface. After investigating
>> > with 'getcert list' I found that several certificates expired at
>> > 2015-05-31 18:48:55 UTC.
>> >
>> > I found
>> > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>> > and followed the procedure for ipa <4.0 and everything seemed to go as
>> > expected. However this did not fix my issue.
>> >
>> > With more searching it looked like once the certificates are expired
>> > the auto renew will not work. Finding
>> > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
>> > to try to manually renew I am stuck at the beginning with 'Give the
>> > CSR to your external CA.' I don't believe we had our certificates
>> > externally signed. They are whatever the original install put in
>> > place. Setting the date back in time wreaks havoc on our environment
>> > so I'm reluctant to leave it for too long. I can get what I believe is
>> > the original CSR from /etc/pki-ca/CS.cfg but unsure what to do next or
>> > if this is even the road I should be going down.
>> >
>> > Things seem to be working for the most part except trying to make
>> > updates. Any help on what to do next, somewhere else to look, or if
>> > I'm going in the right direction would be greatly appreciated.
>> >
>> > thanks,
>> > Marc
>> >
>> > Info:
>> > CentOS 6.5 with some current updates including
>> > ipa-server-3.0.0-42.el6.centos.i686
>> > certmonger-0.75.13-1.el6.i686
>> >
>> > $ getcert list-cas
>> > CA 'SelfSign':
>> >   is-default: no
>> >   ca-type: INTERNAL:SELF
>> >   next-serial-number: 01
>> > CA 'IPA':
>> >   is-default: no
>> >   ca-type: EXTERNAL
>> >   helper-location: /usr/libexec/certmonger/ipa-submit
>> > CA 'certmaster':
>> >   is-default: no
>> >   ca-type: EXTERNAL
>> >   helper-location: /usr/libexec/certmonger/certmaster-submit
>> > CA 'dogtag-ipa-renew-agent':
>> >   is-default: no
>> >   ca-type: EXTERNAL
>> >   helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
>> > CA 'local':
>> >   is-default: no
>> >   ca-type: EXTERNAL
>> >   helper-location: /usr/libexec/certmonger/local-submit
>> > CA 'dogtag-ipa-retrieve-agent-submit':
>> >   is-default: no
>> >   ca-type: EXTERNAL
>> >   helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
>> >
>> > $ getcert list
>> > Number of certificates and requests being tracked: 9.
>> > Request ID '20131204194012':
>> >   status: MONITORING
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>> >   certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>> >   CA: IPA
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=spider01o,O=IGLASS.NET
>> >   expires: 2015-12-05 19:40:13 UTC
>> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >   eku: id-kp-serverAuth,id-kp-clientAuth
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> > Request ID '20141114162346':
>> >   status: MONITORING
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >   CA: IPA
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=spider01o.iglass.net,O=IGLASS.NET
>> >   expires: 2016-11-14 16:22:37 UTC
>> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >   eku: id-kp-serverAuth,id-kp-clientAuth
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> > Request ID '20141114162434':
>> >   status: MONITORING
>> >   ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
>> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> >   CA: dogtag-ipa-renew-agent
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=spider01o.iglass.net,O=IGLASS.NET
>> >   expires: 2016-11-03 16:24:27 UTC
>> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >   eku: id-kp-serverAuth
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> > Request ID '20141114162522':
>> >   status: MONITORING
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>> >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >   CA: IPA
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=spider01o.iglass.net,O=IGLASS.NET
>> >   expires: 2016-11-14 16:22:36 UTC
>> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >   eku: id-kp-serverAuth,id-kp-clientAuth
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> > Request ID '20141114162610':
>> >   status: MONITORING
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >   CA: IPA
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=spider01o.iglass.net,O=IGLASS.NET
>> >   expires: 2016-11-14 16:22:42 UTC
>> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >   eku: id-kp-serverAuth,id-kp-clientAuth
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> > Request ID '20150604181945':
>> >   status: CA_UNREACHABLE
>> >   ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >   CA: dogtag-ipa-renew-agent
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=CA Audit,O=IGLASS.NET
>> >   expires: 2015-05-31 18:48:55 UTC
>> >   key usage: digitalSignature,nonRepudiation
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> > Request ID '20150604181956':
>> >   status: CA_UNREACHABLE
>> >   ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >   CA: dogtag-ipa-renew-agent
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=OCSP Subsystem,O=IGLASS.NET
>> >   expires: 2015-05-31 18:48:54 UTC
>> >   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> >   eku: id-kp-OCSPSigning
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> > Request ID '20150604182006':
>> >   status: CA_UNREACHABLE
>> >   ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> >   CA: dogtag-ipa-renew-agent
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=CA Subsystem,O=IGLASS.NET
>> >   expires: 2015-05-31 18:48:54 UTC
>> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >   eku: id-kp-serverAuth,id-kp-clientAuth
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> > Request ID '20150604182012':
>> >   status: CA_UNREACHABLE
>> >   ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
>> >   stuck: no
>> >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> >   CA: dogtag-ipa-renew-agent
>> >   issuer: CN=Certificate Authority,O=IGLASS.NET
>> >   subject: CN=IPA RA,O=IGLASS.NET
>> >   expires: 2015-05-31 18:49:37 UTC
>> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >   eku: id-kp-serverAuth,id-kp-clientAuth
>> >   pre-save command:
>> >   post-save command:
>> >   track: yes
>> >   auto-renew: yes
>> >
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
>> >
>

From dpal at redhat.com Sun Jun 7 20:30:28 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 07 Jun 2015 16:30:28 -0400
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved
In-Reply-To:
References: <556EAE04.3030704@redhat.com> <556EBD47.6090909@redhat.com> <55713C51.6050809@redhat.com> <20150605143012.GN10162@redhat.com>
Message-ID: <5574A9E4.80505@redhat.com>

On 06/05/2015 01:47 PM, Prasun Gera wrote:
> I had faced a similar issue a month ago, for which I had created a
> ticket. https://fedorahosted.org/freeipa/ticket/4956
>
> On Fri, Jun 5, 2015 at 7:30 AM, Alexander Bokovoy wrote:
>
> > On Fri, 05 Jun 2015, Christopher Lamb wrote:
> >
> > Hi Martin
> >
> > Thanks for updating the documentation!
> >
> > The suggested solution works not only my test servers, but also "in the
> > real world". This morning I migrated the last production server (ipa
> > host) to the new FreeIPA KDC.
> >
> > Just out of idle curiosity, why is the rm -f /var/lib/sss/db/* step
> > required on our EL 7.1 + ipa-client 4.1 boxes, but not on our older EL
> > 6.5 + ipa-client 3.3.3 machines?
> >
> > Is the problem down to sssd? (on the EL 6.5 machines we are running
> > sssd 1.9.2, while on EL 7.1 we have sssd 1.12.2)
> >
> > I think there are more object types supported by newer SSSD versions
> > which aren't invalidated like users or groups.
> >
> > Cheers
> >
> > Chris
> >
> > From: Martin Kosek
> > To: Christopher Lamb/Switzerland/IBM at IBMCH, Rob Crittenden, freeipa-users at redhat.com
> > Cc: Jakub Hrozek
> > Date: 05.06.2015 08:06
> > Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved
> >
> > On 06/04/2015 07:34 PM, Christopher Lamb wrote:
> > Hi All
> >
> > I can now report back success (at least on my throwaway EL7.1 test VM).
> >
> > To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC
> > to a new FreeIPA 4.1 KDC 3 steps are required:
> >
> > 1) ipa-client-install --uninstall
> >
> > 2) rm -f /var/lib/sss/db/*
> >
> > 3) ipa-client-install --server ldap.my.example.com --domain my.example.com -N
> >
> > Having done this, my free-ipa user successfully authenticates (e.g. ssh
> > remote login with free-ipa user / password)
> >
> > To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required.
> >
> > Kudos and thanks go to Rob C for suggesting step 2. (Note that the
> > directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as
> > suggested earlier in this thread.)
> >
> > Cool! Thanks for reaching back.
> > I added this advice to the FreeIPA Troubleshooting guide too:
> >
> > http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client
> >
> > Cheers
> >
> > Chris
> >
> > From: Martin Kosek
> > To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com
> > Cc: Jakub Hrozek, Rob Crittenden
> > Date: 03.06.2015 10:39
> > Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> >
> > On 06/03/2015 10:30 AM, Christopher Lamb wrote:
> > Hi all
> >
> > This is a quick(ish) note to bring everybody up to speed on this issue.
> > Yesterday we had some private mail exchange on this issue as I did not
> > wish to broadcast the krb5 and ipa install logs to the user list.
> >
> > The basic situation is that we are in the process of migrating from a
> > FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As
> > discussed in a thread some weeks ago we did not do this by replicating
> > (as perhaps we should have done). Instead we migrated the users across.
> >
> > We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined
> > to the old KDC. We are now in the process of migrating these hosts to
> > the new 4.1 KDC.
> >
> > Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these
> > joining to the new KDC was trouble free, taking a few minutes each.
> > After joining the new KDC FreeIPA users authenticated properly.
> >
> > We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that
> > were joined direct to the new 4.1 KDC, never having been joined to the
> > 3.3.3 KDC. These were also trouble free.
> >
> > The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1
> > hosts that were originally joined to the 3.3.3 KDC, and must be moved
> > to join the 4.1 KDC. These machines no longer authenticate valid
> > FreeIPA users.
> > I have been able to reproduce this behaviour with a freshly setup VM
> > joined first to the 3.3.3 KDC, then moved to the 4.1 KDC.
> >
> > While the errors shown in the krb5 child logs indicate that the
> > password is incorrect, the same user / password is happily accepted by
> > all the other hosts.
> >
> > It seems that in the process of moving / migrating the EL 7.1 /
> > ipa-client 4.1 from the old KDC to the new KDC, "something" is left
> > behind that causes problems. We have seen indications in the install
> > logs that the kinit steps called during ipa-client install are getting
> > responses from the wrong (old) KDC, and not from the new KDC.
> >
> > Frustratingly, over the weekend I managed to get one of the problem EL
> > 7.1 boxes to work. However I can't work out exactly what it was that I
> > did that did the trick. However it seems that some kind of major
> > de-install / cleanup + reinstall of the ipa-client may be needed.
> >
> > Rob has suggested that as part of such a cleanup I should do "rm -f
> > /var/lib/sssd/db/*". I will test this later today and report back.
> >
> > Thanks to Rob, Jakub, Martin, Alexander et al for their help and
> > suggestions so far.
> >
> > Chris
> >
> > Thanks for the background. The pain you are getting is exactly the
> > reason why migration via replication to RHEL-7.1 is a better choice :-)
> > Please let us know the result, I am curious how this works out.
> >
> > From: Martin Kosek
> > To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com, Jakub Hrozek
> > Date: 03.06.2015 09:34
> > Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> >
> > On 06/02/2015 06:15 PM, Christopher Lamb wrote:
> > Hi
> >
> > Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the
> > cause of this problem.
> > Let's call them HOST09 and HOST10
> >
> > Both are minimum installs of EL7.1, with NTPD installed and configured.
> >
> > HOST09 had ipa-client 4.1 installed via yum, and was configured to use
> > our new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
> > authenticates successfully against this machine.
> >
> > HOST10 had ipa-client 4.1 installed as a dependency of one of our
> > standard config packages, and was first set to use our old FreeIPA 3.3.3
> > server. --> My FreeIPA user authenticates successfully against this
> > machine.
> >
> > I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
> > against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
> > authenticate successfully.
> >
> > This replicates well the behaviour I saw with my production servers,
> > namely
> >
> > a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new
> > 4.1 FreeIPA server authenticate properly.
> >
> > b) EL 7.1 hosts with ipa-client 4.1 first registered against the old
> > 3.3.3 FreeIPA server, then reregistered with the new 4.1 FreeIPA server
> > do NOT authenticate properly
> >
> > Chris
> >
> > Hello,
> >
> > This is really strange. What I do not fully understand is what is the
> > "registration against a FreeIPA server". What server you install IPA
> > client should matter if the deployment is set up properly. The host
> > enrollment entry should simply replicate to whole infrastructure. The
> > only thing that will probably differ is sssd.conf and krb5.conf as they
> > will have different primary server set up, based on what your DNS setup
> > is.
> >
> > It rather seems that the "reregistration" is what causes the issue. It
> > looks like something cleanup problem during the process. I will let
> > Jakub to help here, I would suggest including the SSSD logs from the
> > failed login, it may help.
> > ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 -----
> >
> > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > To: Jakub Hrozek
> > Cc: freeipa-users at redhat.com
> > Date: 02.06.2015 10:40
> > Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > Hi Jakub
> >
> > Yes root login works, that's how I've been getting into the box.
> >
> > Surprisingly, kinit with my user seems to work on that box. After
> > entering my password when prompted, it returns to the commandline
> > without error.
> >
> > However if I try kinit with another FreeIPA user, then instead of
> > prompting for a password, it gives "Generic preauthentication failure
> > while getting initial credentials" error.
> >
> > Having set debug_level=10, when I try and ssh in with my FreeIPA user,
> > I find errors like
> >
> > "Retrieving host .... with result: .. Matching credential not found"
> >
> > "Received error from KDC ... Additional pre-authentication required"
> >
> > "Received error from KDC... Decrypt integrity check failed"
> >
> > "Received error code 1432158219"
> >
> > Cheers
> >
> > Chris
> >
> > From: Jakub Hrozek
> > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > Cc: freeipa-users at redhat.com
> > Date: 02.06.2015 09:50
> > Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> >
> > On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
> > Hi Jakub
> >
> > The same user / password works with all our FreeIPA hosts - just this
> > one box is the problem. So the password should be good. Of course a
> > typo is always possible (especially for strong passwords), but I have
> > tried many times which should eliminate the odd password typo.
> > The user / password should also be good for both the old and the new
> > FreeIPA Server.
> >
> > Interesting, can you add debug_level=10 to the domain section of
> > sssd.conf? Then krb5_child.log should show Kerberos tracing info
> > including which exact KDC SSSD was talking to.
> >
> > As I can neither log in direct, or via ssh to this box with my FreeIPA
> > user, I assume Kinit with my user won't work - I will try later in the
> > day.
> >
> > Well, login as a UNIX user (root) should work..
> >
> > My working assumption is that the problem is related in some way to the
> > fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
> > 4.1, and switched between 2 FreeIPA servers. I am currently setting up
> > 2 throwaway EL 7.1 VMs to better test this. On one I will first install
> > 3.3.3, then upgrade to 4.1. The second will have a direct install of
> > 4.1 client.
> >
> > Cheers
> >
> > Chris
> >
> > From: Jakub Hrozek
> > To: freeipa-users at redhat.com
> > Date: 02.06.2015 09:22
> > Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> > Hi All
> >
> > Bad news.
> >
> > Over the weekend I was able to get the original problem EL7.1 / FreeIPA
> > 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being
> > ssh remote login with FreeIPA user and password).
> >
> > Today I tried a second machine, and had the same problem, ssh
> > connections with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt
> > integrity check failed"
> >
> > This really just means wrong password, can you kinit as that user
> > using the same password?
> >
> > Ahh I thought, I have a solution for that: just remove ipa-client and
> > reinstall via yum, register with the new FreeIPA server ....
> > Only with this second machine I still can't ssh in with a FreeIPA
> > user.
> >
> > Argg.....
> >
> > b.t.w, as this machine is a real physical server, I was able to try
> > logging in direct with my FreeIPA user --> "Authentication Failure"
> >
> > I now have
> > * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the
> >   old FreeIPA server to the new without a hitch (i.e. they successfully
> >   authenticate FreeIPA users.)
> > * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
> >   with problems
> > * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts
> >   to authenticate with a FreeIPA user
> > * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the
> >   new FreeIPA server, and successfully authenticates FreeIPA users.
> >
> > Any ideas?
> >
> > Chris
> >
> > ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
> >
> > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > To: Alexander Bokovoy, freeipa-users at redhat.com
> > Date: 30.05.2015 18:52
> > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > Hi All
> >
> > It gives me pleasure to report the problem is solved - a minute ago I
> > was able to login via ssh with my FreeIPA user to the problem server,
> > while sitting on my terrace with a glass of wine!
> >
> > Thanks to Alexander for his helpful advice - we had some mail exchange
> > outside the user list as I did not wish to broadcast content of keys,
> > config files etc.
> >
> > Regardless of what I did with commands like klist, kvno everything
> > seemed "ok", but I still could not ssh in. Even a ipa-getkeytab did not
> > help.
> >
> > Therefore I decided to opt for brute force and (partial) ignorance.
> > > I completely uninstalled the FreeIPA client, and then reinstalled, configured - et voilà I could ssh in!
> > >
> > > This leaves the enigma: what caused the problem? I suspect the following:
> > >
> > > The host is an EL 7.1, but the first FreeIPA client installed was version 3.3.3 (installed as set of standard packages that we bung on all our servers).
> > >
> > > This worked fine to authenticate against our "old" 3.x FreeIPA server, but did not work against the "new" 4.1 FreeIPA Server.
> > >
> > > When I realised I could not ssh in, one of the first things I did was to yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
> > >
> > > The solution was to yum remove the FreeIPA client, then yum install the 4.1 client.
> > >
> > > I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so it will be interesting to see if the problem can be reproduced.
> > >
> > > Keep up the good work,
> > >
> > > Chris
> > >
> > > From: Alexander Bokovoy
> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > > Cc: freeipa-users at redhat.com
> > > Date: 29.05.2015 18:04
> > > Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
> > >
> > > On Fri, 29 May 2015, Christopher Lamb wrote:
> > > > Hi All
> > > >
> > > > Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated across the users.
> > > >
> > > > We have 50 odd Servers that are FreeIPA clients. Today I started migrating these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 server by doing an ipa-client-install --uninstall from the old, and ipa-client-install to register with the new 4.1.0 server.
> > > >
> > > > Most of the FreeIPA clients are running OEL 6.5, and for these the migration process above worked perfectly.
> > > > After migrating the server, I could ssh in with my FreeIPA user.
> > > >
> > > > Then I migrated an OEL 7.1 server. The migration itself seemed to work, and getent passwd was successful for my FreeIPA user. However when I try and ssh in, my FreeIPA user / password is not accepted.
> > > >
> > > > Before the migration I could ssh into the problem server (though evidently it was using my FreeIPA user from the old FreeIPA server).
> > > >
> > > > I can ssh in with a local (non ldap) user, so ssh is running and working.
> > > >
> > > > From user root I can successfully su to my FreeIPA user.
> > > >
> > > > Further investigation showed that version of ipa-client installed was 3.3.3, so I yum updated this to 4.1.0.
> > > >
> > > > However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The same user continues to work for the 6.5 boxes.
> > > >
> > > > A colleague tried to ssh in with his FreeIPA user, and was also rejected, so the problem is not my user, but is probably for all FreeIPA users.
> > > >
> > > > A failed ssh login attempt causes the following error in /var/log/messages
> > > >
> > > > [sssd[krb5_child[5393]]]: Decrypt integrity check failed
> > >
> > > It means /etc/krb5.keytab contains keys from older system and SSSD picks them up.
> > > Can you show output of 'klist -kKet'?
> > > --
> > > / Alexander Bokovoy
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project

FYI https://fedorahosted.org/freeipa/ticket/5050

--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.

From mkosek at redhat.com Mon Jun 8 06:23:14 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 08 Jun 2015 08:23:14 +0200
Subject: [Freeipa-users] Successful Install on VB...
In-Reply-To: <55721957.1090407@gmail.com>
References: <5571FD7E.20202@utsa.edu> <55721957.1090407@gmail.com>
Message-ID: <557534D2.5020505@redhat.com>

JFTR, this is the respective section in the guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#prereq-ports

It should have those ports covered as well.

On 06/05/2015 11:49 PM, Janelle wrote:
> By default, fedora has all the ports blocked via "firewalld"
>
> You need to either enable the ports, or disable the firewall.
>
> PORTS='80 443 389 636 88 464'
> for PORT in $PORTS; do firewall-cmd --permanent --zone=public --add-port=$PORT/tcp; done
> PORTS='88 464 123'
> for PORT in $PORTS; do firewall-cmd --permanent --zone=public --add-port=$PORT/udp; done
> firewall-cmd --reload
>
> ~J
>
> On 6/5/15 12:50 PM, James Benson wrote:
>> Dear all,
>> I recently installed Fedora Server 22 on a virtualbox with the ethernet bridged (can successfully ping it, ssh, etc) and I can do a kinit admin and ipa user-add as the instructions detail in the next steps, however, I cannot access the webui. Has anyone else run into this issue? I've tried to check the services, however, they don't seem to want to start (no errors, just don't see them in the service status menu). Any help would be great as I would greatly like to use the website over commands if possible.
>>
>> Thank you,
>>
>> James

From mkosek at redhat.com Mon Jun 8 06:58:11 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 08 Jun 2015 08:58:11 +0200
Subject: [Freeipa-users] Is It OK to mix RHEL7 and CentOS 7 IPA domain servers?
In-Reply-To:
References:
Message-ID: <55753D03.7000302@redhat.com>

On 06/05/2015 03:16 PM, Sina Owolabi wrote:
> Hi
>
> Due to our subscriptions running out,

OT: time to renew! :-)

> I'm forced to have to use CentOS7 in our domain as IPA replica servers to join our existing RHEL7 server.
>
> Is this OK, or are there any issues I should be aware of?
>
> Thanks in advance.

If you have IPA at RHEL-7.1 and also connect IPA replica included with CentOS 7.1, it should work just fine. If anyone in this forum knows about any possible issues in this scenario, I would like to know about them.

From christopher.lamb at ch.ibm.com Mon Jun 8 07:23:11 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 8 Jun 2015 09:23:11 +0200
Subject: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved
In-Reply-To: <5574A9E4.80505@redhat.com>
References: <556EAE04.3030704@redhat.com> <556EBD47.6090909@redhat.com> <55713C51.6050809@redhat.com> <20150605143012.GN10162@redhat.com> <5574A9E4.80505@redhat.com>
Message-ID:

Hi Dmitri, Prasun

Thanks for those tickets. I have commented Dimitri's with a reference to this thread.

Cheers
Chris

From: Dmitri Pal
To: freeipa-users at redhat.com
Date: 07.06.2015 22:33
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved
Sent by: freeipa-users-bounces at redhat.com

On 06/05/2015 01:47 PM, Prasun Gera wrote:

I had faced a similar issue a month ago, for which I had created a ticket.
https://fedorahosted.org/freeipa/ticket/4956

On Fri, Jun 5, 2015 at 7:30 AM, Alexander Bokovoy <abokovoy at redhat.com> wrote:

On Fri, 05 Jun 2015, Christopher Lamb wrote:

Hi Martin

Thanks for updating the documentation!

The suggested solution works not only on my test servers, but also "in the real world". This morning I migrated the last production server (ipa host) to the new FreeIPA KDC.

Just out of idle curiosity, why is the rm -f /var/lib/sss/db/* step required on our EL 7.1 + ipa-client 4.1 boxes, but not on our older EL 6.5 + ipa-client 3.3.3 machines? Is the problem down to sssd?
(on the EL 6.5 machines we are running sssd 1.9.2, while on EL 7.1 we have sssd 1.12.2

I think there are more object types supported by newer SSSD versions which aren't invalidated like users or groups.

Cheers
Chris

From: Martin Kosek
To: Christopher Lamb/Switzerland/IBM at IBMCH, Rob Crittenden, freeipa-users at redhat.com
Cc: Jakub Hrozek
Date: 05.06.2015 08:06
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved

On 06/04/2015 07:34 PM, Christopher Lamb wrote:

Hi All

I can now report back success (at least on my throwaway EL7.1 test VM).

To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC to a new FreeIPA 4.1 KDC 3 steps are required:

1) ipa-client-install --uninstall
2) rm -f /var/lib/sss/db/*
3) ipa-client-install --server ldap.my.example.com --domain my.example.com -N

Having done this, my free-ipa user successfully authenticates (e.g. ssh remote login with free-ipa user / password

To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required.

Kudos and thanks go to Rob C for suggesting step 2.

(Note that the directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as suggested earlier in this thread.

Cool! Thanks for reaching back. I added this advice to the FreeIPA Troubleshooting guide too:
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client

Cheers
Chris

From: Martin Kosek
To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com
Cc: Jakub Hrozek, Rob Crittenden
Date: 03.06.2015 10:39
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

On 06/03/2015 10:30 AM, Christopher Lamb wrote:

Hi all

This is a quick(ish) note to bring everybody up to speed on this issue.

Yesterday we had some private mail exchange on this issue as I did not wish to broadcast the krb5 and ipa install logs to the user list.
The basic situation is that we are in the process of migrating from a FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As discussed in a thread some weeks ago we did not do this by replicating (as perhaps we should have done). Instead we migrated the users across.

We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to the old KDC. We are now in the process of migrating these hosts to the new 4.1 KDC.

Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these joining to the new KDC was trouble free, taking a few minutes each. After joining the new KDC FreeIPA users authenticated properly.

We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were joined direct to the new 4.1 KDC, never having been joined to the 3.3.3 KDC. These were also trouble free.

The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1 hosts that were originally joined to the 3.3.3 KDC, and must be moved to join the 4.1 KDC. These machines no longer authenticate valid FreeIPA users.

I have been able to reproduce this behaviour with a freshly setup VM joined first to the 3.3.3 KDC, then moved to the 4.1 KDC.

While the errors shown in the krb5 child logs indicate that the password is incorrect, the same user / password is happily accepted by all the other hosts.

It seems that in the process of moving / migrating the EL 7.1 / ipa-client 4.1 from the old KDC to the new KDC, "something" is left behind that causes problems. We have seen indications in the install logs that the kinit steps called during ipa-client install are getting responses from the wrong (old) KDC, and not from the new KDC.

Frustratingly, over the weekend I managed to get one of the problem EL 7.1 boxes to work. However I can't work out exactly what it was that I did that did the trick.

However it seems that some kind of major de-install / cleanup + reinstall of the ipa-client may be needed.
Rob has suggested that as part of such a cleanup I should do "rm -f /var/lib/sssd/db/*". I will test this later today and report back.

Thanks to Rob, Jakub, Martin, Alexander et al for their help and suggestions so far.

Chris

Thanks for the background. The pain you are getting is exactly the reason why migration via replication to RHEL-7.1 is a better choice :-)

Please let us know the result, I am curious how this works out.

From: Martin Kosek <mkosek at redhat.com>
To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com, Jakub Hrozek <jhrozek at redhat.com>
Date: 03.06.2015 09:34
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

On 06/02/2015 06:15 PM, Christopher Lamb wrote:

Hi

Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause of this problem. Let's call them HOST09 and HOST10

Both are minimum installs of EL7.1, with NTPD installed and configured.

HOST09 had ipa-client 4.1 installed via yum, and was configured to use our new FreeIPA 4.1 server, right from the start.
--> My FreeIPA user authenticates successfully against this machine.

HOST10 had ipa-client 4.1 installed as a dependency of one of our standard config packages, and was first set to use our old FreeIPA 3.3.3 server.
--> My FreeIPA user authenticates successfully against this machine.

I then de-registered HOST10 from the FreeIPA 3.1 server, and registered against the new FreeIPA 4.1 server
--> My FreeIPA user does NOT authenticate successfully.

This replicates well the behaviour I saw with my production servers, namely

a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1 FreeIPA server authenticate properly.

b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3 FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT authenticate properly

Chris

Hello,

This is really strange.
What I do not fully understand is what is the "registration against a FreeIPA server". What server you install IPA client against should matter if the deployment is set up properly. The host enrollment entry should simply replicate to the whole infrastructure. The only thing that will probably differ is sssd.conf and krb5.conf as they will have different primary server set up, based on what your DNS setup is.

It rather seems that the "reregistration" is what causes the issue. It looks like some cleanup problem during the process. I will let Jakub help here, I would suggest including the SSSD logs from the failed login, it may help.

----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 -----

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Jakub Hrozek
Cc: freeipa-users at redhat.com
Date: 02.06.2015 10:40
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Sent by: freeipa-users-bounces at redhat.com

Hi Jakub

Yes root login works, that's how I've been getting into the box.

Surprisingly, kinit with my user seems to work on that box. After entering my password when prompted, it returns to the commandline without error.

However if I try kinit with another FreeIPA user, then instead of prompting for a password, it gives "Generic preauthentication failure while getting initial credentials" error.

Having set debug_level=10, when I try and ssh in with my FreeIPA user, I find errors like

"Retrieving host .... with result: .. Matching credential not found"
"Received error from KDC ... Additional pre-authentication required"
"Received error from KDC...
Decrypt integrity check failed"
"Received error code 1432158219"

Cheers
Chris

From: Jakub Hrozek
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: freeipa-users at redhat.com
Date: 02.06.2015 09:50
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:

Hi Jakub

The same user / password works with all our FreeIPA hosts - just this one box is the problem. So the password should be good. Of course a typo is always possible (especially for strong passwords), but I have tried many times which should eliminate the odd password typo.

The user / password should also be good for both the old and the new FreeIPA Server.

Interesting, can you add debug_level=10 to the domain section of sssd.conf? Then krb5_child.log should show Kerberos tracing info including which exact KDC SSSD was talking to.

As I can neither log in direct, or via ssh to this box with my FreeIPA user, I assume kinit with my user won't work - I will try later in the day.

Well, login as a UNIX user (root) should work..

My working assumption is that the problem is related in some way to the fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2 throwaway EL 7.1 VMs to better test this. On one I will first install 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1 client.

Cheers
Chris

From: Jakub Hrozek
To: freeipa-users at redhat.com
Date: 02.06.2015 09:22
Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Sent by: freeipa-users-bounces at redhat.com

On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:

Hi All

Bad news.

Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being ssh remote login with FreeIPA user and password).
Today I tried a second machine, and had the same problem, ssh connections with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check failed"

This really just means wrong password, can you kinit as that user using the same password?

Ahh I thought, I have a solution for that: just remove ipa-client and reinstall via yum, register with the new FreeIPA server ....

Only with this second machine I still can't ssh in with a FreeIPA user.

Argg.....

b.t.w, as this machine is a real physical server, I was able to try logging in direct with my FreeIPA user --> "Authentication Failure"

I now have
* a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old FreeIPA server to the new without a hitch (i.e. they successfully authenticate FreeIPA users.)
* one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but with problems
* one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to authenticate with a FreeIPA user
* one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new FreeIPA server, and successfully authenticates FreeIPA users.

Any ideas?

Chris

----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Alexander Bokovoy, freeipa-users at redhat.com
Date: 30.05.2015 18:52
Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
Sent by: freeipa-users-bounces at redhat.com

Hi All

It gives me pleasure to report the problem is solved - a minute ago I was able to login via ssh with my FreeIPA user to the problem server, while sitting on my terrace with a glass of wine!

Thanks to Alexander for his helpful advice - we had some mail exchange outside the user list as I did not wish to broadcast content of keys, config files etc.

Regardless of what I did with commands like klist, kvno everything seemed "ok", but I still could not ssh in. Even a ipa-getkeytab did not help.
Therefore I decided to opt for brute force and (partial) ignorance. I completely uninstalled the FreeIPA client, and then reinstalled, configured - et voilà I could ssh in!

This leaves the enigma: what caused the problem? I suspect the following:

The host is an EL 7.1, but the first FreeIPA client installed was version 3.3.3 (installed as set of standard packages that we bung on all our servers).

This worked fine to authenticate against our "old" 3.x FreeIPA server, but did not work against the "new" 4.1 FreeIPA Server.

When I realised I could not ssh in, one of the first things I did was to yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.

The solution was to yum remove the FreeIPA client, then yum install the 4.1 client.

I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so it will be interesting to see if the problem can be reproduced.

Keep up the good work,

Chris

From: Alexander Bokovoy
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: freeipa-users at redhat.com
Date: 29.05.2015 18:04
Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1

On Fri, 29 May 2015, Christopher Lamb wrote:

Hi All

Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated across the users.

We have 50 odd Servers that are FreeIPA clients. Today I started migrating these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4 server by doing an ipa-client-install --uninstall from the old, and ipa-client-install to register with the new 4.1.0 server.

Most of the FreeIPA clients are running OEL 6.5, and for these the migration process above worked perfectly. After migrating the server, I could ssh in with my FreeIPA user.

Then I migrated an OEL 7.1 server. The migration itself seemed to work, and getent passwd was successful for my FreeIPA user. However when I try and ssh in, my FreeIPA user / password is not accepted.
Before the migration I could ssh into the problem server (though evidently it was using my FreeIPA user from the old FreeIPA server).

I can ssh in with a local (non ldap) user, so ssh is running and working.

From user root I can successfully su to my FreeIPA user.

Further investigation showed that version of ipa-client installed was 3.3.3, so I yum updated this to 4.1.0.

However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The same user continues to work for the 6.5 boxes.

A colleague tried to ssh in with his FreeIPA user, and was also rejected, so the problem is not my user, but is probably for all FreeIPA users.

A failed ssh login attempt causes the following error in /var/log/messages

[sssd[krb5_child[5393]]]: Decrypt integrity check failed

It means /etc/krb5.keytab contains keys from older system and SSSD picks them up.
Can you show output of 'klist -kKet'?

--
/ Alexander Bokovoy

FYI
https://fedorahosted.org/freeipa/ticket/5050

--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.

From jreg2k at gmail.com Mon Jun 8 07:49:18 2015
From: jreg2k at gmail.com (James James)
Date: Mon, 8 Jun 2015 09:49:18 +0200
Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
In-Reply-To: <5559D54B.4080408@redhat.com>
References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com> <552EDC2D.9070609@redhat.com> <552F00E1.2020006@redhat.com> <5530755B.1030403@redhat.com> <5555FBEA.8090005@redhat.com> <55560360.706@redhat.com> <55560979.50508@redhat.com> <5559D54B.4080408@redhat.com>
Message-ID:

Hi Thierry,

thanks for your answer.

I was away for a long time, this is why my post comes later.

This timing issue is coming when you try to upgrade from rhel 6 (ipa-3.0) to rhel7 (ipa4.xx) ?

I have a physical machine for the master and a VM as replica. The solution is to use a physical machine for the replica ? How can I limit the cpu/memory in the physical machine (with cgroups ??).

Any hints will be appreciated ..

Regards

James

2015-05-18 14:04 GMT+02:00 thierry bordaz:
> On 05/15/2015 05:11 PM, James James wrote:
>> ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 .
>
> Hi James,
>
> Unfortunately there is no workaround. This is a timing issue mostly seen when the master is more powerful than the consumer.
> If you are using VM you may try to get master/replica with nearly the same cpu/memory.
>
> thanks
> thierry
>
>> Best.
>>
>> James
>>
>> 2015-05-15 16:58 GMT+02:00 Rich Megginson:
>>> On 05/15/2015 08:46 AM, James James wrote:
>>>> [root at ipa ~]# rpm -q 389-ds-base
>>>> 389-ds-base-1.2.11.15-50.el6_6.x86_64
>>>
>>> Ok.
>>> Looks like this is planned to be fixed in RHEL 6.7 with version 389-ds-base-1.2.11.15-56.el6
>>>
>>> I don't know if there are any workarounds.
>>>
>>>> 2015-05-15 16:32 GMT+02:00 Rich Megginson:
>>>>> On 05/15/2015 08:22 AM, James James wrote:
>>>>>> I think that :
>>>>>>
>>>>>> Starting replication, please wait until this has completed.
>>>>>> Update in progress, 127 seconds elapsed
>>>>>> Update in progress yet not in progress
>>>>>>
>>>>>> looks like a time error : https://fedorahosted.org/freeipa/ticket/4756
>>>>>
>>>>> That issue should have been fixed in 389-ds-base-1.3.3 branch. What version of 389-ds-base? rpm -q 389-ds-base
>>>>>
>>>>>> 2015-05-15 16:00 GMT+02:00 Rich Megginson:
>>>>>>> On 05/15/2015 07:55 AM, James James wrote:
>>>>>>>> Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error ?
>>>>>>>
>>>>>>> What timeout error?
>>>>>>>
>>>>>>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson:
>>>>>>>>> On 04/15/2015 10:44 PM, James James wrote:
>>>>>>>>>> The ipareplica-install.log file in attachment ...
>>>>>>>>>
>>>>>>>>> Here are the pertinent bits:
>>>>>>>>>
>>>>>>>>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout 300
>>>>>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from SchemaCache
>>>>>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa.example.com:389 conn= instance at 0x484f4d0>
>>>>>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from SchemaCache
>>>>>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa1.example.com:636 conn= instance at 0x4170290>
>>>>>>>>> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>>>>>>     run_step(full_msg, method)
>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>>>>>>     method()
>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
>>>>>>>>>     r_bindpw=self.dm_password)
>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 969, in setup_replication
>>>>>>>>>     raise RuntimeError("Failed to start replication")
>>>>>>>>> RuntimeError: Failed to start replication
>>>>>>>>>
>>>>>>>>> 2015-04-15T15:08:44Z DEBUG [error] RuntimeError: Failed to start replication
>>>>>>>>>
>>>>>>>>> The times are a little off, but I believe this corresponds to
>>>>>>>>> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec)
>>>>>>>>> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication
>>>>>>>>>
>>>>>>>>> I don't know why setup_replication is reporting an error if replication completed successfully.
>>>>>>>>>
>>>>>>>>>> 2015-04-16 2:22 GMT+02:00 Rob Crittenden:
>>>>>>>>>>> Rich Megginson wrote:
>>>>>>>>>>> > On 04/15/2015 02:58 PM, James James wrote:
>>>>>>>>>>> >> Nothing on the replica .. maybe a process on the master. How can I check that ?
>>>>>>>>>>> >
>>>>>>>>>>> > I have no idea. But it seems highly unlikely that a process on the master is able to shutdown a process on the replica . . .
>>>>>>>>>>> >
>>>>>>>>>>> > I would say that there is some problem with the ipa-replica-install not properly checking the status - see below:
>>>>>>>>>>> >
>>>>>>>>>>> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson:
>>>>>>>>>>> >>
>>>>>>>>>>> >> On 04/15/2015 12:43 PM, James James wrote:
>>>>>>>>>>> >>> Here the log
>>>>>>>>>>> >>>
>>>>>>>>>>> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson <rmeggins at redhat.com>:
>>>>>>>>>>> >>>
>>>>>>>>>>> >>> On 04/15/2015 09:46 AM, James James wrote:
>>>>>>>>>>> >>>> Hello,
>>>>>>>>>>> >>>>
>>>>>>>>>>> >>>> I have been looking to solve my problem but I'm asking for some help.
>>>>>>>>>>> >>>>
>>>>>>>>>>> >>>> The replication begins but cannot be completed ....
>>>>>>>>>>> >>>>
>>>>>>>>>>> >>>> I want to install a new fresh replica but I've always got this error :
>>>>>>>>>>> >>>>
>>>>>>>>>>> >>>> [21/35]: configure dirsrv ccache
>>>>>>>>>>> >>>> [22/35]: enable SASL mapping fallback
>>>>>>>>>>> >>>> [23/35]: restarting directory server
>>>>>>>>>>> >>>> [24/35]: setting up initial replication
>>>>>>>>>>> >>>> Starting replication, please wait until this has completed.
>>>>>>>>>>> >>>> Update in progress, 127 seconds elapsed
>>>>>>>>>>> >>>> Update in progress yet not in progress
>>>>>>>>>>> >>>>
>>>>>>>>>>> >>>> Update in progress yet not in progress
>>>>>>>>>>> >>>
>>>>>>>>>>> >
>>>>>>>>>>> > in progress yet not in progress???? The error log below clearly shows that replica init succeeded after 127 seconds.
>>>>>>>>>>> >
>>>>>>>>>>> > IPA-ers - wasn't there some bug about checking replica status properly?
>>>>>>>>>>> >
>>>>>>>>>>>
>>>>>>>>>>> The loop looks at nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress and nsds5ReplicaLastInitStatus.
>>>>>>>>>>>
>>>>>>>>>>> It loops looking for nsds5BeginReplicaRefresh. If there is no value it prints "Update in progress, %d seconds elapsed". Once it gets a status, the update is done, and it looks at nsds5ReplicaLastInitStatus. If it isn't empty, doesn't include 'replica busy' or 'Total update succeeded' then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it is, it prints Update in progress yet not in progress and tries the loop again.
>>>>>>>>>>>
>>>>>>>>>>> AFAICT this part of a replica install doesn't restart 389-ds.
>>>>>>>>>>>
>>>>>>>>>>> /var/log/ipareplica-install.log may hold some details.
>>>>>>>>>>>
>>>>>>>>>>> rob

From pbrezina at redhat.com Mon Jun 8 08:24:48 2015
From: pbrezina at redhat.com (Pavel Březina)
Date: Mon, 08 Jun 2015 10:24:48 +0200
Subject: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
In-Reply-To:
References: <55706A6A.6020709@redhat.com> <55706B78.7070209@redhat.com> <1160734455.11049778.1433443003999.JavaMail.zimbra@redhat.com>
Message-ID: <55755150.4040402@redhat.com>

On 06/05/2015 03:14 PM, Sina Owolabi wrote:
> Odd, sssd sudo up and started working properly after I added debug to the clients I was interested in.
> I didn't see any errors in the logs at all.

This may indicate a race condition. Does it hang up again if you disable debugging?

> Very strange. Thanks everyone.
> > On Thu, Jun 4, 2015 at 7:36 PM, Pavel Brezina wrote: >> Hi, >> please put the following line to /etc/sudo.conf to obtain sudo logs and send us the file: >> Debug sudo /var/log/sudo_debug all at trace >> >> ----- Original Message ----- >>> From: "Martin Kosek" >>> To: "Sina Owolabi" >>> Cc: "Cory Carlton" , freeipa-users at redhat.com, "Pavel Brezina" , "Jakub >>> Hrozek" >>> Sent: Thursday, June 4, 2015 5:15:04 PM >>> Subject: Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain >>> >>> On 06/04/2015 05:13 PM, Sina Owolabi wrote: >>>> Hi Martin >>>> >>>> I have deleted everything in /var/lib/sss/db/ and restarted sssd, >>>> no luck. >>> >>> In that case, I am afraid you might need to enable sudo and SSSD debug >>> (https://fedorahosted.org/sssd/wiki/Troubleshooting) and see where it hans. >>> Also CCing sudo/sssd SMEs to be aware. >>> >>>> >>>> On Thu, Jun 4, 2015 at 4:10 PM, Martin Kosek wrote: >>>>> On 06/04/2015 05:06 PM, Cory Carlton wrote: >>>>>> I would check for DNS resolution from the machine executing the sudo, to >>>>>> the IPA server. >>>>> >>>>> I would also suggest cleaning SSSD caches, since you reinstalled against >>>>> the >>>>> same domain, but actually different server (/var/lib/sss/db/) >>>>> >>>>>> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi >>>>>> wrote: >>>>>> >>>>>>> Hi >>>>>>> >>>>>>> I recently had to remove and reinstall a fresh IPA server. I am >>>>>>> currently re-enrolling all the ipa clients to the recently refreshed >>>>>>> domain (same name as the previous realm and domain). The new IPA >>>>>>> master is RHEL7.1 with IPA 4.1.3. >>>>>>> >>>>>>> All client servers are running RHEL6.6. 
>>>>>>> >>>>>>> I also have sudorule that allows a group to have access to run all >>>>>>> commands on all servers: >>>>>>> >>>>>>> Rule name: All >>>>>>> Enabled: TRUE >>>>>>> Host category: all >>>>>>> Command category: all >>>>>>> User Groups: superusers >>>>>>> Sudo Option: !authenticate >>>>>>> ---------------------------- >>>>>>> >>>>>>> I noticed that trying to run sudo on a few of the servers makes the >>>>>>> command hang indefinitely. >>>>>>> I am not sure what is the cause and where to look. Please what can I >>>>>>> do to troubleshoot and fix this? >>>>>>> >>>>>>> -- >>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> Go to http://freeipa.org for more info on the project >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>> >>> From tbordaz at redhat.com Mon Jun 8 08:25:04 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 08 Jun 2015 10:25:04 +0200 Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ... In-Reply-To: References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com> <552EDC2D.9070609@redhat.com> <552F00E1.2020006@redhat.com> <5530755B.1030403@redhat.com> <5555FBEA.8090005@redhat.com> <55560360.706@redhat.com> <55560979.50508@redhat.com> <5559D54B.4080408@redhat.com> Message-ID: <55755160.7080100@redhat.com> Hello James, The fact that the master is more powerfull than the replica increase the possibility to hit that bug. The bug fix is on the master side. The master is made smarter to adapt its replication flow to the speed of the consumer. The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and 389-ds-base-1.2.11.15-56.el6. What is the current version of your master ? thanks thierry On 06/08/2015 09:49 AM, James James wrote: > Hi Thierry, > > thanks for you answer. > > I was away for a long time, this is why my post comes later . 
> > This timing issue is coming when you try to upgrade from rhel 6 > (ipa-3.0) to rhel7 (ipa4.xx) ? > > I have a physical machine for the master and a VM as replica. The > solution is to use a physical machine for the replica ? > > How can I limit the cpu/memory in the physical machine (with cgroups ??). > > Any hints will be appreciated .. > > Regards > > James > > 2015-05-18 14:04 GMT+02:00 thierry bordaz >: > > On 05/15/2015 05:11 PM, James James wrote: >> ok Rob. Thanks for your help. I will wait for the Scientific >> Linux 6.7 . > > Hi James, > > Unfortunately there is no workaround. This is a timing issue > mostly seen when the master is more powerful than the consumer. > If you are using VM you may try to get master/replica with nearly > the same cpu/memory. > > thanks > thierry > >> >> Best. >> >> James >> >> 2015-05-15 16:58 GMT+02:00 Rich Megginson > >: >> >> On 05/15/2015 08:46 AM, James James wrote: >>> [root at ipa ~]# rpm -q 389-ds-base >>> 389-ds-base-1.2.11.15-50.el6_6.x86_64 >> >> Ok. Looks like this is planned to be fixed in RHEL 6.7 with >> version 389-ds-base-1.2.11.15-56.el6 >> >> I don't know if there are any workarounds. >> >> >>> >>> >>> >>> 2015-05-15 16:32 GMT+02:00 Rich Megginson >>> >: >>> >>> On 05/15/2015 08:22 AM, James James wrote: >>>> I think that : >>>> >>>> Starting replication, please wait until this has completed. >>>> Update in progress, 127 seconds elapsed >>>> Update in progress yet not in progress >>>> >>>> >>>> looks like a time error : >>>> https://fedorahosted.org/freeipa/ticket/4756 >>> >>> That issue should have been fixed in 389-ds-base-1.3.3 >>> branch. What version of 389-ds-base? rpm -q 389-ds-base >>> >>> >>>> >>>> 2015-05-15 16:00 GMT+02:00 Rich Megginson >>>> >: >>>> >>>> On 05/15/2015 07:55 AM, James James wrote: >>>>> Is it possible to change the nsds5ReplicaTimeout >>>>> value to get rid of this timeout error ? >>>> >>>> What timeout error? 
>>>> >>>>> >>>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson >>>>> >: >>>>> >>>>> On 04/15/2015 10:44 PM, James James wrote: >>>>>> The ipareplica-install.log file in attachment >>>>>> ... >>>>> >>>>> Here are the pertinent bits: >>>>> >>>>> 2015-04-15T15:06:31Z DEBUG >>>>> wait_for_open_ports: localhost [389] timeout 300 >>>>> 2015-04-15T15:06:32Z DEBUG flushing >>>>> ldap://ipa.example.com:389 from SchemaCache >>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema >>>>> for SchemaCache url=ldap://ipa.example.com:389 >>>>> conn=>>>> instance at 0x484f4d0> >>>>> 2015-04-15T15:06:32Z DEBUG flushing >>>>> ldaps://ipa1.example.com:636 from SchemaCache >>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema >>>>> for SchemaCache >>>>> url=ldaps://ipa1.example.com:636 >>>>> conn=>>>> instance at 0x4170290> >>>>> 2015-04-15T15:08:44Z DEBUG Traceback (most >>>>> recent call last): >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line 382, in start_creation >>>>> run_step(full_msg, method) >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line 372, in run_step >>>>> method() >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", >>>>> line 368, in __setup_replica >>>>> r_bindpw=self.dm_password) >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>>> line 969, in setup_replication >>>>> raise RuntimeError("Failed to start >>>>> replication") >>>>> RuntimeError: Failed to start replication >>>>> >>>>> 2015-04-15T15:08:44Z DEBUG [error] >>>>> RuntimeError: Failed to start replication >>>>> >>>>> The times are a little off, but I believe this >>>>> corresponds to >>>>> [15/Apr/2015:17:08:39 +0200] - import >>>>> userRoot: Import complete. Processed 1539 >>>>> entries in 126 seconds. 
(12.21 entries/sec) >>>>> [15/Apr/2015:17:08:39 +0200] >>>>> NSMMReplicationPlugin - >>>>> multimaster_be_state_change: replica >>>>> dc=lix,dc=polytechnique,dc=fr is coming >>>>> online; enabling replication >>>>> >>>>> I don't know why setup_replication is >>>>> reporting an error if replication completed >>>>> successfully. >>>>> >>>>> >>>>>> >>>>>> 2015-04-16 2:22 GMT+02:00 Rob Crittenden >>>>>> >>>>> >: >>>>>> >>>>>> Rich Megginson wrote: >>>>>> > On 04/15/2015 02:58 PM, James James wrote: >>>>>> >> Nothing on the replica .. maybye a >>>>>> process on the master. How can I >>>>>> >> check that ? >>>>>> > >>>>>> > I have no idea. But it seems highly >>>>>> unlikely that a process on the >>>>>> > master is able to shutdown a process on >>>>>> the replica . . . >>>>>> > >>>>>> > I would say that there is some problem >>>>>> with the ipa-replica-install not >>>>>> > properly checking the status - see below: >>>>>> > >>>>>> >> >>>>>> >> 2015-04-15 21:37 GMT+02:00 Rich >>>>>> Megginson >>>>> >>>>>> >> >>>>> >>: >>>>>> >> >>>>>> >> On 04/15/2015 12:43 PM, James James >>>>>> wrote: >>>>>> >>> Here the log >>>>>> >>> >>>>>> >>> 2015-04-15 18:58 GMT+02:00 Rich >>>>>> Megginson >>>>> >>>>>> >>> >>>>> >>: >>>>>> >>> >>>>>> >>> On 04/15/2015 09:46 AM, James >>>>>> James wrote: >>>>>> >>>> Hello, >>>>>> >>>> >>>>>> >>>> I have been looking to solve >>>>>> my problem but I 'm asking for >>>>>> >>>> some help. >>>>>> >>>> >>>>>> >>>> The replication begins but >>>>>> cannot be completed .... >>>>>> >>>> >>>>>> >>>> I want to install a new fresh >>>>>> replica but I've always got >>>>>> >>>> this error : >>>>>> >>>> >>>>>> >>>> [21/35]: configure dirsrv ccache >>>>>> >>>> [22/35]: enable SASL mapping fallback >>>>>> >>>> [23/35]: restarting directory server >>>>>> >>>> [24/35]: setting up initial replication >>>>>> >>>> Starting replication, please wait >>>>>> until this has completed. 
>>>>>> >>>> Update in progress, 127 >>>>>> seconds elapsed >>>>>> >>>> Update in progress yet not in >>>>>> progress >>>>>> >>>> >>>>>> >>>> Update in progress yet not in >>>>>> progress >>>>>> >>> >>>>>> > >>>>>> > in progress yet not in progress???? The >>>>>> error log below clearly shows >>>>>> > that replica init succeeded after 127 >>>>>> seconds. >>>>>> > >>>>>> > IPA-ers - wasn't there some bug about >>>>>> checking replica status properly? >>>>>> > >>>>>> >>>>>> The loop looks at >>>>>> nsds5BeginReplicaRefresh, >>>>>> nsds5replicaUpdateInProgress >>>>>> and nsds5ReplicaLastInitStatus. >>>>>> >>>>>> It loops looking for >>>>>> nsds5BeginReplicaRefresh. If there is no >>>>>> value it >>>>>> prints "Update in progress, %d seconds >>>>>> elapsed". Once it gets a status, >>>>>> the update is done, and it looks at >>>>>> nsds5ReplicaLastInitStatus. If it >>>>>> isn't empty, doesn't include 'replica >>>>>> busy' or 'Total update succeeded' >>>>>> then it looks to see if >>>>>> nsds5replicaUpdateInProgress is TRUE. If >>>>>> it is, >>>>>> ir prints Update in progress yet not in >>>>>> progress and tries the loop again. >>>>>> >>>>>> AFAICT this part of a replica install >>>>>> doesn't restart 389-ds. >>>>>> >>>>>> /var/log/ipareplica-install.log may hold >>>>>> some details. >>>>>> >>>>>> rob >>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >> >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jreg2k at gmail.com Mon Jun 8 10:30:09 2015 From: jreg2k at gmail.com (James James) Date: Mon, 8 Jun 2015 12:30:09 +0200 Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ... 
In-Reply-To: <55755160.7080100@redhat.com> References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com> <552EDC2D.9070609@redhat.com> <552F00E1.2020006@redhat.com> <5530755B.1030403@redhat.com> <5555FBEA.8090005@redhat.com> <55560360.706@redhat.com> <55560979.50508@redhat.com> <5559D54B.4080408@redhat.com> <55755160.7080100@redhat.com> Message-ID: My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 . Thanks. 2015-06-08 10:25 GMT+02:00 thierry bordaz : > Hello James, > > The fact that the master is more powerfull than the replica increase the > possibility to hit that bug. > The bug fix is on the master side. The master is made smarter to adapt its > replication flow to the speed of the consumer. > The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and > 389-ds-base-1.2.11.15-56.el6. > > What is the current version of your master ? > > thanks > thierry > > On 06/08/2015 09:49 AM, James James wrote: > > Hi Thierry, > > thanks for you answer. > > I was away for a long time, this is why my post comes later . > > This timing issue is coming when you try to upgrade from rhel 6 > (ipa-3.0) to rhel7 (ipa4.xx) ? > > I have a physical machine for the master and a VM as replica. The > solution is to use a physical machine for the replica ? > > How can I limit the cpu/memory in the physical machine (with cgroups ??). > > Any hints will be appreciated .. > > Regards > > James > > 2015-05-18 14:04 GMT+02:00 thierry bordaz : > >> On 05/15/2015 05:11 PM, James James wrote: >> >> ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 . >> >> >> Hi James, >> >> Unfortunately there is no workaround. This is a timing issue mostly seen >> when the master is more powerful than the consumer. >> If you are using VM you may try to get master/replica with nearly the >> same cpu/memory. >> >> thanks >> thierry >> >> >> Best. 
>> >> James >> >> 2015-05-15 16:58 GMT+02:00 Rich Megginson : >> >>> On 05/15/2015 08:46 AM, James James wrote: >>> >>> [root at ipa ~]# rpm -q 389-ds-base >>> 389-ds-base-1.2.11.15-50.el6_6.x86_64 >>> >>> >>> Ok. Looks like this is planned to be fixed in RHEL 6.7 with version >>> 389-ds-base-1.2.11.15-56.el6 >>> >>> I don't know if there are any workarounds. >>> >>> >>> >>> >>> >>> 2015-05-15 16:32 GMT+02:00 Rich Megginson : >>> >>>> On 05/15/2015 08:22 AM, James James wrote: >>>> >>>> I think that : >>>> >>>> Starting replication, please wait until this has completed. >>>> Update in progress, 127 seconds elapsed >>>> Update in progress yet not in progress >>>> >>>> >>>> looks like a time error : https://fedorahosted.org/freeipa/ticket/4756 >>>> >>>> >>>> That issue should have been fixed in 389-ds-base-1.3.3 branch. What >>>> version of 389-ds-base? rpm -q 389-ds-base >>>> >>>> >>>> >>>> 2015-05-15 16:00 GMT+02:00 Rich Megginson : >>>> >>>>> On 05/15/2015 07:55 AM, James James wrote: >>>>> >>>>> Is it possible to change the nsds5ReplicaTimeout value to get rid of >>>>> this timeout error ? >>>>> >>>>> >>>>> What timeout error? >>>>> >>>>> >>>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson : >>>>> >>>>>> On 04/15/2015 10:44 PM, James James wrote: >>>>>> >>>>>> The ipareplica-install.log file in attachment ... 
>>>>>> >>>>>> >>>>>> Here are the pertinent bits: >>>>>> >>>>>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] >>>>>> timeout 300 >>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from >>>>>> SchemaCache >>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url= >>>>>> ldap://ipa.example.com:389 conn=>>>>> instance at 0x484f4d0> >>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 >>>>>> from SchemaCache >>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url= >>>>>> ldaps://ipa1.example.com:636 conn=>>>>> instance at 0x4170290> >>>>>> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last): >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, >>>>>> in start_creation >>>>>> run_step(full_msg, method) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, >>>>>> in run_step >>>>>> method() >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>>>>> 368, in __setup_replica >>>>>> r_bindpw=self.dm_password) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line >>>>>> 969, in setup_replication >>>>>> raise RuntimeError("Failed to start replication") >>>>>> RuntimeError: Failed to start replication >>>>>> >>>>>> 2015-04-15T15:08:44Z DEBUG [error] RuntimeError: Failed to start >>>>>> replication >>>>>> >>>>>> The times are a little off, but I believe this corresponds to >>>>>> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. >>>>>> Processed 1539 entries in 126 seconds. (12.21 entries/sec) >>>>>> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - >>>>>> multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is >>>>>> coming online; enabling replication >>>>>> >>>>>> I don't know why setup_replication is reporting an error if >>>>>> replication completed successfully. 
>>>>>> >>>>>> >>>>>> >>>>>> 2015-04-16 2:22 GMT+02:00 Rob Crittenden : >>>>>> >>>>>>> Rich Megginson wrote: >>>>>>> > On 04/15/2015 02:58 PM, James James wrote: >>>>>>> >> Nothing on the replica .. maybye a process on the master. How can >>>>>>> I >>>>>>> >> check that ? >>>>>>> > >>>>>>> > I have no idea. But it seems highly unlikely that a process on the >>>>>>> > master is able to shutdown a process on the replica . . . >>>>>>> > >>>>>>> > I would say that there is some problem with the >>>>>>> ipa-replica-install not >>>>>>> > properly checking the status - see below: >>>>>>> > >>>>>>> >> >>>>>>> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson >>>>>> >> >: >>>>>>> >> >>>>>>> >> On 04/15/2015 12:43 PM, James James wrote: >>>>>>> >>> Here the log >>>>>>> >>> >>>>>>> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson < >>>>>>> rmeggins at redhat.com >>>>>>> >>> >: >>>>>>> >>> >>>>>>> >>> On 04/15/2015 09:46 AM, James James wrote: >>>>>>> >>>> Hello, >>>>>>> >>>> >>>>>>> >>>> I have been looking to solve my problem but I 'm asking >>>>>>> for >>>>>>> >>>> some help. >>>>>>> >>>> >>>>>>> >>>> The replication begins but cannot be completed .... >>>>>>> >>>> >>>>>>> >>>> I want to install a new fresh replica but I've always >>>>>>> got >>>>>>> >>>> this error : >>>>>>> >>>> >>>>>>> >>>> [21/35]: configure dirsrv ccache >>>>>>> >>>> [22/35]: enable SASL mapping fallback >>>>>>> >>>> [23/35]: restarting directory server >>>>>>> >>>> [24/35]: setting up initial replication >>>>>>> >>>> Starting replication, please wait until this has >>>>>>> completed. >>>>>>> >>>> Update in progress, 127 seconds elapsed >>>>>>> >>>> Update in progress yet not in progress >>>>>>> >>>> >>>>>>> >>>> Update in progress yet not in progress >>>>>>> >>> >>>>>>> > >>>>>>> > in progress yet not in progress???? The error log below clearly >>>>>>> shows >>>>>>> > that replica init succeeded after 127 seconds. 
>>>>>>> > >>>>>>> > IPA-ers - wasn't there some bug about checking replica status >>>>>>> properly? >>>>>>> > >>>>>>> >>>>>>> The loop looks at nsds5BeginReplicaRefresh, >>>>>>> nsds5replicaUpdateInProgress >>>>>>> and nsds5ReplicaLastInitStatus. >>>>>>> >>>>>>> It loops looking for nsds5BeginReplicaRefresh. If there is no value >>>>>>> it >>>>>>> prints "Update in progress, %d seconds elapsed". Once it gets a >>>>>>> status, >>>>>>> the update is done, and it looks at nsds5ReplicaLastInitStatus. If it >>>>>>> isn't empty, doesn't include 'replica busy' or 'Total update >>>>>>> succeeded' >>>>>>> then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it >>>>>>> is, >>>>>>> ir prints Update in progress yet not in progress and tries the loop >>>>>>> again. >>>>>>> >>>>>>> AFAICT this part of a replica install doesn't restart 389-ds. >>>>>>> >>>>>>> /var/log/ipareplica-install.log may hold some details. >>>>>>> >>>>>>> rob >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >> >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbordaz at redhat.com Mon Jun 8 12:56:04 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 08 Jun 2015 14:56:04 +0200 Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ... In-Reply-To: References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com> <552EDC2D.9070609@redhat.com> <552F00E1.2020006@redhat.com> <5530755B.1030403@redhat.com> <5555FBEA.8090005@redhat.com> <55560360.706@redhat.com> <55560979.50508@redhat.com> <5559D54B.4080408@redhat.com> <55755160.7080100@redhat.com> Message-ID: <557590E4.2060803@redhat.com> Hi, Would you update your master to 389-ds-base-1.2.11.15-56.el6, before attempting the upgrade to 7 ? thanks thierry On 06/08/2015 12:30 PM, James James wrote: > My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 . > > Thanks. 
> > > > 2015-06-08 10:25 GMT+02:00 thierry bordaz >: > > Hello James, > > The fact that the master is more powerfull than the replica > increase the possibility to hit that bug. > The bug fix is on the master side. The master is made smarter to > adapt its replication flow to the speed of the consumer. > The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and > 389-ds-base-1.2.11.15-56.el6. > > What is the current version of your master ? > > thanks > thierry > > On 06/08/2015 09:49 AM, James James wrote: >> Hi Thierry, >> >> thanks for you answer. >> >> I was away for a long time, this is why my post comes later . >> >> This timing issue is coming when you try to upgrade from rhel 6 >> (ipa-3.0) to rhel7 (ipa4.xx) ? >> >> I have a physical machine for the master and a VM as replica. The >> solution is to use a physical machine for the replica ? >> >> How can I limit the cpu/memory in the physical machine (with >> cgroups ??). >> >> Any hints will be appreciated .. >> >> Regards >> >> James >> >> 2015-05-18 14:04 GMT+02:00 thierry bordaz > >: >> >> On 05/15/2015 05:11 PM, James James wrote: >>> ok Rob. Thanks for your help. I will wait for the Scientific >>> Linux 6.7 . >> >> Hi James, >> >> Unfortunately there is no workaround. This is a timing issue >> mostly seen when the master is more powerful than the consumer. >> If you are using VM you may try to get master/replica with >> nearly the same cpu/memory. >> >> thanks >> thierry >> >>> >>> Best. >>> >>> James >>> >>> 2015-05-15 16:58 GMT+02:00 Rich Megginson >>> >: >>> >>> On 05/15/2015 08:46 AM, James James wrote: >>>> [root at ipa ~]# rpm -q 389-ds-base >>>> 389-ds-base-1.2.11.15-50.el6_6.x86_64 >>> >>> Ok. Looks like this is planned to be fixed in RHEL 6.7 >>> with version 389-ds-base-1.2.11.15-56.el6 >>> >>> I don't know if there are any workarounds. 
>>> >>> >>>> >>>> >>>> >>>> 2015-05-15 16:32 GMT+02:00 Rich Megginson >>>> >: >>>> >>>> On 05/15/2015 08:22 AM, James James wrote: >>>>> I think that : >>>>> >>>>> Starting replication, please wait until this has >>>>> completed. >>>>> Update in progress, 127 seconds elapsed >>>>> Update in progress yet not in progress >>>>> >>>>> >>>>> looks like a time error : >>>>> https://fedorahosted.org/freeipa/ticket/4756 >>>> >>>> That issue should have been fixed in >>>> 389-ds-base-1.3.3 branch. What version of >>>> 389-ds-base? rpm -q 389-ds-base >>>> >>>> >>>>> >>>>> 2015-05-15 16:00 GMT+02:00 Rich Megginson >>>>> >: >>>>> >>>>> On 05/15/2015 07:55 AM, James James wrote: >>>>>> Is it possible to change the >>>>>> nsds5ReplicaTimeout value to get rid of this >>>>>> timeout error ? >>>>> >>>>> What timeout error? >>>>> >>>>>> >>>>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson >>>>>> >>>>> >: >>>>>> >>>>>> On 04/15/2015 10:44 PM, James James wrote: >>>>>>> The ipareplica-install.log file in >>>>>>> attachment ... 
>>>>>> >>>>>> Here are the pertinent bits: >>>>>> >>>>>> 2015-04-15T15:06:31Z DEBUG >>>>>> wait_for_open_ports: localhost [389] >>>>>> timeout 300 >>>>>> 2015-04-15T15:06:32Z DEBUG flushing >>>>>> ldap://ipa.example.com:389 from SchemaCache >>>>>> 2015-04-15T15:06:32Z DEBUG retrieving >>>>>> schema for SchemaCache >>>>>> url=ldap://ipa.example.com:389 >>>>>> conn=>>>>> instance at 0x484f4d0> >>>>>> 2015-04-15T15:06:32Z DEBUG flushing >>>>>> ldaps://ipa1.example.com:636 from SchemaCache >>>>>> 2015-04-15T15:06:32Z DEBUG retrieving >>>>>> schema for SchemaCache >>>>>> url=ldaps://ipa1.example.com:636 >>>>>> conn=>>>>> instance at 0x4170290> >>>>>> 2015-04-15T15:08:44Z DEBUG Traceback >>>>>> (most recent call last): >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>>> line 382, in start_creation >>>>>> run_step(full_msg, method) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>>> line 372, in run_step >>>>>> method() >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", >>>>>> line 368, in __setup_replica >>>>>> r_bindpw=self.dm_password) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>>>> line 969, in setup_replication >>>>>> raise RuntimeError("Failed to start >>>>>> replication") >>>>>> RuntimeError: Failed to start replication >>>>>> >>>>>> 2015-04-15T15:08:44Z DEBUG [error] >>>>>> RuntimeError: Failed to start replication >>>>>> >>>>>> The times are a little off, but I believe >>>>>> this corresponds to >>>>>> [15/Apr/2015:17:08:39 +0200] - import >>>>>> userRoot: Import complete. Processed 1539 >>>>>> entries in 126 seconds. 
(12.21 entries/sec) >>>>>> [15/Apr/2015:17:08:39 +0200] >>>>>> NSMMReplicationPlugin - >>>>>> multimaster_be_state_change: replica >>>>>> dc=lix,dc=polytechnique,dc=fr is coming >>>>>> online; enabling replication >>>>>> >>>>>> I don't know why setup_replication is >>>>>> reporting an error if replication >>>>>> completed successfully. >>>>>> >>>>>> >>>>>>> >>>>>>> 2015-04-16 2:22 GMT+02:00 Rob Crittenden >>>>>>> >>>>>> >: >>>>>>> >>>>>>> Rich Megginson wrote: >>>>>>> > On 04/15/2015 02:58 PM, James >>>>>>> James wrote: >>>>>>> >> Nothing on the replica .. maybye >>>>>>> a process on the master. How can I >>>>>>> >> check that ? >>>>>>> > >>>>>>> > I have no idea. But it seems >>>>>>> highly unlikely that a process on the >>>>>>> > master is able to shutdown a >>>>>>> process on the replica . . . >>>>>>> > >>>>>>> > I would say that there is some >>>>>>> problem with the ipa-replica-install not >>>>>>> > properly checking the status - see >>>>>>> below: >>>>>>> > >>>>>>> >> >>>>>>> >> 2015-04-15 21:37 GMT+02:00 Rich >>>>>>> Megginson >>>>>> >>>>>>> >> >>>>>> >>: >>>>>>> >> >>>>>>> >> On 04/15/2015 12:43 PM, James >>>>>>> James wrote: >>>>>>> >>> Here the log >>>>>>> >>> >>>>>>> >>> 2015-04-15 18:58 GMT+02:00 >>>>>>> Rich Megginson >>>>>> >>>>>>> >>> >>>>>> >>: >>>>>>> >>> >>>>>>> >>> On 04/15/2015 09:46 AM, >>>>>>> James James wrote: >>>>>>> >>>> Hello, >>>>>>> >>>> >>>>>>> >>>> I have been looking to >>>>>>> solve my problem but I 'm asking for >>>>>>> >>>> some help. >>>>>>> >>>> >>>>>>> >>>> The replication begins >>>>>>> but cannot be completed .... 
>>>>>>> >>>> >>>>>>> >>>> I want to install a new >>>>>>> fresh replica but I've always got >>>>>>> >>>> this error : >>>>>>> >>>> >>>>>>> >>>> [21/35]: configure dirsrv ccache >>>>>>> >>>> [22/35]: enable SASL mapping >>>>>>> fallback >>>>>>> >>>> [23/35]: restarting directory >>>>>>> server >>>>>>> >>>> [24/35]: setting up initial >>>>>>> replication >>>>>>> >>>> Starting replication, please >>>>>>> wait until this has completed. >>>>>>> >>>> Update in progress, 127 >>>>>>> seconds elapsed >>>>>>> >>>> Update in progress yet >>>>>>> not in progress >>>>>>> >>>> >>>>>>> >>>> Update in progress yet >>>>>>> not in progress >>>>>>> >>> >>>>>>> > >>>>>>> > in progress yet not in >>>>>>> progress???? The error log below >>>>>>> clearly shows >>>>>>> > that replica init succeeded after >>>>>>> 127 seconds. >>>>>>> > >>>>>>> > IPA-ers - wasn't there some bug >>>>>>> about checking replica status properly? >>>>>>> > >>>>>>> >>>>>>> The loop looks at >>>>>>> nsds5BeginReplicaRefresh, >>>>>>> nsds5replicaUpdateInProgress >>>>>>> and nsds5ReplicaLastInitStatus. >>>>>>> >>>>>>> It loops looking for >>>>>>> nsds5BeginReplicaRefresh. If there >>>>>>> is no value it >>>>>>> prints "Update in progress, %d >>>>>>> seconds elapsed". Once it gets a status, >>>>>>> the update is done, and it looks at >>>>>>> nsds5ReplicaLastInitStatus. If it >>>>>>> isn't empty, doesn't include >>>>>>> 'replica busy' or 'Total update >>>>>>> succeeded' >>>>>>> then it looks to see if >>>>>>> nsds5replicaUpdateInProgress is >>>>>>> TRUE. If it is, >>>>>>> ir prints Update in progress yet not >>>>>>> in progress and tries the loop again. >>>>>>> >>>>>>> AFAICT this part of a replica >>>>>>> install doesn't restart 389-ds. >>>>>>> >>>>>>> /var/log/ipareplica-install.log may >>>>>>> hold some details. >>>>>>> >>>>>>> rob >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
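The status check that Rob describes in this thread (the loop over nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress and nsds5ReplicaLastInitStatus) is easier to reason about as a pure classifier over a single read of the replication-agreement entry. The block below is an added example, not ipa's or 389-ds's own code: it models the branches Rob lists, gives the "Update in progress yet not in progress" branch an explicit name, and bounds the wait so an installer built on it fails loudly instead of retrying forever. The attribute snapshots, status strings, function names and limits are constructed for illustration.

```python
"""Model of the replica-initialisation check done during ipa-replica-install.

Added example, not ipa's own code.  It classifies one read of the
replication-agreement entry and bounds the polling loop.  Every snapshot
below is constructed; none is captured from a real server.
"""
from typing import Dict, Iterable, Optional

# Attributes of the replication-agreement entry that the installer reads.
REFRESH = "nsds5BeginReplicaRefresh"          # present while a total update runs
IN_PROGRESS = "nsds5replicaUpdateInProgress"  # "TRUE" while the supplier is sending
LAST_STATUS = "nsds5ReplicaLastInitStatus"    # result text of the last total update

Snapshot = Dict[str, Optional[str]]

# States after which polling must stop.
TERMINAL = {"succeeded", "busy", "failed"}


def classify(attrs: Snapshot) -> str:
    """Map one snapshot of the agreement entry to a state name.

    running      - refresh attribute still present: total update underway
    no-status    - refresh cleared but no status written yet
    busy         - consumer answered 'replica busy': the init was refused
    succeeded    - status contains 'Total update succeeded'
    inconsistent - status is none of the above, yet UpdateInProgress is TRUE
                   (the "Update in progress yet not in progress" branch)
    failed       - any other non-empty status
    """
    if attrs.get(REFRESH):
        return "running"
    status = attrs.get(LAST_STATUS) or ""
    if not status:
        return "no-status"
    if "replica busy" in status:
        return "busy"
    if "Total update succeeded" in status:
        return "succeeded"
    if (attrs.get(IN_PROGRESS) or "").lower() == "true":
        return "inconsistent"
    return "failed"


def wait_for_init(snapshots: Iterable[Snapshot],
                  max_polls: int = 300,
                  max_inconsistent: int = 10) -> str:
    """Poll snapshots until a terminal state is reached.

    `snapshots` stands in for repeated LDAP reads of the agreement entry.
    The loop described in the thread retries indefinitely on the
    inconsistent branch; here more than `max_inconsistent` consecutive
    inconsistent reads, or more than `max_polls` reads in total, yields
    "timeout" so the caller can abort with a clear error.
    """
    inconsistent_run = 0
    for polls, attrs in enumerate(snapshots, start=1):
        state = classify(attrs)
        if state in TERMINAL:
            return state
        if state == "inconsistent":
            inconsistent_run += 1
            if inconsistent_run > max_inconsistent:
                return "timeout"
        else:
            inconsistent_run = 0
        if polls >= max_polls:
            return "timeout"
    return "timeout"  # snapshot source ran dry without a terminal state


# Constructed sequences: a healthy init, and an init whose status text never
# becomes conclusive while the in-progress flag stays TRUE.
HEALTHY = [
    {REFRESH: "start", IN_PROGRESS: "TRUE", LAST_STATUS: None},
    {REFRESH: "start", IN_PROGRESS: "TRUE", LAST_STATUS: None},
    {REFRESH: None, IN_PROGRESS: "FALSE", LAST_STATUS: "0 Total update succeeded"},
]

STUCK = [{REFRESH: "start", IN_PROGRESS: "TRUE", LAST_STATUS: None}] + [
    {REFRESH: None, IN_PROGRESS: "TRUE", LAST_STATUS: "0 constructed non-final status"}
] * 20

if __name__ == "__main__":
    print("healthy:", wait_for_init(HEALTHY))
    print("stuck:  ", wait_for_init(STUCK, max_inconsistent=5))
```

Feeding the classifier the three attributes from a real agreement entry (read with any LDAP client as Directory Manager) gives the same verdict the installer would reach, which makes it a quick way to tell "the consumer is still importing" from "the supplier never reported a final status" when an install stalls.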
From rcritten at redhat.com Mon Jun 8 14:24:57 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Jun 2015 10:24:57 -0400
Subject: [Freeipa-users] Certificate expired/renew problems
In-Reply-To:
References:
Message-ID: <5575A5B9.90408@redhat.com>

John Desantis wrote:
> Marc,
>
> Unfortunately, I've never had to promote a replica to become the CA
> master in our environment.
>
> Is the host that's reporting the error the URL of the old master or the
> replica? Did you check the CS.cfg to see if the replica certificate is
> present vs. the old master?
>
> John DeSantis

I think he just needs to go back in time again, restart the CA, restart
certmonger and that should do it.

It looks like this machine is configured to do the subsystem renewal: it
uses dogtag-ipa-renew-agent as the certmonger CA.

rob

> On Jun 5, 2015 3:49 PM, "Marc Wiatrowski" wrote:
>
> Thank you John. I had tried that but you did give me some things to
> look at.
>
> I was able to get 2 of the certificates to renew by setting the date
> back in time, a services restart, and issuing 'ipa-getcert resubmit
> -i ' This renewed the following 'Server-Cert' and
> 'ipaCert' but did not 'auditSigningCert cert-pki-ca'
> 'ocspSigningCert cert-pki-ca' or 'subsystemCert cert-pki-ca'
>
> The admin web interface now gives 'ipa error 4301: Certificate
> operation cannot be completed: Unable to communicate with CMS (Not
> Found)'
>
> listing the certs shows an error along the lines of
>
> Internal error: no response to
> "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>
> If any of these are useful.
>
> messages:
> Jun 5 15:38:05 spider01o certmonger: Internal error: no response to
> "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
>
> httpd/error:
> [Fri Jun 05 14:32:26 2015] [error] ipa: ERROR:
> ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate
> with CMS (Not Found)
>
> selftests.log:
> 8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1]
> SystemCertsVerification: system certs verification failure
> 8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem:
> The CRITICAL self test plugin called
> selftests.container.instance.SystemCertsVerification running at
> startup FAILED!
>
> $ ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> $ certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> caSigningCert cert-pki-ca                                    CTu,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
>
> $ getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20131204194012':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=IGLASS.NET
>         subject: CN=spider01o,O=IGLASS.NET
>         expires: 2017-05-28 18:03:59 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20141114162346':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=IGLASS.NET
>         subject: CN=spider01o.iglass.net,O=IGLASS.NET
>         expires: 2016-11-14 16:22:37 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20141114162434':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=IGLASS.NET
>         subject: CN=spider01o.iglass.net,O=IGLASS.NET
>         expires: 2016-11-03 16:24:27 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20141114162522':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=IGLASS.NET
>         subject: CN=spider01o.iglass.net,O=IGLASS.NET
>         expires: 2016-11-14 16:22:36 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20141114162610':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=IGLASS.NET
>         subject: CN=spider01o.iglass.net,O=IGLASS.NET
>         expires: 2016-11-14 16:22:42 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150604181945':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=IGLASS.NET
>         subject: CN=CA Audit,O=IGLASS.NET
>         expires: 2015-05-31 18:48:55 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150604181956':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=IGLASS.NET
>         subject: CN=OCSP Subsystem,O=IGLASS.NET
>         expires: 2015-05-31 18:48:54 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         eku: id-kp-OCSPSigning
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20150604182006':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true".
> stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='x' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IGLASS.NET > subject: CN=CA Subsystem,O=IGLASS.NET > expires: 2015-05-31 18:48:54 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20150604182012': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IGLASS.NET > subject: CN=IPA RA,O=IGLASS.NET > expires: 2017-05-25 13:58:36 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > > thanks again. -Marc > > On Fri, Jun 5, 2015 at 1:03 PM, John Desantis > wrote: > > Marc, > > I experienced a similar issue earlier this year. > > Try restarting certmonger after temporarily changing the date > back on > the master. In our case that service had failed miserably and it > didn't allow FreeIPA to renew the certificates properly. > > Our replicas however were hit with a bug [1] during this > process. We > applied the patched code and followed the same process and all was > well. > > John DeSantis > > [1] https://fedorahosted.org/freeipa/ticket/4064 > > > 2015-06-05 11:12 GMT-04:00 Marc Wiatrowski >: > > hello, > > > > I've got a problem with expired certificates in my ipa/IdM > setup. 
I believe > > the root issue to be from the fact that when everything was > first setup > > about a year ago and everything was replicated from a first > ipa server which > > no longer exists. There are currently 3 ipa servers but none > of them are > > the original. > > > > Couple days ago I started getting errors similar to > > '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your > > certificate as expired' through the web management > interface. After > > investigating with 'getcert list' I found that several > certificates expired > > at 2015-05-31 18:48:55 UTC. > > > > I found > > > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master > and > > followed the procedure for ipa <4.0 and everything seemed to > go as expected. > > However this did not fix my issue. > > > > With more searching it looked like once the certificates are > expired the > > auto renew will not work. Finding > > > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 > > to try to manually renew I am stuck at the the beginning with > 'Give the CSR > > to your external CA.' I don't believe we had our > certificates externally > > signed. They are whatever the original install put in > place. Setting the > > date back in time reeks havoc on our environment so I'm > reluctant to leave > > it for to long. I can get what I believe is the original CSR > from > > /etc/pki-ca/CS.cfg but unsure what to do next or if this is > even the road I > > should be going down. > > > > Things seem to be working for the most part except trying to > make updates. > > Any help on what to do next, somewhere else to look, or if > I'm going in the > > right direction would be greatly appreciated. 
> > > > thanks, > > Marc > > > > Info: > > CentOS 6.5 with some current updates including > > ipa-server-3.0.0-42.el6.centos.i686 > > certmonger-0.75.13-1.el6.i686 > > > > $ getcert list-cas > > CA 'SelfSign': > > is-default: no > > ca-type: INTERNAL:SELF > > next-serial-number: 01 > > CA 'IPA': > > is-default: no > > ca-type: EXTERNAL > > helper-location: /usr/libexec/certmonger/ipa-submit > > CA 'certmaster': > > is-default: no > > ca-type: EXTERNAL > > helper-location: /usr/libexec/certmonger/certmaster-submit > > CA 'dogtag-ipa-renew-agent': > > is-default: no > > ca-type: EXTERNAL > > helper-location: > /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit > > CA 'local': > > is-default: no > > ca-type: EXTERNAL > > helper-location: /usr/libexec/certmonger/local-submit > > CA 'dogtag-ipa-retrieve-agent-submit': > > is-default: no > > ca-type: EXTERNAL > > helper-location: > /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit > > > > $ getcert list > > Number of certificates and requests being tracked: 9. 
> > Request ID '20131204194012': > > status: MONITORING > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS > > Certificate DB' > > certificate: > > > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=spider01o,O=IGLASS.NET > > expires: 2015-12-05 19:40:13 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20141114162346': > > status: MONITORING > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=spider01o.iglass.net > ,O=IGLASS.NET > > expires: 2016-11-14 16:22:37 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20141114162434': > > status: MONITORING > > ca-error: Internal error: no response to > > > "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true". 
> > stuck: no > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB',pin='x' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=spider01o.iglass.net > ,O=IGLASS.NET > > expires: 2016-11-03 16:24:27 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20141114162522': > > status: MONITORING > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS > > Certificate > DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=spider01o.iglass.net > ,O=IGLASS.NET > > expires: 2016-11-14 16:22:36 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20141114162610': > > status: MONITORING > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=spider01o.iglass.net > ,O=IGLASS.NET > > expires: 2016-11-14 16:22:42 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: 
id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20150604181945': > > status: CA_UNREACHABLE > > ca-error: Error 35 connecting to > > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: > SSL connect > > error. > > stuck: no > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin='x' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=CA Audit,O=IGLASS.NET > > expires: 2015-05-31 18:48:55 UTC > > key usage: digitalSignature,nonRepudiation > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20150604181956': > > status: CA_UNREACHABLE > > ca-error: Error 35 connecting to > > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: > SSL connect > > error. > > stuck: no > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin='x' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=OCSP Subsystem,O=IGLASS.NET > > expires: 2015-05-31 18:48:54 UTC > > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > > eku: id-kp-OCSPSigning > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20150604182006': > > status: CA_UNREACHABLE > > ca-error: Error 35 connecting to > > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: > SSL connect > > error. 
> > stuck: no > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB',pin='x' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=CA Subsystem,O=IGLASS.NET > > expires: 2015-05-31 18:48:54 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20150604182012': > > status: CA_UNREACHABLE > > ca-error: Error 35 connecting to > > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: > SSL connect > > error. > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=IGLASS.NET > > subject: CN=IPA RA,O=IGLASS.NET > > expires: 2015-05-31 18:49:37 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > >https://www.redhat.com/mailman/listinfo/freeipa-users > > Go tohttp://freeipa.org for more info on the project > > > > From nathan at nathanpeters.com Mon Jun 8 15:57:43 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Mon, 8 Jun 2015 08:57:43 -0700 Subject: [Freeipa-users] FreeIPA web UI Freezing up In-Reply-To: <20150606034948.GR10162@redhat.com> References: 
<1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com>
<20150605215006.GQ10162@redhat.com>
<20150606034948.GR10162@redhat.com>
Message-ID: <0aa13178e78d7e51c8c69aec621f3e3b.squirrel@webmail.nathanpeters.com>

> On Fri, 05 Jun 2015, Nathan Peters wrote:
>>I had originally set this up with AD trust but when we found out that
>>our alternative UPNs were not supported we switched to ad sync. I
>>removed the trust relationship from the webui by deleting all trusts
>>showing in the ui.
>>
>>I then set it up for sync.
>>
>>Do I need to remove the trust from the command line as well? Does
>>deleting a trust in the web ui not remove *all* settings related to
>>that trust?
> No, it removes the trust the same way.
>
> However, do you have anything in /var/log/krb5kdc.log which points to
> SID filtering or a crash?
>
> --
> / Alexander Bokovoy
>

I have searched the entire /var/log/krb5kdc.log for the last week and there is nothing matching "sid" or "SID" in that file.

Here are the only relevant errors I could find in krb5kdc.log (filtered to remove duplicate entries):

Jun 04 23:06:43 dc1.ipadomain.net krb5kdc[1845](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain.net@OFFICE.ADDOMAIN.NET'
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.5.5.57: PROCESS_TGS: authtime 0, for HTTP/dc1.ipadomain.net@ipadomain.net, Server not found in Kerberos database

And here are some things from /var/log/dirsrv logs:

Jun 06 00:44:10 dc1.ipadomain.net krb5kdc[11447](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jun 06 02:53:52 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain.net@OFFICE.ADDOMAIN.NET'
Jun 06 04:14:17 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain.net@OFFICE.ADDOMAIN.NET'
Jun 06 11:54:37 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain.net@OFFICE.ADDOMAIN.NET'
Jun 06 13:46:07 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain.net@OFFICE.ADDOMAIN.NET'
Jun 06 13:50:52 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain.net@OFFICE.ADDOMAIN.NET'
Jun 06 18:38:18 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain.net@OFFICE.ADDOMAIN.NET'
Jun 06 21:59:10 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain.net@OFFICE.ADDOMAIN.NET'

So it appears that even though I removed the trust and rebooted both servers, there is still some remnant of it sticking around somewhere. The krb5kdc logs seem to indicate that we are still trying to get a shared ticket for the AD realm? The dirsrv logs also seem to point to trying to get a ticket for that realm also.

From nathan at nathanpeters.com Mon Jun 8 16:02:55 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Mon, 8 Jun 2015 09:02:55 -0700
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To: <557216F5.8050100@redhat.com>
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com>
<699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com>
<557216F5.8050100@redhat.com>
Message-ID: <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com>

> On 06/05/2015 03:31 PM, nathan at nathanpeters.com wrote:
>>> I have noticed that happen a couple times in the last few days. FreeIPA
>>> server 4.1.3 on CentOS 7 with a sync relationship to a Windows server
>>> 2008R2 domain controller.
>>>
>>> The web ui will stop working and just show a blank page.
>>>
>>> When I try to do a ipactl status the command just freezes and does
>>> nothing.
>>>
>>> In the example I paste below, there was 5 minutes between when I entered
>>> the command and when I did ctrl-c after getting tired of waiting for
>>> nothing to happen.
>>> After the ipactl command failed to work at all, I decided to restart the
>>> httpd service manually, and then saw a whole pile of strange errors around
>>> failing to bind to ldap server and generic kerberos errors.
>>>
>>> Rebooting the server seems to work for 24 hours or so until things go
>>> wonky again.
>>>
>>> [username@dc1 ~]$ sudo su -
>>> Last login: Fri Jun 5 16:05:55 UTC 2015 on pts/0
>>> [root@dc1 ~]# ipactl status
>>> ^CCancelled.
>>> [root@dc1 ~]# ipactl restart
>>> ^CCancelled.
>>> [root@dc1 ~]# ipactl restart
>>> ^CCancelled.
>>> [root@dc1 ~]# systemctl restart httpd
>>> [root@dc1 ~]#
>>>
>>>
>>> Jun 05 21:02:32 dc1.mydomain.net systemd[1]: Stopping The Apache HTTP Server...
>>> Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>>> Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>>> Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Created slice user-0.slice.
>>> Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Starting Session 161 of user root.
>>> Jun 05 21:03:19 dc1.mydomain.net systemd-logind[604]: New session 161 of user root.
>>> Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Started Session 161 of user root.
>>> Jun 05 21:03:19 dc1.mydomain.net login[614]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
>>> Jun 05 21:03:19 dc1.mydomain.net login[614]: ROOT LOGIN ON tty1
>>> Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:22.932855, 0] ipa_sam.c:4144(bind_callback_cleanup)
>>> Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>>> Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>>> Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>>> Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:43.935800, 0] ipa_sam.c:4144(bind_callback_cleanup)
>>> Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>>> Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
>>> Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service stopping timed out. Killing.
>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service: main process exited, code=killed, status=9/KILL
>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Unit httpd.service entered failed state.
>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Starting The Apache HTTP Server...
>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Started The Apache HTTP Server.
>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152666, 0] ipa_sam.c:4144(bind_callback_cleanup)
>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152995, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-NET.socket with dn="[Anonymous bind]" Error: Local error
>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: (unknown)
>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.153407, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: _netr_ServerAuthenticate3: failed to get machine password for account office.mydomain.net.: NT_STATUS_NONE_MAPPED
>>> Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>>> Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>>> Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:08:23.034001, 0] ipa_sam.c:4144(bind_callback_cleanup)
>>> Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
>>> Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>>> Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>>>
>>> I also got this error from the web ui after restarting httpd:
>>>
>>> Runtime error
>>>
>>> Web UI got in unrecoverable state during "metadata" phase
>>>
>>>
>> Further information: restarting the httpd service didn't help, but
>> restarting the dirsrv service allowed me to once again login to the webui
>> and the ipactl command started working again after the restart of dirsrv.
>>
>> Is there something I can look for in my logs next time this happens? I
>> have a feeling it *will* happen again; this is a critical server I'm in
>> charge of, so it will not be good if I cannot come up with a solid
>> explanation or bug report on why this server spontaneously stops working.
>>
>> [root@dc1 ~]# ipactl restart
>> (waiting 3 or 4 minutes with nothing happening)
>> ^CCancelled.
>> [root@dc1 ~]# systemctl restart dirsrv@MYDOMAIN-NET
>> [root@dc1 ~]# ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>> [root@dc1 ~]#
>>
>> Here are some additional entries from my /var/log/dirsrv/slapd-MYDOMAIN
>> logs. Strange error messages about non initialized replica.
>>
>> However, I know the windows machine is properly syncing data because I
>> have over 300 synced users and when I update them in AD the updated
>> attributes sync to IPA.
>
> Is it possible this is an old winsync agreement that is no longer valid?

I have only ever made a single winsync agreement on this server that I know of. How would I tell if an agreement is no longer valid?
From rmeggins at redhat.com Mon Jun 8 16:07:09 2015 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 08 Jun 2015 10:07:09 -0600 Subject: [Freeipa-users] FreeIPA web UI Freezing up In-Reply-To: <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> Message-ID: <5575BDAD.6040907@redhat.com> On 06/08/2015 10:02 AM, nathan at nathanpeters.com wrote: >> On 06/05/2015 03:31 PM, nathan at nathanpeters.com wrote: >>>> I have noticed that happen a couple times in the last few days. >>>> FreeIPA >>>> server 4.1.3 on CentOS 7 with a sync relationship to a Windows server >>>> 2008R2 domain controller. >>>> >>>> The web ui will stop working and just show a blank page. >>>> >>>> When I try to do a ipactl status the command just freezes and does >>>> nothing. >>>> >>>> In the exmaple I paste below, there was 5 minutes between when I >>>> entered >>>> the command and when I did ctrl-c after getting tired of waiting for >>>> nothing to happen. >>>> After the ipactl command failed to work at all, I decided to restart >>>> the >>>> httpd service manually, and then saw a whole pile of strange errors >>>> around >>>> failing to bind to ldap server and generic kerberos errors. >>>> >>>> Rebooting the server seems to work for 24 hours or so until things go >>>> wonky again. >>>> >>>> [username at dc1 ~]$ sudo su - >>>> Last login: Fri Jun 5 16:05:55 UTC 2015 on pts/0 >>>> [root at dc1 ~]# ipactl status >>>> ^CCancelled. >>>> [root at dc1 ~]# ipactl restart >>>> ^CCancelled. >>>> [root at dc1 ~]# ipactl restart >>>> ^CCancelled. >>>> [root at dc1 ~]# systemctl restart httpd >>>> [root at dc1 ~]# >>>> >>>> >>>> Jun 05 21:02:32 dc1.mydomain.net systemd[1]: Stopping The Apache HTTP >>>> Server... 
>>>> Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1 >>>> Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1 >>>> Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Created slice >>>> user-0.slice. >>>> Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Starting Session 161 of >>>> user >>>> root. >>>> Jun 05 21:03:19 dc1.mydomain.net systemd-logind[604]: New session 161 >>>> of >>>> user root. >>>> Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Started Session 161 of >>>> user >>>> root. >>>> Jun 05 21:03:19 dc1.mydomain.net login[614]: pam_unix(login:session): >>>> session opened for user root by LOGIN(uid=0) >>>> Jun 05 21:03:19 dc1.mydomain.net login[614]: ROOT LOGIN ON tty1 >>>> Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: [2015/06/05 >>>> 21:03:22.932855, 0] ipa_sam.c:4144(bind_callback_cleanup) >>>> Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: kerberos error: >>>> code=-1765328324, message=Generic error (see e-text) >>>> Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1 >>>> Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1 >>>> Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: [2015/06/05 >>>> 21:03:43.935800, 0] ipa_sam.c:4144(bind_callback_cleanup) >>>> Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: kerberos error: >>>> code=-1765328324, message=Generic error (see e-text) >>>> Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1 >>>> Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1 >>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service stopping >>>> timed >>>> out. Killing. >>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service: main >>>> process >>>> exited, code=killed, status=9/KILL >>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Unit httpd.service entered >>>> failed state. >>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Starting The Apache HTTP >>>> Server... 
>>>> Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Started The Apache HTTP >>>> Server. >>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 >>>> 21:04:07.152666, >>>> 0] ipa_sam.c:4144(bind_callback_cleanup) >>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: kerberos error: >>>> code=-1765328324, message=Generic error (see e-text) >>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 >>>> 21:04:07.152995, >>>> 0] ../source3/lib/smbldap.c:998(smbldap_connect_system) >>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: failed to bind to server >>>> ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-NET.socket with dn="[Anonymous >>>> bind]" Error: Local error >>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: (unknown) >>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 >>>> 21:04:07.153407, >>>> 0] >>>> ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3) >>>> Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: _netr_ServerAuthenticate3: >>>> failed to get machine password for account office.mydomain.net.: >>>> NT_STATUS_NONE_MAPPED >>>> Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1 >>>> Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1 >>>> Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: [2015/06/05 >>>> 21:08:23.034001, 0] ipa_sam.c:4144(bind_callback_cleanup) >>>> Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: kerberos error: >>>> code=-1765328324, message=Generic error (see e-text) >>>> Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1 >>>> Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1 >>>> >>>> I also got this error from the web ui after restarting httpd: >>>> >>>> Runtime error >>>> >>>> Web UI got in unrecoverable state during "metadata" phase >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project 
>>>>
>>> Further information: restarting the httpd service didn't help, but restarting the dirsrv service allowed me to once again login to the webui, and the ipactl command started working again after the restart of dirsrv.
>>>
>>> Is there something I can look for in my logs next time this happens? I have a feeling it *will* happen again. This is a critical server I'm in charge of, so it will not be good if I cannot come up with a solid explanation or bug report on why this server spontaneously stops working.
>>>
>>> [root@dc1 ~]# ipactl restart
>>> (waiting 3 or 4 minutes with nothing happening)
>>> ^CCancelled.
>>> [root@dc1 ~]# systemctl restart dirsrv@MYDOMAIN-NET
>>> [root@dc1 ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> [root@dc1 ~]#
>>>
>>> Here are some additional entries from my /var/log/dirsrv/slapd-MYDOMAIN logs. Strange error messages about a non-initialized replica.
>>>
>>> However, I know the windows machine is properly syncing data because I have over 300 synced users, and when I update them in AD the updated attributes sync to IPA.
>> Is it possible this is an old winsync agreement that is no longer valid?
> I have only ever made a single winsync agreement on this server that I know of. How would I tell if an agreement is no longer valid?
>
>
ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement

From nathan at nathanpeters.com Mon Jun 8 16:18:01 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Mon, 8 Jun 2015 09:18:01 -0700
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To: <5575BDAD.6040907@redhat.com>
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com>
Message-ID: <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com>

>>> Is it possible this is an old winsync agreement that is no longer
>>> valid?
>> I have only ever made a single winsync agreement on this server that I
>> know of. How would I tell if an agreement is no longer valid?
>>
>>
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> objectclass=nsDSWindowsReplicationAgreement
>
>
The output of that command seems to indicate that the replication agreement is valid and active?
[root@dc1 sbin]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQlo1VnlCSTY1Yzl5cl
 Z0cWlCc0hDdQ==}ReODwX5Q7vLGjmdGX57pmrLWKFF61dPc5SzPhk3RnIM=
nsds7DirsyncCookie:: TVNEUwMAAACTPfpcG5fQAQAAAAAAAAAAYAEAAKU8nAAAAAAAAAAAAAAAA
 AClPJwAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs0lWIQAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+4cAIQAAAAAA4qTQaC46/Ua4KXgP
 /ixNcerDRgAAAAAAWowbgYD1akibZ+sCul5C4dgsKwAAAAAAxSO4iapVmEGQ6R23bgLQi6U8nAAAA
 AAAogC6jFcyFUmhBp4B7FkaBWPPjAEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
oneWaySync: fromWindows
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608161149Z
nsds5replicaLastUpdateEnd: 20150608161149Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

However, my logs are still full of the following entry:

[08/Jun/2015:15:50:15 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:18 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:21 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:27 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:30 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:33 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:37 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:40 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
[08/Jun/2015:15:50:43 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.

From rmeggins at redhat.com Mon Jun 8 16:35:37 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 08 Jun 2015 10:35:37 -0600
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To: <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com>
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com> <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com>
Message-ID: <5575C459.80206@redhat.com>

On 06/08/2015 10:18 AM, nathan at nathanpeters.com wrote:
>>>> Is it possible this is an old winsync agreement that is no longer
>>>> valid?
>>> I have only ever made a single winsync agreement on this server that I
>>> know of. How would I tell if an agreement is no longer valid?
>>>
>>>
>> ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
>> objectclass=nsDSWindowsReplicationAgreement
>>
>>
> The output of that command seems to indicate that the replication
> agreement is valid and active?
>
> [root@dc1 sbin]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>  RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQlo1VnlCSTY1Yzl5cl
>  Z0cWlCc0hDdQ==}ReODwX5Q7vLGjmdGX57pmrLWKFF61dPc5SzPhk3RnIM=
> nsds7DirsyncCookie:: TVNEUwMAAACTPfpcG5fQAQAAAAAAAAAAYAEAAKU8nAAAAAAAAAAAAAAAA
>  AClPJwAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
>  13PwAAAAAADGzFNzznrESIxHzA74fbs0lWIQAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
>  PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+4cAIQAAAAAA4qTQaC46/Ua4KXgP
>  /ixNcerDRgAAAAAAWowbgYD1akibZ+sCul5C4dgsKwAAAAAAxSO4iapVmEGQ6R23bgLQi6U8nAAAA
>  AAAogC6jFcyFUmhBp4B7FkaBWPPjAEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
>  mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
>  NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
> oneWaySync: fromWindows
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150608161149Z
> nsds5replicaLastUpdateEnd: 20150608161149Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started

This looks like incremental update is successful . . .

> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0

. . . but this indicates that the sync agreement has never been initialized, which would also correspond to the errors below. I'm really puzzled as to how sync could possibly work if it has never been initialized. And I'm also not sure how you could have created the sync agreement using the IPA command line tools without initializing the agreement.

AFAIK, the only way to get rid of the errors is to reinitialize
http://linux.die.net/man/1/ipa-replica-manage

>
> However, my logs are still full of the following entry:
>
> [08/Jun/2015:15:50:15 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:18 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:21 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:27 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:30 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:33 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:37 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:40 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
> [08/Jun/2015:15:50:43 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replica has no update vector. It has never been initialized.
>

From christopher.lamb at ch.ibm.com Mon Jun 8 16:44:14 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 8 Jun 2015 18:44:14 +0200
Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Message-ID:

Hi All

We are interested to know if anybody has succeeded (or for that matter failed) in using FreeIPA to provide user authentication for Atlassian products such as JIRA or Confluence?

Somewhere in an Atlassian ticket I saw that FreeIPA is not officially supported, so I guess that should set our expectations .....

If anyone has succeeded, then of course any tips on how best to do so would be fantastic!

Thanks

Chris

From wia at iglass.net Mon Jun 8 18:31:25 2015
From: wia at iglass.net (Marc Wiatrowski)
Date: Mon, 8 Jun 2015 14:31:25 -0400
Subject: [Freeipa-users] Certificate expired/renew problems
In-Reply-To: <5575A5B9.90408@redhat.com>
References: <5575A5B9.90408@redhat.com>
Message-ID:

Ok I found my issue.
I didn't realize the server I initially tried to set up as the new master CA was 32 bit. What clued me in was the renew_ca_cert and stop_pkicad commands including a 64bit path in setting the certificates to be tracked in certmonger. But that path didn't exist on this server... The other two servers are 64 bit. Once I switched the master CA over to one of these and then set the time back before the certificates expired, all the certificates renewed and then populated out to the other servers. So all the certificates look good now.

The only issue I see now is if I log into the web management console on the 32 bit server I get the error:
"ipa error 4301 Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)"
But the two 64 bit interfaces look good. But I'm not too worried about this as now the plan is to replace the 32 bit server with 64.

thanks,
Marc

On Mon, Jun 8, 2015 at 10:24 AM, Rob Crittenden wrote:

> John Desantis wrote:
>
>> Marc,
>>
>> Unfortunately, I've never had to promote a replica to become the CA
>> master in our environment.
>>
>> Is the host that's reporting the error the URL of the old master or the
>> replica? Did you check the CS.cfg to see if the replica certificate is
>> present vs. the old master?
>>
>> John DeSantis
>>
>
> I think he just needs to go back in time again, restart the CA, restart
> certmonger and that should do it.
>
> It looks like this machine is configured to do the subsystem renewal: it
> uses dogtag-ipa-renew-agent as the certmonger CA.
>
> rob
>
>
>> On Jun 5, 2015 3:49 PM, "Marc Wiatrowski" wrote:
>>
>> Thank you John. I had tried that but you did give me some things to
>> look at.
>>
>> I was able to get 2 of the certificates to renew by setting the date back in time, a services restart, and issuing 'ipa-getcert resubmit -i '. This renewed the following: 'Server-Cert' and 'ipaCert', but did not renew 'auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca' or 'subsystemCert cert-pki-ca'.
>>
>> The admin web interface now gives 'ipa error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)'
>>
>> listing the certs shows an error along the lines of
>>
>> Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>>
>> If any of these are useful.
>>
>> messages:
>> Jun 5 15:38:05 spider01o certmonger: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
>>
>> httpd/error:
>> [Fri Jun 05 14:32:26 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
>>
>> selftests.log:
>> 8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification: system certs verification failure
>> 8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>
>> $ ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> DNS Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>> $ certutil -L -d /var/lib/pki-ca/alias
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> ocspSigningCert cert-pki-ca                   u,u,u
>> subsystemCert cert-pki-ca                     u,u,u
>> Server-Cert cert-pki-ca                       u,u,u
>> caSigningCert cert-pki-ca                     CTu,u,u
>> auditSigningCert cert-pki-ca                  u,u,Pu
>>
>> $ getcert list
>> Number of certificates and requests being tracked: 9.
>> Request ID '20131204194012':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>>     certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=spider01o,O=IGLASS.NET
>>     expires: 2017-05-28 18:03:59 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20141114162346':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>>     expires: 2016-11-14 16:22:37 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20141114162434':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>>     expires: 2016-11-03 16:24:27 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20141114162522':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>>     expires: 2016-11-14 16:22:36 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20141114162610':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>>     expires: 2016-11-14 16:22:42 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20150604181945':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=CA Audit,O=IGLASS.NET
>>     expires: 2015-05-31 18:48:55 UTC
>>     key usage: digitalSignature,nonRepudiation
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20150604181956':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=OCSP Subsystem,O=IGLASS.NET
>>     expires: 2015-05-31 18:48:54 UTC
>>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>     eku: id-kp-OCSPSigning
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20150604182006':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=CA Subsystem,O=IGLASS.NET
>>     expires: 2015-05-31 18:48:54 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20150604182012':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=IGLASS.NET
>>     subject: CN=IPA RA,O=IGLASS.NET
>>     expires: 2017-05-25 13:58:36 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>>
>> thanks again. -Marc
>>
>> On Fri, Jun 5, 2015 at 1:03 PM, John Desantis wrote:
>>
>> Marc,
>>
>> I experienced a similar issue earlier this year.
>>
>> Try restarting certmonger after temporarily changing the date back on the master. In our case that service had failed miserably and it didn't allow FreeIPA to renew the certificates properly.
>>
>> Our replicas however were hit with a bug [1] during this process. We applied the patched code and followed the same process and all was well.
>>
>> John DeSantis
>>
>> [1] https://fedorahosted.org/freeipa/ticket/4064
>>
>>
>> 2015-06-05 11:12 GMT-04:00 Marc Wiatrowski:
>>
>> > hello,
>> >
>> > I've got a problem with expired certificates in my ipa/IdM setup. I believe the root issue to be from the fact that when everything was first set up about a year ago everything was replicated from a first ipa server which no longer exists. There are currently 3 ipa servers but none of them are the original.
>> >
>> > Couple days ago I started getting errors similar to '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired' through the web management interface. After investigating with 'getcert list' I found that several certificates expired at 2015-05-31 18:48:55 UTC.
>> >
>> > I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master and followed the procedure for ipa <4.0 and everything seemed to go as expected. However this did not fix my issue.
>> >
>> > With more searching it looked like once the certificates are expired the auto renew will not work. Finding https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 to try to manually renew, I am stuck at the beginning with 'Give the CSR to your external CA.' I don't believe we had our certificates externally signed. They are whatever the original install put in place. Setting the date back in time wreaks havoc on our environment so I'm reluctant to leave it for too long. I can get what I believe is the original CSR from /etc/pki-ca/CS.cfg but unsure what to do next or if this is even the road I should be going down.
>> >
>> > Things seem to be working for the most part except trying to make updates. Any help on what to do next, somewhere else to look, or if I'm going in the right direction would be greatly appreciated.
>> >
>> > thanks,
>> > Marc
>> >
>> > Info:
>> > CentOS 6.5 with some current updates including
>> > ipa-server-3.0.0-42.el6.centos.i686
>> > certmonger-0.75.13-1.el6.i686
>> >
>> > $ getcert list-cas
>> > CA 'SelfSign':
>> >     is-default: no
>> >     ca-type: INTERNAL:SELF
>> >     next-serial-number: 01
>> > CA 'IPA':
>> >     is-default: no
>> >     ca-type: EXTERNAL
>> >     helper-location: /usr/libexec/certmonger/ipa-submit
>> > CA 'certmaster':
>> >     is-default: no
>> >     ca-type: EXTERNAL
>> >     helper-location: /usr/libexec/certmonger/certmaster-submit
>> > CA 'dogtag-ipa-renew-agent':
>> >     is-default: no
>> >     ca-type: EXTERNAL
>> >     helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
>> > CA 'local':
>> >     is-default: no
>> >     ca-type: EXTERNAL
>> >     helper-location: /usr/libexec/certmonger/local-submit
>> > CA 'dogtag-ipa-retrieve-agent-submit':
>> >     is-default: no
>> >     ca-type: EXTERNAL
>> >     helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
>> >
>> > $ getcert list
>> > Number of certificates and requests being tracked: 9.
>> > Request ID '20131204194012':
>> >     status: MONITORING
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>> >     certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>> >     CA: IPA
>> >     issuer: CN=Certificate Authority,O=IGLASS.NET
>> >     subject: CN=spider01o,O=IGLASS.NET
>> >     expires: 2015-12-05 19:40:13 UTC
>> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>> >     pre-save command:
>> >     post-save command:
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20141114162346':
>> >     status: MONITORING
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >     CA: IPA
>> >     issuer: CN=Certificate Authority,O=IGLASS.NET
>> >     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>> >     expires: 2016-11-14 16:22:37 UTC
>> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>> >     pre-save command:
>> >     post-save command:
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20141114162434':
>> >     status: MONITORING
>> >     ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> >     CA: dogtag-ipa-renew-agent
>> >     issuer: CN=Certificate Authority,O=IGLASS.NET
>> >     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>> >     expires: 2016-11-03 16:24:27 UTC
>> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >     eku: id-kp-serverAuth
>> >     pre-save command:
>> >     post-save command:
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20141114162522':
>> >     status: MONITORING
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >     CA: IPA
>> >     issuer: CN=Certificate Authority,O=IGLASS.NET
>> >     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>> >     expires: 2016-11-14 16:22:36 UTC
>> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>> >     pre-save command:
>> >     post-save command:
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20141114162610':
>> >     status: MONITORING
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >     CA: IPA
>> >     issuer: CN=Certificate Authority,O=IGLASS.NET
>> >     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>> > expires: 2016-11-14 16:22:42 UTC >> > key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20150604181945': >> > status: CA_UNREACHABLE >> > ca-error: Error 35 connecting to >> > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: >> SSL connect >> > error. >> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin='x' >> > certificate: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=IGLASS.NET < >> http://IGLASS.NET> >> > subject: CN=CA Audit,O=IGLASS.NET >> > expires: 2015-05-31 18:48:55 UTC >> > key usage: digitalSignature,nonRepudiation >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20150604181956': >> > status: CA_UNREACHABLE >> > ca-error: Error 35 connecting to >> > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: >> SSL connect >> > error. 
>> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin='x' >> > certificate: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=IGLASS.NET < >> http://IGLASS.NET> >> > subject: CN=OCSP Subsystem,O=IGLASS.NET >> > expires: 2015-05-31 18:48:54 UTC >> > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> > eku: id-kp-OCSPSigning >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20150604182006': >> > status: CA_UNREACHABLE >> > ca-error: Error 35 connecting to >> > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: >> SSL connect >> > error. >> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB',pin='x' >> > certificate: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=IGLASS.NET < >> http://IGLASS.NET> >> > subject: CN=CA Subsystem,O=IGLASS.NET >> > expires: 2015-05-31 18:48:54 UTC >> > key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20150604182012': >> > status: CA_UNREACHABLE >> > ca-error: Error 35 connecting to >> > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: >> SSL connect >> > error. 
>> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > certificate: >> > >> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> > Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=IGLASS.NET < >> http://IGLASS.NET> >> > subject: CN=IPA RA,O=IGLASS.NET >> > expires: 2015-05-31 18:49:37 UTC >> > key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > >> > >> > -- >> > Manage your subscription for the Freeipa-users mailing list: >> >https://www.redhat.com/mailman/listinfo/freeipa-users >> > Go tohttp://freeipa.org for more info on the project >> >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nathan at nathanpeters.com Mon Jun 8 18:49:06 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Mon, 8 Jun 2015 11:49:06 -0700 Subject: [Freeipa-users] FreeIPA web UI Freezing up In-Reply-To: <5575C459.80206@redhat.com> References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com> <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com> <5575C459.80206@redhat.com> Message-ID: > On 06/08/2015 10:18 AM, nathan at nathanpeters.com wrote: > This looks like incremental update is successful . . . > >> nsds5replicaUpdateInProgress: FALSE >> nsds5replicaLastInitStart: 0 >> nsds5replicaLastInitEnd: 0 > > . . . but this indicates that the sync agreement has never been > initialized, which would also correspond to the errors below. 
> I'm really puzzled as to how sync could possibly work if it has never been
> initialized. And I'm also not sure how you could have created the sync
> agreement using the IPA command line tools without initializing the
> agreement. AFAIK, the only way to get rid of the errors is to
> reinitialize http://linux.die.net/man/1/ipa-replica-manage

OK, more troubleshooting and I think I discovered the problem. Making the
sync agreement into a one way sync from windows to ipa seems to break the
agreement by uninitializing it? Not sure how to fix this, but here are the
logs to prove that is the step that is breaking it.

============================
try to create sync agreement
============================

[root at dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw --passsync --cacert /etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net --win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
Directory Manager password:

winsync agreement already exists on subtree OU=Staff,DC=office,DC=addomain,DC=net

=================================
failed because it already existed so disconnect
=================================

[root at dc1 ~]# ipa-replica-manage disconnect officedc2.office.addomain.net
Directory Manager password:

Deleted replication agreement from 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'

============================
try to create sync agreement
============================

[root at dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw a5Ryj2N4EAvjFLJelWOQ --passsync MVQXHEturhjqoFXGvUcH --cacert /etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net --win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/addomain.cer to certificate database for dc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=office,DC=addomain,DC=net
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 57 seconds elapsed
Update succeeded

Connected 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'

=====================================
confirm that init values are non zero
=====================================

[root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie:: TVNEUwMAAADdp7tcGKLQAQAAAAAAAAAAYAEAAAVEoQAAAAAAAAAAAAAAA
 AAFRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs72tMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+9xBIgAAAAAA4qTQaC46/Ua4KXgP
 /ixNcdrfVAAAAAAAWowbgYD1akibZ+sCul5C4e9kLQAAAAAAxSO4iapVmEGQ6R23bgLQiwVEoQAAA
 AAAogC6jFcyFUmhBp4B7FkaBQwfnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608182349Z
nsds5replicaLastUpdateEnd: 20150608182349Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150608182251Z
nsds5replicaLastInitEnd: 20150608182349Z
nsds5replicaLastInitStatus: 0 Total update succeeded

============================================================
now i update the ldap tree to do a one way sync with windows
============================================================

-----------
Expanding base 'cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config'...
Getting 1 entries:
Dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: meToofficedc2.office.addomain.net;
description: me to officedc2.office.addomain.net;
nsds50ruv (3): {replicageneration} 553fe9bb000000040000; {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575dff8000000040000; {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000 557244db001700030000;
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net;
nsDS5ReplicaBindMethod: simple;
nsds5replicaChangesSentSinceStartup: 4:35/0 ;
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdmI0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=;
nsDS5ReplicaHost: officedc2.office.addomain.net;
nsds5replicaLastInitEnd: 0;
nsds5replicaLastInitStart: 0;
nsds5replicaLastUpdateEnd: 20150608183351Z;
nsds5replicaLastUpdateStart: 20150608183350Z;
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded;
nsDS5ReplicaPort: 389;
nsds5replicareapactive: 0;
nsDS5ReplicaRoot: dc=ipadomain,dc=net;
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount;
nsds5replicaTimeout: 120;
nsDS5ReplicaTransportInfo: TLS;
nsds5replicaUpdateInProgress: FALSE;
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net;
nsds7DirsyncCookie: ;
nsds7NewWinGroupSyncEnabled: false;
nsds7NewWinUserSyncEnabled: true;
nsds7WindowsDomain: ipadomain.net;
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net;
nsruvReplicaLastModified (2): {replica 4 ldap://dc1.ipadomain.net:389} 5575df5e; {replica 3 ldap://dc2.ipadomain.net:389} 00000000;
objectClass (2): nsDSWindowsReplicationAgreement; top;
oneWaySync: fromWindows;
-----------

[root at dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

=================================================
now run search to see if agreement is still valid
=================================================

[root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie:: TVNEUwMAAAAJUnAmGaLQAQAAAAAAAAAAYAEAAIREoQAAAAAAAAAAAAAAA
 ACERKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
 /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi4REoQAAA
 AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
oneWaySync: fromWindows
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575df31000000040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000 557244db001700030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.net:389} 5575de97
nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.net:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608182928Z
nsds5replicaLastUpdateEnd: 20150608182928Z
nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

==============
um WTF? making it a one way only agreement invalidates the lastinitstart value?
==============

=================================================================================
troubleshooting : removing oneWaySync: fromWindows and see if problem still exists
=================================================================================

[root at dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

[root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie:: TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA
 ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
 /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA
 AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575dff8000000040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000 557244db001700030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.net:389} 5575df5e
nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.net:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608183216Z
nsds5replicaLastUpdateEnd: 20150608183216Z
nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

=====================================================
hmmm, problem still exists and not sure how to fix it
=====================================================

From nathan at nathanpeters.com Mon Jun 8 18:59:55 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Mon, 8 Jun 2015 11:59:55 -0700
Subject: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
Message-ID: <2f83c314199e03d154abc9b7b572fd4d.squirrel@webmail.nathanpeters.com>

I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries.
The builtin admin user can search and get results for DNS entries just fine, but we would rather not share this account with every sysadmin on our staff.

I have created a new role called "Super Admin". On the privileges tab for this user, I have added every single privilege in the 'Add' menu. This role now has all 29 privileges defined on the system. However, even after assigning a user to this role, and logging out and back in again, he cannot search DNS entries. He can see every DNS entry if he manually pages through them one at a time (we have several thousand, so this is not workable, as you would have to scroll through hundreds of pages). The problem is that any search always returns zero entries.

I thought maybe something was missing, so I created a new privilege called "All privileges". I then tried to add each individual permission to this privilege. I could only add 76 permissions. All other permissions would give the following error when I try to add them:

"invalid 'permission': cannot add permission "System: Read Automount Configuration" with bindtype "anonymous" to a privilege"

I can see if I go to the permissions menu that there are actually 174 possible permissions, so to only be able to add 76 of them seems really strange.

So my questions are:
1) Why can a user with 'all' privileges not search DNS entries?
2) Why am I only able to add 76 out of the 174 permissions to a privilege?
3) Is there anything that can be done to allow a user that is not the builtin 'admin' user to search DNS entries or actually be allotted all permissions on the system?
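The before/after ldapsearch dumps in Nathan's winsync message earlier in this thread show the field Rich is reading: nsds5replicaLastInitStart/End going back to 0 after the oneWaySync change, while nsds5replicaLastUpdateStatus keeps saying "0 Replica acquired successfully". As an added example (not code from the thread or from FreeIPA), here is a small Python checker that parses that LDIF the way 389-ds prints it (folded continuation lines, `attr:: base64` values) and flags any agreement with no recorded total update, a non-zero status, or a non-TLS transport for a simple bind. The two sample entries are constructed to mirror the thread's output: the DN and attribute names are the thread's, the cookie value is a placeholder, and which conditions count as problems is my assumption.

```python
"""Winsync agreement health check over `ldapsearch -LLL` output. Added example, not
code from the thread or from FreeIPA: it parses LDIF folds and `attr:: base64` values
and reports the fields the thread turns on. The samples at the end are constructed."""
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]
_ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")

def parse_ldif(text: str) -> List[Entry]:
    """One dict per LDIF entry; keys are lower-cased attribute names."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # LDIF fold: continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":                            # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value)
    return entries

def assess_agreement(entry: Entry) -> Dict[str, object]:
    """Summarise one agreement. LastInitStart/End of 0 means the server has no
    record of a total (initial) update, even while incremental updates say OK."""
    def first(attr: str, default: str = "") -> str:
        return (entry.get(attr.lower()) or [default])[0]
    init_start, init_end = first("nsds5replicaLastInitStart", "0"), first("nsds5replicaLastInitEnd", "0")
    init_status = first("nsds5replicaLastInitStatus")
    update_status = first("nsds5replicaLastUpdateStatus")
    transport = first("nsDS5ReplicaTransportInfo").upper()
    initialised = init_start not in ("", "0") and init_end not in ("", "0")
    problems: List[str] = []
    if not initialised:
        problems.append("no recorded total update (LastInitStart/End is 0)")
    if init_status and not init_status.startswith("0 "):
        problems.append(f"last total update failed: {init_status}")
    if not update_status.startswith("0 "):
        problems.append(f"last incremental update not OK: {update_status or '<none>'}")
    if transport not in ("TLS", "SSL", "LDAPS"):   # simple bind: password on the wire
        problems.append(f"transport {transport or '<none>'}: bind password unencrypted")
    return {"name": first("cn"), "direction": first("oneWaySync", "both"),
            "initialised": initialised, "last_update_status": update_status,
            "changes_sent": first("nsds5replicaChangesSentSinceStartup"),
            "problems": problems}

def check(ldif_text: str) -> List[Dict[str, object]]:
    """Assess every nsDSWindowsReplicationAgreement entry in the output."""
    return [assess_agreement(e) for e in parse_ldif(ldif_text)
            if "nsdswindowsreplicationagreement" in map(str.lower, e.get("objectclass", []))]

# Constructed sample: the agreement right after `ipa-replica-manage connect`,
# with a folded dn and a folded status line to exercise the parser.
SAMPLE_AFTER_CONNECT = "\n".join([
    r"dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain",
    r" \2Cdc\3Dnet,cn=mapping tree,cn=config",
    "cn: meToofficedc2.office.addomain.net",
    "objectClass: nsDSWindowsReplicationAgreement",
    "nsDS5ReplicaTransportInfo: TLS",
    "nsds5replicaChangesSentSinceStartup:",
    "nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd",
    " ate succeeded",
    "nsds5replicaLastInitStart: 20150608182251Z",
    "nsds5replicaLastInitEnd: 20150608182349Z",
    "nsds5replicaLastInitStatus: 0 Total update succeeded",
])

# Constructed sample: the same agreement after oneWaySync: fromWindows was set.
SAMPLE_AFTER_ONEWAY = "\n".join([
    "dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=mapping tree,cn=config",
    "cn: meToofficedc2.office.addomain.net",
    "objectClass: nsDSWindowsReplicationAgreement",
    "nsDS5ReplicaTransportInfo: TLS",
    "nsds7DirsyncCookie:: Y29uc3RydWN0ZWQ=",               # base64 of "constructed"
    "oneWaySync: fromWindows",
    "nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==",  # decodes to "4:28/0 "
    "nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd",
    " ate succeeded",
    "nsds5replicaLastInitStart: 0",
    "nsds5replicaLastInitEnd: 0",
])

if __name__ == "__main__":
    for sample in (SAMPLE_AFTER_CONNECT, SAMPLE_AFTER_ONEWAY):
        for r in check(sample):
            print(f"{r['name']} ({r['direction']}): {r['problems'] or 'OK'}")
```

Feed it the output of the thread's last ldapsearch and the oneWaySync agreement comes back with initialised False and the "no recorded total update" problem, the state Rich reads as "never initialized"; the first sample, matching the output right after connect, comes back clean. The transport check is there because the agreement binds with nsDS5ReplicaBindMethod: simple, so anything other than TLS on that hop would send the sync user's password in the clear.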
From rmeggins at redhat.com Mon Jun 8 19:06:48 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 08 Jun 2015 13:06:48 -0600
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To:
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com> <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com> <5575C459.80206@redhat.com>
Message-ID: <5575E7C8.609@redhat.com>

On 06/08/2015 12:49 PM, nathan at nathanpeters.com wrote:
>> On 06/08/2015 10:18 AM, nathan at nathanpeters.com wrote:
>> This looks like incremental update is successful . . .
>>
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 0
>>> nsds5replicaLastInitEnd: 0
>> . . . but this indicates that the sync agreement has never been
>> initialized, which would also correspond to the errors below. I'm
>> really puzzled as to how sync could possibly work if it has never been
>> initialized. And I'm also not sure how you could have created the sync
>> agreement using the IPA command line tools without initializing the
>> agreement. AFAIK, the only way to get rid of the errors is to
>> reinitialize http://linux.die.net/man/1/ipa-replica-manage
> OK, more troubleshooting and I think I discovered the problem. Making the
> sync agreement into a one way sync from windows to ipa seems to break the
> agreement by uninitializing it? Not sure how to fix this, but here are the
> logs to prove that is the step that is breaking it.
>
> ============================
> try to create sync agreement
> ============================
>
> [root at dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw --passsync --cacert /etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net --win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
> Directory Manager password:
>
> winsync agreement already exists on subtree OU=Staff,DC=office,DC=addomain,DC=net
>
> =================================
> failed because it already existed so disconnect
> =================================
>
> [root at dc1 ~]# ipa-replica-manage disconnect officedc2.office.addomain.net
> Directory Manager password:
>
> Deleted replication agreement from 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'
>
> ============================
> try to create sync agreement
> ============================
>
> [root at dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw a5Ryj2N4EAvjFLJelWOQ --passsync MVQXHEturhjqoFXGvUcH --cacert /etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net --win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/addomain.cer to certificate database for dc1.ipadomain.net
> ipa: INFO: AD Suffix is: DC=office,DC=addomain,DC=net
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
> Windows PassSync system account exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update in progress, 57 seconds elapsed
> Update succeeded
>
> Connected 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'
>
> =====================================
> confirm that init values are non zero
> =====================================
>
> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
> RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
> I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
> nsds7DirsyncCookie:: TVNEUwMAAADdp7tcGKLQAQAAAAAAAAAAYAEAAAVEoQAAAAAAAAAAAAAAA
> AAFRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
> 13PwAAAAAADGzFNzznrESIxHzA74fbs72tMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
> PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+9xBIgAAAAAA4qTQaC46/Ua4KXgP
> /ixNcdrfVAAAAAAAWowbgYD1akibZ+sCul5C4e9kLQAAAAAAxSO4iapVmEGQ6R23bgLQiwVEoQAAA
> AAAogC6jFcyFUmhBp4B7FkaBQwfnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
> mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
> NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150608182349Z
> nsds5replicaLastUpdateEnd: 20150608182349Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 20150608182251Z
> nsds5replicaLastInitEnd: 20150608182349Z
> nsds5replicaLastInitStatus: 0 Total update succeeded
>
> ============================================================
> now i update the ldap tree to do a one way sync with windows
> ============================================================
>
> -----------
> Expanding base 'cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config'...
> Getting 1 entries:
> Dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> cn: meToofficedc2.office.addomain.net;
> description: me to officedc2.office.addomain.net;
> nsds50ruv (3): {replicageneration} 553fe9bb000000040000; {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575dff8000000040000; {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000 557244db001700030000;
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net;
> nsDS5ReplicaBindMethod: simple;
> nsds5replicaChangesSentSinceStartup: 4:35/0 ;
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdmI0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=;
> nsDS5ReplicaHost: officedc2.office.addomain.net;
> nsds5replicaLastInitEnd: 0;
> nsds5replicaLastInitStart: 0;
> nsds5replicaLastUpdateEnd: 20150608183351Z;
> nsds5replicaLastUpdateStart: 20150608183350Z;
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded;
> nsDS5ReplicaPort: 389;
> nsds5replicareapactive: 0;
> nsDS5ReplicaRoot: dc=ipadomain,dc=net;
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount;
> nsds5replicaTimeout: 120;
> nsDS5ReplicaTransportInfo: TLS;
> nsds5replicaUpdateInProgress: FALSE;
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net;
> nsds7DirsyncCookie: ;
> nsds7NewWinGroupSyncEnabled: false;
> nsds7NewWinUserSyncEnabled: true;
> nsds7WindowsDomain: ipadomain.net;
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net;
> nsruvReplicaLastModified (2): {replica 4 ldap://dc1.ipadomain.net:389} 5575df5e; {replica 3 ldap://dc2.ipadomain.net:389} 00000000;
> objectClass (2): nsDSWindowsReplicationAgreement; top;
> oneWaySync: fromWindows;
> -----------
>
>
> [root at dc1 ~]# ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting pki-tomcatd Service
> Restarting smb Service
> Restarting winbind Service
> Restarting ipa-otpd Service
> Restarting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
> =================================================
> now run search to see if agreement is still valid
> =================================================
>
> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
> RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
> I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
> nsds7DirsyncCookie:: TVNEUwMAAAAJUnAmGaLQAQAAAAAAAAAAYAEAAIREoQAAAAAAAAAAAAAAA
> ACERKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
> 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
> PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
> /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi4REoQAAA
> AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
> mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
> NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
> oneWaySync: fromWindows
> nsds50ruv: {replicageneration} 553fe9bb000000040000
> nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575df31000000040000
> nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000 557244db001700030000
> nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.net:389} 5575de97
> nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.net:389} 00000000
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150608182928Z
> nsds5replicaLastUpdateEnd: 20150608182928Z
> nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0
>
> ==============
> um WTF? making it a one way only agreement invalidates the lastinitstart value?
> ==============

Looks like a bug.

>
> =================================================================================
> troubleshooting : removing oneWaySync: fromWindows and see if problem still exists
> =================================================================================
>
> [root at dc1 ~]# ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting pki-tomcatd Service
> Restarting smb Service
> Restarting winbind Service
> Restarting ipa-otpd Service
> Restarting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
> RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm > I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E= > nsds7DirsyncCookie:: > TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA > ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6 > 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm > PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP > /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA > AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU > mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90 > NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA > nsds50ruv: {replicageneration} 553fe9bb000000040000 > nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9 > 000000040000 5575dff8000000040000 > nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c > 4000000030000 557244db001700030000 > nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne > t:389} 5575df5e > nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n > et:389} 00000000 > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150608183216Z > nsds5replicaLastUpdateEnd: 20150608183216Z > nsds5replicaChangesSentSinceStartup:: NDozMC8wIA== > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental > upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > ===================================================== > hmmm, problem still exists and not sure how to fix it > ===================================================== > ipa-replica-manage re-initialize? 
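A check a practitioner could run over the ldapsearch output quoted above, added here as an example and not code from the thread, FreeIPA or 389-ds: it parses the LDIF (folded continuation lines, base64 `::` values such as nsds5replicaChangesSentSinceStartup) and flags an agreement whose nsds5replicaLastInitStart is 0, the condition the `ipa-replica-manage re-initialize` suggestion addresses. The sample entries are constructed from the attributes shown above with the credential and DirSync cookie replaced by placeholders, and the simple-bind-over-TLS check is an added caveat, not something the thread states.

```python
"""Winsync agreement health check over `ldapsearch -LLL` output (added
example; not code from the thread, FreeIPA or 389-ds). Sample entries are
constructed from the attributes shown in the thread; the credential and the
DirSync cookie are placeholders."""
import base64
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """One dict per entry. Handles LDIF folding (a leading space continues the
    previous line) and 'attr:: b64' values; names are lower-cased because
    389-ds mixes nsDS5ReplicaHost with nsds5replicaTimeout."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):      # base64 value; cookies may be binary
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            current.setdefault(name.lower(), []).append(value)
    return entries


def parse_changes_sent(value: str) -> Optional[Tuple[int, int, int]]:
    """'4:30/0 ' -> (replica id 4, 30 changes sent, 0 skipped)."""
    value = value.strip()
    if not value:
        return None
    rid, _, counts = value.partition(":")
    sent, _, skipped = counts.partition("/")
    return int(rid), int(sent), int(skipped)


def check_agreement(entry: Entry) -> Dict[str, object]:
    """Apply the thread's checks to one nsDSWindowsReplicationAgreement."""
    def first(attr: str, default: str = "") -> str:
        return entry.get(attr.lower(), [default])[0]

    host = first("nsDS5ReplicaHost")
    findings: List[str] = []
    # LastInitStart of 0 is the symptom seen above: no initialization recorded.
    if first("nsds5replicaLastInitStart", "0") in ("", "0"):
        findings.append("no initialization recorded; run: "
                        "ipa-replica-manage re-initialize --from=" + host)
    # 389-ds status strings begin with a numeric code; 0 is success.
    for attr in ("nsds5replicaLastInitStatus", "nsds5replicaLastUpdateStatus"):
        status = first(attr)
        if status and not status.startswith("0 "):
            findings.append(attr + " reports failure: " + status)
    if first("nsds5ReplicaEnabled", "on").lower() != "on":
        findings.append("agreement is disabled (nsds5ReplicaEnabled=off)")
    # Added caveat: a simple bind sends the sync user's password, so the
    # transport must be TLS (StartTLS) or SSL (LDAPS), not plain LDAP.
    if (first("nsDS5ReplicaBindMethod").lower() == "simple"
            and first("nsDS5ReplicaTransportInfo").upper() not in ("TLS", "SSL")):
        findings.append("simple bind over an unencrypted transport")
    return {"host": host, "one_way": first("oneWaySync") or "bidirectional",
            "changes_sent": parse_changes_sent(first("nsds5replicaChangesSentSinceStartup")),
            "findings": findings, "healthy": not findings}


# Constructed "before" entry: LastInitStart is 0 as in the thread's output.
BEFORE = """\
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\\3Dipadomain
 \\2Cdc\\3Dnet,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsDS5ReplicaHost: officedc2.office.addomain.net
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaTransportInfo: TLS
nsDS5ReplicaCredentials: {AES-PLACEHOLDER}PLACEHOLDER
nsds7DirsyncCookie:: Y29va2ll
oneWaySync: fromWindows
nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
  update succeeded
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
"""

# Constructed "after" entry, as the thread shows it following re-initialize.
AFTER = BEFORE.replace(
    "nsds5replicaLastInitStart: 0\nnsds5replicaLastInitEnd: 0\n",
    "nsds5ReplicaEnabled: on\n"
    "nsds5replicaLastInitStart: 20150608191038Z\n"
    "nsds5replicaLastInitEnd: 20150608191109Z\n"
    "nsds5replicaLastInitStatus: 0 Total update succeeded\n",
).replace("NDozMC8wIA==", "NDo0My8wIA==")

if __name__ == "__main__":
    for label, ldif in (("before", BEFORE), ("after", AFTER)):
        for entry in parse_ldif(ldif):
            print(label, check_agreement(entry))
```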
From nathan at nathanpeters.com Mon Jun 8 19:09:12 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Mon, 8 Jun 2015 12:09:12 -0700 Subject: [Freeipa-users] FreeIPA web UI Freezing up In-Reply-To: References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com> <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com> <5575C459.80206@redhat.com> Message-ID: <35b1285af3316e3ccc04d2b013480c91.squirrel@webmail.nathanpeters.com> > [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config > objectclass=nsDSWindowsReplicationAgreement > Enter LDAP Password: > dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain > \2Cdc\3Dnet,cn=mapping tree,cn=config > nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net > nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net > cn: meToofficedc2.office.addomain.net > nsds7NewWinGroupSyncEnabled: false > objectClass: nsDSWindowsReplicationAgreement > objectClass: top > nsDS5ReplicaTransportInfo: TLS > description: me to officedc2.office.addomain.net > nsDS5ReplicaRoot: dc=ipadomain,dc=net > nsDS5ReplicaHost: officedc2.office.addomain.net > nsds5replicaTimeout: 120 > nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service > Account,dc=office,dc=addomain,dc=net > nsds7NewWinUserSyncEnabled: true > nsDS5ReplicaPort: 389 > nsds7WindowsDomain: ipadomain.net > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof > idnssoaserial > entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount > nsDS5ReplicaBindMethod: simple > nsDS5ReplicaCredentials: > {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG > RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ > 
0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm > I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E= > nsds7DirsyncCookie:: > TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA > ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6 > 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm > PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP > /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA > AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU > mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90 > NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA > nsds50ruv: {replicageneration} 553fe9bb000000040000 > nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9 > 000000040000 5575dff8000000040000 > nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c > 4000000030000 557244db001700030000 > nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne > t:389} 5575df5e > nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n > et:389} 00000000 > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150608183216Z > nsds5replicaLastUpdateEnd: 20150608183216Z > nsds5replicaChangesSentSinceStartup:: NDozMC8wIA== > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental > upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > ===================================================== > hmmm, problem still exists and not sure how to fix it > ===================================================== > > This is also really strange, when I run an ipactl restart I get the following weird stuff in my log. messages about ACL targets not existing and a strange kerberos error where the host can't find it's own keytab or ldap service record? 
[08/Jun/2015:19:04:06 +0000] - 389-Directory/1.3.3.8 B2015.040.128 starting up [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- rounding up [08/Jun/2015:19:04:06 +0000] - WARNING: userRoot: entry cache size 512000B is less than db size 12500992B; We recommend to increase the entry cache size nsslapd-cachememsize. [08/Jun/2015:19:04:06 +0000] - WARNING: ipaca: entry cache size 512000B is less than db size 1343488B; We recommend to increase the entry cache size nsslapd-cachememsize. [08/Jun/2015:19:04:06 +0000] - WARNING: changelog: entry cache size 512000B is less than db size 45654016B; We recommend to increase the entry cache size nsslapd-cachememsize. 
[08/Jun/2015:19:04:06 +0000] - resizing db cache size: 400000 -> 320000 [08/Jun/2015:19:04:06 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipadomain,dc=net [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=ipadomain,dc=net does not exist [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=ipadomain,dc=net does not exist [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=ipadomain,dc=net does not exist [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target ou=sudoers,dc=ipadomain,dc=net does not exist [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=users,cn=compat,dc=ipadomain,dc=net does not exist [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which should be added before the CoS Definition. [08/Jun/2015:19:04:08 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [08/Jun/2015:19:04:08 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which should be added before the CoS Definition. [08/Jun/2015:19:04:08 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [08/Jun/2015:19:04:08 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests [08/Jun/2015:19:04:08 +0000] - Listening on All Interfaces port 636 for LDAPS requests [08/Jun/2015:19:04:08 +0000] - Listening on /var/run/slapd-IPADOMAIN-NET.socket for LDAPI requests [08/Jun/2015:19:04:38 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress) [08/Jun/2015:19:04:38 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth resumed From rmeggins at redhat.com Mon Jun 8 19:15:50 2015 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 08 Jun 2015 13:15:50 -0600 Subject: [Freeipa-users] FreeIPA web UI Freezing up In-Reply-To: <35b1285af3316e3ccc04d2b013480c91.squirrel@webmail.nathanpeters.com> References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com> <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com> <5575C459.80206@redhat.com> <35b1285af3316e3ccc04d2b013480c91.squirrel@webmail.nathanpeters.com> Message-ID: <5575E9E6.1070306@redhat.com> On 06/08/2015 01:09 PM, nathan at nathanpeters.com wrote: >> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config >> objectclass=nsDSWindowsReplicationAgreement >> Enter LDAP Password: >> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain >> \2Cdc\3Dnet,cn=mapping tree,cn=config >> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net >> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net >> cn: meToofficedc2.office.addomain.net >> nsds7NewWinGroupSyncEnabled: false >> objectClass: nsDSWindowsReplicationAgreement >> objectClass: top >> nsDS5ReplicaTransportInfo: TLS >> description: me to officedc2.office.addomain.net >> nsDS5ReplicaRoot: dc=ipadomain,dc=net >> nsDS5ReplicaHost: officedc2.office.addomain.net >> nsds5replicaTimeout: 120 
>> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service >> Account,dc=office,dc=addomain,dc=net >> nsds7NewWinUserSyncEnabled: true >> nsDS5ReplicaPort: 389 >> nsds7WindowsDomain: ipadomain.net >> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof >> idnssoaserial >> entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount >> nsDS5ReplicaBindMethod: simple >> nsDS5ReplicaCredentials: >> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG >> RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ >> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm >> I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E= >> nsds7DirsyncCookie:: >> TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA >> ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6 >> 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm >> PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP >> /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA >> AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU >> mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90 >> NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA >> nsds50ruv: {replicageneration} 553fe9bb000000040000 >> nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9 >> 000000040000 5575dff8000000040000 >> nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c >> 4000000030000 557244db001700030000 >> nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne >> t:389} 5575df5e >> nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n >> et:389} 00000000 >> nsds5replicareapactive: 0 >> nsds5replicaLastUpdateStart: 20150608183216Z >> nsds5replicaLastUpdateEnd: 20150608183216Z >> nsds5replicaChangesSentSinceStartup:: NDozMC8wIA== >> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental >> upd >> 
ate succeeded >> nsds5replicaUpdateInProgress: FALSE >> nsds5replicaLastInitStart: 0 >> nsds5replicaLastInitEnd: 0 >> >> ===================================================== >> hmmm, problem still exists and not sure how to fix it >> ===================================================== >> >> > This is also really strange, when I run an ipactl restart I get the > following weird stuff in my log. messages about ACL targets not existing Not sure about this. > and a strange kerberos error where the host can't find it's own keytab or > ldap service record? See below. > > [08/Jun/2015:19:04:06 +0000] - 389-Directory/1.3.3.8 B2015.040.128 > starting up > [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- > rounding up > [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- > rounding up > [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- > rounding up > [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- > rounding up > [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- > rounding up > [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 -- > rounding up > [08/Jun/2015:19:04:06 +0000] - WARNING: userRoot: entry cache size 512000B > is less than db size 12500992B; We recommend to increase the entry cache > size nsslapd-cachememsize. > [08/Jun/2015:19:04:06 +0000] - WARNING: ipaca: entry cache size 512000B is > less than db size 1343488B; We recommend to increase the entry cache size > nsslapd-cachememsize. > [08/Jun/2015:19:04:06 +0000] - WARNING: changelog: entry cache size > 512000B is less than db size 45654016B; We recommend to increase the entry > cache size nsslapd-cachememsize. 
> [08/Jun/2015:19:04:06 +0000] - resizing db cache size: 400000 -> 320000 > [08/Jun/2015:19:04:06 +0000] schema-compat-plugin - warning: no entries > set up under cn=computers, cn=compat,dc=ipadomain,dc=net > [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target > cn=groups,cn=compat,dc=ipadomain,dc=net does not exist > [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target > cn=computers,cn=compat,dc=ipadomain,dc=net does not exist > [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target > cn=ng,cn=compat,dc=ipadomain,dc=net does not exist > [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target > ou=sudoers,dc=ipadomain,dc=net does not exist > [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target > cn=users,cn=compat,dc=ipadomain,dc=net does not exist > [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist > [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist > [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=automember > rebuild membership,cn=tasks,cn=config does not exist > [08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which > should be added before the CoS Definition. > [08/Jun/2015:19:04:08 +0000] set_krb5_creds - Could not get initial > credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) > [08/Jun/2015:19:04:08 +0000] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (No Kerberos credentials > available)) errno 0 (Success) > [08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which > should be added before the CoS Definition. > [08/Jun/2015:19:04:08 +0000] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin - > agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI > auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (No Kerberos credentials available)) > [08/Jun/2015:19:04:08 +0000] - slapd started. Listening on All Interfaces > port 389 for LDAP requests > [08/Jun/2015:19:04:08 +0000] - Listening on All Interfaces port 636 for > LDAPS requests > [08/Jun/2015:19:04:08 +0000] - Listening on > /var/run/slapd-IPADOMAIN-NET.socket for LDAPI requests > [08/Jun/2015:19:04:38 +0000] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Cannot contact any KDC > for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress) > [08/Jun/2015:19:04:38 +0000] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > [08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin - > agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI > auth resumed This last line means "everything is ok now - I can use the keytab". The problem is that dirsrv starts very early, before kerberos is available. Replication keeps trying until kerberos is available. 
I admit the errors look scary, but as long as you see the "Replication bind with GSSAPI auth resumed" line, everything is fine.
>
>

From nathan at nathanpeters.com Mon Jun 8 19:19:03 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Mon, 8 Jun 2015 12:19:03 -0700
Subject: [Freeipa-users] FreeIPA web UI Freezing up
In-Reply-To: <5575E7C8.609@redhat.com>
References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com> <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com> <5575C459.80206@redhat.com> <5575E7C8.609@redhat.com>
Message-ID:

>> ==============
>> um WTF? making it a one way only agreement invalidates the
>> lastinitstart
>> value?
>> ==============
>
> Looks like a bug.

Ok, this is a pretty serious bug if making it one way can knock it offline permanently. Where should I file this bug report?

> ipa-replica-manage re-initialize?
>
>

That seemed to work. I would have tried that already, but the command does not indicate that this is a valid option. Running ipa-replica-manage --help does not even list re-initialize as a valid option. See output below.
[root at dc1 slapd-IPADOMAIN-NET]# ipa-replica-manage re-initialize Directory Manager password: re-initialize requires the option --from [root at dc1 slapd-IPADOMAIN-NET]# ipa-replica-manage --help Usage: ipa-replica-manage [options] Options: --version show program's version number and exit -h, --help show this help message and exit -H HOST, --host=HOST starting host -p DIRMAN_PASSWD, --password=DIRMAN_PASSWD Directory Manager password -v, --verbose provide additional information -f, --force ignore some types of errors -c, --cleanup DANGER: clean up references to a ghost master --binddn=BINDDN Bind DN to use with remote server --bindpw=BINDPW Password for Bind DN to use with remote server --winsync This is a Windows Sync Agreement --cacert=CACERT Full path and filename of CA certificate to use with TLS/SSL to the remote server --win-subtree=WIN_SUBTREE DN of Windows subtree containing the users you want to sync (default cn=Users, References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com> <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com> <5575C459.80206@redhat.com> <5575E7C8.609@redhat.com> Message-ID: <5575ED0B.70608@redhat.com> On 06/08/2015 01:19 PM, nathan at nathanpeters.com wrote: >>> ============== >>> um WTF? making it a one way only agreement invalidates the >>> lastinitstart >>> value? >>> ============== >> Looks like a bug. > Ok, this is a pretty serious bug if making it one way can knock it offline > permanently. Where should I file this bug report? https://fedorahosted.org/freeipa/newticket > >> ipa-replica-manage re-initialize? >> >> >> > That seemed to work. I would have tried that already but the command does > not indicate that is a valid option. 
Running ipa-replica-manage --help > does not even list re-initialize as a valid option. See output below. That looks like a bug too. However, the man page gives much more information, including the re-initialize command. > > [root at dc1 slapd-IPADOMAIN-NET]# ipa-replica-manage re-initialize > Directory Manager password: > > re-initialize requires the option --from > [root at dc1 slapd-IPADOMAIN-NET]# ipa-replica-manage --help > Usage: ipa-replica-manage [options] > > Options: > --version show program's version number and exit > -h, --help show this help message and exit > -H HOST, --host=HOST starting host > -p DIRMAN_PASSWD, --password=DIRMAN_PASSWD > Directory Manager password > -v, --verbose provide additional information > -f, --force ignore some types of errors > -c, --cleanup DANGER: clean up references to a ghost master > --binddn=BINDDN Bind DN to use with remote server > --bindpw=BINDPW Password for Bind DN to use with remote server > --winsync This is a Windows Sync Agreement > --cacert=CACERT Full path and filename of CA certificate to use with > TLS/SSL to the remote server > --win-subtree=WIN_SUBTREE > DN of Windows subtree containing the users you > want to > sync (default cn=Users, --passsync=PASSSYNC Password for the IPA system user used by the Windows > PassSync plugin to synchronize passwords > --from=FROMHOST Host to get data from > --no-lookup do not perform DNS lookup checks > [root at dc1 slapd-IPADOMAIN-NET]# ipa-replica-manage re-initialize > --from=officedc2.office.addomain.net > Directory Manager password: > > Update in progress, 30 seconds elapsed > Update succeeded > > [root at dc1 slapd-IPADOMAIN-NET]# ldapsearch -xLLL -D "cn=directory manager" > -W -b cn=config objectclass=nsDSWindowsReplicationAgreement > Enter LDAP Password: > dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain > \2Cdc\3Dnet,cn=mapping tree,cn=config > nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net > nsds7DirectoryReplicaSubtree: 
cn=users,cn=accounts,dc=ipadomain,dc=net > cn: meToofficedc2.office.addomain.net > nsds7NewWinGroupSyncEnabled: false > objectClass: nsDSWindowsReplicationAgreement > objectClass: top > nsDS5ReplicaTransportInfo: TLS > description: me to officedc2.office.addomain.net > nsDS5ReplicaRoot: dc=ipadomain,dc=net > nsDS5ReplicaHost: officedc2.office.addomain.net > nsds5replicaTimeout: 120 > nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service > Account,dc=office,dc=addomain,dc=net > nsds7NewWinUserSyncEnabled: true > nsDS5ReplicaPort: 389 > nsds7WindowsDomain: ipadomain.net > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof > idnssoaserial > entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount > nsDS5ReplicaBindMethod: simple > nsDS5ReplicaCredentials: > {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG > RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ > 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm > I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E= > nsds7DirsyncCookie:: > TVNEUwMAAAD1pLkYH6LQAQAAAAAAAAAAYAEAAO1GoQAAAAAAAAAAAAAAA > ADtRqEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6 > 13PwAAAAAADGzFNzznrESIxHzA74fbs4W3MAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm > PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+xRDIgAAAAAA4qTQaC46/Ua4KXgP > /ixNcbjpVAAAAAAAWowbgYD1akibZ+sCul5C4eNmLQAAAAAAxSO4iapVmEGQ6R23bgLQi+9GoQAAA > AAAogC6jFcyFUmhBp4B7FkaBbAvnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU > mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90 > NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA > nsds50ruv: {replicageneration} 553fe9bb000000040000 > nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9 > 000000040000 5575e79e000000040000 > nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c > 4000000030000 557244db001700030000 > nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne > t:389} 
5575e704 > nsruvReplicaLastModified: {replica 3 ldap://dc2.ipadomain.n > et:389} 00000000 > oneWaySync: fromWindows > nsds5ReplicaEnabled: on > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150608191201Z > nsds5replicaLastUpdateEnd: 20150608191201Z > nsds5replicaChangesSentSinceStartup:: NDo0My8wIA== > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental > upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 20150608191038Z > nsds5replicaLastInitEnd: 20150608191109Z > nsds5replicaLastInitStatus: 0 Total update succeeded > > From tompos at martos.bme.hu Mon Jun 8 19:33:59 2015 From: tompos at martos.bme.hu (Tamas Papp) Date: Mon, 08 Jun 2015 21:33:59 +0200 Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA In-Reply-To: References: Message-ID: <14dd4aa4470.2774.b4c2854741c50caf28b8595b5e98fc2d@martos.bme.hu> Yes, it's fine. -- Sent from mobile On June 8, 2015 18:47:41 Christopher Lamb wrote: > > Hi All > > we are interested to know if anybody has succeeded (or for that matter > failed) in using FreeIPA to provide user authentication for Atlassian > products such as JIRA or Confluence? > > Somewhere in an Atlassian ticket I saw that FreeIPA is not officially > supported, so I guess that should set our expectations ..... > > If anyone has succeeded, then of course any tips on how best to do so would > be fantastic! 
> > Thanks > > Chris > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From nathan at nathanpeters.com Mon Jun 8 19:48:02 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Mon, 8 Jun 2015 12:48:02 -0700 Subject: [Freeipa-users] FreeIPA web UI Freezing up In-Reply-To: <5575ED0B.70608@redhat.com> References: <1c2b7bd8db47f6fa718719bcfebf35d4.squirrel@webmail.nathanpeters.com> <699fc10fa92be378ff77bc286fdccbbb.squirrel@webmail.nathanpeters.com> <557216F5.8050100@redhat.com> <7f0cca19bb60c9ca2985a43f20680097.squirrel@webmail.nathanpeters.com> <5575BDAD.6040907@redhat.com> <381c9cab5b2350a04c7cba086e7ceb2e.squirrel@webmail.nathanpeters.com> <5575C459.80206@redhat.com> <5575E7C8.609@redhat.com> <5575ED0B.70608@redhat.com> Message-ID: <4852b8aac3e05e871bacd895c606da7c.squirrel@webmail.nathanpeters.com> > On 06/08/2015 01:19 PM, nathan at nathanpeters.com wrote: >>>> ============== >>>> um WTF? making it a one way only agreement invalidates the >>>> lastinitstart >>>> value? >>>> ============== >>> Looks like a bug. >> Ok, this is a pretty serious bug if making it one way can knock it >> offline >> permanently. Where should I file this bug report? > > https://fedorahosted.org/freeipa/newticket Thanks :) https://fedorahosted.org/freeipa/ticket/5054 From jreg2k at gmail.com Mon Jun 8 19:48:28 2015 From: jreg2k at gmail.com (James James) Date: Mon, 8 Jun 2015 21:48:28 +0200 Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ... 
In-Reply-To: <557590E4.2060803@redhat.com> References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com> <552EDC2D.9070609@redhat.com> <552F00E1.2020006@redhat.com> <5530755B.1030403@redhat.com> <5555FBEA.8090005@redhat.com> <55560360.706@redhat.com> <55560979.50508@redhat.com> <5559D54B.4080408@redhat.com> <55755160.7080100@redhat.com> <557590E4.2060803@redhat.com> Message-ID: Yes, as soon as 389-ds-base-1.2.11.15-56.el6 is available, I will update the master. Rich Megginson says that 389-ds-base-1.2.11.15-56.el6 will be shipped with rhel 6.7. Thus I will wait for 6.7 before trying to update the master and create a rhel 7 replica. Many thanks. 2015-06-08 14:56 GMT+02:00 thierry bordaz : > Hi, > > Would you update your master to 389-ds-base-1.2.11.15-56.el6, before > attempting the upgrade to 7 ? > > thanks > thierry > > On 06/08/2015 12:30 PM, James James wrote: > > My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 . > > Thanks. > > > > 2015-06-08 10:25 GMT+02:00 thierry bordaz : > >> Hello James, >> >> The fact that the master is more powerful than the replica increases the >> possibility to hit that bug. >> The bug fix is on the master side. The master is made smarter to adapt >> its replication flow to the speed of the consumer. >> The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and >> 389-ds-base-1.2.11.15-56.el6. >> >> What is the current version of your master ? >> >> thanks >> thierry >> >> On 06/08/2015 09:49 AM, James James wrote: >> >> Hi Thierry, >> >> thanks for your answer. >> >> I was away for a long time, this is why my post comes later. >> >> This timing issue is coming when you try to upgrade from rhel 6 >> (ipa-3.0) to rhel7 (ipa4.xx) ? >> >> I have a physical machine for the master and a VM as replica. The >> solution is to use a physical machine for the replica ? >> >> How can I limit the cpu/memory in the physical machine (with cgroups >> ??). >> >> Any hints will be appreciated .. 
>> >> Regards >> >> James >> >> 2015-05-18 14:04 GMT+02:00 thierry bordaz : >> >>> On 05/15/2015 05:11 PM, James James wrote: >>> >>> ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 >>> . >>> >>> >>> Hi James, >>> >>> Unfortunately there is no workaround. This is a timing issue mostly seen >>> when the master is more powerful than the consumer. >>> If you are using VM you may try to get master/replica with nearly the >>> same cpu/memory. >>> >>> thanks >>> thierry >>> >>> >>> Best. >>> >>> James >>> >>> 2015-05-15 16:58 GMT+02:00 Rich Megginson : >>> >>>> On 05/15/2015 08:46 AM, James James wrote: >>>> >>>> [root at ipa ~]# rpm -q 389-ds-base >>>> 389-ds-base-1.2.11.15-50.el6_6.x86_64 >>>> >>>> >>>> Ok. Looks like this is planned to be fixed in RHEL 6.7 with version >>>> 389-ds-base-1.2.11.15-56.el6 >>>> >>>> I don't know if there are any workarounds. >>>> >>>> >>>> >>>> >>>> >>>> 2015-05-15 16:32 GMT+02:00 Rich Megginson : >>>> >>>>> On 05/15/2015 08:22 AM, James James wrote: >>>>> >>>>> I think that : >>>>> >>>>> Starting replication, please wait until this has completed. >>>>> Update in progress, 127 seconds elapsed >>>>> Update in progress yet not in progress >>>>> >>>>> >>>>> looks like a time error : >>>>> https://fedorahosted.org/freeipa/ticket/4756 >>>>> >>>>> >>>>> That issue should have been fixed in 389-ds-base-1.3.3 branch. What >>>>> version of 389-ds-base? rpm -q 389-ds-base >>>>> >>>>> >>>>> >>>>> 2015-05-15 16:00 GMT+02:00 Rich Megginson : >>>>> >>>>>> On 05/15/2015 07:55 AM, James James wrote: >>>>>> >>>>>> Is it possible to change the nsds5ReplicaTimeout value to get rid of >>>>>> this timeout error ? >>>>>> >>>>>> >>>>>> What timeout error? >>>>>> >>>>>> >>>>>> 2015-04-17 4:52 GMT+02:00 Rich Megginson : >>>>>> >>>>>>> On 04/15/2015 10:44 PM, James James wrote: >>>>>>> >>>>>>> The ipareplica-install.log file in attachment ... 
>>>>>>> >>>>>>> >>>>>>> Here are the pertinent bits: >>>>>>> >>>>>>> 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] >>>>>>> timeout 300 >>>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from >>>>>>> SchemaCache >>>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url= >>>>>>> ldap://ipa.example.com:389 conn=>>>>>> instance at 0x484f4d0> >>>>>>> 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 >>>>>>> from SchemaCache >>>>>>> 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url= >>>>>>> ldaps://ipa1.example.com:636 conn=>>>>>> instance at 0x4170290> >>>>>>> 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last): >>>>>>> File >>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, >>>>>>> in start_creation >>>>>>> run_step(full_msg, method) >>>>>>> File >>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, >>>>>>> in run_step >>>>>>> method() >>>>>>> File >>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>>>>>> 368, in __setup_replica >>>>>>> r_bindpw=self.dm_password) >>>>>>> File >>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line >>>>>>> 969, in setup_replication >>>>>>> raise RuntimeError("Failed to start replication") >>>>>>> RuntimeError: Failed to start replication >>>>>>> >>>>>>> 2015-04-15T15:08:44Z DEBUG [error] RuntimeError: Failed to start >>>>>>> replication >>>>>>> >>>>>>> The times are a little off, but I believe this corresponds to >>>>>>> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. >>>>>>> Processed 1539 entries in 126 seconds. 
(12.21 entries/sec) >>>>>>> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - >>>>>>> multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is >>>>>>> coming online; enabling replication >>>>>>> >>>>>>> I don't know why setup_replication is reporting an error if >>>>>>> replication completed successfully. >>>>>>> >>>>>>> >>>>>>> >>>>>>> 2015-04-16 2:22 GMT+02:00 Rob Crittenden : >>>>>>> >>>>>>>> Rich Megginson wrote: >>>>>>>> > On 04/15/2015 02:58 PM, James James wrote: >>>>>>>> >> Nothing on the replica .. maybe a process on the master. How >>>>>>>> can I >>>>>>>> >> check that ? >>>>>>>> > >>>>>>>> > I have no idea. But it seems highly unlikely that a process on >>>>>>>> the >>>>>>>> > master is able to shutdown a process on the replica . . . >>>>>>>> > >>>>>>>> > I would say that there is some problem with the >>>>>>>> ipa-replica-install not >>>>>>>> > properly checking the status - see below: >>>>>>>> > >>>>>>>> >> >>>>>>>> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson >>>>>>> >> >: >>>>>>>> >> >>>>>>>> >> On 04/15/2015 12:43 PM, James James wrote: >>>>>>>> >>> Here the log >>>>>>>> >>> >>>>>>>> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson < >>>>>>>> rmeggins at redhat.com >>>>>>>> >>> >: >>>>>>>> >>> >>>>>>>> >>> On 04/15/2015 09:46 AM, James James wrote: >>>>>>>> >>>> Hello, >>>>>>>> >>>> >>>>>>>> >>>> I have been looking to solve my problem but I'm >>>>>>>> asking for >>>>>>>> >>>> some help. >>>>>>>> >>>> >>>>>>>> >>>> The replication begins but cannot be completed .... >>>>>>>> >>>> >>>>>>>> >>>> I want to install a new fresh replica but I've always >>>>>>>> got >>>>>>>> >>>> this error : >>>>>>>> >>>> >>>>>>>> >>>> [21/35]: configure dirsrv ccache >>>>>>>> >>>> [22/35]: enable SASL mapping fallback >>>>>>>> >>>> [23/35]: restarting directory server >>>>>>>> >>>> [24/35]: setting up initial replication >>>>>>>> >>>> Starting replication, please wait until this has >>>>>>>> completed. 
>>>>>>>> >>>> Update in progress, 127 seconds elapsed >>>>>>>> >>>> Update in progress yet not in progress >>>>>>>> >>>> >>>>>>>> >>>> Update in progress yet not in progress >>>>>>>> >>> >>>>>>>> > >>>>>>>> > in progress yet not in progress???? The error log below clearly >>>>>>>> shows >>>>>>>> > that replica init succeeded after 127 seconds. >>>>>>>> > >>>>>>>> > IPA-ers - wasn't there some bug about checking replica status >>>>>>>> properly? >>>>>>>> > >>>>>>>> >>>>>>>> The loop looks at nsds5BeginReplicaRefresh, >>>>>>>> nsds5replicaUpdateInProgress >>>>>>>> and nsds5ReplicaLastInitStatus. >>>>>>>> >>>>>>>> It loops looking for nsds5BeginReplicaRefresh. If there is no value >>>>>>>> it >>>>>>>> prints "Update in progress, %d seconds elapsed". Once it gets a >>>>>>>> status, >>>>>>>> the update is done, and it looks at nsds5ReplicaLastInitStatus. If >>>>>>>> it >>>>>>>> isn't empty, doesn't include 'replica busy' or 'Total update >>>>>>>> succeeded' >>>>>>>> then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it >>>>>>>> is, >>>>>>>> it prints Update in progress yet not in progress and tries the loop >>>>>>>> again. >>>>>>>> >>>>>>>> AFAICT this part of a replica install doesn't restart 389-ds. >>>>>>>> >>>>>>>> /var/log/ipareplica-install.log may hold some details. >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From CWhite at skytouchtechnology.com Mon Jun 8 19:57:37 2015 From: CWhite at skytouchtechnology.com (Craig White) Date: Mon, 8 Jun 2015 19:57:37 +0000 Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA In-Reply-To: <14dd4aa4470.2774.b4c2854741c50caf28b8595b5e98fc2d@martos.bme.hu> References: <14dd4aa4470.2774.b4c2854741c50caf28b8595b5e98fc2d@martos.bme.hu> Message-ID: Might want to search the 'compat' tree Craig White System Administrator O 623-201-8179 
M 602-377-9752 SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032 -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Tamas Papp Sent: Monday, June 08, 2015 12:34 PM To: Christopher Lamb; freeipa-users at redhat.com Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA Yes, it's fine. -- Sent from mobile On June 8, 2015 18:47:41 Christopher Lamb wrote: > > Hi All > > we are interested to know if anybody has succeeded (or for that matter > failed) in using FreeIPA to provide user authentication for Atlassian > products such as JIRA or Confluence? > > Somewhere in an Atlassian ticket I saw that FreeIPA is not officially > supported, so I guess that should set our expectations ..... > > If anyone has succeeded, then of course any tips on how best to do so > would be fantastic! > > Thanks > > Chris > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From ejmalloy at gmail.com Mon Jun 8 20:03:59 2015 From: ejmalloy at gmail.com (Eric Malloy) Date: Mon, 8 Jun 2015 16:03:59 -0400 Subject: [Freeipa-users] Unable to prepare replica file after changing Directory Manager & PKI Admin Password on Freeipa-3.0.0 Message-ID: Hello Per http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password, I had changed my dm_password and followed steps two and three of this how to... 
Then when I run `ipa-replica-prepare -p $(cat ~/dm_password) --ip-address=172.17.0.6 ipa.us-west-2.domain.net --ca=/root/cacert.p12 --debug I am not able to prepare replica file, which now errors out at: ``` Creating SSL certificate for the Directory Server ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpnq4o0Yipa/realm_info -N -f /tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt ipa : DEBUG stdout= ipa : DEBUG stderr= ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpnq4o0Yipa/realm_info -A -n SHOOBX.NET IPA CA -t CT,,C -a ipa : DEBUG stdout= ipa : DEBUG stderr= ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpnq4o0Yipa/realm_info -R -s CN=ipa.us-west-2.XXXXX.net,O=XXXXX.NET -o /var/lib/ipa/ipa-mB7ivC/tmpcertreq -k rsa -g 2048 -z /tmp/tmpnq4o0Yipa/realm_info/noise.txt -f /tmp/tmpnq4o0Yip a/realm_info/pwdfile.txt ipa : DEBUG stdout= ipa : DEBUG stderr= Generating key. This may take a few moments... certutil: could not find certificate named "CN=XXXXX.NET Certificate Authority": SEC_ERROR_BAD_DATABASE: security library: bad database. certutil: unable to create cert (security library: bad database.) ipa : DEBUG args=/usr/bin/certutil -d /tmp/tmpnq4o0Yipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-mB7ivC/tmpcert.der -f /tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt ipa : DEBUG stdout= ipa : DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. certutil: could not decode certificate: SEC_ERROR_INVALID_ARGS: security library: invalid arguments. 
preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpnq4o0Yipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-mB7ivC/tmpcert.der -f /tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt' returned non-zero exit status 255 ipa : DEBUG Command '/usr/bin/certutil -d /tmp/tmpnq4o0Yipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-mB7ivC/tmpcert.der -f /tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt' returned non-zero exit status 255 File "/usr/sbin/ipa-replica-prepare", line 490, in main() File "/usr/sbin/ipa-replica-prepare", line 361, in main export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base) File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb raise e Command '/usr/bin/certutil -d /tmp/tmpnq4o0Yipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-mB7ivC/tmpcert.der -f /tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt' returned non-zero exit status 255 File "/usr/sbin/ipa-replica-prepare", line 490, in main() File "/usr/sbin/ipa-replica-prepare", line 361, in main export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base) File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb raise e ``` I can run certutil successfully on these files: # certutil -L -d /var/lib/pki-ca/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu Any ideas? Ultimately my goal is to replicate CA from freeipa-3.0.0 to freeipa >3.3 It was found from my ca_audit log that when the replica requested the cookie that the authentication failed - which prompted me to sync up the dm password with the pki admin password. This was suggested by edewata and alee -- Hoping someone has experienced this and has a fix. Thank you! 
Sincerely, Eric Malloy -------------- next part -------------- An HTML attachment was scrubbed... URL: From thibaut.pouzet at lyra-network.com Tue Jun 9 09:32:19 2015 From: thibaut.pouzet at lyra-network.com (Thibaut Pouzet) Date: Tue, 09 Jun 2015 11:32:19 +0200 Subject: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports) In-Reply-To: <55720467.2020700@redhat.com> References: <5550C748.3090903@lyra-network.com> <20150512160952.GA23769@redhat.com> <55522CB1.2090805@lyra-network.com> <20150512181142.GB23769@redhat.com> <5553083E.3050203@lyra-network.com> <555AFA44.70601@lyra-network.com> <55720467.2020700@redhat.com> Message-ID: <5576B2A3.2070909@lyra-network.com> Le 05/06/2015 22:19, Endi Sukma Dewata a écrit : > On 5/19/2015 3:54 AM, Thibaut Pouzet wrote: >> Hi, >> >> It appeared that the NSS DB had fips enabled due to the troubleshooting >> of an old problem : >> >> # modutil -dbdir /var/lib/pki-ca/alias/ -list >> >> Listing of PKCS #11 Modules >> ----------------------------------------------------------- >> 1. NSS Internal FIPS PKCS #11 Module >> slots: 1 slot attached >> status: loaded >> >> slot: NSS FIPS 140-2 User Private Key Services >> token: NSS FIPS 140-2 Certificate DB >> ----------------------------------------------------------- >> >> I disabled it : modutil -dbdir /var/lib/pki-ca/alias -fips false >> >> And no longer have the stack trace in the debug logs while re-sumbitting >> the certificate with certmonger. >> >> This is a first step in this certificate renewal, as I still cannot >> renew it, I have a new error : >> status: CA_UNREACHABLE >> ca-error: Error 60 connecting to >> https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate >> cannot be authenticated with known CA certificates. >> >> This looks like a chicken and egg problem, the certificate served on >> ipa_server:9443 is the one that needs to be renewed. I tried to step >> back in time when the certificate was still valid with no luck. 
>> >> So if anyone has an idea here... >> >> Cheers, > > Hi, > > Is this still a problem? Per discussion with Rob it doesn't seem to be > an issue with Dogtag itself. > > I suppose you are following this instruction: > http://www.freeipa.org/page/Howto/CA_Certificate_Renewal > > Could you post the full getcert list output? Also after you reset the > clock back and try the renewal again could you post the error messages > that you get? > > Hopefully the IPA team will be able to troubleshoot further. Thanks. > Hi Endi, Indeed, this is still a problem for this server. I did not have any new idea on how to troubleshoot this issue unfortunately... Here is what you asked : With ntp running, date is now : $ sudo getcert list -c dogtag-ipa-renew-agent Number of certificates and requests being tracked: 9. Request ID '20150511123414': status: MONITORING stuck: no key pair storage: type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='640188994674' certificate: type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=CA Audit,O=ipa_domain expires: 2017-04-10 05:34:30 UTC key usage: digitalSignature,nonRepudiation pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150511123614': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. 
stuck: no key pair storage: type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='640188994674' certificate: type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=CA Subsystem,O=ipa_domain expires: 2015-04-09 04:58:34 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150511123705': status: MONITORING stuck: no key pair storage: type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=IPA RA,O=ipa_domain expires: 2017-04-18 07:11:38 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150513074100': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. 
stuck: no key pair storage: type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='640188994674' certificate: type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=ipa_server,O=ipa_domain expires: 2015-04-09 04:58:33 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150107225544': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. stuck: no key pair storage: type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='640188994674' certificate: type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=OCSP Subsystem,O=ipa_domain expires: 2015-04-09 04:58:33 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: id-kp-OCSPSigning pre-save command: post-save command: track: yes auto-renew: yes I set the date to before the expiration date of the certificate, and do ipa getcert resubmit -i 20150513074100 : $ sudo getcert list -c dogtag-ipa-renew-agent Number of certificates and requests being tracked: 9. 
Request ID '20150511123414': status: MONITORING stuck: no key pair storage: type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='640188994674' certificate: type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=CA Audit,O=ipa_domain expires: 2017-04-10 05:34:30 UTC key usage: digitalSignature,nonRepudiation pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150511123614': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. stuck: no key pair storage: type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='640188994674' certificate: type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=CA Subsystem,O=ipa_domain expires: 2015-04-09 04:58:34 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150511123705': status: MONITORING stuck: no key pair storage: type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=IPA RA,O=ipa_domain expires: 2017-04-18 07:11:38 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150513074100': status: NEED_TO_SUBMIT 
ca-error: Error 35 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: SSL connect error. stuck: no key pair storage: type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='640188994674' certificate: type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=ipa_server,O=ipa_domain expires: 2015-04-09 04:58:33 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20150107225544': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. stuck: no key pair storage: type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='640188994674' certificate: type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=ipa_domain subject: CN=OCSP Subsystem,O=ipa_domain expires: 2015-04-09 04:58:33 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: id-kp-OCSPSigning pre-save command: post-save command: track: yes auto-renew: yes Nothing inside /var/log/pki-ca/debug regarding this resubmit request Cheers, -- Thibaut Pouzet Lyra Network Ingénieur Systèmes et Réseaux (+33) 5 31 22 40 08 www.lyra-network.com From Alexander.Frolushkin at megafon.ru Tue Jun 9 10:00:30 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Tue, 9 Jun 2015 10:00:30 +0000 Subject: [Freeipa-users] IPA and AD trusts Message-ID: <6634279bcd2e475dadecfcaf5aa61c1b@sib-ums03.Megafon.ru> Hello! I need some clarification, because I already killed one of my replicas twice... 
After new replica server installation, do I need to run ipa-adtrust-install on it? WBR, Alexander Frolushkin ________________________________ The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Tue Jun 9 10:12:08 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 9 Jun 2015 13:12:08 +0300 Subject: [Freeipa-users] IPA and AD trusts In-Reply-To: <6634279bcd2e475dadecfcaf5aa61c1b@sib-ums03.Megafon.ru> References: <6634279bcd2e475dadecfcaf5aa61c1b@sib-ums03.Megafon.ru> Message-ID: <20150609101208.GB10162@redhat.com> On Tue, 09 Jun 2015, Alexander Frolushkin wrote: >Hello! >I need some clarification, because I already killed one of my replicas twice... 
> >After new replica server installation, do I need to run ipa-adtrust-install on it? Once initial replication finished, yes, you need to run ipa-adtrust-install. It will set up proper configuration for this host. -- / Alexander Bokovoy From Alexander.Frolushkin at megafon.ru Tue Jun 9 10:33:05 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Tue, 9 Jun 2015 10:33:05 +0000 Subject: [Freeipa-users] IPA and AD trusts In-Reply-To: <20150609101208.GB10162@redhat.com> References: <6634279bcd2e475dadecfcaf5aa61c1b@sib-ums03.Megafon.ru> <20150609101208.GB10162@redhat.com> Message-ID: <8f502c4ddead412ea149e6247b355191@sib-ums03.Megafon.ru> It's a little sad for me, because after that my new replica fails to start after reboot, on smb: Jun 09 15:41:23 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:23.174023, 0] ipa_sam.c:4128(bind_callback_cleanup) Jun 09 15:41:23 nw-rhidm02 smbd[4692]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/nw-rhidm02 at UNIX.MEGAFON.RU Jun 09 15:41:24 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:24.174961, 0] ipa_sam.c:4440(pdb_init_ipasam) Jun 09 15:41:24 nw-rhidm02 smbd[4692]: Failed to get base DN. Jun 09 15:41:24 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:24.175187, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) Jun 09 15:41:24 nw-rhidm02 smbd[4692]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-MEGAFON-RU.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL) Jun 09 15:41:24 nw-rhidm02 systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE Jun 09 15:41:24 nw-rhidm02 systemd[1]: Failed to start Samba SMB Daemon. Jun 09 15:41:24 nw-rhidm02 systemd[1]: Unit smb.service entered failed state. Jun 09 15:41:26 nw-rhidm02 systemd[1]: Stopped Samba SMB Daemon. 
WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 -----Original Message----- From: Alexander Bokovoy [mailto:abokovoy at redhat.com] Sent: Tuesday, June 09, 2015 4:12 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA and AD trusts On Tue, 09 Jun 2015, Alexander Frolushkin wrote: >Hello! >I need some clarification, because I already killed one of my replicas twice... > >After new replica server installation, do I need to run ipa-adtrust-install on it? Once initial replication finished, yes, you need to run ipa-adtrust-install. It will set up proper configuration for this host. -- / Alexander Bokovoy 
From abokovoy at redhat.com Tue Jun 9 10:37:19 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 9 Jun 2015 13:37:19 +0300 Subject: [Freeipa-users] IPA and AD trusts In-Reply-To: <8f502c4ddead412ea149e6247b355191@sib-ums03.Megafon.ru> References: <6634279bcd2e475dadecfcaf5aa61c1b@sib-ums03.Megafon.ru> <20150609101208.GB10162@redhat.com> <8f502c4ddead412ea149e6247b355191@sib-ums03.Megafon.ru> Message-ID: <20150609103719.GA4402@redhat.com> On Tue, 09 Jun 2015, Alexander Frolushkin wrote: >It's a little sad for me, because after that my new replica fails to start after reboot, on smb: > >Jun 09 15:41:23 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:23.174023, 0] ipa_sam.c:4128(bind_callback_cleanup) >Jun 09 15:41:23 nw-rhidm02 smbd[4692]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/nw-rhidm02 at UNIX.MEGAFON.RU ^^ check your hostname, most likely you have broken one. It looks for cifs/nw-rhidm02 at UNIX.MEGAFON.RU and most likely there is a key for cifs/nw-rhidm02.unix.megafon.ru at UNIX.MEGAFON.RU. You cannot mix together fully-qualified and non-qualified hostnames. -- / Alexander Bokovoy From Alexander.Frolushkin at megafon.ru Tue Jun 9 10:41:28 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Tue, 9 Jun 2015 10:41:28 +0000 Subject: [Freeipa-users] IPA and AD trusts In-Reply-To: <20150609103719.GA4402@redhat.com> References: <6634279bcd2e475dadecfcaf5aa61c1b@sib-ums03.Megafon.ru> <20150609101208.GB10162@redhat.com> <8f502c4ddead412ea149e6247b355191@sib-ums03.Megafon.ru> <20150609103719.GA4402@redhat.com> Message-ID: Thank you very much, I really missed this detail. Not a good thing, this is not checked anywhere during replica installation... 
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Tuesday, June 09, 2015 4:37 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA and AD trusts

On Tue, 09 Jun 2015, Alexander Frolushkin wrote:
>It's a little sad for me, because after that my new replica fails to start after reboot, on smb:
>
>Jun 09 15:41:23 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:23.174023, 0] ipa_sam.c:4128(bind_callback_cleanup)
>Jun 09 15:41:23 nw-rhidm02 smbd[4692]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/nw-rhidm02 at UNIX.MEGAFON.RU
^^ check your hostname, most likely you have a broken one. It looks for cifs/nw-rhidm02 at UNIX.MEGAFON.RU and most likely there is a key for cifs/nw-rhidm02.unix.megafon.ru at UNIX.MEGAFON.RU. You cannot mix together fully-qualified and non-qualified hostnames.
--
/ Alexander Bokovoy

From mbasti at redhat.com Tue Jun 9 10:58:34 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 09 Jun 2015 12:58:34 +0200
Subject: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
In-Reply-To: <2f83c314199e03d154abc9b7b572fd4d.squirrel@webmail.nathanpeters.com>
References: <2f83c314199e03d154abc9b7b572fd4d.squirrel@webmail.nathanpeters.com>
Message-ID: <5576C6DA.6000704@redhat.com>

On 08/06/15 20:59, nathan at nathanpeters.com wrote:
> I am trying my best to figure out why any FreeIPA internal
> 'administrators' that I create cannot search DNS entries.
>
> The builtin admin user can search and get results for DNS entries just
> fine, but we would rather not share this account with every sysadmin in
> our staff.
>
> I have created a new role called "Super Admin". On the privileges tab for
> this user, I have added every single privilege in the 'Add' menu. This
> role now has all 29 privileges defined on the system. However, even after
> assigning a user to have this role, and logging out and back in again, he
> cannot search DNS entries. He can see every dns entry if he manually
> pages through them one at a time (we have several thousand so this is not
> workable as you would have to scroll through hundreds of pages). The
> problem is any search always returns zero entries.
>
> I thought maybe something was missing so I created a new privilege called
> "All privileges". I then tried to add each individual permission to this
> privilege. I could only add 76 permissions.
> All other permissions would
> give the following error when I try to add them : "invalid 'permission':
> cannot add permission "System: Read Automount Configuration" with bindtype
> "anonymous" to a privilege"
>
> I can see if I go to the permissions menu that there are actually 174
> possible permissions so to only be able to add 76 of them seems really
> strange.
>
> So my questions are :
> 1) Why can a user with 'all' privileges not search DNS entries?
> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
> 3) Is there anything that can be done to allow a user that is not the
> builtin 'admin' user to search dns entries or actually be allotted all
> permissions on the system?
>
>
Hello,

which version of IPA do you use?

I was able to find all zones with a new user on IPA 4.1.
I just added the 'DNS administrators' privilege for the new user.

Martin

--
Martin Basti

From mbasti at redhat.com Tue Jun 9 11:05:30 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 09 Jun 2015 13:05:30 +0200
Subject: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
In-Reply-To: <5576C6DA.6000704@redhat.com>
References: <2f83c314199e03d154abc9b7b572fd4d.squirrel@webmail.nathanpeters.com> <5576C6DA.6000704@redhat.com>
Message-ID: <5576C87A.1050301@redhat.com>

On 09/06/15 12:58, Martin Basti wrote:
> On 08/06/15 20:59, nathan at nathanpeters.com wrote:
>> I am trying my best to figure out why any FreeIPA internal
>> 'administrators' that I create cannot search DNS entries.
>>
>> The builtin admin user can search and get results for DNS entries just
>> fine, but we would rather not share this account with every sysadmin in
>> our staff.
>>
>> I have created a new role called "Super Admin". On the privileges tab for
>> this user, I have added every single privilege in the 'Add' menu. This
>> role now has all 29 privileges defined on the system.
>> However, even after
>> assigning a user to have this role, and logging out and back in again, he
>> cannot search DNS entries. He can see every dns entry if he manually
>> pages through them one at a time (we have several thousand so this is not
>> workable as you would have to scroll through hundreds of pages). The
>> problem is any search always returns zero entries.
>>
>> I thought maybe something was missing so I created a new privilege called
>> "All privileges". I then tried to add each individual permission to this
>> privilege. I could only add 76 permissions. All other permissions would
>> give the following error when I try to add them : "invalid 'permission':
>> cannot add permission "System: Read Automount Configuration" with bindtype
>> "anonymous" to a privilege"
>>
>> I can see if I go to the permissions menu that there are actually 174
>> possible permissions so to only be able to add 76 of them seems really
>> strange.
>>
>> So my questions are :
>> 1) Why can a user with 'all' privileges not search DNS entries?
>> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
>> 3) Is there anything that can be done to allow a user that is not the
>> builtin 'admin' user to search dns entries or actually be allotted all
>> permissions on the system?
>>
>>
> Hello,
>
> which version of IPA do you use?
>
> I was able to find all zones with a new user on IPA 4.1.
> I just added the 'DNS administrators' privilege for the new user.
>
> Martin
>
I reproduced this issue. IMO it is not related to permissions, but to the search command itself; I will investigate.
--
Martin Basti

From mbasti at redhat.com Tue Jun 9 11:54:20 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 09 Jun 2015 13:54:20 +0200
Subject: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
In-Reply-To: <5576C87A.1050301@redhat.com>
References: <2f83c314199e03d154abc9b7b572fd4d.squirrel@webmail.nathanpeters.com> <5576C6DA.6000704@redhat.com> <5576C87A.1050301@redhat.com>
Message-ID: <5576D3EC.5070808@redhat.com>

On 09/06/15 13:05, Martin Basti wrote:
> On 09/06/15 12:58, Martin Basti wrote:
>> On 08/06/15 20:59, nathan at nathanpeters.com wrote:
>>> I am trying my best to figure out why any FreeIPA internal
>>> 'administrators' that I create cannot search DNS entries.
>>>
>>> The builtin admin user can search and get results for DNS entries just
>>> fine, but we would rather not share this account with every sysadmin in
>>> our staff.
>>>
>>> I have created a new role called "Super Admin". On the privileges tab for
>>> this user, I have added every single privilege in the 'Add' menu. This
>>> role now has all 29 privileges defined on the system. However, even after
>>> assigning a user to have this role, and logging out and back in again, he
>>> cannot search DNS entries. He can see every dns entry if he manually
>>> pages through them one at a time (we have several thousand so this is not
>>> workable as you would have to scroll through hundreds of pages). The
>>> problem is any search always returns zero entries.
>>>
>>> I thought maybe something was missing so I created a new privilege called
>>> "All privileges". I then tried to add each individual permission to this
>>> privilege. I could only add 76 permissions.
>>> All other permissions would
>>> give the following error when I try to add them : "invalid 'permission':
>>> cannot add permission "System: Read Automount Configuration" with bindtype
>>> "anonymous" to a privilege"
>>>
>>> I can see if I go to the permissions menu that there are actually 174
>>> possible permissions so to only be able to add 76 of them seems really
>>> strange.
>>>
>>> So my questions are :
>>> 1) Why can a user with 'all' privileges not search DNS entries?
>>> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
>>> 3) Is there anything that can be done to allow a user that is not the
>>> builtin 'admin' user to search dns entries or actually be allotted all
>>> permissions on the system?
>>>
>>>
>> Hello,
>>
>> which version of IPA do you use?
>>
>> I was able to find all zones with a new user on IPA 4.1.
>> I just added the 'DNS administrators' privilege for the new user.
>>
>> Martin
>>
>
> I reproduced this issue. IMO it is not related to permissions, but to the
> search command itself; I will investigate.
>
Indeed you were right, there is a wrong filter, which is denied by ACI.

Thank you for this bug report.

--
Martin Basti

From pspacek at redhat.com Tue Jun 9 13:37:23 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 09 Jun 2015 15:37:23 +0200
Subject: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
In-Reply-To: <5576D3EC.5070808@redhat.com>
References: <2f83c314199e03d154abc9b7b572fd4d.squirrel@webmail.nathanpeters.com> <5576C6DA.6000704@redhat.com> <5576C87A.1050301@redhat.com> <5576D3EC.5070808@redhat.com>
Message-ID: <5576EC13.4060803@redhat.com>

On 9.6.2015 13:54, Martin Basti wrote:
> On 09/06/15 13:05, Martin Basti wrote:
>> On 09/06/15 12:58, Martin Basti wrote:
>>> On 08/06/15 20:59, nathan at nathanpeters.com wrote:
>>>> I am trying my best to figure out why any FreeIPA internal
>>>> 'administrators' that I create cannot search DNS entries.
>>>>
>>>> The builtin admin user can search and get results for DNS entries just
>>>> fine, but we would rather not share this account with every sysadmin in
>>>> our staff.
>>>>
>>>> I have created a new role called "Super Admin". On the privileges tab for
>>>> this user, I have added every single privilege in the 'Add' menu. This
>>>> role now has all 29 privileges defined on the system. However, even after
>>>> assigning a user to have this role, and logging out and back in again, he
>>>> cannot search DNS entries. He can see every dns entry if he manually
>>>> pages through them one at a time (we have several thousand so this is not
>>>> workable as you would have to scroll through hundreds of pages). The
>>>> problem is any search always returns zero entries.
>>>>
>>>> I thought maybe something was missing so I created a new privilege called
>>>> "All privileges". I then tried to add each individual permission to this
>>>> privilege. I could only add 76 permissions. All other permissions would
>>>> give the following error when I try to add them : "invalid 'permission':
>>>> cannot add permission "System: Read Automount Configuration" with bindtype
>>>> "anonymous" to a privilege"
>>>>
>>>> I can see if I go to the permissions menu that there are actually 174
>>>> possible permissions so to only be able to add 76 of them seems really
>>>> strange.
>>>>
>>>> So my questions are :
>>>> 1) Why can a user with 'all' privileges not search DNS entries?
>>>> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
>>>> 3) Is there anything that can be done to allow a user that is not the
>>>> builtin 'admin' user to search dns entries or actually be allotted all
>>>> permissions on the system?
>>>>
>>>>
>>> Hello,
>>>
>>> which version of IPA do you use?
>>>
>>> I was able to find all zones with a new user on IPA 4.1.
>>> I just added the 'DNS administrators' privilege for the new user.
>>>
>>> Martin
>>>
>>
>> I reproduced this issue. IMO it is not related to permissions, but to the search
>> command itself; I will investigate.
>>
> Indeed you were right, there is a wrong filter, which is denied by ACI.
>
> Thank you for this bug report.

Ticket: https://fedorahosted.org/freeipa/ticket/5055

--
Petr^2 Spacek

From rcritten at redhat.com Tue Jun 9 13:50:57 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Jun 2015 09:50:57 -0400
Subject: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)
In-Reply-To: <5576B2A3.2070909@lyra-network.com>
References: <5550C748.3090903@lyra-network.com> <20150512160952.GA23769@redhat.com> <55522CB1.2090805@lyra-network.com> <20150512181142.GB23769@redhat.com> <5553083E.3050203@lyra-network.com> <555AFA44.70601@lyra-network.com> <55720467.2020700@redhat.com> <5576B2A3.2070909@lyra-network.com>
Message-ID: <5576EF41.8070208@redhat.com>

Thibaut Pouzet wrote:
> On 05/06/2015 22:19, Endi Sukma Dewata wrote:
>> Is this still a problem? Per discussion with Rob it doesn't seem to be
>> an issue with Dogtag itself.
>>
>> I suppose you are following this instruction:
>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>
>> Could you post the full getcert list output? Also after you reset the
>> clock back and try the renewal again could you post the error messages
>> that you get?
>>
>> Hopefully the IPA team will be able to troubleshoot further. Thanks.
>>
>
> Hi Endi,
>
> Indeed, this is still a problem for this server. I did not have any new
> idea on how to troubleshoot this issue unfortunately... Here is what you
> asked :
>
> With ntp running, date is now :
>
> $ sudo getcert list -c dogtag-ipa-renew-agent

Thanks for including the full output. Are you restarting IPA when setting the date back? If not, you need to.
rob

From thibaut.pouzet at lyra-network.com Tue Jun 9 14:28:05 2015
From: thibaut.pouzet at lyra-network.com (Thibaut Pouzet)
Date: Tue, 09 Jun 2015 16:28:05 +0200
Subject: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)
In-Reply-To: <5576EF41.8070208@redhat.com>
References: <5550C748.3090903@lyra-network.com> <20150512160952.GA23769@redhat.com> <55522CB1.2090805@lyra-network.com> <20150512181142.GB23769@redhat.com> <5553083E.3050203@lyra-network.com> <555AFA44.70601@lyra-network.com> <55720467.2020700@redhat.com> <5576B2A3.2070909@lyra-network.com> <5576EF41.8070208@redhat.com>
Message-ID: <5576F7F5.4030209@lyra-network.com>

On 09/06/2015 15:50, Rob Crittenden wrote:
> Thibaut Pouzet wrote:
>> On 05/06/2015 22:19, Endi Sukma Dewata wrote:
>>> Is this still a problem? Per discussion with Rob it doesn't seem to be
>>> an issue with Dogtag itself.
>>>
>>> I suppose you are following this instruction:
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>
>>> Could you post the full getcert list output? Also after you reset the
>>> clock back and try the renewal again could you post the error messages
>>> that you get?
>>>
>>> Hopefully the IPA team will be able to troubleshoot further. Thanks.
>>>
>>
>> Hi Endi,
>>
>> Indeed, this is still a problem for this server. I did not have any new
>> idea on how to troubleshoot this issue unfortunately... Here is what you
>> asked :
>>
>> With ntp running, date is now :
>>
>> $ sudo getcert list -c dogtag-ipa-renew-agent
>
> Thanks for including the full output. Are you restarting IPA when
> setting the date back? If not, you need to.
>
> rob

Hi,

Restarting IPA or not does not change anything: no logs, same error in getcert list.

Cheers,
--
Thibaut Pouzet
Lyra Network
Systems and Networks Engineer
(+33) 5 31 22 40 08
www.lyra-network.com

From mohammadsereshki at yahoo.com Tue Jun 9 15:11:22 2015
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Tue, 9 Jun 2015 15:11:22 +0000 (UTC)
Subject: [Freeipa-users] add suse 11 sp3 to ipa
In-Reply-To: <20150609142117.GH26062@redhat.com>
References: <20150609142117.GH26062@redhat.com>
Message-ID: <1258707210.9754851.1433862682762.JavaMail.yahoo@mail.yahoo.com>

Hi,
Would you please let me know: is it possible to add SUSE 11 SP3 to IPA? And how is it possible?
Regards

From rcritten at redhat.com Tue Jun 9 17:59:38 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Jun 2015 13:59:38 -0400
Subject: [Freeipa-users] add suse 11 sp3 to ipa
In-Reply-To: <1258707210.9754851.1433862682762.JavaMail.yahoo@mail.yahoo.com>
References: <20150609142117.GH26062@redhat.com> <1258707210.9754851.1433862682762.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <5577298A.4050305@redhat.com>

mohammad sereshki wrote:
> Hi,
> Would you please let me know: is it possible to add SUSE 11 SP3 to IPA?
> And how is it possible?
> Regards

I'm not sure if any version of SUSE has ipa-client or freeipa-client, but I know that 12+ has sssd. If 11 also has sssd then you can configure that part using this:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html

Note that a bunch of the steps don't really apply to you, like getting a host cert. Oddly enough, the docs don't include setting up krb5.conf, but you can get the gist of that from an ipa-client enrolled client.

If you don't have sssd then you'll need to go the nss_ldap route.
rob

From mkosek at redhat.com Wed Jun 10 07:22:03 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Jun 2015 09:22:03 +0200
Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
In-Reply-To:
References:
Message-ID: <5577E59B.9010001@redhat.com>

On 06/08/2015 06:44 PM, Christopher Lamb wrote:
>
> Hi All
>
> we are interested to know if anybody has succeeded (or for that matter
> failed) in using FreeIPA to provide user authentication for Atlassian
> products such as JIRA or Confluence?
>
> Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
> supported, so I guess that should set our expectations .....
>
> If anyone has succeeded, then of course any tips on how best to do so would
> be fantastic!

I saw a reply in the threads, so it should be covered.

BTW, please add +1s to respective Jira tickets to add proper FreeIPA support. It would be really cool if Jira would know FreeIPA out of the box and could connect to it natively!

From sjuhasz at chemaxon.com Wed Jun 10 07:47:46 2015
From: sjuhasz at chemaxon.com (Sandor Juhasz)
Date: Wed, 10 Jun 2015 09:47:46 +0200 (CEST)
Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
In-Reply-To: <5577E59B.9010001@redhat.com>
References: <5577E59B.9010001@redhat.com>
Message-ID: <822135548.25230.1433922466863.JavaMail.zimbra@chemaxon.com>

Hi,

here are our working configurations. Might be useful.
We use compat tree for auth.
We use user in group matching.
We use group filter for login authorization.
We use FedoraDS as ldap connector on JIRA's side.
We don't use pw change or user create in IPA from JIRA side.
Watch out not to have matching local users/groups or you will suffer bigtime.
Initially it was setup not to use ldap groups, but was changed afterwards by creating all new groups in ldap for this purpose and re-adding the users.
We use ldap service user for binding - https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA.
Attributes:
"autoAddGroups": ""
"com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
"com.atlassian.crowd.directory.sync.issynchronising": "false"
"com.atlassian.crowd.directory.sync.lastdurationms": "373"
"com.atlassian.crowd.directory.sync.laststartsynctime": "1433920165776"
"crowd.sync.incremental.enabled": "false"
"directory.cache.synchronise.interval": "3600"
"ldap.basedn": "dc="
"ldap.connection.timeout": "0"
"ldap.external.id": ""
"ldap.group.description": "description"
"ldap.group.dn": "cn=groups,cn=compat"
"ldap.group.filter": "(&(objectClass=posixgroup)(|(cn=)(cn=)(cn=)))"
"ldap.group.name": "cn"
"ldap.group.objectclass": "groupOfUniqueNames"
"ldap.group.usernames": "memberUid"
"ldap.local.groups": "false"
"ldap.nestedgroups.disabled": "true"
"ldap.pagedresults": "false"
"ldap.pagedresults.size": "1000"
"ldap.password": ********
"ldap.pool.initsize": "null"
"ldap.pool.maxsize": "null"
"ldap.pool.prefsize": "null"
"ldap.pool.timeout": "0"
"ldap.propogate.changes": "false"
"ldap.read.timeout": "120000"
"ldap.referral": "false"
"ldap.relaxed.dn.standardisation": "true"
"ldap.roles.disabled": "true"
"ldap.search.timelimit": "60000"
"ldap.secure": "false"
"ldap.url": "ldap://"
"ldap.user.displayname": "cn"
"ldap.user.dn": "cn=users,cn=accounts"
"ldap.user.email": "mail"
"ldap.user.encryption": "sha"
"ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))"
"ldap.user.firstname": "givenName"
"ldap.user.group": "memberOf"
"ldap.user.lastname": "sn"
"ldap.user.objectclass": "person"
"ldap.user.password": "userPassword"
"ldap.user.username": "uid"
"ldap.user.username.rdn": ""
"ldap.userdn": "uid=,cn=sysaccounts,cn=etc,dc="
"ldap.usermembership.use": "false"
"ldap.usermembership.use.for.groups": "false"
"localUserStatusEnabled": "false"

Sándor Juhász
System Administrator
ChemAxon Ltd.
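A review of the posted attribute set against the FreeIPA setup it describes (compat tree, sysaccount bind, read-only connector, group-scoped logins), added here as an example and not code from the thread, Atlassian or FreeIPA. The config dict mirrors the posted attributes with their redacted placeholders kept as posted; `ipa.example.test` is a placeholder server name and the severities are the reviewer's own.

```python
"""Lint a JIRA/Crowd LDAP directory configuration pointed at FreeIPA.

Added example for the attribute list posted above; it is not Atlassian or
FreeIPA code. PAGE_CONFIG mirrors the posted attributes (the redacted
placeholders such as "dc=" are kept as posted) and lint_jira_ldap() reports
the settings a reviewer would question before the connector handles real
passwords: transport security, the bind identity, write-back, login scoping
and the group definition.
"""
from dataclasses import dataclass
from typing import Dict, List

PAGE_CONFIG: Dict[str, str] = {
    "ldap.url": "ldap://",
    "ldap.secure": "false",
    "ldap.basedn": "dc=",
    "ldap.userdn": "uid=,cn=sysaccounts,cn=etc,dc=",
    "ldap.user.dn": "cn=users,cn=accounts",
    "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))",
    "ldap.group.dn": "cn=groups,cn=compat",
    "ldap.group.filter": "(&(objectClass=posixgroup)(|(cn=)(cn=)(cn=)))",
    "ldap.group.objectclass": "groupOfUniqueNames",
    "ldap.group.usernames": "memberUid",
    "ldap.propogate.changes": "false",
    "ldap.referral": "false",
}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    key: str
    message: str


def _flag(cfg: Dict[str, str], key: str, default: str = "false") -> bool:
    return cfg.get(key, default).strip().lower() == "true"


def lint_jira_ldap(cfg: Dict[str, str]) -> List[Finding]:
    """Return the findings for one directory configuration."""
    findings: List[Finding] = []

    # JIRA authenticates a user with a simple bind using that user's own
    # password, so without TLS the service account password and every login
    # cross the network in clear.
    if not _flag(cfg, "ldap.secure") or not cfg.get("ldap.url", "").startswith("ldaps://"):
        findings.append(Finding("high", "ldap.secure",
            "plain ldap:// transport: bind and user passwords are sent unencrypted; "
            "use ldaps://<ipa-server>:636 with ldap.secure=true and the IPA CA in "
            "JIRA's truststore"))

    # The bind identity should be a dedicated system account, not a person or admin.
    if "cn=sysaccounts,cn=etc" not in cfg.get("ldap.userdn", "").lower():
        findings.append(Finding("medium", "ldap.userdn",
            "bind DN is not a system account under cn=sysaccounts,cn=etc; "
            "a personal or admin account gives JIRA more rights than it needs"))

    # Write-back lets JIRA create users or change passwords in IPA.
    if _flag(cfg, "ldap.propogate.changes"):
        findings.append(Finding("medium", "ldap.propogate.changes",
            "JIRA may write users and passwords back into IPA; keep the connector read-only"))

    # Without a group clause every posixAccount in IPA can log in to JIRA.
    if "memberof=" not in cfg.get("ldap.user.filter", "").lower():
        findings.append(Finding("medium", "ldap.user.filter",
            "user filter does not restrict logins to a group; every IPA account could log in"))

    # Compat-tree groups are posixGroup entries with memberUid; the posted config
    # filters on posixGroup but declares groupOfUniqueNames, which is inconsistent.
    if ("posixgroup" in cfg.get("ldap.group.filter", "").lower()
            and cfg.get("ldap.group.objectclass", "").lower() != "posixgroup"):
        findings.append(Finding("info", "ldap.group.objectclass",
            f"group filter selects posixGroup entries but ldap.group.objectclass is "
            f"{cfg.get('ldap.group.objectclass')}; set it to posixGroup to match memberUid"))
    return findings


def harden(cfg: Dict[str, str], ipa_host: str) -> Dict[str, str]:
    """Copy of cfg with the transport fixed; ipa_host is the caller's server name."""
    fixed = dict(cfg)
    fixed["ldap.url"] = f"ldaps://{ipa_host}:636"
    fixed["ldap.secure"] = "true"
    return fixed


if __name__ == "__main__":
    for label, cfg in (("as posted", PAGE_CONFIG),
                       ("hardened", harden(PAGE_CONFIG, "ipa.example.test"))):
        print(f"[{label}]")
        for f in lint_jira_ldap(cfg) or [Finding("info", "-", "no findings")]:
            print(f"  {f.severity:6} {f.key}: {f.message}")
```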
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

From: "Martin Kosek"
To: "Christopher Lamb" , freeipa-users at redhat.com
Sent: Wednesday, June 10, 2015 9:22:03 AM
Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA

On 06/08/2015 06:44 PM, Christopher Lamb wrote:
>
> Hi All
>
> we are interested to know if anybody has succeeded (or for that matter
> failed) in using FreeIPA to provide user authentication for Atlassian
> products such as JIRA or Confluence?
>
> Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
> supported, so I guess that should set our expectations .....
>
> If anyone has succeeded, then of course any tips on how best to do so would
> be fantastic!

I saw a reply in the threads, so it should be covered.

BTW, please add +1s to respective Jira tickets to add proper FreeIPA support. It would be really cool if Jira would know FreeIPA out of the box and could connect to it natively!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From brian.topping at gmail.com Wed Jun 10 09:29:04 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Wed, 10 Jun 2015 02:29:04 -0700
Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
In-Reply-To: <822135548.25230.1433922466863.JavaMail.zimbra@chemaxon.com>
References: <5577E59B.9010001@redhat.com> <822135548.25230.1433922466863.JavaMail.zimbra@chemaxon.com>
Message-ID: <9BF9C8C4-B066-44C5-A5E5-9FFE56FC99B9@gmail.com>

FYI, that mirrors my configuration. Not sure if this was covered previously, but for my setup, only JIRA connects to IPA. All the other Atlassian products contact JIRA for their information.

Cheers, Brian

> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz wrote:
>
> Hi,
>
> here are our working configurations.
> Might be useful.
> We use compat tree for auth.
> We use user in group matching.
> We use group filter for login authorization.
> We use FedoraDS as ldap connector on JIRA's side.
> We don't use pw change or user create in IPA from JIRA side.
> Watch out not to have matching local users/groups or you will suffer bigtime.
> Initially it was setup not to use ldap groups, but was changed afterwards by
> creating all new groups in ldap for this purpose and re-adding the users.
> We use ldap service user for binding - https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA.
>
> Attributes:
> "autoAddGroups": ""
> "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
> "com.atlassian.crowd.directory.sync.issynchronising": "false"
> "com.atlassian.crowd.directory.sync.lastdurationms": "373"
> "com.atlassian.crowd.directory.sync.laststartsynctime": "1433920165776"
> "crowd.sync.incremental.enabled": "false"
> "directory.cache.synchronise.interval": "3600"
> "ldap.basedn": "dc="
> "ldap.connection.timeout": "0"
> "ldap.external.id": ""
> "ldap.group.description": "description"
> "ldap.group.dn": "cn=groups,cn=compat"
> "ldap.group.filter": "(&(objectClass=posixgroup)(|(cn=)(cn=)(cn=)))"
> "ldap.group.name": "cn"
> "ldap.group.objectclass": "groupOfUniqueNames"
> "ldap.group.usernames": "memberUid"
> "ldap.local.groups": "false"
> "ldap.nestedgroups.disabled": "true"
> "ldap.pagedresults": "false"
> "ldap.pagedresults.size": "1000"
> "ldap.password": ********
> "ldap.pool.initsize": "null"
> "ldap.pool.maxsize": "null"
> "ldap.pool.prefsize": "null"
> "ldap.pool.timeout": "0"
> "ldap.propogate.changes": "false"
> "ldap.read.timeout": "120000"
> "ldap.referral": "false"
> "ldap.relaxed.dn.standardisation": "true"
> "ldap.roles.disabled": "true"
> "ldap.search.timelimit": "60000"
> "ldap.secure": "false"
> "ldap.url": "ldap://"
> "ldap.user.displayname": "cn"
> "ldap.user.dn": "cn=users,cn=accounts"
> "ldap.user.email": "mail"
> "ldap.user.encryption": "sha"
> "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))"
> "ldap.user.firstname": "givenName"
> "ldap.user.group": "memberOf"
> "ldap.user.lastname": "sn"
> "ldap.user.objectclass": "person"
> "ldap.user.password": "userPassword"
> "ldap.user.username": "uid"
> "ldap.user.username.rdn": ""
> "ldap.userdn": "uid=,cn=sysaccounts,cn=etc,dc="
> "ldap.usermembership.use": "false"
> "ldap.usermembership.use.for.groups": "false"
> "localUserStatusEnabled": "false"
>
> Sándor Juhász
> System Administrator
> ChemAxon Ltd.
> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> Cell: +36704258964
>
> From: "Martin Kosek"
> To: "Christopher Lamb" , freeipa-users at redhat.com
> Sent: Wednesday, June 10, 2015 9:22:03 AM
> Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
>
> On 06/08/2015 06:44 PM, Christopher Lamb wrote:
> >
> > Hi All
> >
> > we are interested to know if anybody has succeeded (or for that matter
> > failed) in using FreeIPA to provide user authentication for Atlassian
> > products such as JIRA or Confluence?
> >
> > Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
> > supported, so I guess that should set our expectations .....
> >
> > If anyone has succeeded, then of course any tips on how best to do so would
> > be fantastic!
>
> I saw a reply in the threads, so it should be covered.
>
> BTW, please add +1s to respective Jira tickets to add proper FreeIPA support.
> It would be really cool if Jira would know FreeIPA out of the box and could
> connect to it natively!
From mkosek at redhat.com Wed Jun 10 10:11:50 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Jun 2015 12:11:50 +0200
Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
In-Reply-To: <9BF9C8C4-B066-44C5-A5E5-9FFE56FC99B9@gmail.com>
References: <5577E59B.9010001@redhat.com> <822135548.25230.1433922466863.JavaMail.zimbra@chemaxon.com> <9BF9C8C4-B066-44C5-A5E5-9FFE56FC99B9@gmail.com>
Message-ID: <55780D66.1070701@redhat.com>

Cool, I am glad you made this work.

BTW, would any of you mind volunteering and helping the FreeIPA community with contributing a HOWTO article on "how to configure FreeIPA and Jira"? It is still missing in the FreeIPA.org wiki. All we have right now is the link to this discussion, that Petr Spacek added to
http://www.freeipa.org/page/HowTos#Web_Services

It would be really nice to also have a real page that others can follow and use.

Thank you!
Martin

On 06/10/2015 11:29 AM, Brian Topping wrote:
> FYI, that mirrors my configuration. Not sure if this was covered previously, but for my setup, only JIRA connects to IPA. All the other Atlassian products contact JIRA for their information.
>
> Cheers, Brian
>
>> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz wrote:
>>
>> Hi,
>>
>> here are our working configurations. Might be useful.
>> We use compat tree for auth.
>> We use user in group matching.
>> We use group filter for login authorization.
>> We use FedoraDS as ldap connector on JIRA's side.
>> We don't use pw change or user create in IPA from JIRA side.
>> Watch out not to have matching local users/groups or you will suffer bigtime.
>> Initially it was setup not to use ldap groups, but was changed afterwards by
>> creating all new groups in ldap for this purpose and re-adding the users.
>> We use ldap service user for binding - https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA.
>>
>> Attributes:
>> "autoAddGroups": ""
>> "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
>> "com.atlassian.crowd.directory.sync.issynchronising": "false"
>> "com.atlassian.crowd.directory.sync.lastdurationms": "373"
>> "com.atlassian.crowd.directory.sync.laststartsynctime": "1433920165776"
>> "crowd.sync.incremental.enabled": "false"
>> "directory.cache.synchronise.interval": "3600"
>> "ldap.basedn": "dc="
>> "ldap.connection.timeout": "0"
>> "ldap.external.id": ""
>> "ldap.group.description": "description"
>> "ldap.group.dn": "cn=groups,cn=compat"
>> "ldap.group.filter": "(&(objectClass=posixgroup)(|(cn=)(cn=)(cn=)))"
>> "ldap.group.name": "cn"
>> "ldap.group.objectclass": "groupOfUniqueNames"
>> "ldap.group.usernames": "memberUid"
>> "ldap.local.groups": "false"
>> "ldap.nestedgroups.disabled": "true"
>> "ldap.pagedresults": "false"
>> "ldap.pagedresults.size": "1000"
>> "ldap.password": ********
>> "ldap.pool.initsize": "null"
>> "ldap.pool.maxsize": "null"
>> "ldap.pool.prefsize": "null"
>> "ldap.pool.timeout": "0"
>> "ldap.propogate.changes": "false"
>> "ldap.read.timeout": "120000"
>> "ldap.referral": "false"
>> "ldap.relaxed.dn.standardisation": "true"
>> "ldap.roles.disabled": "true"
>> "ldap.search.timelimit": "60000"
>> "ldap.secure": "false"
>> "ldap.url": "ldap://"
>> "ldap.user.displayname": "cn"
>> "ldap.user.dn": "cn=users,cn=accounts"
>> "ldap.user.email": "mail"
>> "ldap.user.encryption": "sha"
>> "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))"
>> "ldap.user.firstname": "givenName"
>> "ldap.user.group": "memberOf"
>> "ldap.user.lastname": "sn"
>> "ldap.user.objectclass": "person"
>> "ldap.user.password": "userPassword"
>> "ldap.user.username": "uid"
>> "ldap.user.username.rdn": ""
>> "ldap.userdn": "uid=,cn=sysaccounts,cn=etc,dc="
>> "ldap.usermembership.use": "false"
>> "ldap.usermembership.use.for.groups": "false"
>> "localUserStatusEnabled": "false"
>>
>> Sándor Juhász
>> System Administrator
>> ChemAxon Ltd.
>> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
>> Cell: +36704258964
>>
>> From: "Martin Kosek"
>> To: "Christopher Lamb" , freeipa-users at redhat.com
>> Sent: Wednesday, June 10, 2015 9:22:03 AM
>> Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
>>
>> On 06/08/2015 06:44 PM, Christopher Lamb wrote:
>>>
>>> Hi All
>>>
>>> we are interested to know if anybody has succeeded (or for that matter
>>> failed) in using FreeIPA to provide user authentication for Atlassian
>>> products such as JIRA or Confluence?
>>>
>>> Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
>>> supported, so I guess that should set our expectations .....
>>>
>>> If anyone has succeeded, then of course any tips on how best to do so would
>>> be fantastic!
>>
>> I saw a reply in the threads, so it should be covered.
>>
>> BTW, please add +1s to respective Jira tickets to add proper FreeIPA support.
>> It would be really cool if Jira would know FreeIPA out of the box and could
>> connect to it natively!
>> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > > From Alexander.Frolushkin at megafon.ru Wed Jun 10 10:18:28 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Wed, 10 Jun 2015 10:18:28 +0000 Subject: [Freeipa-users] RHEL 5.11 as IPA client Message-ID: <2da1614c2fa3479c86e433edeff31f52@sib-ums03.Megafon.ru> Hello. We cannot login to our IPA enrolled RHEL 5.11 host using any IPA (4.1) native or AD trusted users. Seems like it fails on connection to server. SSSD logs attached. Additionally, is it ever possible now to use AD trusted users to ssh RHEL 5 servers? Logs and sssd config attached. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. 
If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: sssd.conf Type: application/octet-stream Size: 365 bytes Desc: sssd.conf URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: sssd_default.log Type: application/octet-stream Size: 89838 bytes Desc: sssd_default.log URL: From abokovoy at redhat.com Wed Jun 10 10:29:44 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 10 Jun 2015 13:29:44 +0300 Subject: [Freeipa-users] RHEL 5.11 as IPA client In-Reply-To: <2da1614c2fa3479c86e433edeff31f52@sib-ums03.Megafon.ru> References: <2da1614c2fa3479c86e433edeff31f52@sib-ums03.Megafon.ru> Message-ID: <20150610102944.GN4402@redhat.com> On Wed, 10 Jun 2015, Alexander Frolushkin wrote: >Hello. >We cannot login to our IPA enrolled RHEL 5.11 host using any IPA (4.1) native or AD trusted users. >Seems like it fails on connection to server. SSSD logs attached. >Additionally, is it ever possible now to use AD trusted users to ssh RHEL 5 servers? >Logs and sssd config attached. RHEL5 uses OpenSSL crypto library which doesn't support TLS 1.1+ which is required by default by IPA 4.1. 
Your potential fix would be to allow tls1.0 use at the server side but you need to know what this leads to: https://access.redhat.com/articles/1294573

You seem to have issues on RHEL5 with TLS1.0+ configuration which is in use by the LDAP server:

(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x15b01590], connected[1], ops[0x15b01e40], ldap[0x15b019d0]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_connect_done] (3): START TLS result: Success(0), Start TLS request accepted.Server willing to negotiate SSL.
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_connect_done] (3): ldap_install_tls failed: [Connect error] [Start TLS request accepted.Server willing to negotiate SSL.]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_handle_release] (8): Trace: sh[0x15b01590], connected[1], ops[(nil)], ldap[0x15b019d0], destructor_lock[0], release_memory[0]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [remove_connection_callback] (9): Successfully removed connection callback.
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [fo_set_port_status] (4): Marking port 389 of server 'sib-rhidm01.unix.megafon.ru' as 'not working'
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, ) [Internal Error (System error)]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback] (4): Sending result [4][default]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback] (4): Sent result [4][default]
(Wed Jun 10 17:05:22 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 15AF0830
(Wed Jun 10 17:05:22 2015) [sssd[be[default]]] [sbus_dispatch] (9): Dispatching.

--
/ Alexander Bokovoy

From bob at jackland.demon.co.uk Wed Jun 10 10:33:02 2015
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Wed, 10 Jun 2015 11:33:02 +0100
Subject: [Freeipa-users] ssh known hosts gets recreated on client
Message-ID: <5578125E.4040001@jackland.demon.co.uk>

Hello,

If I uninstall the ipa client with "ipa-client-install --uninstall" then reinstall it to the same ipa master then most functions work fine. However, if I attempt to ssh from the client to the master then I get.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
Please contact your system administrator.
Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this message.
Offending key in /var/lib/sss/pubconf/known_hosts:1
RSA host key for ipa004.jackland.co.uk has changed and you have requested strict checking.
Host key verification failed.

I've tried stopping the sssd service on the client, removing /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting sssd, but /var/lib/sss/pubconf just gets recreated with the old contents and I get the same error (it seems odd that it's reporting that the host key of the master has changed when it's the client that has been reinstalled). How do I clear-out the client's knowledge of the old host keys?
In this case I'm using ipa-client v3.0.0 on RHEL6.6

Thanks

Bob

From Alexander.Frolushkin at megafon.ru Wed Jun 10 10:35:48 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 10 Jun 2015 10:35:48 +0000
Subject: [Freeipa-users] RHEL 5.11 as IPA client
In-Reply-To: <20150610102944.GN4402@redhat.com>
References: <2da1614c2fa3479c86e433edeff31f52@sib-ums03.Megafon.ru> <20150610102944.GN4402@redhat.com>
Message-ID: <27a7164ee5e244988ce360234d27d34c@sib-ums03.Megafon.ru>

This is not good at all... Firstly old sssd, now crypto issues...
Can you also say, will HBAC and SUDO in IPA work for trusted AD users on RHEL 5 servers if we will enable vulnerable tls?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Wednesday, June 10, 2015 4:30 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL 5.11 as IPA client

[...]

From abokovoy at redhat.com Wed Jun 10 10:46:12 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 10 Jun 2015 13:46:12 +0300
Subject: [Freeipa-users] RHEL 5.11 as IPA client
In-Reply-To: <27a7164ee5e244988ce360234d27d34c@sib-ums03.Megafon.ru>
References: <2da1614c2fa3479c86e433edeff31f52@sib-ums03.Megafon.ru> <20150610102944.GN4402@redhat.com> <27a7164ee5e244988ce360234d27d34c@sib-ums03.Megafon.ru>
Message-ID: <20150610104612.GO4402@redhat.com>

On Wed, 10 Jun 2015, Alexander Frolushkin wrote:
>This is not good at all... Firstly old sssd, now crypto issues...
>Can you also say, will HBAC and SUDO in IPA work for trusted AD users
>on RHEL 5 servers if we will enable vulnerable tls?
SSSD on RHEL 5 does not support SUDO natively, look at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/configuring-rhel5.html

SSSD on RHEL 5 does not support HBAC rules when configured against compat tree.
https://www.redhat.com/archives/freeipa-users/2015-April/msg00523.html

--
/ Alexander Bokovoy

From Alexander.Frolushkin at megafon.ru Wed Jun 10 11:00:22 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 10 Jun 2015 11:00:22 +0000
Subject: [Freeipa-users] RHEL 5.11 as IPA client
In-Reply-To: <20150610104612.GO4402@redhat.com>
References: <2da1614c2fa3479c86e433edeff31f52@sib-ums03.Megafon.ru> <20150610102944.GN4402@redhat.com> <27a7164ee5e244988ce360234d27d34c@sib-ums03.Megafon.ru> <20150610104612.GO4402@redhat.com>
Message-ID: <651e503fb8c74d6cb5528306c491b4c1@sib-ums03.Megafon.ru>

Okay, the situation has now become completely clear, thank you!

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Wednesday, June 10, 2015 4:46 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL 5.11 as IPA client

[...]

From christopher.lamb at ch.ibm.com Wed Jun 10 11:55:15 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Wed, 10 Jun 2015 13:55:15 +0200
Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
In-Reply-To: <55780D66.1070701@redhat.com>
References: <5577E59B.9010001@redhat.com> <822135548.25230.1433922466863.JavaMail.zimbra@chemaxon.com> <9BF9C8C4-B066-44C5-A5E5-9FFE56FC99B9@gmail.com> <55780D66.1070701@redhat.com>
Message-ID:

Hi All

Thanks to Brian and Sandor for their input so far - this gives me another approach to try.

From my side this is a work-in-progress report: we have got something working, but are not quite happy with it.

Stepping back a bit: I suspect there are a number of integration approaches that may (or may not) work. Atlassian offer several default ldap configurations inc. the FedoraDS mentioned by Sandor. Probably several of these can be massaged / bullied to work with FreeIPA with varying degrees of effort / pain.
There seem also to be several possible integration use-cases, ranging from full bidirectional replication of ldap users and groups down to simple "read-only" authentication only.

In our case we want to take a simple approach: in fact we have tried 2 methods so far.

1) We first tried a one-way replication of FreeIPA users and groups to JIRA, as described here:
https://confluence.atlassian.com/display/JIRA/Connecting+to+an+LDAP+Directory

We used the "A generic LDAP directory server" standard config with some values changed for the FreeIPA equivalents. While we were successfully able to connect from JIRA to FreeIPA, and users replicated across, groups did not - it failed at the point of group membership. Also the users could not login (but that is maybe because - from a JIRA point of view - the users had no groups). We did not spend long on this approach, so it is possible that with a little more tweaking we could get it to work.

2) We next tried an even simpler approach - using LDAP only for authentication.
https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

Under this approach, when a user first tries to logon to JIRA the user is authenticated and replicated to JIRA. Groups remain local to the JIRA directory (although a default group e.g. jira-users can be setup.) This approach is suitable when only a subset of LDAP users need JIRA access. Being one-way there should be no danger of JIRA screwing the LDAP.

While we can successfully authenticate FreeIPA users (and thus login and work in JIRA) with this approach, so far we have not been able to get the email address to replicate from FreeIPA to JIRA (and without working email notifications JIRA is rendered as useful as a chocolate teapot).

We will continue experimenting (we now have a suggested config from Sandor below as a further variant). Once we get something satisfactory working I would be pleased to contribute to a wiki-page on the topic.

Cheers

Chris

From: Martin Kosek
To: Brian Topping , Sandor Juhasz
Cc: freeipa-users at redhat.com
Date: 10.06.2015 12:13
Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Sent by: freeipa-users-bounces at redhat.com

Cool, I am glad you made this working.

BTW, would any of you mind volunteering and helping the FreeIPA community with contributing a HOWTO article on "how to configure FreeIPA and Jira"? It is still missing in FreeIPA.org wiki. All we have right now is the link to this discussion, that Petr Spacek added to http://www.freeipa.org/page/HowTos#Web_Services

It would be really nice to also have a real page that others can follow and use.

Thank you!
Martin

On 06/10/2015 11:29 AM, Brian Topping wrote:
> FYI, that mirrors my configuration. Not sure if this was covered previously, but for my setup, only JIRA connects to IPA. All the other Atlassian products contact JIRA for their information.
>
> Cheers, Brian
>
>> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz wrote:
>>
>> [...]

From sjuhasz at chemaxon.com Wed Jun 10 12:19:09 2015
From: sjuhasz at chemaxon.com (Sandor Juhasz)
Date: Wed, 10 Jun 2015 14:19:09 +0200 (CEST)
Subject: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
In-Reply-To:
References: <5577E59B.9010001@redhat.com> <822135548.25230.1433922466863.JavaMail.zimbra@chemaxon.com> <9BF9C8C4-B066-44C5-A5E5-9FFE56FC99B9@gmail.com> <55780D66.1070701@redhat.com>
Message-ID: <521279538.85562.1433938749298.JavaMail.zimbra@chemaxon.com>

Hi,

I tried many linear combinations of setup options when I tied our JIRA to ldap. First it was tied to openldap with user auth only. Once we started to use IPA, I changed. Using the base config of FedoraDS was chosen because IPA is based on it as well. We don't want any of our service actively modifying ldap, so read-only posix schema was the choice.

As for group matching. Accounts tree will not work, don't know why, it just did not work for us. Use compat tree, it is there for these occasions.

On the membership scheme settings:
Group member attribute: memberUid
User membership attribute: memberOf
Use the user membership attribute: no tick

For this setup you need a service user, because memberUid attributes of users are not visible for a single user in the ldap schema - don't remember why. We needed that for user filter as well, so we have chosen to use it this way.

Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Z?hony utca 7, Budapest, Hungary, H-1031 Cell: +36704258964 From: "Christopher Lamb" To: "Martin Kosek" , "Brian Topping" , "Sandor Juhasz" Cc: freeipa-users at redhat.com Sent: Wednesday, June 10, 2015 1:55:15 PM Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA Hi All Thanks to Brian and Sandor for their input so far - this gives me another approach to try. >From my side this is a work-in-progress report: we have got something working, but are not quite happy with it. Stepping back a bit: I suspect there are a number of integration approaches that may (or may not) work. Atlassian offer several default ldap configurations inc. the FedoraDS mentioned by Sando. Probably several of these can be massaged / bullied to work with FreeIPA with varying degrees of effort / pain. There seem also to be several possible integration use-cases, ranging from full bidirectional replication of ldap users and groups down to simple "read-only* authentication only. In our case we want to take a simple approach: in fact we have tried 2 methods so far. 1) We first tried a one-way replication of FreeIPA users and groups to JIRA, as described here: https://confluence.atlassian.com/display/JIRA/Connecting+to+an+LDAP +Directory We used the "A generic LDAP directory server" standard config with some values changed for the FreeIPA equivalents. While we were successfully able to connect from JIRA to FreeIPA, and users replicated across, groups did not - it failed at the point of group membership. Also the users could not login (but that is maybe because - from a JIRA point of view - the users had no groups). We did not spend long on this approach, so it is possible that with a little more tweaking we could get it to work. 2) We next tried an even simpler approach - using LDAP only for authentication. 
https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal +Directory+with+LDAP+Authentication Under this approach, when a user first tries to logon to JIRA the user is authenticated and replicated to JIRA. Groups remain local the JIRA directory (although a default group e.g. jira-users can be setup.) This approach is suitable when only a subset of LDAP users need JIRA access. Being one-way there should be no danger of JIRA screwing the LDAP. While we can successfully authenticate FreeIPA users (and thus login and work in JIRA) with this approach, so far we have not been able to get the email address to replicate from FreeIPA to JIRA (and without working email notifications JIRA is rendered as useful as a chocolate teapot) We will continue experimenting (we now have a suggested config from Sandor below as a further variant). Once we get something satisfactory working I would be pleased to contribute to a wiki-page on the topic. Cheers Chris From: Martin Kosek To: Brian Topping , Sandor Juhasz Cc: freeipa-users at redhat.com Date: 10.06.2015 12:13 Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA Sent by: freeipa-users-bounces at redhat.com Cool, I am glad you made this working. BTW, would any of you mind volunteering and helping the FreeIPA community with contributing a HOWTO article on "how to configure FreeIPA and Jira"? It is still missing in FreeIPA.org wiki. All we have right now is the link to this discussion, that Petr Spacek added to http://www.freeipa.org/page/HowTos#Web_Services It would be really nice to also have a real page that others can follow and use. Thank you! Martin On 06/10/2015 11:29 AM, Brian Topping wrote: > FYI, that mirrors my configuration. Not sure if this was covered previously, but for my setup, only JIRA connects to IPA. All the other atleasian products contact JIRA for their information. 
> > Cheers, Brian > >> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz wrote: >> >> Hi, >> >> here are our working configurations. Might be useful. >> We use compat tree for auth. >> We use user in group matching. >> We use group filter for login authorization. >> We use FedoraDS as ldap connector on JIRA's side. >> We don't use pw change or user create in IPA from JIRA side. >> Watch out not to have matching local users/groups or you will suffer bigtime. >> Initially it was setup not to use ldap groups, but was changed afterwards by >> creating all new groups in ldap for this purpose and readding the users. >> We use ldap service user for binding - https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA . >> >> Attributes: >> "autoAddGroups": "" >> "com.atlassian.crowd.directory.sync.currentstartsynctime": "null" >> "com.atlassian.crowd.directory.sync.issynchronising": "false" >> "com.atlassian.crowd.directory.sync.lastdurationms": "373" >> "com.atlassian.crowd.directory.sync.laststartsynctime": "1433920165776" >> "crowd.sync.incremental.enabled": "false" >> "directory.cache.synchronise.interval": "3600" >> "ldap.basedn": "dc=" >> "ldap.connection.timeout": "0" >> "ldap.external.id": "" >> "ldap.group.description": "description" >> "ldap.group.dn": "cn=groups,cn=compat" >> "ldap.group.filter": "(&(objectClass=posixgroup)(| (cn=)(cn=)(cn=)))" >> "ldap.group.name": "cn" >> "ldap.group.objectclass": "groupOfUniqueNames" >> "ldap.group.usernames": "memberUid" >> "ldap.local.groups": "false" >> "ldap.nestedgroups.disabled": "true" >> "ldap.pagedresults": "false" >> "ldap.pagedresults.size": "1000" >> "ldap.password": ******** >> "ldap.pool.initsize": "null" >> "ldap.pool.maxsize": "null" >> "ldap.pool.prefsize": "null" >> "ldap.pool.timeout": "0" >> "ldap.propogate.changes": "false" >> "ldap.read.timeout": "120000" >> "ldap.referral": "false" >> "ldap.relaxed.dn.standardisation": "true" >> "ldap.roles.disabled": "true" >> 
"ldap.search.timelimit": "60000" >> "ldap.secure": "false" >> "ldap.url": "ldap://" >> "ldap.user.displayname": "cn" >> "ldap.user.dn": "cn=users,cn=accounts" >> "ldap.user.email": "mail" >> "ldap.user.encryption": "sha" >> "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))" >> "ldap.user.firstname": "givenName" >> "ldap.user.group": "memberOf" >> "ldap.user.lastname": "sn" >> "ldap.user.objectclass": "person" >> "ldap.user.password": "userPassword" >> "ldap.user.username": "uid" >> "ldap.user.username.rdn": "" >> "ldap.userdn": "uid=,cn=sysaccounts,cn=etc,dc=" >> "ldap.usermembership.use": "false" >> "ldap.usermembership.use.for.groups": "false" >> "localUserStatusEnabled": "false" >> >> S?ndor Juh?sz >> System Administrator >> ChemAxon Ltd. >> Building Hx, GraphiSoft Park, Z?hony utca 7, Budapest, Hungary, H-1031 >> Cell: +36704258964 >> >> From: "Martin Kosek" >> To: "Christopher Lamb" , freeipa-users at redhat.com >> Sent: Wednesday, June 10, 2015 9:22:03 AM >> Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA >> >> On 06/08/2015 06:44 PM, Christopher Lamb wrote: >>> >>> Hi All >>> >>> we are interested to know if anybody has succeeded (or for that matter >>> failed) in using FreeIPA to provide user authentication for Atlassian >>> products such as JIRA or Confluence? >>> >>> Somewhere in an Atlassian ticket I saw that FreeIPA is not officially >>> supported, so I guess that should set our expectations ..... >>> >>> If anyone has succeeded, then of course any tips on how best to do so would >>> be fantastic! >> >> I saw reply in the threads, so it should be covered. >> >> BTW, please add +1s to respective Jira tickets to add proper FreeIPA support. >> It would be really cool if Jira would know FreeIPA out of the box and could >> connect to it natively! 
>> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project From cory at pithoslabs.com Wed Jun 10 12:55:18 2015 From: cory at pithoslabs.com (Cory Carlton) Date: Wed, 10 Jun 2015 07:55:18 -0500 Subject: [Freeipa-users] ssh known hosts gets recreated on client In-Reply-To: <5578125E.4040001@jackland.demon.co.uk> References: <5578125E.4040001@jackland.demon.co.uk> Message-ID: I feel this is a user ssh file issue, not an sssd one, when sshing. The client is seeing it's a different key exchange with the same IP it once knew about; the known_hosts file on the client machine (and user) in the .ssh folder needs to be updated or wiped clean. If you edit /home/USER/.ssh/known_hosts on the client machine, delete the IP line. On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton wrote: > Hello, > > If I uninstall the ipa client with "ipa-client-install --uninstall" then > reinstall it to the same ipa master then most functions work fine. > However, if I attempt to ssh from the client to the master then I get. > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! > Someone could be eavesdropping on you right now (man-in-the-middle attack)! > It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is > 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1. > Please contact your system administrator. > Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this > message. > Offending key in /var/lib/sss/pubconf/known_hosts:1 > RSA host key for ipa004.jackland.co.uk has changed and you have > requested strict checking. > Host key verification failed. > > I've tried stopping the sssd service on the client, removing > /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting > sssd, but /var/lib/sss/pubconf just gets recreated with the old contents > and I get the same error (it seems odd that it's reporting that the host > key of the master has changed when it's the client that has been > reinstalled). How do I clear-out the client's knowledge of the old host > keys? > > In this case I'm using ipa-client v3.0.0 on RHEL6.6 > > Thanks > > Bob > From bob at jackland.demon.co.uk Wed Jun 10 13:11:06 2015 From: bob at jackland.demon.co.uk (Bob Hinton) Date: Wed, 10 Jun 2015 14:11:06 +0100 Subject: [Freeipa-users] ssh known hosts gets recreated on client In-Reply-To: References: <5578125E.4040001@jackland.demon.co.uk> Message-ID: <5578376A.30200@jackland.demon.co.uk> The /home/USER/.ssh/known_hosts file doesn't exist. It's /var/lib/sss/pubconf/known_hosts that's the problem. If the offending line is deleted from this file or this file is deleted completely then it's automatically replaced and the same error occurs. On 10/06/2015 13:55, Cory Carlton wrote: > I feel this is a User ssh file issue not a sssd when sshing.
> the client is seeing its a different key exchange with the same IP it > once knew about, the known_hosts file on the client machine (and user) > in the .ssh folder need to be updated or wiped clean. > > If you edit on the client machine /home/USER/.ssh/known_hosts delete > the IP line. > > On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton > wrote: > > Hello, > > If I uninstall the ipa client with "ipa-client-install > --uninstall" then > reinstall it to the same ipa master then most functions work fine. > However, if I attempt to ssh from the client to the master then I get. > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! > Someone could be eavesdropping on you right now (man-in-the-middle > attack)! > It is also possible that the RSA host key has just been changed. > The fingerprint for the RSA key sent by the remote host is > 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1. > Please contact your system administrator. > Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this > message. > Offending key in /var/lib/sss/pubconf/known_hosts:1 > RSA host key for ipa004.jackland.co.uk > has changed and you have > requested strict checking. > Host key verification failed. > > I've tried stopping the sssd service on the client, removing > /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting > sssd, but /var/lib/sss/pubconf just gets recreated with the old > contents > and I get the same error (it seems odd that it's reporting that > the host > key of the master has changed when it's the client that has been > reinstalled). How do I clear-out the client's knowledge of the old > host > keys? 
> > In this case I'm using ipa-client v3.0.0 on RHEL6.6 > > Thanks > > Bob > From tompos at martos.bme.hu Wed Jun 10 13:18:09 2015 From: tompos at martos.bme.hu (Tamas Papp) Date: Wed, 10 Jun 2015 15:18:09 +0200 Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? Message-ID: <55783911.5060608@martos.bme.hu> hi, Currently there are CentOS 6.5 servers and IPA 3.0. The goal is migrating users to CentOS 7.1 and IPA 4.1. This is the command I use: $ ipa migrate-ds ldap://ipa11 --user-container=cn=users,cn=accounts,dc=foo --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo --with-compat < ~/.pw.manager Users are migrated successfully but password must be reset, otherwise they cannot logon. Any idea, what's going on? I also have a bonus question. How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to export/import it as ldif and that's all? Thanks, tamas From christopher.lamb at ch.ibm.com Wed Jun 10 13:32:46 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Wed, 10 Jun 2015 15:32:46 +0200 Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? In-Reply-To: <55783911.5060608@martos.bme.hu> References: <55783911.5060608@martos.bme.hu> Message-ID: Hi Tamas I think the general advice is to replicate rather than to migrate. I am sure Martin K will jump in on this. However some weeks ago, when doing a very similar move to yours, we chose to migrate (we were misled by some very old FreeIPA docus that have since been archived). In our case passwords were successfully migrated, so the users were able to use the same user / password combo as before. I will see if I can dig out the migrate command we used at the time.
Chris From: Tamas Papp To: freeipa-users at redhat.com Date: 10.06.2015 15:19 Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? Sent by: freeipa-users-bounces at redhat.com hi, Currently there are CentOS 6.5 servers and IPA 3.0. The goal is migrating users to CentOS 7.1 and IPA 4.1. This is the command I use: $ ipa migrate-ds ldap://ipa11 --user-container=cn=users,cn=accounts,dc=foo --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo --with-compat < ~/.pw.manager Users are migrated successfully but password must be reset, otherwise they cannot logon. Any idea, what's going on? I also have a bonus question. How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to export/import it as ldif and that's all? Thanks, tamas From mkosek at redhat.com Wed Jun 10 13:33:08 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 10 Jun 2015 15:33:08 +0200 Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? In-Reply-To: <55783911.5060608@martos.bme.hu> References: <55783911.5060608@martos.bme.hu> Message-ID: <55783C94.9040109@redhat.com> On 06/10/2015 03:18 PM, Tamas Papp wrote: > hi, > > Currently there are CentOS 6.5 servers and IPA 3.0. > > The goal is migrating users to CentOS 7.1 and IPA 4.1. > > This is the command I use: > > > $ ipa migrate-ds ldap://ipa11 --user-container=cn=users,cn=accounts,dc=foo > --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo --with-compat < > ~/.pw.manager > > > Users are migrated successfully but password must be reset, otherwise they > cannot logon. Any idea, what's going on? My guess is that their Kerberos key is also migrated. The key is not valid on the new installation, as the Kerberos master key is also different. So I would suggest stripping the users of their Kerberos attributes first.
Some advice here: https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA > I also have a bonus question. > How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to > export/import it as ldif and that's all? Hmm, this should be all. Except if the users were members of, for example, roles or privileges, you would need to migrate that membership too, as the mere presence of a memberOf attribute in the sys account will not be enough. From mkosek at redhat.com Wed Jun 10 13:35:27 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 10 Jun 2015 15:35:27 +0200 Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? In-Reply-To: References: <55783911.5060608@martos.bme.hu> Message-ID: <55783D1F.6040802@redhat.com> On 06/10/2015 03:32 PM, Christopher Lamb wrote: > Hi Tamas > > I think the general advice is to replicate rather than to migrate. I am > sure Martin K will jump in on this. Yes :-) > However some weeks ago, when doing a very similar move to yours, we chose > to migrate (we were misled by some very old FreeIPA docus that have since > been archived). > > In our case passwords were successfully migrated, so the users were able to > use the same user / password combo as before. > > > I will see if I can dig out the migrate command we used at the time. Did you use the migration command advised in https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA ? > > Chris > > > > From: Tamas Papp > To: freeipa-users at redhat.com > Date: 10.06.2015 15:19 > Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? > Sent by: freeipa-users-bounces at redhat.com > > > > hi, > > Currently there are CentOS 6.5 servers and IPA 3.0. > > The goal is migrating users to CentOS 7.1 and IPA 4.1.
> > This is the command I use: > > > $ ipa migrate-ds ldap://ipa11 > --user-container=cn=users,cn=accounts,dc=foo > --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo > --with-compat < ~/.pw.manager > > > Users are migrated successfully but password must be reset, otherwise > they cannot logon. Any idea, what's going on? > > > > > I also have a bonus question. > How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to > export/import it as ldif and that's all? > > > Thanks, > tamas > From lslebodn at redhat.com Wed Jun 10 13:37:44 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 10 Jun 2015 15:37:44 +0200 Subject: [Freeipa-users] ssh known hosts gets recreated on client In-Reply-To: <5578125E.4040001@jackland.demon.co.uk> References: <5578125E.4040001@jackland.demon.co.uk> Message-ID: <20150610133743.GB2862@mail.corp.redhat.com> On (10/06/15 11:33), Bob Hinton wrote: >Hello, > >If I uninstall the ipa client with "ipa-client-install --uninstall" then >reinstall it to the same ipa master then most functions work fine. >However, if I attempt to ssh from the client to the master then I get. > >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! >Someone could be eavesdropping on you right now (man-in-the-middle attack)! >It is also possible that the RSA host key has just been changed. >The fingerprint for the RSA key sent by the remote host is >86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1. >Please contact your system administrator. >Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this >message.
>Offending key in /var/lib/sss/pubconf/known_hosts:1 >RSA host key for ipa004.jackland.co.uk has changed and you have >requested strict checking. >Host key verification failed. > >I've tried stopping the sssd service on the client, removing >/var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting >sssd, but /var/lib/sss/pubconf just gets recreated with the old contents >and I get the same error (it seems odd that it's reporting that the host >key of the master has changed when it's the client that has been >reinstalled). How do I clear-out the client's knowledge of the old host >keys? > >In this case I'm using ipa-client v3.0.0 on RHEL6.6 > You removed /var/lib/sss/pubconf/known_hosts and also the sssd cache, but you still have the problem after restarting sssd. So the only explanation is that a wrong host public key is stored in FreeIPA. Could you try to check the host public key with ldapsearch in FreeIPA? I think you would need to do it as an admin. LS From christopher.lamb at ch.ibm.com Wed Jun 10 14:11:45 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Wed, 10 Jun 2015 16:11:45 +0200 Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? In-Reply-To: <55783D1F.6040802@redhat.com> References: <55783911.5060608@martos.bme.hu> <55783D1F.6040802@redhat.com> Message-ID: Hi Martin and Tamas My source was a different one, I found a hint in an ipa python file! Luckily I documented what we did in our internal wiki. I have found the following section: Migration from FreeIPA 3.0.0 to FreeIPA 4.1.0 > kinit admin > ipa config-mod --enable-migration=TRUE > ipa-compat-manage disable > ipactl restart The migration function uses the script /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py. This contains some useful comments, including the parameters for an IPA to IPA migration!
> ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://:389 > ipa-compat-manage enable > ipactl restart This copies all the users, and the groups - other than admin. This means that users that were members of the admins group on the old instance will not be added to the admins group on the new instance. They must be re-added, either via the Web UI, or CLI: > su - admin, > ipa group-add-member admins --users=bilbo Note that at the time we were making things up as we went along, so very possibly this was not the best way 8-) but it worked for us. Chris From: Martin Kosek To: Christopher Lamb/Switzerland/IBM at IBMCH, Tamas Papp Cc: freeipa-users at redhat.com Date: 10.06.2015 15:35 Subject: Re: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? On 06/10/2015 03:32 PM, Christopher Lamb wrote: > Hi Tamas > > I think the general advice is to replicate rather than to migrate. I am > sure Martin K will jump in on this. Yes :-) > However some weeks ago, when doing a very similar move to yours, we chose > to migrate (we were misled by some very old FreeIPA docus that have since > been archived). > > In our case passwords were successfully migrated, so the users were able to > use the same user / password combo as before. > > > I will see if I can dig out the migrate command we used at the time. Did you use the migration command advised in https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA ? > > Chris > > > > From: Tamas Papp > To: freeipa-users at redhat.com > Date: 10.06.2015 15:19 > Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? > Sent by: freeipa-users-bounces at redhat.com > > > > hi, > > Currently there are CentOS 6.5 servers and IPA 3.0. > > The goal is migrating users to CentOS 7.1 and IPA 4.1.
> > This is the command I use: > > > $ ipa migrate-ds ldap://ipa11 > --user-container=cn=users,cn=accounts,dc=foo > --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo > --with-compat < ~/.pw.manager > > > Users are migrated successfully but password must be reset, otherwise > they cannot logon. Any idea, what's going on? > > > > > I also have a bonus question. > How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to > export/import it as ldif and that's all? > > > Thanks, > tamas > From abokovoy at redhat.com Wed Jun 10 14:55:57 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 10 Jun 2015 17:55:57 +0300 Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated? In-Reply-To: References: <55783911.5060608@martos.bme.hu> <55783D1F.6040802@redhat.com> Message-ID: <20150610145557.GQ4402@redhat.com> On Wed, 10 Jun 2015, Christopher Lamb wrote: >Hi Martin and Tamas > >My source was a different one, I found a hint in an ipa python file! > >Luckily I documented what we did in our internal wiki. I have found the >following section: > >Migration from FreeIPA 3.0.0 to FreeIPA 4.1.0 > > >> kinit admin > >> ipa config-mod --enable-migration=TRUE > >> ipa-compat-manage disable > >> ipactl restart > >The migration function uses the script > >/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py. This contains > >some useful comments, including the parameters for an IPA to IPA migration! Yes, and you'll get the same information if you just run 'ipa migration'. In general, all IPA commands are grouped in topics and we have extensive documentation for them. Do 'ipa help topics' to see all topics. Do 'ipa help ' to see a specific topic's documentation.
-- / Alexander Bokovoy From dbischof at hrz.uni-kassel.de Wed Jun 10 15:24:21 2015 From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de) Date: Wed, 10 Jun 2015 17:24:21 +0200 (CEST) Subject: [Freeipa-users] add suse 11 sp3 to ipa In-Reply-To: <5577298A.4050305@redhat.com> References: <20150609142117.GH26062@redhat.com> <1258707210.9754851.1433862682762.JavaMail.yahoo@mail.yahoo.com> <5577298A.4050305@redhat.com> Message-ID: Hi, On Tue, 9 Jun 2015, Rob Crittenden wrote: > mohammad sereshki wrote: >> >> Would you please let me know is it possible to add suse 11 sp3 to IPA? >> and how it is possible? > > I'm not sure if any version of SUSE has ipa-client or freeipa-client, > but I know that 12+ has sssd. If 11 also has sssd then you can configure > that part using this: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html > > Note that a bunch of the steps don't really apply to you, like getting a > host cert. Oddly enough, the docs don't include setting up krb5.conf, > but you can get the gist of that from an ipa-client enrolled client. > > If you don't have sssd then you'll need to go the nss_ldap route. I have a bunch of openSUSE 13.2 machines which work fine with sssd from standard repos (after manual installation as described in the above document - you can, however, make a powerful autoyast recipe that includes configuration files, certs and Kerberos host keys to automate the complete installation process). I recall that I had to use an extra repository for sssd and earlier versions of openSUSE Linux: http://download.opensuse.org/repositories/network:/ldap/ There seems to be indeed no sssd for SLE11 SP3, only nss_ldap. Mit freundlichen Gruessen/With best regards, --Daniel.
From bob at jackland.demon.co.uk Wed Jun 10 16:09:06 2015 From: bob at jackland.demon.co.uk (Bob Hinton) Date: Wed, 10 Jun 2015 17:09:06 +0100 Subject: [Freeipa-users] ssh known hosts gets recreated on client In-Reply-To: <20150610133743.GB2862@mail.corp.redhat.com> References: <5578125E.4040001@jackland.demon.co.uk> <20150610133743.GB2862@mail.corp.redhat.com> Message-ID: <55786122.7070909@jackland.demon.co.uk> On 10/06/2015 14:37, Lukas Slebodnik wrote: > On (10/06/15 11:33), Bob Hinton wrote: >> Hello, >> >> If I uninstall the ipa client with "ipa-client-install --uninstall" then >> reinstall it to the same ipa master then most functions work fine. >> However, if I attempt to ssh from the client to the master then I get. >> >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! >> Someone could be eavesdropping on you right now (man-in-the-middle attack)! >> It is also possible that the RSA host key has just been changed. >> The fingerprint for the RSA key sent by the remote host is >> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1. >> Please contact your system administrator. >> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this >> message. >> Offending key in /var/lib/sss/pubconf/known_hosts:1 >> RSA host key for ipa004.jackland.co.uk has changed and you have >> requested strict checking. >> Host key verification failed. >> >> I've tried stopping the sssd service on the client, removing >> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting >> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents >> and I get the same error (it seems odd that it's reporting that the host >> key of the master has changed when it's the client that has been >> reinstalled). How do I clear-out the client's knowledge of the old host >> keys? 
>> >> In this case I'm using ipa-client v3.0.0 on RHEL6.6 >> > You removed /var/lib/sss/pubconf/known_hosts > and also sssd cache, but you still have problem after restarting sssd. > > So the only explanation is that wrong host public key is stored in FreeIPA. > Could you try to check host public key with ldapsearch in FreeIPA. > I think you would need to do it as an admin. > > LS > . > The two rsa keys look like they're the same (see below) though the finger-prints are evidently different. I copied and pasted the two keys into files and ran diff over these to prove that they match. I can actually fix the problem by copying the ipa master host keys to a file, removing them with ipa host-mod ipa004.jackland.co.uk --sshpubkey='' then I can ssh from the client to the master without the error. I can finally restore the keys from the file using the ipa host-mod command again and all is well. So this looks like a long-winded way of clearing some sort of cache of the key finger-print on the client. It would just be nice to know if there's a more direct way of doing this. Also I know this works for one client, but it would be a pain to have to go through this procedure for lots of them.
Thanks Bob -sh-4.2$ ipa host-show ipa004.jackland.co.uk --all dn: fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk Host name: ipa004.jackland.co.uk Principal name: host/ipa004.jackland.co.uk at JACKLAND.CO.UK SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl, ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/, ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M= Requires pre-authentication: True Trusted for delegation: False Password: False Keytab: True Managed by: ipa004.jackland.co.uk Managing: ipa004.jackland.co.uk SSH public key fingerprint: DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa), 53:79:39:CE:D8:13:23:D2:3C:2C:8E:E4:56:7E:41:76 (ssh-ed25519), 56:28:C4:62:3F:64:18:5D:EC:B9:E0:1F:8B:48:EA:0B (ecdsa-sha2-nistp256) cn: ipa004.jackland.co.uk ipauniqueid: 0ffd1566-fd61-11e4-b868-000c29f1a817 krblastpwdchange: 20150518132324Z objectclass: ipaSshGroupOfPubKeys, ipaobject, krbprincipal, nshost, top, ipaservice, pkiuser, ipahost, krbticketpolicyaux, krbprincipalaux, ipasshhost serverhostname: ipa004 -sh-4.2$ -sh-4.1$ ssh ipa004.jackland.co.uk @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. 
The fingerprint for the RSA key sent by the remote host is 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1. Please contact your system administrator. Add correct host key in /home/adminuser/.ssh/known_hosts to get rid of this message. Offending key in /var/lib/sss/pubconf/known_hosts:1 RSA host key for ipa004.jackland.co.uk has changed and you have requested strict checking. Host key verification failed. -sh-4.1$ head -1 /var/lib/sss/pubconf/known_hosts |1|SsQw9iAjhWz7sgcE9OwLuSC6hsM=|DgSaVQaJDU2dW6U4vN/quyySzvk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl -sh-4.1$ From brian.mathis+freeipa at betteradmin.com Wed Jun 10 17:26:55 2015 From: brian.mathis+freeipa at betteradmin.com (Brian Mathis) Date: Wed, 10 Jun 2015 19:26:55 +0200 Subject: [Freeipa-users] Installing a replica with alternate 'admin' username Message-ID: I have renamed the default 'admin' account to something else to avoid possible conflicts with other application accounts. However, when I try to install a replica with ipa-replica-install, it uses 'admin' as the username and I don't see a way to supply an alternate account name to use. I have been able to work-around this by using the --skip-conncheck option, but I would still like to have the script go through that process if possible to get the added verification that things are working. Is there any way to use a different account name than 'admin' with ipa-replica-install? I'm on CentOS 7 using ipa-server-4.1.0-18.el7. Brian Mathis @orev
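The mismatch Bob Hinton traces in the "ssh known hosts gets recreated on client" thread above (the keys stored in the host's IPA entry, which sssd copies into /var/lib/sss/pubconf/known_hosts, no longer matching what sshd on the master actually presents) can be checked without copying keys into files and running diff. The following is an added example, not code from the thread or from FreeIPA: it computes the MD5 fingerprints that ipa host-show prints for both the IPA-stored keys and the /etc/ssh/ssh_host_*.pub contents, reports the key types that differ, and builds the ipa host-mod --sshpubkey repair command from the file keys in one argument. The ed25519 key is the one quoted from his ipa host-show output; the RSA and ECDSA sample keys and the file contents are constructed stand-ins, and the wire-format framing check is an assumption about the OpenSSH blob layout.

```python
import base64
import hashlib
import struct


def parse_pubkey(line):
    """Split an OpenSSH public key line ('ssh-rsa AAAA... [comment]') into
    (key type, raw key blob) and check that the type inside the blob agrees."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    blob = base64.b64decode(parts[1])
    # The blob starts with a length-prefixed copy of the key type string.
    (tlen,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + tlen].decode("ascii")
    if wire_type != parts[0]:
        raise ValueError("declared type %s but blob says %s" % (parts[0], wire_type))
    return parts[0], blob


def md5_fingerprint(blob):
    """Colon-separated uppercase MD5 of the key blob, the format 'ipa host-show'
    prints under 'SSH public key fingerprint' (the ssh warning shows it lowercase)."""
    digest = hashlib.md5(blob).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_ipa_sshpubkey(value):
    """Parse the comma-separated 'SSH public key:' value of 'ipa host-show --all'
    into {key type: blob}; IPA stores no comments, so commas only separate keys."""
    keys = {}
    for entry in value.split(","):
        if entry.strip():
            ktype, blob = parse_pubkey(entry.strip())
            keys[ktype] = blob
    return keys


def parse_local_pubkeys(lines):
    """Parse the contents of the /etc/ssh/ssh_host_*.pub files (one key per line)."""
    return dict(parse_pubkey(line) for line in lines if line.strip())


def compare_keys(local, stored):
    """Return {key type: (local fingerprint, stored fingerprint)} for every type
    whose fingerprints differ; None on one side means the type is missing there."""
    diffs = {}
    for ktype in sorted(set(local) | set(stored)):
        lfp = md5_fingerprint(local[ktype]) if ktype in local else None
        sfp = md5_fingerprint(stored[ktype]) if ktype in stored else None
        if lfp != sfp:
            diffs[ktype] = (lfp, sfp)
    return diffs


def host_mod_command(fqdn, local):
    """argv for the repair done by hand in the thread: overwrite the stored keys
    with the file keys, all in one --sshpubkey argument (no editor join needed)."""
    value = ",".join("%s %s" % (ktype, base64.b64encode(blob).decode("ascii"))
                     for ktype, blob in sorted(local.items()))
    return ["ipa", "host-mod", fqdn, "--sshpubkey=" + value]


def make_key_line(ktype, payload):
    """Build a correctly framed public key line around a constructed payload.
    The payload is NOT real key material; only the wire framing matters here."""
    blob = (struct.pack(">I", len(ktype)) + ktype.encode("ascii")
            + struct.pack(">I", len(payload)) + payload)
    return "%s %s" % (ktype, base64.b64encode(blob).decode("ascii"))


# Sample data.  The ed25519 key is the one quoted from 'ipa host-show' in the
# thread; the RSA and ECDSA entries are constructed stand-ins to keep this short.
PAGE_ED25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/"
STORED_IN_IPA = ", ".join([
    make_key_line("ssh-rsa", b"rsa-payload-as-stored-in-ipa"),
    PAGE_ED25519,
    make_key_line("ecdsa-sha2-nistp256", b"ecdsa-payload"),
])
# Constructed /etc/ssh/ssh_host_*.pub contents: the RSA key has been regenerated
# (a restore could do that), so sshd now presents a key IPA has never seen.
LOCAL_FILES = [
    make_key_line("ssh-rsa", b"rsa-payload-after-regeneration") + " root@ipa004",
    PAGE_ED25519 + " root@ipa004",
    make_key_line("ecdsa-sha2-nistp256", b"ecdsa-payload") + " root@ipa004",
]


def main():
    local = parse_local_pubkeys(LOCAL_FILES)
    stored = parse_ipa_sshpubkey(STORED_IN_IPA)
    diffs = compare_keys(local, stored)
    for ktype, (lfp, sfp) in diffs.items():
        print("%s: sshd presents %s but IPA stores %s" % (ktype, lfp, sfp))
    if diffs:
        print("repair: " + " ".join(host_mod_command("ipa004.jackland.co.uk", local)))


if __name__ == "__main__":
    main()
```

On a real master the LOCAL_FILES list would be read from /etc/ssh/ssh_host_*.pub and STORED_IN_IPA taken from the host entry; the fingerprint of the key type reported as differing is the one to expect in the client's warning.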
From rcritten at redhat.com Wed Jun 10 17:56:09 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Jun 2015 13:56:09 -0400 Subject: [Freeipa-users] Installing a replica with alternate 'admin' username In-Reply-To: References: Message-ID: <55787A39.8030007@redhat.com> Brian Mathis wrote: > I have renamed the default 'admin' account to something else to avoid > possible conflicts with other application accounts. However, when I try > to install a replica with ipa-replica-install, it uses 'admin' as the > username and I don't see a way to supply an alternate account name to use. > > I have been able to work-around this by using the --skip-conncheck > option, but I would still like to have the script go through that > process if possible to get the added verification that things are working. > > Is there any way to use a different account name than 'admin' with > ipa-replica-install? I'm on CentOS 7 using ipa-server-4.1.0-18.el7. There isn't currently. I opened https://fedorahosted.org/freeipa/ticket/5060 The conn checker, ipa-replica-conncheck, actually takes the principal as an argument but this is hardcoded as "admin" in ipa-replica-install. rob From bob at jackland.demon.co.uk Wed Jun 10 18:57:36 2015 From: bob at jackland.demon.co.uk (Bob Hinton) Date: Wed, 10 Jun 2015 19:57:36 +0100 Subject: [Freeipa-users] ssh known hosts gets recreated on client In-Reply-To: <55786122.7070909@jackland.demon.co.uk> References: <5578125E.4040001@jackland.demon.co.uk> <20150610133743.GB2862@mail.corp.redhat.com> <55786122.7070909@jackland.demon.co.uk> Message-ID: <557888A0.7010507@jackland.demon.co.uk> OK. I think the original problem wasn't what I thought it was. The keys in /etc/ssh/*.pub on the ipamaster didn't match the ones stored in IPA.
I'm not sure how this happened, however the master is a test VM that's been used to test ipa-backup and ipa-restore (it's a V4.1.0 master even though the client is V3.0) Anyway, I repaired this by setting the keys in IPA to the ones in the files by doing the following on the ipa master :- echo "ipa host-mod ipa004.jackland.co.uk --sshpubkey='" > keyfix.sh sudo cat /etc/ssh/ssh_host_rsa_key.pub >> keyfix.sh echo -n ',' >> keyfix.sh sudo cat /etc/ssh/ssh_host_ecdsa_key.pub >> keyfix.sh echo -n ',' >> keyfix.sh sudo cat /etc/ssh/ssh_host_ed25519_key.pub >> keyfix.sh echo "'" >> keyfix.sh vi keyfix.sh (keep pressing J to join everything into one long line) sh keyfix.sh On 10/06/2015 17:09, Bob Hinton wrote: > On 10/06/2015 14:37, Lukas Slebodnik wrote: >> On (10/06/15 11:33), Bob Hinton wrote: >>> Hello, >>> >>> If I uninstall the ipa client with "ipa-client-install --uninstall" then >>> reinstall it to the same ipa master then most functions work fine. >>> However, if I attempt to ssh from the client to the master then I get. >>> >>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ >>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! >>> Someone could be eavesdropping on you right now (man-in-the-middle attack)! >>> It is also possible that the RSA host key has just been changed. >>> The fingerprint for the RSA key sent by the remote host is >>> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1. >>> Please contact your system administrator. >>> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this >>> message. >>> Offending key in /var/lib/sss/pubconf/known_hosts:1 >>> RSA host key for ipa004.jackland.co.uk has changed and you have >>> requested strict checking. >>> Host key verification failed. 
>>> >>> I've tried stopping the sssd service on the client, removing >>> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting >>> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents >>> and I get the same error (it seems odd that it's reporting that the host >>> key of the master has changed when it's the client that has been >>> reinstalled). How do I clear-out the client's knowledge of the old host >>> keys? >>> >>> In this case I'm using ipa-client v3.0.0 on RHEL6.6 >>> >> You removed /var/lib/sss/pubconf/known_hosts >> and also sssd cache, but you still have problem after restarting sssd. >> >> So the only explanation is that wrong host public key is stored in FreeIPA. >> Could you try to check host public key with ldapsearch in FreeIPA. >> I think you would need to do it as an admin. >> >> LS >> . >> > The two rsa keys look like they're the same (see below) though the > finger-prints are evidently different. I copied and pasted the two keys > into files and ran diff over these to prove that they match. > > I can actually fix the problem by copying the ipa master host keys to a > file, removing them with > > ipa host-mod ipa004.jackland.co.uk --sshpubkey='' > > then I can ssh from the client to the master without the error. I can > finally restore the keys from the file using the ipa host-mod command > again and all is well. So this looks like a long-winded way of clearing > some sort of cache of the key finger-print on the client. It would just > be nice to know if there's a more direct way of doing this. Also I know > this works for one client, but it would be a pain to have to go through > this procedure for lots of them.
>
> Thanks
>
> Bob
>
> -sh-4.2$ ipa host-show ipa004.jackland.co.uk --all
>   dn: fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk
>   Host name: ipa004.jackland.co.uk
>   Principal name: host/ipa004.jackland.co.uk at JACKLAND.CO.UK
>   SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl,
>   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/,
>   ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M=
>   Requires pre-authentication: True
>   Trusted for delegation: False
>   Password: False
>   Keytab: True
>   Managed by: ipa004.jackland.co.uk
>   Managing: ipa004.jackland.co.uk
>   SSH public key fingerprint: DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa),
>   53:79:39:CE:D8:13:23:D2:3C:2C:8E:E4:56:7E:41:76 (ssh-ed25519),
>   56:28:C4:62:3F:64:18:5D:EC:B9:E0:1F:8B:48:EA:0B (ecdsa-sha2-nistp256)
>   cn: ipa004.jackland.co.uk
>   ipauniqueid: 0ffd1566-fd61-11e4-b868-000c29f1a817
>   krblastpwdchange: 20150518132324Z
>   objectclass: ipaSshGroupOfPubKeys, ipaobject, krbprincipal, nshost, top, ipaservice, pkiuser, ipahost, krbticketpolicyaux, krbprincipalaux, ipasshhost
>   serverhostname: ipa004
> -sh-4.2$
>
> -sh-4.1$ ssh ipa004.jackland.co.uk
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
> Please contact your system administrator.
> Add correct host key in /home/adminuser/.ssh/known_hosts to get rid of
> this message.
> Offending key in /var/lib/sss/pubconf/known_hosts:1
> RSA host key for ipa004.jackland.co.uk has changed and you have
> requested strict checking.
> Host key verification failed.
>
> -sh-4.1$ head -1 /var/lib/sss/pubconf/known_hosts
> |1|SsQw9iAjhWz7sgcE9OwLuSC6hsM=|DgSaVQaJDU2dW6U4vN/quyySzvk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl
> -sh-4.1$
>

From mohammadsereshki at yahoo.com Wed Jun 10 19:43:56 2015
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Wed, 10 Jun 2015 19:43:56 +0000 (UTC)
Subject: [Freeipa-users] add suse 11 sp3 to ipa
In-Reply-To: <5577298A.4050305@redhat.com>
References: <5577298A.4050305@redhat.com>
Message-ID: <1505910201.599677.1433965436918.JavaMail.yahoo@mail.yahoo.com>

hi
do you know where the path of the certification file and certification key file for clients is?

From: Rob Crittenden
To: mohammad sereshki ; Freeipa-users
Sent: Tuesday, June 9, 2015 10:29 PM
Subject: Re: [Freeipa-users] add suse 11 sp3 to ipa

mohammad sereshki wrote:
> hi
> Would you please let me know is it possible to add suse 11 sp3 to IPA?
> and how it is possible?
> Regards
>

I'm not sure if any version of SUSE has ipa-client or freeipa-client, but I know that 12+ has sssd.
If 11 also has sssd then you can configure that part using this:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html

Note that a bunch of the steps don't really apply to you, like getting a host cert. Oddly enough, the docs don't include setting up krb5.conf, but you can get the gist of that from an ipa-client enrolled client.

If you don't have sssd then you'll need to go the nss_ldap route.

rob

From tompos at martos.bme.hu Thu Jun 11 12:00:37 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Thu, 11 Jun 2015 14:00:37 +0200
Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?
In-Reply-To: <55783D1F.6040802@redhat.com>
References: <55783911.5060608@martos.bme.hu> <55783D1F.6040802@redhat.com>
Message-ID: <55797865.8030107@martos.bme.hu>

On 06/10/2015 03:35 PM, Martin Kosek wrote:
> On 06/10/2015 03:32 PM, Christopher Lamb wrote:
>> Hi Tamas
>>
>> I think the general advice is to replicate rather than to migrate. I am
>> sure Martin K will jump in on this.
> Yes :-)
>
>> However some weeks ago, when doing a very similar move to yours, we chose
>> to migrate (we were misled by some very old FreeIPA docus that have since
>> been archived).
>>
>> In our case passwords were successfully migrated, so the users were able to
>> use the same user / password combo as before.
>>
>> I will see if I can dig out the migrate command we used at the time.
> Did you use the migration command advised in
> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
> ?

hi Martin,

https://www.freeipa.org/page/Howto/Migration#Upgrading_to_new_FreeIPA_release

I would be satisfied with this procedure.
However, earlier you (actually Dmitri) posted a different one:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

Which is the right one?
In my opinion the second one is too complicated, I would rather choose 'ipa migrate-ds' (we don't have machine accounts).

Thanks,
tamas

From henry.hofmann at osthus.com Thu Jun 11 11:25:25 2015
From: henry.hofmann at osthus.com (Henry Hofmann)
Date: Thu, 11 Jun 2015 11:25:25 +0000
Subject: [Freeipa-users] Grant IPA Users for AD resscources
Message-ID: <74263835052DD843AEBD010BD87EE8DE1488C3@win10004.member.osthus.de>

Hello,

I'm using CentOS7 with FreeIPA 4.1.4 and an Active Directory 2012 with a Bidirectional Domain Trust.

The Forests are:
IPA = devipa.local
AD = intern.noc.local

I can add AD users to IPA groups and have access to the Resources. How can I add IPA users to Active Directory resources like groups? I can't find an option, and adding the member with "user1 at devipa.local or DEVIPA\user1" does not work to add the user in an Active Directory group.

---
Henry Hofmann

From rcritten at redhat.com Thu Jun 11 12:32:28 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Jun 2015 08:32:28 -0400
Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?
In-Reply-To: <55797865.8030107@martos.bme.hu>
References: <55783911.5060608@martos.bme.hu> <55783D1F.6040802@redhat.com> <55797865.8030107@martos.bme.hu>
Message-ID: <55797FDC.1000409@redhat.com>

Tamas Papp wrote:
>
> On 06/10/2015 03:35 PM, Martin Kosek wrote:
>> On 06/10/2015 03:32 PM, Christopher Lamb wrote:
>>> Hi Tamas
>>>
>>> I think the general advice is to replicate rather than to migrate. I am
>>> sure Martin K will jump in on this.
>> Yes :-)
>>
>>> However some weeks ago, when doing a very similar move to yours, we chose
>>> to migrate (we were misled by some very old FreeIPA docus that have since
>>> been archived).
>>>
>>> In our case passwords were successfully migrated, so the users were able to
>>> use the same user / password combo as before.
>>>
>>> I will see if I can dig out the migrate command we used at the time.
>> Did you use the migration command advised in
>> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>> ?
>
> hi Martin,
>
> https://www.freeipa.org/page/Howto/Migration#Upgrading_to_new_FreeIPA_release
>
> I would be satisfied with this procedure.
>
> However, earlier you (actually Dmitri) posted a different one:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>
> Which is the right one?
> In my opinion the second one is too complicated, I would rather choose
> 'ipa migrate-ds' (we don't have machine accounts).

They are both right, in the right context.

While there are a number of steps involved in creating an EL 7 master from an EL 6 install, you retain all current data and clients, assuming you are using DNS SRV records, probably won't notice at all.

ipa-migrate-ds only migrates users and groups so you'll lose all sudo, HBAC, automount, automember and more rules, plus netgroups and hostgroups. You'd have to manually re-add all of these.
You'll also end up with a new CA (with the same name) and have to re-enroll all your clients.

Creating a new master is probably a lot easier and less disruptive. You'd want to leave both the EL 6 and 7 masters running for a bit (probably days, not months) to be sure everything is working ok. Be sure to add a new user or group on the EL 7 master before decommissioning the EL 6 one.

And don't forget to use the --setup-ca option when creating the EL 7 master.

rob

From abokovoy at redhat.com Thu Jun 11 12:43:00 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 11 Jun 2015 15:43:00 +0300
Subject: [Freeipa-users] Grant IPA Users for AD resscources
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE1488C3@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE1488C3@win10004.member.osthus.de>
Message-ID: <20150611124300.GT4402@redhat.com>

On Thu, 11 Jun 2015, Henry Hofmann wrote:
>Hello,
>
>I'm using CentOS7 with FreeIPA 4.1.4 and an Active Directory 2012 with a Bidirectional Domain Trust.
>
>The Forests are:
>IPA = devipa.local
>AD = intern.noc.local
>
>I can add AD users to IPA groups and have access to the Resources. How
>can I add IPA users to Active Directory resources like groups? I can't
>find an option, and adding the member with "user1 at devipa.local or
>DEVIPA\user1" does not work to add the user in an Active Directory
>group.
Not supported yet as we don't have Global Catalog implementation.
--
/ Alexander Bokovoy

From bobby.prins at proxy.nl Thu Jun 11 13:33:20 2015
From: bobby.prins at proxy.nl (Bobby Prins)
Date: Thu, 11 Jun 2015 15:33:20 +0200
Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
In-Reply-To:
References: <1233558204.521669.1426778523088.JavaMail.zimbra@proxy.nl> <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl> <20150403104507.GM3878@redhat.com> <1281199799.42149.1428063302868.JavaMail.zimbra@proxy.nl> <20150403122617.GN3878@redhat.com> <1912938263.42737.1428064838642.JavaMail.zimbra@proxy.nl>
Message-ID:

On Apr 7, 2015, at 13:41, Bobby Prins wrote:
>
>> On Apr 3, 2015, at 14:40, Bobby Prins wrote:
>>
>>> ----- Original message -----
>>> From: "Alexander Bokovoy"
>>> To: "Bobby Prins"
>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>> Sent: Friday 3 April 2015 14:26:17
>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>
>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>> ----- Original message -----
>>>>> From: "Alexander Bokovoy"
>>>>> To: "Bobby Prins"
>>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>>> Sent: Friday 3 April 2015 12:45:07
>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>
>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>> access:
>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>>>> Above there are two lookups:
>>>>>
>>>>> - successful lookup for user bprings at example.com
>>>>> - unsuccessful lookup for user bprins
>>>>>
>>>>> What is causing it to perform a lookup without @example.com? The compat tree
>>>>> presents AD users fully qualified; it is the only way it knows to
>>>>> trigger a lookup via SSSD on the IPA master for these users (because non-fully
>>>>> qualified users are in the IPA LDAP tree already and copied to the compat tree
>>>>> automatically).
>>>> This seems to be (standard?) behaviour of the AIX LDAP client. Did some
>>>> more tests with different accounts and always see the two lookups. I
>>>> doubt if I can influence that..
>>> No, this is not standard -- I haven't seen such behavior when testing
>>> FreeIPA with AIX last autumn.
>>> --
>>> / Alexander Bokovoy
>> OK, with the idsldap client software and an AD trust configured? This is on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try AIX6.1 as well. What works is creating the user object in freeIPA so the lookup succeeds. After that I can authenticate successfully against AD. Not the solution I'm looking for though.
> Did some tests with AIX5.3 and then I don't run into any issues. There is no lookup to be seen after entering my username on AIX5.3 (as there was on AIX7.1), only the authentication request which succeeds. Will test AIX6.1 later on..

AIX6.1 also worked without any problems. In the end my methods.cfg was causing the problems on AIX7.1.
After deleting these lines authentication worked:

KRB5:
    program = /usr/lib/security/KRB5
    program_64 = /usr/lib/security/KRB5_64
    options = authonly,kadmind=no

KRB5LDAP:
    options = auth=KRB5,db=LDAP

So my methods.cfg now looks like this:

LDAP:
    program = /usr/lib/security/LDAP
    program_64 = /usr/lib/security/LDAP64

NIS:
    program = /usr/lib/security/NIS
    program_64 = /usr/lib/security/NIS_64

DCE:
    program = /usr/lib/security/DCE

I was not expecting this since I was not using KRB5 or KRB5LDAP in /etc/security/user. Well, I'm glad I got this sorted out now :)

From abokovoy at redhat.com Thu Jun 11 13:37:06 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 11 Jun 2015 16:37:06 +0300
Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
In-Reply-To:
References: <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl> <20150403104507.GM3878@redhat.com> <1281199799.42149.1428063302868.JavaMail.zimbra@proxy.nl> <20150403122617.GN3878@redhat.com> <1912938263.42737.1428064838642.JavaMail.zimbra@proxy.nl>
Message-ID: <20150611133706.GV4402@redhat.com>

On Thu, 11 Jun 2015, Bobby Prins wrote:
>On Apr 7, 2015, at 13:41, Bobby Prins wrote:
>>
>>> On Apr 3, 2015, at 14:40, Bobby Prins wrote:
>>>
>>>> ----- Original message -----
>>>> From: "Alexander Bokovoy"
>>>> To: "Bobby Prins"
>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>> Sent: Friday 3 April 2015 14:26:17
>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>
>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>> ----- Original message -----
>>>>>> From: "Alexander Bokovoy"
>>>>>> To: "Bobby Prins"
>>>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>>>> Sent: Friday 3 April 2015 12:45:07
>>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>>
>>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>> access:
>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>>>>> Above there are two lookups:
>>>>>>
>>>>>> - successful lookup for user bprings at example.com
>>>>>> - unsuccessful lookup for user bprins
>>>>>>
>>>>>> What is causing it to perform a lookup without @example.com? The compat tree
>>>>>> presents AD users fully qualified; it is the only way it knows to
>>>>>> trigger a lookup via SSSD on the IPA master for these users (because non-fully
>>>>>> qualified users are in the IPA LDAP tree already and copied to the compat tree
>>>>>> automatically).
>>>>> This seems to be (standard?) behaviour of the AIX LDAP client. Did some
>>>>> more tests with different accounts and always see the two lookups. I
>>>>> doubt if I can influence that..
>>>> No, this is not standard -- I haven't seen such behavior when testing
>>>> FreeIPA with AIX last autumn.
>>>> --
>>>> / Alexander Bokovoy
>>> OK, with the idsldap client software and an AD trust configured? This is on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try AIX6.1 as well. What works is creating the user object in freeIPA so the lookup succeeds. After that I can authenticate successfully against AD. Not the solution I'm looking for though.
>> Did some tests with AIX5.3 and then I don't run into any issues. There is no lookup to be seen after entering my username on AIX5.3 (as there was on AIX7.1), only the authentication request which succeeds. Will test AIX6.1 later on..
>
>AIX6.1 also worked without any problems. In the end my methods.cfg was causing the problems on AIX7.1. After deleting these lines authentication worked:
>
>KRB5:
>    program = /usr/lib/security/KRB5
>    program_64 = /usr/lib/security/KRB5_64
>    options = authonly,kadmind=no
>
>KRB5LDAP:
>    options = auth=KRB5,db=LDAP
>
>So my methods.cfg now looks like this:
>
>LDAP:
>    program = /usr/lib/security/LDAP
>    program_64 = /usr/lib/security/LDAP64
>
>NIS:
>    program = /usr/lib/security/NIS
>    program_64 = /usr/lib/security/NIS_64
>
>DCE:
>    program = /usr/lib/security/DCE
>
>I was not expecting this since I was not using KRB5 or KRB5LDAP in /etc/security/user. Well, I'm glad I got this sorted out now :)
Great. Could you please write your configurations up somewhere so that we can have an article on freeipa.org detailing the configs for future users?
--
/ Alexander Bokovoy

From mkosek at redhat.com Thu Jun 11 14:33:25 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 11 Jun 2015 16:33:25 +0200
Subject: [Freeipa-users] Grant IPA Users for AD resscources
In-Reply-To: <20150611124300.GT4402@redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE1488C3@win10004.member.osthus.de> <20150611124300.GT4402@redhat.com>
Message-ID: <55799C35.8090507@redhat.com>

On 06/11/2015 02:43 PM, Alexander Bokovoy wrote:
> On Thu, 11 Jun 2015, Henry Hofmann wrote:
>> Hello,
>>
>> I'm using CentOS7 with FreeIPA 4.1.4 and an Active Directory 2012 with a
>> Bidirectional Domain Trust.
>>
>> The Forests are:
>> IPA = devipa.local
>> AD = intern.noc.local
>>
>> I can add AD users to IPA groups and have access to the Resources. How
>> can I add IPA users to Active Directory resources like groups? I can't
>> find an option, and adding the member with "user1 at devipa.local or
>> DEVIPA\user1" does not work to add the user in an Active Directory
>> group.
> Not supported yet as we don't have Global Catalog implementation.

... aaand a ticket, in case you want to subscribe for updates:
https://fedorahosted.org/freeipa/ticket/3125

From wgraboyes at cenic.org Thu Jun 11 23:22:01 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Thu, 11 Jun 2015 16:22:01 -0700
Subject: [Freeipa-users] IPA very very slow
Message-ID: <557A1819.4060901@cenic.org>

Hi List,

This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between 30 seconds and 3 minutes. Memory usage is low, cpu usage is low, iops are low. I really have no idea where to start here, there is nothing really damning in the logs.
I have tried restarting IPA (ipactl restart), stopping and starting IPA (ipactl stop wait... ipactl start), and rebooting the entire server.

The oddest thing is that there have been some krb errors saying that they cannot contact the krb server.. logging into the gui saying your session has timed out.. It is just general strangeness.

ipa-server-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
krb5-server-1.12.2-14.el7.x86_64

Any help would be greatly appreciated.

Thanks,
Bill

From mexigabacho at gmail.com Thu Jun 11 23:30:10 2015
From: mexigabacho at gmail.com (Christopher Young)
Date: Thu, 11 Jun 2015 19:30:10 -0400
Subject: [Freeipa-users] Specific rights needed to enroll a new host
Message-ID:

I'm trying to develop a process in Ansible to enroll new hosts (as well as check beforehand to see if the host is already enrolled). I was wondering a couple of things:

#1. Has anyone else worked out a process for doing this using a non 'admin' account?

#2.
Is there a simple mechanism (preferably something that could be automated and thus not require any interactivity) that could be used to check whether a system is enrolled? I would hope for some type of simple LDAP search or simple command that could be run to check, with easy return codes.

In particular, I'm trying to avoid using the 'admin' user to enroll hosts because I'd like to minimize the rights to just the enrollment of new hosts as well as checking for an existing enrollment.

Any thoughts or feedback that could point me in the best direction would be greatly appreciated!

Thanks,

Chris

From janellenicole80 at gmail.com Fri Jun 12 01:21:09 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 11 Jun 2015 18:21:09 -0700
Subject: [Freeipa-users] newer sssd on centos 5?
Message-ID: <557A3405.3030007@gmail.com>

Has anyone built a newer version of sssd for RHEL/centos 5.x?? Currently only 1.5.x

Just wondering if maybe it is limited due to some library or compatibility issues?

Thank you
Janelle

From christoph.kaminski at biotronik.com Fri Jun 12 05:38:07 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 12 Jun 2015 07:38:07 +0200
Subject: [Freeipa-users] WG: Re: Haunted servers?
Message-ID:

I was pleased too early :/

After ipactl restart of our first master (where we re-initialize from) the 'ghost' rids are there again... I think there is something like a fs backup for dirsrv (changelog?) but where?

>
> we had the same problem (and some more) and yesterday we have
> successfully cleaned the ghost rids
>
> our fix:
>
> 1. stop all cleanallruv Tasks, if it works with ipa-replica-manage
> abort-clean-ruv. It hasn't worked here. We have done it manually on
> ALL replicas with:
> a) replica stop
> b) delete all nsds5ReplicaClean from /etc/dirsrv/slapd-HSO/dse.ldif
> c) replica start
>
> 2.
> prepare on EACH ipa a cleanruv ldif file with ALL ghost rids
> inside (really ALL from all ipa replicas, we had some rids only
> on some replicas...)
> Example:
>
> dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task:CLEANRUV11
>
> dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task:CLEANRUV22
>
> dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task:CLEANRUV37
> ...
>
> 3. do a "ldapmodify -h 127.0.0.1 -D "cn=Directory Manager" -W -x -f
> $your-cleanruv-file.ldif" on all replicas AT THE SAME TIME :) we
> used terminator for it (https://launchpad.net/terminator). You can
> open multiple shell windows inside one window and send to all at the
> same time the same commands...
>
> 4. we have done a re-initialize of each IPA from our first master
>
> 5. restart of all replicas
>
> we are not sure about points 3 and 4. Maybe they are not
> necessary, but we have done it.
>
> If something fails look at defect LDAP entries in the whole ldap, we
> have had some entries with 'nsunique-$HASH' after the 'normal' name.
> We have deleted them.
>
> MfG
> Christoph Kaminski
>

From mkosek at redhat.com Fri Jun 12 07:11:07 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 12 Jun 2015 09:11:07 +0200
Subject: [Freeipa-users] IPA very very slow
In-Reply-To: <557A1819.4060901@cenic.org>
References: <557A1819.4060901@cenic.org>
Message-ID: <557A860B.8060208@redhat.com>

> Hi List,
>
> This is a problem that has surfaced after a reboot of this system in
> particular. It is being really, really slow. In terms of hardware
> usage issues, there are none. It is taking 3-5 minutes to list users
> in the gui. Running commands like ipa-replica-manage list is taking
> between 30 seconds and 3 minutes.
> Memory usage is low, cpu usage is
> low, iops are low. I really have no idea where to start here, there
> is nothing really damning in the logs. I have tried restarting IPA
> (ipactl restart), stopping and starting IPA (ipactl stop wait... ipactl
> start), and rebooting the entire server.
>
> The oddest thing is that there have been some krb errors saying that
> they cannot contact the krb server.. logging into the gui saying your
> session has timed out..
>
> It is just general strangeness.
>
> ipa-server-4.1.0-18.el7.centos.3.x86_64
> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> krb5-server-1.12.2-14.el7.x86_64
>
> Any help would be greatly appreciated.
>
> Thanks,
> Bill

I would recommend starting with simple things, seeing the performance and then following with more complex stuff:

- Try bare "ldapsearch" against the FreeIPA LDAP server, see the response rate. If it is also slow, we have the root cause. Before ringing on DS people's doors, see if for example DNS is not slow and there are no DNS timeouts in play - "host ipa.server.test" will tell you that
- If DS is OK, try Kerberos - kinit, kvno commands
- If Kerberos is also OK and "ipa-replica-manage list" is still slow, maybe we should just "strace" it to see what it waits on.

HTH,
Martin

From mkosek at redhat.com Fri Jun 12 07:18:34 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 12 Jun 2015 09:18:34 +0200
Subject: [Freeipa-users] Specific rights needed to enroll a new host
In-Reply-To:
References:
Message-ID: <557A87CA.7020308@redhat.com>

On 06/12/2015 01:30 AM, Christopher Young wrote:
> I'm trying to develop a process in Ansible to enroll new hosts (as well as
> check beforehand to see if the host is already enrolled). I was wondering a
> couple of things:
>
> #1. Has anyone else worked out a process for doing this using a non 'admin'
> account?
>
> #2.
> Is there a simple mechanism (preferably something that could be automated
> and thus not require any interactivity), that could be used to check as to
> whether a system is enrolled? I would hope that some type of simple LDAP
> search or simple command that could be run to check with easy return codes.
>
> In particular, I'm trying to avoid using the 'admin' user to enroll hosts
> because I'd like to minimize the rights to just the enrollment of new hosts as
> well as checking for an existing enrollment.

You can do the same check that "ipa host-show" does - see if the host has a keytab generated or not. AFAIK, all authenticated users can do this check (not retrieve the key itself, but check if it is there).

See my test as non-authenticated user/host:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_nXWwGw1
Default principal: host/ipa.f22 at F22

Valid starting       Expires              Service principal
06/12/2015 03:15:01  06/13/2015 03:15:01  krbtgt/F22 at F22

1. See all hosts

[root at ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b "cn=computers,cn=accounts,dc=f22" fqdn
SASL/GSSAPI authentication started
SASL username: host/ipa.f22 at F22
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: fqdn
#

# computers, accounts, f22
dn: cn=computers,cn=accounts,dc=f22

# ipa.f22, computers, accounts, f22
dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22
fqdn: ipa.f22

# is.not.enrolled, computers, accounts, f22
dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
fqdn: is.not.enrolled

# search result
search: 4
result: 0 Success

# numResponses: 4
# numEntries: 3

2. See just the unenrolled hosts

[root at ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b "cn=computers,cn=accounts,dc=f22" "(!(krbprincipalkey=*))" fqdn
SASL/GSSAPI authentication started
SASL username: host/ipa.f22 at F22
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (!(krbprincipalkey=*))
# requesting: fqdn
#

# computers, accounts, f22
dn: cn=computers,cn=accounts,dc=f22

# is.not.enrolled, computers, accounts, f22
dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
fqdn: is.not.enrolled

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

HTH.

>
> Any thoughts or feedback that could point me in the best direction would be
> greatly appreciated!
>
> Thanks,
>
> Chris
>

From lslebodn at redhat.com Fri Jun 12 07:33:08 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 12 Jun 2015 09:33:08 +0200
Subject: [Freeipa-users] newer sssd on centos 5?
In-Reply-To: <557A3405.3030007@gmail.com>
References: <557A3405.3030007@gmail.com>
Message-ID: <20150612073308.GB32542@mail.corp.redhat.com>

On (11/06/15 18:21), Janelle wrote:
>Has anyone built a newer version of sssd for RHEL/centos 5.x?? Currently only
>1.5.x
>
There is also 1.9 in COPR repo[1]

>Just wondering if maybe it is limited due to some library or compatibility
>issues?
It's possible to build sssd-1.11 on el5 as well but without samba libraries and thus without ipa and ad provider.

LS

[1] https://copr.fedoraproject.org/coprs/sgallagh/sssd-1.9-rhel5/

From rcritten at redhat.com Fri Jun 12 13:39:45 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Jun 2015 09:39:45 -0400
Subject: [Freeipa-users] Specific rights needed to enroll a new host
In-Reply-To: <557A87CA.7020308@redhat.com>
References: <557A87CA.7020308@redhat.com>
Message-ID: <557AE121.5070001@redhat.com>

Martin Kosek wrote:
> On 06/12/2015 01:30 AM, Christopher Young wrote:
>> I'm trying to develop a process in Ansible to enroll new hosts (as well as
>> check beforehand to see if the host is already enrolled). I was wondering a
>> couple of things:
>>
>> #1. Has anyone else worked out a process for doing this using a non 'admin'
>> account?

Create a role and add the privilege 'Host Enrollment'.

From jhrozek at redhat.com Fri Jun 12 14:45:29 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 12 Jun 2015 16:45:29 +0200
Subject: [Freeipa-users] [SSSD] Announcing SSSD 1.12.5
Message-ID: <20150612144529.GI3497@hendrix>

=== SSSD 1.12.5 ===

The SSSD team is proud to announce the release of version 1.12.5 of the System
Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21, 22 and rawhide shortly.

== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
* This release adds several new enhancements and fixes many bugs
* Notable new enhancements:
    * The background refresh task now supports refreshing users and groups as
      well. Please see the description of the `refresh_expired_interval`
      parameter in the `sssd.conf` man page.
    * A new option subdomain_inherit was added.
      Options included in the subdomain_inherit option also apply for trusted
      domains, if supported. This release supports inheriting
      ignore_group_members, ldap_purge_cache_timeout, ldap_use_tokengroups and
      ldap_user_principal.
    * When an expired account attempts to log in, a configurable error message
      can be displayed with sufficient pam_verbosity setting. Please see the
      description of the pam_account_expired_message option for more
      information.
    * OpenLDAP ppolicy can be honored even when an alternate login method (such
      as SSH key) is used. Please see the description of the new ppolicy value
      of the ldap_access_order option.
    * A new option krb5_map_user was added. This option allows the admin to map
      UNIX usernames to Kerberos principals. The option would be mostly useful
      for setups that wish to continue using UNIX file-based identities
      together with SSSD Kerberos authentication
* The important bug fixes include:
    * Several AD-specific bugs that resulted in the incorrect set of groups
      being displayed after the initgroups operation were fixed
    * Many fixes related to the IPA ID views feature are included. Setups using
      the ID views feature should update the SSSD instance on both IPA servers
      and clients.
    * The AD provider now handles binary GUIDs correctly. This bug was
      manifested with an error message saying ldb_modify failed: Invalid
      attribute syntax.
    * The AD provider no longer downloads full group objects during initgroups
      request if POSIX attributes are used. This fix may speed up the login
      times significantly.
    * A bug that prevented the `ignore_group_members` parameter from being used
      with the AD provider was fixed
    * The fail over code now reads and honors TTL value for SRV queries as
      well. Previously, SRV queries used a hardcoded timeout
    * The SELinux context set up during login with an IPA provider is only
      called if the context had changed. This fixes a performance regression
      with the IPA provider.
    * Race condition between setting the timeout in the back ends and reading
      it in the front end during initgroup operation was fixed. This bug
      affected applications that perform the `initgroups(3)` operation in
      multiple processes simultaneously.
    * Setups that only want to use the domain SSSD is connected to, but not the
      autodiscovered trusted domains by setting `subdomains_provider=none` now
      work correctly as long as the domain SID is set manually in the config
      file
    * In case only allow rules are used, the simple access provider is now able
      to skip unresolvable groups.
    * The GPO access control code now handles situations where user and
      computer objects were in different domains. Previously, an attempt to log
      in as user from a different domain than computer always resulted in login
      failure.

== Packaging Changes ==
* The cmocka unit tests now require cmocka version 1.0 or later
* The libsss_krb5_common.so library had been moved to the sssd-common
  subpackage to avoid ordering issues between libsss_krb5_common and
  libsss_ldap_common
* The proxy_child helper binary was marked as setuid in order for the proxy
  provider to work without root privileges.

== Documentation Changes ==
* A new option subdomain_inherit was added. See the highlights section for
  more details.
* A new option krb5_map_user was added. See the highlights section for more
  details.
* The ldap_access_order option accepts new value ppolicy.
* Account expiration message can be customized using a new option
  pam_account_expired_message

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1884
    [RFE] Read and use the TTL value when resolving a SRV query
https://fedorahosted.org/sssd/ticket/2050
    ssh login reject is abrupt
https://fedorahosted.org/sssd/ticket/2167
    [RFE] Allow SSSD to issue shadow expiration warning even if alternate authentication method is used
https://fedorahosted.org/sssd/ticket/2346
    [RFE] Implement background refresh for users and groups
https://fedorahosted.org/sssd/ticket/2444
    extop request marks dp_req as failed when an entry is not found
https://fedorahosted.org/sssd/ticket/2507
    Cyclic dependencies between sssd-ldap and krb5-common
https://fedorahosted.org/sssd/ticket/2509
    RFE: Handle setups with id_provider=proxy and auth_provider=krb5 better
https://fedorahosted.org/sssd/ticket/2513
    Add a hint on using DEBUG levels to the troubleshooting page
https://fedorahosted.org/sssd/ticket/2528
    Document that that libkrb5 and sssd use different expansion templates for principals
https://fedorahosted.org/sssd/ticket/2534
    [RFE] Lock out ssh keys when account naturally expires
https://fedorahosted.org/sssd/ticket/2587
    With empty ipaselinuxusermapdefault security context on client is staff_u
https://fedorahosted.org/sssd/ticket/2588
    Properly handle AD's binary objectGUID
https://fedorahosted.org/sssd/ticket/2591
    sssd nss bug update vs create cache
https://fedorahosted.org/sssd/ticket/2592
    ccname_file_dummy is not unlinked on error
https://fedorahosted.org/sssd/ticket/2598
    sssd_nss segfaults if initgroups request is by UPN and doesn't find anything
https://fedorahosted.org/sssd/ticket/2601
    SSSD downloads too much information when fetching information about groups
https://fedorahosted.org/sssd/ticket/2604
    sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605
https://fedorahosted.org/sssd/ticket/2606
    GPO access control looks for computer object in user's domain only
https://fedorahosted.org/sssd/ticket/2608
    sssd crashes intermittently
https://fedorahosted.org/sssd/ticket/2611
    sssd_be dumping core if enumeration times out
https://fedorahosted.org/sssd/ticket/2612
    ldap_access_order=ppolicy: Explicitly mention in manpage that unsupported time specification will lead to sssd denying access
https://fedorahosted.org/sssd/ticket/2613
    sysdb sudo search doesn't escape special characters
https://fedorahosted.org/sssd/ticket/2614
    id lookup resolves "Domain Local" group and errors appear in domain log
https://fedorahosted.org/sssd/ticket/2624
    Only set the selinux context if the context differs from the local one
https://fedorahosted.org/sssd/ticket/2629
    sssd_be segfault id_provider = ad src/providers/ad/ad_gpo.c:843
https://fedorahosted.org/sssd/ticket/2630
    Overrides with --login work in second attempt
https://fedorahosted.org/sssd/ticket/2631
    idoverridegroup for ipa group with --group-name does not work
https://fedorahosted.org/sssd/ticket/2632
    Overridde with --login fails trusted adusers group membership resolution
https://fedorahosted.org/sssd/ticket/2633
    Group resolution is inconsistent with group overrides
https://fedorahosted.org/sssd/ticket/2634
    sssd nss responder gets wrong number of secondary groups
https://fedorahosted.org/sssd/ticket/2635
    ID mapping does not wotk with disabled subdomains
https://fedorahosted.org/sssd/ticket/2642
    Override for IPA users with login does not list user all groups
https://fedorahosted.org/sssd/ticket/2643
    autofs provider fails when default_domain_suffix and use_fully_qualified_names set
https://fedorahosted.org/sssd/ticket/2644
    ignore_group_members doesn't work for subdomains
https://fedorahosted.org/sssd/ticket/2646
    Disapeared groups with ad providers and enabled ignore_group_members
https://fedorahosted.org/sssd/ticket/2647
    external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf
https://fedorahosted.org/sssd/ticket/2649
    /usr/libexec/sssd/selinux_child crashes and gets avc denial when ssh
https://fedorahosted.org/sssd/ticket/2650
    Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
https://fedorahosted.org/sssd/ticket/2654
    sssd_be crashed if initialisation of proxy_child failed
https://fedorahosted.org/sssd/ticket/2655
    proxy provider does not work in non-root mode
https://fedorahosted.org/sssd/ticket/2659
    IPA enumeration provider crashes
https://fedorahosted.org/sssd/ticket/2663
    id lookup for non-root domain users doesn't return all groups on first attempt

== Detailed changelog ==
Adam Tkac (1):
    * Option filter_users had no effect for retrieving sudo rules

Aron Parsons (2):
    * IPA: fix segfault in ipa_s2n_exop
    * autofs: fix 'Cannot allocate memory' with FQDNs

Daniel Hjorth (1):
    * LDAP: unlink ccname_file_dummy if there is an error

Jakub Hrozek (34):
    * Updating the version for the 1.12.5 release
    * resolv: Use the same default timeout for SRV queries as previously
    * FO: Use SRV TTL in fail over code
    * selinux: Delete existing user mapping on empty default
    * NSS: Handle ENOENT when doing initgroups by UPN
    * selinux: Handle setup with empty default and no configured rules
    * tests: convert all unit tests to cmocka 1.0 or later
    * RPM: BuildRequire libcmocka >= 1.0
    * build: Only run cmocka tests if cmocka 1.0 or newer is available
    * Resolv: re-read SRV query every time if its TTL is 0
    * IPA: Use custom error codes when validating HBAC rules
    * IPA: Drop useless sysdb parameter
    * IPA: Only treat malformed HBAC rules as fatal if deny rules are enabled
    * IPA: Deprecate the ipa_hbac_treat_deny_as option
    * selinux: Disconnect before closing the handle
    * selinux: Begin and end the transaction on the same nesting level
    * selinux: Only call semanage if the context actually changes
    * tests: Use cmocka-1.0+ API in test_sysdb_utils
    * sysdb: Add cache_expire to the default
      sysdb_search_object_by_str_attr set
    * SELINUX: Avoid disconnecting disconnected handle
    * LDAP: return after tevent_req_error
    * MAN: refresh_expired_interval also supports users and groups
    * tests: ncache_hit must be an int to test UPNs
    * tests: Add a getpwnam-by-UPN test
    * Add unit tests for initgroups
    * Download complete groups if ignore_group_members is set with tokengroups
    * DP: Set extra_value to NULL for enum requests
    * Skip enumeration requests in IPA and AD providers as well
    * confdb: Add new option subdomain_inherit
    * DP: Add a function to inherit DP options, if set
    * SDAP: Add sdap_copy_map_entry
    * UTIL: Inherit ignore_group_members
    * subdomains: Inherit cleanup period and tokengroup settings from parent domain
    * Updating translations for the 1.12.5 release

Lukas Slebodnik (19):
    * Log reason in debug message why ldb_modify failed
    * ipa_selinux: Fix warning may be used uninitialized
    * memberof: Do not create request with 0 attribute values
    * CLIENT: Clear errno with enabled sss-default-nss-plugin
    * GPO: Check return value of ad_gpo_store_policy_settings
    * SDAP: Do not set gid 0 twice
    * SDAP: Extract filtering AD group to function
    * SDAP: Filter ad groups in initgroups
    * GPO: Do not ignore missing attrs for GPOs
    * sss_nss_idmap-tests: Use different prepared buffers for big endian
    * SDAP: Fix id mapping with disabled subdomains
    * SPEC: Fix cyclic dependencies between sssd-{krb5,}-common
    * negcache: Soften condition for expired entries
    * test_nss_srv: Use right function for storing time_t
    * nss: Do not ignore default vaue of SYSDB_INITGR_EXPIRE
    * SDAP: Set initgroups expire attribute at the end
    * SDAP: Remove unnecessary argument from sdap_save_user
    * PROXY: proxy_child should work in non-root mode
    * PROXY: Do not register signal with SA_SIGINFO

Michal Zidek (2):
    * DEBUG: Add missing strings for error messages
    * test: Check ERR_LAST

Pavel Březina (8):
    * be_refresh: refresh all domains in backend
    * sdap_handle_acct_req_send: remove be_req
    * be_refresh: refactor netgroups refresh
    * be_refresh: add sdap_refresh_init
    * be_refresh: support users
    * be_refresh: support groups
    * enumeration: fix talloc context
    * sudo: sanitize filter values

Pavel Reichl (18):
    * PAM: do not reject abruptly
    * PAM: new option pam_account_expired_message
    * PAM: warn all services about account expiration
    * PAM: check return value of confdb_get_string
    * SDAP: refactor pwexpire policy
    * SDAP: enable change phase of pw expire policy check
    * UTIL: convert GeneralizedTime to unix time
    * SDAP: Lock out ssh keys when account naturally expires
    * SDAP: fix minor neglect in is_account_locked()
    * ldap_child: fix coverity warning
    * MAN: libkrb5 and SSSD use different expansions
    * IPA: set EINVAL if dn can't be linearized
    * LDAP: remove unused code
    * LDAP: fix a typo in debug message
    * MAN: Update ppolicy description
    * simple-access-provider: make user grp res more robust
    * LDAP: warn about lockout option being deprecated
    * krb5: new option krb5_map_user

Stephen Gallagher (3):
    * AD: Clean up ad_access_gpo
    * AD: Always get domain-specific ID connection
    * AD GPO: Always look up GPOs from machine domain

Sumit Bose (25):
    * ldap_child: initialized ccname_file_dummy
    * PAM: use the logon_name as the key for the PAM initgr cache
    * pam_initgr_check_timeout: add debug output
    * ipa: do not treat missing sub-domain users as error
    * ipa: make sure extdom expo data is available
    * LDAP/AD: do not resolve group members during tokenGroups request
    * IPA idviews: check if view name is set
    * IPA: make sure output variable is set
    * GPO: error out instead of leaving array element uninitialized
    * sdap: properly handle binary objectGuid attribute
    * IPA: do not try to save override data for the default view
    * IPA: use sysdb_attrs_add_string_safe to add group member
    * IPA: check ghosts in groups found by uuid as well
    * IPA: allow initgroups by SID for AD users
    * IPA: do initgroups if extdom exop supports it
    * IPA: update initgr expire timestamp conditionally
    * IPA: enhance
      ipa_initgr_get_overrides_send()
    * IPA: search for overrides during initgroups in sever mode
    * IPA: do not add domain name unconditionally
    * NSS: check for overrides before calling backend
    * IPA: allow initgroups by UUID for FreeIPA users
    * SDAP: use DN to update entry
    * IPA: do not fail if view name lookup failed on older versions
    * libwbclient-sssd: update interface to version 0.12
    * ldap: use proper sysdb name in groups_by_user_done()

_______________________________________________
sssd-devel mailing list
sssd-devel at lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

From bobby.prins at proxy.nl Fri Jun 12 15:28:23 2015
From: bobby.prins at proxy.nl (Bobby Prins)
Date: Fri, 12 Jun 2015 17:28:23 +0200
Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
In-Reply-To: <20150611133706.GV4402@redhat.com>
References: <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl> <20150403104507.GM3878@redhat.com> <1281199799.42149.1428063302868.JavaMail.zimbra@proxy.nl> <20150403122617.GN3878@redhat.com> <1912938263.42737.1428064838642.JavaMail.zimbra@proxy.nl> <20150611133706.GV4402@redhat.com>
Message-ID:

On Jun 11, 2015, at 15:37, Alexander Bokovoy wrote:
>
> On Thu, 11 Jun 2015, Bobby Prins wrote:
>> On Apr 7, 2015, at 13:41, Bobby Prins wrote:
>>>
>>>
>>>> On Apr 3, 2015, at 14:40, Bobby Prins wrote:
>>>>
>>>>> ----- Original message -----
>>>>> From: "Alexander Bokovoy"
>>>>> To: "Bobby Prins"
>>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>>> Sent: Friday 3 April 2015 14:26:17
>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>
>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>> ----- Original message -----
>>>>>>> From: "Alexander Bokovoy"
>>>>>>> To: "Bobby Prins"
>>>>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>>>>> Sent: Friday 3 April 2015 12:45:07
>>>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>>>
>>>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>>> access:
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>>>>>> Above there are two lookups:
>>>>>>>
>>>>>>> - successful lookup for user bprings at example.com
>>>>>>> - unsuccessful lookup for user bprins
>>>>>>>
>>>>>>> What is causing to perform a lookup without @example.com? Compat tree
>>>>>>> presents AD users fully qualified, it is the only way it knows to
>>>>>>> trigger lookup via SSSD on IPA master for these users (because non-fully
>>>>>>> qualified users are in IPA LDAP tree already and copied to compat tree
>>>>>>> automatically).
>>>>>> This seems to be (standard?) behaviour of the AIX LDAP client. Did some
>>>>>> more tests with different accounts and always see the two lookups. I
>>>>>> doubt if I can influence that..
>>>>> No, this is not standard -- I haven't seen such behavior when testing
>>>>> FreeIPA with AIX last autumn.
>>>>> --
>>>>> / Alexander Bokovoy
>>>> OK, with the idsldap client software and an AD trust configured? This is on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try AIX6.1 as well. What works is creating the user object in freeIPA so the lookup succeeds. After that I can authenticate successfully against AD. Not the solution I'm looking for though.
>>> Did some tests with AIX5.3 and then I don't run into any issues. There is no lookup to be seen after entering my username on AIX5.3 (as there was on AIX7.1), only the authentication request which succeeds. Will test AIX6.1 later on..
>>
>> AIX6.1 also worked without any problems. In the end my methods.cfg was causing the problems on AIX7.1. After deleting these lines authentication worked:
>>
>> KRB5:
>>         program = /usr/lib/security/KRB5
>>         program_64 = /usr/lib/security/KRB5_64
>>         options = authonly,kadmind=no
>>
>> KRB5LDAP:
>>         options = auth=KRB5,db=LDAP
>>
>> So my methods.cfg now looks like this:
>>
>> LDAP:
>>         program = /usr/lib/security/LDAP
>>         program_64 = /usr/lib/security/LDAP64
>>
>> NIS:
>>         program = /usr/lib/security/NIS
>>         program_64 = /usr/lib/security/NIS_64
>>
>> DCE:
>>         program = /usr/lib/security/DCE
>>
>> I was not expecting this since I was not using KRB5 or KRB5LDAP in /etc/security/user. Well, I'm glad I got this sorted out now :)
> Great. Could you please write your configurations up somewhere so that
> we can have an article on freeipa.org detailing the configs for future
> users?
Yes, I will do that Alexander. Hope to have some time for that next week.
> --
> / Alexander Bokovoy

From James.Benson at utsa.edu Fri Jun 12 15:40:12 2015
From: James.Benson at utsa.edu (James Benson)
Date: Fri, 12 Jun 2015 10:40:12 -0500
Subject: [Freeipa-users] Is something.local hostname possible
Message-ID: <557AFD5C.5000906@utsa.edu>

Hi all,
I'm trying to duplicate freeIPA on a local host but I keep on getting
errors, primarily a RuntimeError('CA did not start in %%ss' %timeout).
Has anyone tried this before and succeeded or have suggestions?
Thanks

James

From tompos at martos.bme.hu Fri Jun 12 15:48:47 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Fri, 12 Jun 2015 17:48:47 +0200
Subject: [Freeipa-users] Is something.local hostname possible
In-Reply-To: <557AFD5C.5000906@utsa.edu>
References: <557AFD5C.5000906@utsa.edu>
Message-ID: <14de8758b18.2774.b4c2854741c50caf28b8595b5e98fc2d@martos.bme.hu>

I can't answer you, but don't use .local, it conflicts with avahi.
--
Sent from mobile

On June 12, 2015 17:45:52 James Benson wrote:
> Hi all,
> I'm trying to duplicate freeIPA on a local host but I keep on getting
> errors, primarily a RuntimeError('CA did not start in %%ss' %timeout).
> Has anyone tried this before and succeeded or have suggestions?
> Thanks
>
> James

From prashant at apigee.com Fri Jun 12 18:02:58 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Fri, 12 Jun 2015 23:32:58 +0530
Subject: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
Message-ID:

Hi,

Has anyone seen this ? When a user tries to scan the QR code he gets a
message saying "invalid barcode". This happens only with iPhone + Google
Authenticator.

Thanks for your help.

--Prashant

From James.Benson at utsa.edu Fri Jun 12 18:09:14 2015
From: James.Benson at utsa.edu (James Benson)
Date: Fri, 12 Jun 2015 13:09:14 -0500
Subject: [Freeipa-users] Freeipa-users Digest, Vol 83, Issue 65
In-Reply-To:
References:
Message-ID: <557B204A.4080003@utsa.edu>

I've tried increasing the timeout limit but no dice (the exact number was
30 seconds I think for the error.). I'm not running avahi but just a
straight up Ubuntu federa server with nothing else but this. Eventually
we'll try to tie this into either a Hortonworks, MapR, Cloudera server as
authentication, but I can't tie it to our domain since I'm not in charge of
it and frankly I tried and it just goes to oblivion since I'm inside the
firewall and the domain is outside and not going to punch those holes.

Anyone else have thoughts?

James

From wgraboyes at cenic.org Fri Jun 12 19:15:03 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Fri, 12 Jun 2015 12:15:03 -0700
Subject: [Freeipa-users] IPA very very slow
In-Reply-To: <557A860B.8060208@redhat.com>
References: <557A1819.4060901@cenic.org> <557A860B.8060208@redhat.com>
Message-ID: <557B2FB7.2030307@cenic.org>

Hi Martin,

Here are the outputs of the various commands, cleaned of course:

time ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

real    0m32.464s
user    0m0.385s
sys     0m0.052s

time host ipa-server-2.foo.org   <-- server with issues
ipa-server-2.foo.org has address 10.0.0.2

real    0m0.070s
user    0m0.010s
sys     0m0.006s

time host ipa-server-1.foo.org   <-- replicant with no issues
ipa-server-1.foo.org has address 10.0.0.3

real    0m0.073s
user    0m0.012s
sys     0m0.006s

time kinit
kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials

real    0m27.049s
user    0m0.013s
sys     0m0.004s

^^^ has been something I have been seeing intermittently

On 6/12/15 12:11 AM, Martin Kosek wrote:
>> Hi List,
>>
>> This is a problem that has surfaced after a reboot of this system
>> in particular. It is being really, really slow. In terms of
>> hardware usage issues, there are none. It is taking 3-5 minutes
>> to list users in the gui. Running commands like
>> ipa-replica-manage list is taking between 30 seconds and 3
>> minutes. Memory usage is low, cpu usage is low, iops are low. I
>> really have no idea where to start here, there is nothing really
>> damning in the logs. I have tried restarting IPA (ipactl
>> restart) stopping and starting IPA (ipactl stop wait... ipactl
>> start), and rebooting the entire server.
>>
>> The oddest thing is that there have been some krb errors saying
>> that they cannot contact the krb server.. logging into the gui
>> saying your session has timed out..
>>
>> It is just general strangeness.
>>
>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>> krb5-server-1.12.2-14.el7.x86_64
>>
>> Any help would be greatly appreciated.
>>
>> Thanks, Bill
>
> I would recommend starting with simple things, seeing the
> performance and then following with more complex stuff:
>
> - Try bare "ldapsearch" against the FreeIPA LDAP server, see the
> response rate. If it is also slow, we have the root cause. Before
> ringing on DS people doors, see if for example DNS is not slow and
> there are no DNS timeouts in play - "host ipa.server.test" will
> tell you that
>
> - If DS is OK, try Kerberos - kinit, kvno commands
>
> - If Kerberos is also OK and "ipa-replica-manage list" is still
> slow, maybe we should just "strace" it to see what it waits on.
>
> HTH, Martin
>

From jhrozek at redhat.com Fri Jun 12 19:25:03 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 12 Jun 2015 21:25:03 +0200
Subject: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
In-Reply-To:
References:
Message-ID: <20150612192502.GC27022@Jakubs-MacBook-Pro.local>

On Fri, Jun 12, 2015 at 11:32:58PM +0530, Prashant Bapat wrote:
> Hi,
>
> Has anyone seen this ? When a user tries to scan the QR code he gets a
> message saying "invalid barcode". This happens only with iPhone + Google
> Authenticator.

Google Authenticator or FreeOTP? This list might be a good place to ask
about the latter, but not the former..
From mkosek at redhat.com Fri Jun 12 20:10:59 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 12 Jun 2015 22:10:59 +0200
Subject: [Freeipa-users] IPA very very slow
In-Reply-To: <557B2FB7.2030307@cenic.org>
References: <557A1819.4060901@cenic.org> <557A860B.8060208@redhat.com> <557B2FB7.2030307@cenic.org>
Message-ID: <557B3CD3.106@redhat.com>

On 06/12/2015 09:15 PM, William Graboyes wrote:
> Hi Martin,
>
> Here are the outputs of the various commands, cleaned of course:
>
> time ldapsearch
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> real 0m32.464s
> user 0m0.385s
> sys 0m0.052s

This is quite a long time. We should check respective dirsrv errors and
access logs snippets.

Also, the command above did not exit successfully, I would recommend
doing at least

# ldapsearch -x -h `hostname` "(uid=admin)"

> time host ipa-server-2.foo.org <-- server with issues
> ipa-server-2.foo.org has address 10.0.0.2
>
> real 0m0.070s
> user 0m0.010s
> sys 0m0.006s
>
> time host ipa-server-1.foo.org <-- replicant with no issues
> ipa-server-1.foo.org has address 10.0.0.3
>
> real 0m0.073s
> user 0m0.012s
> sys 0m0.006s
>
> time kinit
> kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting
> initial credentials
>
> real 0m27.049s
> user 0m0.013s
> sys 0m0.004s
>
> ^^^ has been something I have been seeing intermittently

From rmeggins at redhat.com Fri Jun 12 20:36:47 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Jun 2015 14:36:47 -0600
Subject: [Freeipa-users] IPA very very slow
In-Reply-To: <557B3CD3.106@redhat.com>
References: <557A1819.4060901@cenic.org> <557A860B.8060208@redhat.com> <557B2FB7.2030307@cenic.org> <557B3CD3.106@redhat.com>
Message-ID: <557B42DF.4030108@redhat.com>

On 06/12/2015 02:10 PM, Martin Kosek wrote:
> On 06/12/2015 09:15 PM, William Graboyes wrote:
>> Hi Martin,
>>
>> Here are the outputs of the various commands, cleaned of course:
>>
>> time ldapsearch
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>> additional info: SASL(-4): no mechanism available:
>>
>> real 0m32.464s
>> user 0m0.385s
>> sys 0m0.052s
>
> This is quite a long time. We should check respective dirsrv errors and
> access logs snippets.
>
> Also, the command above did not exit successfully, I would recommend
> doing at least
>
> # ldapsearch -x -h `hostname` "(uid=admin)"

To eliminate DNS from the equation, use

# time ldapsearch -x -h 127.0.0.1 "(uid=admin)"

From wgraboyes at cenic.org Fri Jun 12 21:25:59 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Fri, 12 Jun 2015 14:25:59 -0700
Subject: [Freeipa-users] IPA very very slow
In-Reply-To: <557B42DF.4030108@redhat.com>
References: <557A1819.4060901@cenic.org> <557A860B.8060208@redhat.com> <557B2FB7.2030307@cenic.org> <557B3CD3.106@redhat.com> <557B42DF.4030108@redhat.com>
Message-ID:
<557B4E67.3030001@cenic.org>

Hi Ken,

I ran this command back to back, I am snipping some of the results.

First time I ran the command:

time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (uid=admin)
# requesting: ALL
#

--snip--

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

real 0m0.056s
user 0m0.003s
sys 0m0.004s


Run on the same server not 5 seconds after the previous command:

time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (uid=admin)
# requesting: ALL
#

-- snip --

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

real 0m31.756s
user 0m0.003s
sys 0m0.005s

I am starting to see this error in the dirsrv logs:

[12/Jun/2015:14:06:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:11:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:16:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:21:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

Thanks,
Bill Graboyes

From rmeggins at redhat.com Fri Jun 12 22:32:59 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Jun 2015 16:32:59 -0600
Subject: [Freeipa-users] IPA very very slow
In-Reply-To:
<557B4E67.3030001@cenic.org>
References: <557A1819.4060901@cenic.org> <557A860B.8060208@redhat.com> <557B2FB7.2030307@cenic.org> <557B3CD3.106@redhat.com> <557B42DF.4030108@redhat.com> <557B4E67.3030001@cenic.org>
Message-ID: <557B5E1B.4060906@redhat.com>

On 06/12/2015 03:25 PM, William Graboyes wrote:
> Hi Ken,
>
> I ran this command back to back, I am snipping some of the results.
>
> First time I ran the command:
>
> time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: (uid=admin)
> # requesting: ALL
> #
>
> --snip--
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> real 0m0.056s
> user 0m0.003s
> sys 0m0.004s
>
>
> Run on the same server not 5 seconds after the previous command:
>
> time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: (uid=admin)
> # requesting: ALL
> #
>
> -- snip --
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> real 0m31.756s
> user 0m0.003s
> sys 0m0.005s

Ok. First, see
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes

You'll also have to do

# debuginfo-install ipa-server slapi-nis

to get all of the ipa packages.

Next, see
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs

Reproduce the problem, and during the 30 seconds the directory server is
processing the search request, run the gdb command several times to get
stack traces during the search request.

> I am starting to see this error in the dirsrv logs:
>
> [12/Jun/2015:14:06:51 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 107
> (Transport endpoint is not connected)
> [12/Jun/2015:14:11:51 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 107
> (Transport endpoint is not connected)
> [12/Jun/2015:14:16:51 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 107
> (Transport endpoint is not connected)
> [12/Jun/2015:14:21:51 -0700] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 107
> (Transport endpoint is not connected)

I doubt this is related to the performance. This looks like the server
is attempting to contact a replica which is down, and has backed off for
the full 5 minute max backoff.

From wgraboyes at cenic.org Fri Jun 12 23:07:52 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Fri, 12 Jun 2015 16:07:52 -0700
Subject: [Freeipa-users] IPA very very slow
In-Reply-To: <557B5E1B.4060906@redhat.com>
References: <557A1819.4060901@cenic.org> <557A860B.8060208@redhat.com> <557B2FB7.2030307@cenic.org> <557B3CD3.106@redhat.com>
<557B42DF.4030108@redhat.com> <557B4E67.3030001@cenic.org> <557B5E1B.4060906@redhat.com>
Message-ID: <557B6648.1070805@cenic.org>

Martin, Et al,

Now that debugging is installed and running, I cannot duplicate. Isn't
that always the way though? I'll let you know if it happens again.

Thanks,
Bill

From simo at redhat.com Sat Jun 13 17:40:38 2015
From: simo at redhat.com (Simo Sorce)
Date: Sat, 13 Jun 2015 13:40:38 -0400
Subject:
[Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
In-Reply-To: <20150612192502.GC27022@Jakubs-MacBook-Pro.local>
References: <20150612192502.GC27022@Jakubs-MacBook-Pro.local>
Message-ID: <1434217238.19670.2.camel@willson.usersys.redhat.com>

On Fri, 2015-06-12 at 21:25 +0200, Jakub Hrozek wrote:
> On Fri, Jun 12, 2015 at 11:32:58PM +0530, Prashant Bapat wrote:
> > Hi,
> >
> > Has anyone seen this ? When a user tries to scan the QR code he gets a
> > message saying "invalid barcode". This happens only with iPhone + Google
> > Authenticator.
>
> Google Authenticator or FreeOTP? This list might be a good place to ask
> about the latter, but not the former..

Well FreeIPA generates the barcode so we need to check if there is a
compatibility issue with google-authenticator too.

I think we have a report about the "case" used to generate some
algorithm names, that get embedded in the QR code:
https://fedorahosted.org/freeipa/ticket/5047

It may be the same issue here.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From janellenicole80 at gmail.com Sat Jun 13 23:04:19 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sat, 13 Jun 2015 16:04:19 -0700
Subject: [Freeipa-users] 4.x on CentOS 6?
Message-ID: <557CB6F3.1080808@gmail.com>

Hi everyone,

Does anyone know if it is possible to install the 4.1 ipa-CLIENT (not
the server - just the client) on a CentOS 6.6 system? My guess is this
is really just based on sssd, or am I missing something?

I would like to get OTP on 6.6 system, just not sure if that is possible.

Thank you
~Janelle

From richard at familjenklar.se Sun Jun 14 18:53:51 2015
From: richard at familjenklar.se (richard)
Date: Sun, 14 Jun 2015 20:53:51 +0200
Subject: [Freeipa-users] stickybits and freeipa
Message-ID: <0e1593d891ae5e97c536816431d36bf1@www.familjenklar.se>

Hi,

We are about to implement freeipa in our environment. During some tests we
have discovered problems when we are trying to run scripts with the suid
bit set.
It looks like the system is trying to authenticate the suid user against
freeipa, but since the suid user doesn't have a valid ticket, the script
will not run.

I would need some help to get around this problem. Is it possible to
configure a keytab for the suid user so that this user always has a valid
ticket?

// Richard

From rcritten at redhat.com Sun Jun 14 21:22:09 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 14 Jun 2015 17:22:09 -0400
Subject: [Freeipa-users] 4.x on CentOS 6?
In-Reply-To: <557CB6F3.1080808@gmail.com>
References: <557CB6F3.1080808@gmail.com>
Message-ID: <557DF081.5040504@redhat.com>

Janelle wrote:
> Hi everyone,
>
> Does anyone know if it is possible to install the 4.1 ipa-CLIENT (not
> the server - just the client) on a CentOS 6.6 system? My guess is this
> is really just based on sssd, or am I missing something?
>
> I would like to get OTP on 6.6 system, just not sure if that is possible.

Right, you really need a newer sssd and I don't know if that is possible.
The ipa-client package is really just a small script to get the client
system configured, sssd does all the heavy lifting after that.

rob

From abokovoy at redhat.com Mon Jun 15 06:00:28 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 15 Jun 2015 09:00:28 +0300
Subject: [Freeipa-users] 4.x on CentOS 6?
In-Reply-To: <557DF081.5040504@redhat.com>
References: <557CB6F3.1080808@gmail.com> <557DF081.5040504@redhat.com>
Message-ID: <20150615060028.GH4402@redhat.com>

On Sun, 14 Jun 2015, Rob Crittenden wrote:
>Janelle wrote:
>>Hi everyone,
>>
>>Does anyone know if it is possible to install the 4.1 ipa-CLIENT (not
>>the server - just the client) on a CentOS 6.6 system? My guess is this
>>is really just based on sssd, or am I missing something?
>>
>>I would like to get OTP on 6.6 system, just not sure if that is possible.
>
>Right, you really need a newer sssd and I don't know if that is
>possible.
>The ipa-client package is really just a small script to get
>the client system configured, sssd does all the heavy lifting after
>that.
It is more than that, you have to have newer Kerberos libraries as well.

-- 
/ Alexander Bokovoy

From mkosek at redhat.com Mon Jun 15 06:39:56 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 15 Jun 2015 08:39:56 +0200
Subject: [Freeipa-users] Is something.local hostname possible
In-Reply-To: <557AFD5C.5000906@utsa.edu>
References: <557AFD5C.5000906@utsa.edu>
Message-ID: <557E733C.7030308@redhat.com>

On 06/12/2015 05:40 PM, James Benson wrote:
> Hi all,
> I'm trying to duplicate freeIPA on a local host but I keep on getting errors,
> primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone tried
> this before and succeeded or have suggestions?
> Thanks
>
> James

What do you mean by "duplicate freeIPA on a local host"? Anyway, when I do tests, I rather use hostnames like "ipa.f22.test", it is also local.

From lslebodn at redhat.com Mon Jun 15 07:32:31 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 15 Jun 2015 09:32:31 +0200
Subject: [Freeipa-users] 4.x on CentOS 6?
In-Reply-To: <557CB6F3.1080808@gmail.com>
References: <557CB6F3.1080808@gmail.com>
Message-ID: <20150615073230.GC24024@mail.corp.redhat.com>

On (13/06/15 16:04), Janelle wrote:
>Hi everyone,
>
>Does anyone know if it is possible to install the 4.1 ipa-CLIENT (not the
>server - just the client) on a CentOS 6.6 system? My guess is this is really
>just based on sssd, or am I missing something?
>
If you want newer version of sssd you can test backported version from fedora.
Here is a COPR repo [1]. It is a stable branch sssd-1.12, so it contains many fixes for bugs in el 6.6.

>I would like to get OTP on 6.6 system, just not sure if that is possible.
>
IIRC you would need support for OTP in Kerberos as well. So you would need to backport it yourself or to find newer packages somewhere.
LS

[1] https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

From pspacek at redhat.com Mon Jun 15 07:47:26 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 15 Jun 2015 09:47:26 +0200
Subject: [Freeipa-users] Is something.local hostname possible
In-Reply-To: <557AFD5C.5000906@utsa.edu>
References: <557AFD5C.5000906@utsa.edu>
Message-ID: <557E830E.8070708@redhat.com>

On 12.6.2015 17:40, James Benson wrote:
> Hi all,
> I'm trying to duplicate freeIPA on a local host but I keep on getting errors,
> primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone
> tried this before and succeeded or have suggestions?
> Thanks

Please do not use .local, it is reserved for multicast DNS. General rules are described in Deployment Considerations for FreeIPA:
http://www.freeipa.org/page/Deployment_Recommendations#DNS

This is in line with other popular recommendations like e.g.
http://serverfault.com/questions/17255/top-level-domain-domain-suffix-for-private-network

If you need an 'internal' name and you own e.g. 'mydomain.example' then use something like 'int.mydomain.example' and configure your DNS server to answer for domain 'int.mydomain.example' only if clients are in the internal network.

-- 
Petr^2 Spacek

From tompos at martos.bme.hu Mon Jun 15 13:21:02 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Mon, 15 Jun 2015 15:21:02 +0200
Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?
In-Reply-To: <55783C94.9040109@redhat.com>
References: <55783911.5060608@martos.bme.hu> <55783C94.9040109@redhat.com>
Message-ID: <557ED13E.4010706@martos.bme.hu>

On 06/10/2015 03:33 PM, Martin Kosek wrote:
> On 06/10/2015 03:18 PM, Tamas Papp wrote:
>> hi,
>>
>> Currently there are CentOS 6.5 servers and IPA 3.0.
>>
>> The goal is migrating users to CentOS 7.1 and IPA 4.1.
>>
>> This is the command I use:
>>
>>
>> $ ipa migrate-ds ldap://ipa11 --user-container=cn=users,cn=accounts,dc=foo
>> --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo --with-compat <
>> ~/.pw.manager
>>
>>
>> Users are migrated successfully but password must be reset, otherwise they
>> cannot logon. Any idea, what's going on?
> My guess is that their Kerberos key is also migrated. The key is not valid on
> the new installation as also Kerberos master key is different. So I would
> suggest stripping the users from their Kerberos attributes first.
>
> Some advice here:
> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>
>> I also have a bonus question.
>> How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
>> export/import it as ldif and that's all?
> Hmm, this should be all. Except if the users were members of for example roles
> or privileges, you would need to migrate that membership too as mere presence
> of memberOf attribute in the sys account will not be enough.

hi,

Eventually this still doesn't work as expected.
After migrating users they cannot login to the webui. However after logging in successfully without kerberos, in other words in a service bound to the ldap server, they can login fine on the webui too.

It's enough in our case, but normally it's not OK, I guess.

10x
tamas

From janellenicole80 at gmail.com Mon Jun 15 13:22:09 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 15 Jun 2015 06:22:09 -0700
Subject: [Freeipa-users] Migration error?
Message-ID: <557ED181.4070103@gmail.com>

Good morning and happy Monday,

I have a strange problem. Wondering if anyone has seen this before in trying to run an ipa migrate-ds?

ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

The migration worked previously, but now, in order to try and update some missing accounts that were added, now it no longer works and generates this error.
I can't find any way to get verbose information to find out what it is finding "2" of?

Any help is appreciated.
~Janelle

From simo at redhat.com Mon Jun 15 13:34:41 2015
From: simo at redhat.com (Simo Sorce)
Date: Mon, 15 Jun 2015 09:34:41 -0400
Subject: [Freeipa-users] stickybits and freeipa
In-Reply-To: <0e1593d891ae5e97c536816431d36bf1@www.familjenklar.se>
References: <0e1593d891ae5e97c536816431d36bf1@www.familjenklar.se>
Message-ID: <1434375281.22266.5.camel@willson.usersys.redhat.com>

On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
> Hi,
>
> We are about to implement freeipa in our environment.
> During some tests we have discovered problems when we are trying to
> run scripts with the suid bit set.
> It looks like the system is trying to authenticate the suid user against
> freeipa, but since the suid user doesn't have a valid ticket, the
> script will not run.
> I would need some help to get around this problem.
>
> Is it possible to configure a keytab for the suid user so that this user
> always has a valid ticket?

Hi Richard,
it is unclear to me what problem you are having.
Can you provide some log or output you receive when running commands that do not work as you expect ?

The kernel doesn't really care (nor try) to authenticate users when the suid bit is set, so there must be some other component involved that is causing you trouble.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Jun 15 13:36:51 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Jun 2015 09:36:51 -0400
Subject: [Freeipa-users] Migration error?
In-Reply-To: <557ED181.4070103@gmail.com>
References: <557ED181.4070103@gmail.com>
Message-ID: <557ED4F3.10603@redhat.com>

Janelle wrote:
> Good morning and happy Monday,
>
> I have a strange problem. Wondering if anyone has seen this before in
> trying to run an ipa migrate-ds?
>
> ipa: ERROR: The search criteria was not specific enough. Expected 1 and
> found 2.
>
> The migration worked previously, but now, in order to try and update
> some missing accounts that were added, now it no longer works and
> generates this error. I can't find any way to get verbose information to
> find out what it is finding "2" of?

Usually means there is a replication conflict entry. You may be able to get more details on what failed by looking at the LDAP access log of both LDAP servers, though I guess I'd expect this happened locally on the IPA box.

rob

From gjn at gjn.priv.at Mon Jun 15 16:55:20 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Mon, 15 Jun 2015 18:55:20 +0200
Subject: [Freeipa-users] direct ldap connect from dovecot
Message-ID: <4197157.CVltobmD3u@techz>

Hello,

is it possible to connect direct to the ldap from a program like dovecot?

I have big "auth" problems with my setup?

with cn=admin,cn=users,cn=accounts,dc=xxxx,dc=xxxxx
and password from admin this is not working

I don't know the 386 server :-(, in the moment I have to learn much more ;-).

When any can help, Thank you

-- 
mit freundlichen Grüssen / best regards,

Günther J. Niederwimmer

From rcritten at redhat.com Mon Jun 15 17:20:32 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Jun 2015 13:20:32 -0400
Subject: [Freeipa-users] direct ldap connect from dovecot
In-Reply-To: <4197157.CVltobmD3u@techz>
References: <4197157.CVltobmD3u@techz>
Message-ID: <557F0960.8020306@redhat.com>

Günther J. Niederwimmer wrote:
> Hello,
>
> is it possible to connect direct to the ldap from a program like dovecot?
>
> I have big "auth" problems with my setup?
>
> with cn=admin,cn=users,cn=accounts,dc=xxxx,dc=xxxxx
> and password from admin this is not working
>
> I don't know the 386 server :-(, in the moment I have to learn much more ;-).
>
> When any can help, Thank you
>

First, have you looked at http://www.freeipa.org/page/Dovecot_Integration ?
If you're still having problems, a lot more information is necessary, like what does your dovecot configuration look like? What errors are you getting? What does the 389-ds access log say about the searches being done, etc.

rob

From janellenicole80 at gmail.com Mon Jun 15 19:26:57 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 15 Jun 2015 12:26:57 -0700
Subject: [Freeipa-users] Migration error?
In-Reply-To: <557ED4F3.10603@redhat.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com>
Message-ID: <557F2701.20505@gmail.com>

On 6/15/15 6:36 AM, Rob Crittenden wrote:
> Janelle wrote:
>> Good morning and happy Monday,
>>
>> I have a strange problem. Wondering if anyone has seen this before in
>> trying to run an ipa migrate-ds?
>>
>> ipa: ERROR: The search criteria was not specific enough. Expected 1 and
>> found 2.
>>
>> The migration worked previously, but now, in order to try and update
>> some missing accounts that were added, now it no longer works and
>> generates this error. I can't find any way to get verbose information to
>> find out what it is finding "2" of?
>
> Usually means there is a replication conflict entry. You may be able
> to get more details on what failed by looking at the LDAP access log
> of both LDAP servers, though I guess I'd expect this happened locally
> on the IPA box.
>
> rob
>
I found the problem, but now when trying to re-init from a good server using ipa-replica-manage re-initialize, I get:

TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

But how does THIS happen??
~J

From rcritten at redhat.com Mon Jun 15 20:12:13 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Jun 2015 16:12:13 -0400
Subject: [Freeipa-users] Migration error?
In-Reply-To: <557F2701.20505@gmail.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com>
Message-ID: <557F319D.9010908@redhat.com>

Janelle wrote:
> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Good morning and happy Monday,
>>>
>>> I have a strange problem. Wondering if anyone has seen this before in
>>> trying to run an ipa migrate-ds?
>>>
>>> ipa: ERROR: The search criteria was not specific enough. Expected 1 and
>>> found 2.
>>>
>>> The migration worked previously, but now, in order to try and update
>>> some missing accounts that were added, now it no longer works and
>>> generates this error. I can't find any way to get verbose information to
>>> find out what it is finding "2" of?
>>
>> Usually means there is a replication conflict entry. You may be able
>> to get more details on what failed by looking at the LDAP access log
>> of both LDAP servers, though I guess I'd expect this happened locally
>> on the IPA box.
>>
>> rob
>>
> I found the problem, but now when trying to re-init from a good server
> using ipa-replica-manage re-initialize, I get:
>
> TLS error -8172:Peer's certificate issuer has been marked as not trusted
> by the user.
>
> But how does THIS happen??
> ~J

I don't know, I'd be curious to know if you can tell more context around where it failed (it may be opaque, or at least you'd have to dig carefully through both access logs to find it).

The first thing that happens is the agreement is looked up on both sides, then both sides are enabled, then a force sync is done, then replication is reinitialized. It could blow up at any point.

Given that it sounds like you are deploying multiple IPA installations, potentially with the same realm name, is it possible that you reinitialized from a master unknown to the server (e.g. in a different IPA install)? That or the 389-ds NSS database on one side or another was modified somehow.
It must have worked at one time because TLS is used for replication during the installation.

rob

From janellenicole80 at gmail.com Tue Jun 16 03:07:36 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 15 Jun 2015 20:07:36 -0700
Subject: [Freeipa-users] Migration error?
In-Reply-To: <557F319D.9010908@redhat.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com>
Message-ID: <557F92F8.5020108@gmail.com>

On 6/15/15 1:12 PM, Rob Crittenden wrote:
> Janelle wrote:
>> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>>>
>>> Usually means there is a replication conflict entry. You may be able
>>> to get more details on what failed by looking at the LDAP access log
>>> of both LDAP servers, though I guess I'd expect this happened locally
>>> on the IPA box.
>>>

Hi again,

I have been trying to follow this procedure for replication conflicts regarding "nsds5ReplConflict", where I had the two account duplicates, but no matter what, I still get:

modifying rdn of entry "nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com"
ldap_rename: Constraint violation
    additional info: Another entry with the same attribute value already exists (attribute: "uid")

When I am trying to run the modrdn (ldapmodify) command? Which simply refuses to work. I have been at it for over a week now with no luck. I think this is the last of my issues causing my replication problems. What caused this is that I do have multiple helpdesk personnel that had been updating user accounts. This process has been resolved, but we can't seem to remove the last few duplicates.

Any suggestions? Is there a missing step in conflict resolution perhaps?

~J

From lkrispen at redhat.com Tue Jun 16 07:02:55 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 16 Jun 2015 09:02:55 +0200
Subject: [Freeipa-users] Migration error?
In-Reply-To: <557F92F8.5020108@gmail.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com> <557F92F8.5020108@gmail.com>
Message-ID: <557FCA1F.5000605@redhat.com>

On 06/16/2015 05:07 AM, Janelle wrote:
> On 6/15/15 1:12 PM, Rob Crittenden wrote:
>> Janelle wrote:
>>> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>>>>
>>>> Usually means there is a replication conflict entry. You may be able
>>>> to get more details on what failed by looking at the LDAP access log
>>>> of both LDAP servers, though I guess I'd expect this happened locally
>>>> on the IPA box.
>>>>
>
> Hi again,
>
> I have been trying to follow this procedure for replication conflicts
> regarding "nsds5ReplConflict", where I had the two account duplicates,
> but no matter what, I still get:
>
> modifying rdn of entry
> "nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com"
> ldap_rename: Constraint violation
>     additional info: Another entry with the same attribute value
> already exists (attribute: "uid")
>
> When I am trying to run the modrdn (ldapmodify) command? Which simply
> refuses to work. I have been at it for over a week now with no luck.
> I think this is the last of my issues causing my replication problems.
> What caused this is that I do have multiple helpdesk personnel that
> had been updating user accounts. This process has been resolved, but
> we can't seem to remove the last few duplicates.
>
> Any suggestions? Is there a missing step in conflict resolution perhaps?

These entries are already a result of conflict resolution. If you add the same entry simultaneously on two servers (meaning add it on A and add it on B before B has received the replicated add from A), there exist two entries with the same dn, which is not possible. So conflict resolution does not arbitrarily throw one away, but renames it and leaves it to the admin which one to keep.
So you should have one entry uid=janelle,... and one nsuniqueid=nnnn+uid=janelle,.... You can delete the nsuniqueid=nnnn entry to get rid of it.

There is a request to hide these nsuniqueid+uid entries from regular searches, it will be in a next release of 389

Ludwig

>
> ~J
>
>
>
>

From henry.hofmann at osthus.com Tue Jun 16 07:34:47 2015
From: henry.hofmann at osthus.com (Henry Hofmann)
Date: Tue, 16 Jun 2015 07:34:47 +0000
Subject: [Freeipa-users] Question for AD trust and Webservices
Message-ID: <74263835052DD843AEBD010BD87EE8DE14954A@win10004.member.osthus.de>

Hi,

I have a question about using IPA (v.4) with an AD (2012) Trust.
Is it possible to login with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP?

I have understood this by reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).

===
Henry Hofmann

From pspacek at redhat.com Tue Jun 16 08:35:07 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 16 Jun 2015 10:35:07 +0200
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE14954A@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE14954A@win10004.member.osthus.de>
Message-ID: <557FDFBB.70400@redhat.com>

On 16.6.2015 09:34, Henry Hofmann wrote:
> Hi,
>
> I have a question about using IPA (v.4) with an AD (2012) Trust.
> Is it possible to login with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP?
>
> I have understood this by reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).

Best solution is to use something like this:
http://www.freeipa.org/page/Web_App_Authentication

Alternatively you should be able to treat web application as 'legacy' LDAP client (which is not trust-aware) and use so-called compat tree.

Please see presentation: "AD Trust for Legacy Clients" by Tomas Babej:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf

-- 
Petr^2 Spacek

From tbordaz at redhat.com Tue Jun 16 08:56:51 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 16 Jun 2015 10:56:51 +0200
Subject: [Freeipa-users] Migration error?
In-Reply-To: <557FCA1F.5000605@redhat.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com> <557F92F8.5020108@gmail.com> <557FCA1F.5000605@redhat.com>
Message-ID: <557FE4D3.9050502@redhat.com>

On 06/16/2015 09:02 AM, Ludwig Krispenz wrote:
>
> On 06/16/2015 05:07 AM, Janelle wrote:
>> On 6/15/15 1:12 PM, Rob Crittenden wrote:
>>> Janelle wrote:
>>>> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>>>>>
>>>>> Usually means there is a replication conflict entry. You may be able
>>>>> to get more details on what failed by looking at the LDAP access log
>>>>> of both LDAP servers, though I guess I'd expect this happened locally
>>>>> on the IPA box.
>>>>>
>>
>> Hi again,
>>
>> I have been trying to follow this procedure for replication conflicts
>> regarding "nsds5ReplConflict", where I had the two account
>> duplicates, but no matter what, I still get:
>>
>> modifying rdn of entry
>> "nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com"
>> ldap_rename: Constraint violation
>>     additional info: Another entry with the same attribute value
>> already exists (attribute: "uid")
>>
>> When I am trying to run the modrdn (ldapmodify) command? Which
>> simply refuses to work. I have been at it for over a week now with no
>> luck. I think this is the last of my issues causing my replication
>> problems. What caused this is that I do have multiple helpdesk
>> personnel that had been updating user accounts. This process has been
>> resolved, but we can't seem to remove the last few duplicates.
>>
>> Any suggestions? Is there a missing step in conflict resolution perhaps?
> These entries are already a result of conflict resolution. If you add
> the same entry simultaneously on two servers (meaning add it on A and
> add it on B before B has received the replicated add from A), there
> exist two entries with the same dn, which is not possible. So conflict
> resolution does not arbitrarily throw one away, but renames it and
> leaves it to the admin which one to keep. So you should have one entry
> uid=janelle,... and one nsuniqueid=nnnn+uid=janelle,....

The error you get is coming from 'uid uniqueness'. Like Ludwig mentioned, there exist duplicated entries, both of them with 'uid=janelle'. The 'uid uniqueness' plugin prevents you from doing a direct MODRDN on one of them because it finds a duplicated 'uid=janelle'.

> You can delete the nsuniqueid=nnnn entry to get rid of it.
+1

thierry

>
> There is a request to hide these nsuniqueid+uid entries from regular
> searches, it will be in a next release of 389
>
> Ludwig
>>
>> ~J
>>
>>
>>
>>
>

From henry.hofmann at osthus.com Tue Jun 16 09:43:00 2015
From: henry.hofmann at osthus.com (Henry Hofmann)
Date: Tue, 16 Jun 2015 09:43:00 +0000
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <557FDFBB.70400@redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE14954A@win10004.member.osthus.de> <557FDFBB.70400@redhat.com>
Message-ID: <74263835052DD843AEBD010BD87EE8DE1495ED@win10004.member.osthus.de>

I understand this is for applications which are using Kerberos.
I have some web applications like "redmine" and "owncloud" which have their own user management. They need to be configured to LDAP to grant authorizations without Kerberos. And not all of them use apache or tomcat as application server.

Henry

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: Dienstag, 16. Juni 2015 10:35
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Question for AD trust and Webservices

On 16.6.2015 09:34, Henry Hofmann wrote:
> Hi,
>
> I have a question about using IPA (v.4) with an AD (2012) Trust.
> Is it possible to login with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP?
>
> I have understood this by reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).

Best solution is to use something like this:
http://www.freeipa.org/page/Web_App_Authentication

Alternatively you should be able to treat web application as 'legacy' LDAP client (which is not trust-aware) and use so-called compat tree.
Please see presentation: "AD Trust for Legacy Clients" by Tomas Babej:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From Alexander.Frolushkin at megafon.ru Tue Jun 16 09:42:55 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Tue, 16 Jun 2015 09:42:55 +0000
Subject: [Freeipa-users] replication conflicts
Message-ID: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru>

Hello.

Just to remind if somebody is still not familiar with our IPA installation :)

We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.

And now, our new problem.

Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?

Maybe someone could explain how we can detect the cause of these replication conflicts?

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.

Thanks in forward...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

From pspacek at redhat.com Tue Jun 16 09:50:12 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 16 Jun 2015 11:50:12 +0200
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE1495ED@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE14954A@win10004.member.osthus.de> <557FDFBB.70400@redhat.com> <74263835052DD843AEBD010BD87EE8DE1495ED@win10004.member.osthus.de>
Message-ID: <557FF154.20402@redhat.com>

On 16.6.2015 11:43, Henry Hofmann wrote:
> I understand this is for applications which are using Kerberos.
> I have some web applications like "redmine" and "owncloud" which have their own user management. They need to be configured to LDAP to grant authorizations without Kerberos.
> And not all of them use apache or tomcat as application server.

Yes, use-cases with 'dumb' applications are covered by "AD Trust for Legacy Clients" presentation as mentioned below. It can be used for any standard-compliant LDAP client.

I hope this helps.

Petr^2 Spacek

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: Dienstag, 16. Juni 2015 10:35
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Question for AD trust and Webservices
>
> On 16.6.2015 09:34, Henry Hofmann wrote:
>> Hi,
>>
>> I have a question about using IPA (v.4) with an AD (2012) Trust.
>> Is it possible to login with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP?
>>
>> I have understood this by reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).
>
> Best solution is to use something like this:
> http://www.freeipa.org/page/Web_App_Authentication
>
> Alternatively you should be able to treat web application as 'legacy' LDAP client (which is not trust-aware) and use so-called compat tree.
>
> Please see presentation: "AD Trust for Legacy Clients" by Tomas Babej:
> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
>
> --
> Petr^2 Spacek

From lkrispen at redhat.com Tue Jun 16 09:51:54 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 16 Jun 2015 11:51:54 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru>
Message-ID: <557FF1BA.9040503@redhat.com>

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
>
> Hello.
>
> Just to remind if somebody is still not familiar with our IPA installation :)
>
> We currently have 18 IPA servers in the domain, on 8 sites in different
> regions across Russia.
>
> And now, our new problem.
>
> Regularly we are getting nsds5ReplConflict records on some of our
> servers, very often on servers from a specific site. Usually it is
> simply doubles and we can remove the renamed change to get
> everything back. But why do we have them at all?
>
> Maybe someone could explain how we can detect the cause of these
> replication conflicts?
>
If you are talking about having two "duplicate" entries, one: uid=xxxxx, one: nsuniqueid=nnnnnnnn+uid=xxxxx, these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers.
I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
To find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it.

>
> Sometimes it is moderately harmful, because, for example, HBAC stops
> working on a specific server while doubles are still present.
>
> Thanks in forward...
>
> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
>
>
> ------------------------------------------------------------------------
>

From Alexander.Frolushkin at megafon.ru Tue Jun 16 10:44:18 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Tue, 16 Jun 2015 10:44:18 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <557FF1BA.9040503@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com>
Message-ID: <77ef38b1f40b4d619d233706cefa482b@sib-ums03.Megafon.ru>

It looks like our duplicates have some "internal" source, its source is not a client system, but one of our IPA servers.
Is it possible to get such duplicate records in combination of replication "multipath" and some clock skew (it is not ideally synchronized because of very big distances between sites)?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
Hello.

Just to remind if somebody is still not familiar with our IPA installation :)

We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.

And now, our new problem.

Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site.
Usually it is simply a doubles and we can remove the renamed change to get everything back. But why do we have them at all? May be someone could explain, how we can detect the cause of this replication conflicts? if you are talking about having two "duplicate" entries, one: uid=xxxxx, one: nsuniqueid=nnnnnnnn+uid=xxxxx, these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server. to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it Sometime it is moderately harmful, because, for example HBAC stops working on specific server while doubles still present. Thanks in forward... WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. 
If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 -------------- next part -------------- An HTML attachment was scrubbed... 
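Ludwig's advice above is to check on which server each of the two entries was originally added and which client did it. The 389-ds access log is where that answer lives: every ADD is logged against a connection, and the connection's open line carries the client address while the bind lines carry the identity. The script below is an added example, not code from this thread or from 389-ds/FreeIPA. It walks an access log, lists every ADD of a given DN (with or without the nsuniqueid conflict RDN) together with the source address and bind identity, and marks an ADD that came in from one of your own servers as a replicated update rather than the original client write. The log lines are constructed in the 389-ds access log shape; the addresses, DNs and the `peer_ips` set (the addresses of your own IPA servers) are assumptions to replace with your own values.

```python
"""Find where a later-conflicting entry was originally added, from 389-ds access logs.

Added example, not from the list thread or from 389-ds/FreeIPA.  The sample log
is constructed in the 389-ds access log format; addresses, DNs and the peer list
are placeholders, not values from any real deployment.
"""
import re

# Line shapes we care about: connection open, BIND, ADD, RESULT.
CONN_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
    r'(?:SSL )?connection from (?P<src>\S+) to ')
BIND_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)"')
ADD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) ADD dn="(?P<dn>[^"]*)"')
# For SASL (GSSAPI) binds the resolved identity is reported on the RESULT line.
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=(?P<tag>\d+)(?:.*? dn="(?P<dn>[^"]*)")?')
CONFLICT_RDN_RE = re.compile(r'^nsuniqueid=[0-9a-f-]+\+', re.IGNORECASE)


def normalize_dn(dn):
    """Cheap DN normalisation: lower-case, no whitespace around commas."""
    return re.sub(r'\s*,\s*', ',', dn.strip()).lower()


def strip_conflict_rdn(dn):
    """'nsuniqueid=...+uid=jdoe,...' -> 'uid=jdoe,...' so both copies compare equal."""
    return CONFLICT_RDN_RE.sub('', dn.strip())


def find_adds(log_text, target_dn, peer_ips=frozenset()):
    """One record per ADD of target_dn, with the connection's source and bind identity.

    An ADD from an address in peer_ips arrived over replication from another server;
    any other ADD is where the entry was *originally* written, i.e. the client to look at.
    """
    want = normalize_dn(strip_conflict_rdn(target_dn))
    conns, pending, hits = {}, {}, []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[m['conn']] = {'client': m['src'], 'bind_dn': '(anonymous)'}
            continue
        m = BIND_RE.match(line)
        if m:
            conns.setdefault(m['conn'], {'client': '?', 'bind_dn': ''})
            conns[m['conn']]['bind_dn'] = m['dn'] or '(anonymous)'
            continue
        m = ADD_RE.match(line)
        if m:
            if normalize_dn(strip_conflict_rdn(m['dn'])) != want:
                continue
            info = conns.get(m['conn'], {'client': '?', 'bind_dn': '?'})
            rec = {'ts': m['ts'], 'conn': m['conn'], 'dn': m['dn'],
                   'client': info['client'], 'bind_dn': info['bind_dn'],
                   'origin': 'replication peer' if info['client'] in peer_ips else 'client',
                   'err': None}
            pending[(m['conn'], m['op'])] = rec      # err filled in by the RESULT line
            hits.append(rec)
            continue
        m = RESULT_RE.match(line)
        if m:
            key = (m['conn'], m['op'])
            if key in pending:
                pending.pop(key)['err'] = int(m['err'])
            elif m['tag'] == '97' and m['dn'] and m['conn'] in conns:
                conns[m['conn']]['bind_dn'] = m['dn']   # SASL bind: identity on RESULT
    return hits


# Constructed sample: a client adds uid=jdoe here; seconds later the same DN arrives
# again over the replication connection from a peer (10.20.0.2), which is what yields
# the nsuniqueid+uid copy.  Addresses and DNs are placeholders.
SAMPLE_ACCESS_LOG = """\
[16/Jun/2015:11:40:01 +0200] conn=101 fd=64 slot=64 connection from 10.20.0.15 to 10.20.0.1
[16/Jun/2015:11:40:01 +0200] conn=101 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/Jun/2015:11:40:01 +0200] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[16/Jun/2015:11:40:02 +0200] conn=101 op=1 ADD dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
[16/Jun/2015:11:40:02 +0200] conn=101 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[16/Jun/2015:11:40:02 +0200] conn=101 op=2 ADD dn="uid=other,cn=users,cn=accounts,dc=example,dc=com"
[16/Jun/2015:11:40:02 +0200] conn=101 op=2 RESULT err=0 tag=105 nentries=0 etime=0
[16/Jun/2015:11:40:09 +0200] conn=102 fd=65 slot=65 SSL connection from 10.20.0.2 to 10.20.0.1
[16/Jun/2015:11:40:09 +0200] conn=102 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Jun/2015:11:40:09 +0200] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/ipa2.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
[16/Jun/2015:11:40:10 +0200] conn=102 op=1 ADD dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
[16/Jun/2015:11:40:10 +0200] conn=102 op=1 RESULT err=0 tag=105 nentries=0 etime=0
"""

if __name__ == '__main__':
    # Assumed: 10.20.0.2 is one of our own IPA servers, i.e. a replication peer.
    for rec in find_adds(SAMPLE_ACCESS_LOG,
                         'uid=jdoe,cn=users,cn=accounts,dc=example,dc=com',
                         peer_ips={'10.20.0.2'}):
        print(f"{rec['ts']} conn={rec['conn']} {rec['origin']:16} "
              f"from {rec['client']} as {rec['bind_dn']} err={rec['err']}")
```

Run it against the access log of each server that holds a copy: the server whose ADD did not come from a peer is where the entry was first written, and the `client`/`bind_dn` pair on that record is the client (or, for GSSAPI-bound IPA components, the service principal) to investigate. A real GSSAPI bind spans several BIND/RESULT lines; the sample collapses it to one exchange.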
From lkrispen at redhat.com Tue Jun 16 11:30:27 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 16 Jun 2015 13:30:27 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <77ef38b1f40b4d619d233706cefa482b@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <77ef38b1f40b4d619d233706cefa482b@sib-ums03.Megafon.ru>
Message-ID: <558008D3.2060408@redhat.com>

On 06/16/2015 12:44 PM, Alexander Frolushkin wrote:
>
> It looks like our duplicates have some "internal" source; its source is not a client system, but one of our IPA servers.
>
to get these kind of conflict two servers have to be involved
if you say internal source, what kind of entries are affected ? do you mean these entries are created internally on server by a plugin ?
>
> Is it possible to get such duplicate records in combination of replication "multipath" and some clock skew (it is not ideally synchronized because of very big distances between sites)?
>
the clock skew should have no effect, the replication protocol additionally manages its own time used in generation of CSNs and tries to synchronize time, it could affect the order changes are applied during replication, but for these conflicts there have to be two independent ADDs
>
> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
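Alexander's practice in this thread is to remove the renamed copy, and in the "Migration error?" thread further down this page Ludwig and thierry spell out the two rules that matter: the server never discards a copy on its own, it renames one with the nsuniqueid RDN and leaves the choice to the admin, and while both copies exist the uid uniqueness plugin refuses a MODRDN, so the nsuniqueid copy is deleted rather than renamed. The script below is an added example, not code from either thread or from 389-ds/FreeIPA. It reads an LDIF dump of the affected container (for instance the output of ldapsearch -LLL over it), pairs each conflict entry with its original through the nsds5ReplConflict attribute, reports attributes in which the copy differs from the original so that nothing is deleted unseen, and emits ldapmodify input: a delete when the original is present, otherwise (Alexander's "record with no original one") a modrdn back to the original RDN. The sample LDIF is constructed; its DNs and nsuniqueid values are placeholders.

```python
"""Triage 389-ds naming-conflict entries and emit the LDIF that cleans them up.

Added example, not code from the list thread or from 389-ds/FreeIPA.  The
sample LDIF is constructed: the DNs and nsuniqueid values are made up.
"""
import base64
import re

# nsds5ReplConflict holds "namingConflict <original dn>"; newer 389-ds versions
# also insert the operation, e.g. "namingConflict (ADD) <dn>".
CONFLICT_RE = re.compile(r'^namingConflict\s+(?:\([A-Z]+\)\s+)?(?P<dn>.+)$')
IGNORED = {'nsds5replconflict', 'nsuniqueid'}   # legitimately differ between copies

def normalize_dn(dn):
    return re.sub(r'\s*,\s*', ',', dn.strip()).lower()

def _entry_from(lines):
    """One LDIF record -> (dn, {attr_lowercase: [values]})."""
    dn, attrs = None, {}
    for line in lines:
        if line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):                      # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        if name.lower() == 'dn':
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs

def parse_ldif(text):
    """Minimal reader for ldapsearch -LLL output (folded lines, base64 values)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]                   # continuation line
        else:
            unfolded.append(raw)
    entries, block = [], []
    for line in unfolded + ['']:                      # '' flushes the last record
        if line.strip():
            block.append(line)
        elif block:
            entries.append(_entry_from(block))
            block = []
    return [e for e in entries if e[0] is not None]

def differing_attrs(a, b):
    names = (set(a) | set(b)) - IGNORED
    return sorted(n for n in names if set(a.get(n, [])) != set(b.get(n, [])))

def plan_conflict_cleanup(ldif_text):
    """Original present -> delete the nsuniqueid copy (uid uniqueness blocks a MODRDN);
    no original -> rename the copy back.  'differences' = data lost by deleting."""
    entries = parse_ldif(ldif_text)
    by_dn = {normalize_dn(dn): attrs for dn, attrs in entries}
    actions = []
    for dn, attrs in entries:
        for marker in attrs.get('nsds5replconflict', []):
            m = CONFLICT_RE.match(marker)
            if not m:
                continue
            original = m['dn'].strip()
            orig_attrs = by_dn.get(normalize_dn(original))
            if orig_attrs is not None:
                actions.append({'dn': dn, 'original': original, 'action': 'delete',
                                'differences': differing_attrs(orig_attrs, attrs)})
            else:
                actions.append({'dn': dn, 'original': original, 'action': 'rename',
                                'newrdn': original.split(',', 1)[0], 'differences': []})
    return actions

def to_ldif(actions):
    """Render the plan as ldapmodify input; review it before applying."""
    out = []
    for a in actions:
        if a['action'] == 'delete':
            if a['differences']:
                out.append('# copy differs from original in: ' + ', '.join(a['differences']))
            out.append(f"dn: {a['dn']}\nchangetype: delete\n")
        else:
            out.append(f"dn: {a['dn']}\nchangetype: modrdn\nnewrdn: {a['newrdn']}\ndeleteoldrdn: 0\n")
            # the renamed entry still carries the conflict marker; drop it afterwards
            out.append(f"dn: {a['original']}\nchangetype: modify\ndelete: nsds5ReplConflict\n")
    return '\n'.join(out)

# Constructed sample: one conflict whose original exists (the copy carries an extra
# mail value), and one orphaned copy with no original on this server.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: jdoe

dn: nsuniqueid=11111111-22222222-33333333-44444444+uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: jdoe
mail: jdoe@example.com
nsds5ReplConflict: namingConflict uid=jdoe,cn=users,cn=accounts,dc=example,dc=com

dn: nsuniqueid=55555555-66666666-77777777-88888888+uid=asmith,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: asmith
cn:: QW5uYSBTbWl0aA==
nsds5ReplConflict: namingConflict uid=asmith,cn=users,cn=accounts,dc=example,dc=com
"""

if __name__ == '__main__':
    print(to_ldif(plan_conflict_cleanup(SAMPLE_LDIF)))
```

The `# copy differs` comment is the point of the exercise: when the copy holds values the original lacks (here a mail attribute), the admin decides whether to move them to the surviving entry before the delete runs. A conflict entry that does appear on every server with no original anywhere is a different situation from one that is orphaned on a single server, so run the triage per server and compare the plans before applying any of them.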
From Alexander.Frolushkin at megafon.ru Tue Jun 16 11:55:24 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Tue, 16 Jun 2015 11:55:24 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <558008D3.2060408@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <77ef38b1f40b4d619d233706cefa482b@sib-ums03.Megafon.ru> <558008D3.2060408@redhat.com>
Message-ID: <064413537b2a4d1fb0948e1571460a7b@sib-ums03.Megafon.ru>

One example of duplicate:
krbprincipalname=HTTP/nw-rhidm02.unix.megafon.ru at UNIX.MEGAFON.RU+nsuniqueid=5a726d95-0e9611e5-8418a085-d3870578,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru

the original one:
krbprincipalname=HTTP/nw-rhidm02.unix.megafon.ru at UNIX.MEGAFON.RU,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru

On three servers placed on one site we have such duplicates. On all other servers we have only the record with the normal name, with the content of the record which has "+nsuniqueid=5a726d95-0e9611e5-8418a085-d3870578" on the affected servers.
Plus we have one record with no original one, only a name with +nsuniqueid, and no such record on all other servers.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From janellenicole80 at gmail.com Tue Jun 16 12:08:35 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 16 Jun 2015 05:08:35 -0700
Subject: [Freeipa-users] Migration error?
In-Reply-To: <557FE4D3.9050502@redhat.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com> <557F92F8.5020108@gmail.com> <557FCA1F.5000605@redhat.com> <557FE4D3.9050502@redhat.com>
Message-ID: <039811AC-340E-4F8A-902F-D8F3C435781B@gmail.com>

On Jun 16, 2015, at 01:56, thierry bordaz wrote:
>
>> On 06/16/2015 09:02 AM, Ludwig Krispenz wrote:
>>
>>> On 06/16/2015 05:07 AM, Janelle wrote:
>>>> On 6/15/15 1:12 PM, Rob Crittenden wrote:
>>>> Janelle wrote:
>>>>>> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>>>>>>
>>>>>> Usually means there is a replication conflict entry. You may be able to get more details on what failed by looking at the LDAP access log of both LDAP servers, though I guess I'd expect this happened locally on the IPA box.
>>>
>>> Hi again,
>>>
>>> I have been trying to follow this procedure for replication conflicts regarding "nsds5ReplConflict", where I had the two account duplicates, but no matter what, I still get:
>>>
>>> modifying rdn of entry "nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com"
>>> ldap_rename: Constraint violation
>>> additional info: Another entry with the same attribute value already exists (attribute: "uid")
>>>
>>> when I am trying to run the modrdn (ldapmodify) command, which simply refuses to work. I have been at it for over a week now with no luck. I think this is the last of my issues causing my replication problems. What caused this is that I do have multiple helpdesk personnel that had been updating user accounts. This process has been resolved, but we can't seem to remove the last few duplicates.
>>>
>>> Any suggestions? Is there a missing step in conflict resolution perhaps?
>> these entries are already a result of conflict resolution. If you add the same entry simultaneously on two servers (meaning add it on A and add it on B before B has received the replicated add from A), there exist two entries with the same dn, which is not possible. So conflict resolution does not arbitrarily throw one away, but renames it and leaves it to the admin which one to keep. So you should have one entry
>> uid=janelle,... and one nsuniqueid=nnnn+uid=janelle,....
>
> The error you get is coming from 'uid uniqueness'. Like ludwig mentioned, there exist duplicated entries, both of them with 'uid=janelle'.
> The 'uid uniqueness' plugin prevents you from doing a direct MODRDN on one of them because it finds a duplicated 'uid=janelle'.
>> you can delete the nsuniqueid=nnnn entry to get rid of it.
> +1
>
> thierry
>>
>> There is a request to hide these nsuniqueid+uid entries from regular searches, it will be in a next release of 389
>>
>> Ludwig
>>>
>>> ~J
>
> --

But everything I try to delete fails. Is there a procedure in 389-DS I can read for this? Maybe I am missing an option in ldapmodify? I am happy to delete, if only it would let me.

~J

From lkrispen at redhat.com Tue Jun 16 12:18:50 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 16 Jun 2015 14:18:50 +0200
Subject: [Freeipa-users] Migration error?
In-Reply-To: <039811AC-340E-4F8A-902F-D8F3C435781B@gmail.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com> <557F92F8.5020108@gmail.com> <557FCA1F.5000605@redhat.com> <557FE4D3.9050502@redhat.com> <039811AC-340E-4F8A-902F-D8F3C435781B@gmail.com>
Message-ID: <5580142A.2060705@redhat.com>

On 06/16/2015 02:08 PM, Janelle wrote:
> On Jun 16, 2015, at 01:56, thierry bordaz wrote:
>>> you can delete the nsuniqueid=nnnn entry to get rid of it.
>> +1
>>
>> thierry
> But everything I try to delete fails. Is there a procedure in 389-DS I can read for this? Maybe I am missing an option in ldapmodify? I am happy to delete, if only it would let me.
hm, it should be straightforward:

ldapmodify -D ..
dn: nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com
changetype: delete

if it fails, what is the error you get ?
>
> ~J

From henry.hofmann at osthus.com Mon Jun 15 12:19:34 2015
From: henry.hofmann at osthus.com (Henry Hofmann)
Date: Mon, 15 Jun 2015 12:19:34 +0000
Subject: [Freeipa-users] Question for AD trust and Webservices
Message-ID: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de>

Hi,

I have a question about using IPA (v.4) with an AD (2012) Trust.
Is it possible to login with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP?
I have understood this from reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).

===
Henry Hofmann

From richard at familjenklar.se Tue Jun 16 12:50:35 2015
From: richard at familjenklar.se (richard)
Date: Tue, 16 Jun 2015 14:50:35 +0200
Subject: [Freeipa-users] stickybits and freeipa
In-Reply-To: <1434375281.22266.5.camel@willson.usersys.redhat.com>
References: <0e1593d891ae5e97c536816431d36bf1@www.familjenklar.se> <1434375281.22266.5.camel@willson.usersys.redhat.com>
Message-ID: <95518f99deb608a356cf51bcf98dab3f@www.familjenklar.se>

Hi,

I have made a trace with gdb, and this is the output from that.
So it looks like the suid user isn't found.

Program received signal SIGSEGV, Segmentation fault.
0x08518f44 in utilcuti_GetUsrid(void) ()
Missing separate debuginfos, use: debuginfo-install atk-2.10.0-1.fc20.i686 bzip2-libs-1.0.6-9.fc20.i686 cairo-1.13.1-0.1.git337ab1f.fc20.i686 expat-2.1.0-7.fc20.i686 fontconfig-2.11.0-2.fc20.i686 freetype-2.5.0-5.fc20.i686 gdk-pixbuf2-2.30.3-1.fc20.i686 glib2-2.38.2-2.fc20.i686 glibc-2.18-16.fc20.i686 gtk2-2.24.24-2.fc20.i686 harfbuzz-0.9.27-1.fc20.i686 jbigkit-libs-2.0-10.fc20.i686 libX11-1.6.1-1.fc20.i686 libXau-1.0.8-2.fc20.i686 libXcomposite-0.4.4-4.fc20.i686 libXcursor-1.1.14-2.fc20.i686 libXdamage-1.1.4-4.fc20.i686 libXext-1.3.2-2.fc20.i686 libXfixes-5.0.1-2.fc20.i686 libXi-1.7.4-1.fc20.i686 libXinerama-1.1.3-2.fc20.i686 libXrandr-1.4.1-2.fc20.i686 libXrender-0.9.8-2.fc20.i686 libXxf86vm-1.1.3-2.fc20.i686 libdrm-2.4.58-1.fc20.i686 libffi-3.0.13-5.fc20.i686 libgcc-4.8.3-7.fc20.i686 libjpeg-turbo-1.3.1-2.fc20.i686 libpng-1.6.6-3.fc20.i686 libpng12-1.2.50-6.fc20.i686 libselinux-2.2.1-6.fc20.i686 libwayland-client-1.2.0-3.fc20.i686 libwayland-server-1.2.0-3.fc20.i686 libxcb-1.9.1-3.fc20.i686 mesa-libEGL-10.3.3-1.20141110.fc20.i686 mesa-libGL-10.3.3-1.20141110.fc20.i686 mesa-libgbm-10.3.3-1.20141110.fc20.i686 mesa-libglapi-10.3.3-1.20141110.fc20.i686 pango-1.36.1-3.fc20.i686 pcre-8.33-7.fc20.i686 pixman-0.30.0-5.fc20.i686 xz-libs-5.1.2-12alpha.fc20.i686 zlib-1.2.8-3.fc20.i686
(gdb) bt
#0  0x08518f44 in utilcuti_GetUsrid(void) ()
#1  0x0839b8a5 in BuildLockInfo(char const *, char, char *, char const *, char *, char const *) ()
#2  0x0839dc51 in lock_LockFile(char const *, char, short, char *, char const *, char const *, char const *, char const *, char *, char const *, char *) ()
#3  0x083a02c3 in FILE_RESOURCE::DAVLock(JSTRING const &, int) ()
#4  0x083c1e34 in ARCHIVE_RESOURCE::Lock(JSTRING const &, int) ()
#5  0x0839fd20 in FILE_RESOURCE::DAVDelete(void) ()
#6  0x083c17d4 in ARCHIVE_RESOURCE::Delete(void) ()
#7  0x083b3854 in Document::Delete(void) ()
#8  0x083bdf93 in TMP_OSBUFF::~TMP_OSBUFF(void) ()
#9  0x083be1e1 in EXCOML_BUFFER_CHANNEL::~EXCOML_BUFFER_CHANNEL(void) ()
#10 0x083ca4db in TEXT_FORMAT_PARSER::~TEXT_FORMAT_PARSER(void) ()
#11 0x085270a4 in READ_CHANNEL::READER_NODE::~READER_NODE(void) ()
#12 0x085271ab in READ_CHANNEL::~READ_CHANNEL(void) ()
#13 0x083bf754 in DOCUMENT_READER::~DOCUMENT_READER(void) ()
#14 0x08378100 in TREE_FROM_DOC::~TREE_FROM_DOC(void) ()
#15 0x081b2aee in EXECUTECMD::File(PSTRING const &, PSTRING const &) ()
#16 0x081b3a4e in EXECUTECMD::Link(PSTRING const &, PSTRING const &) ()
#17 0x0825d010 in ECL_COMMAND::OtherExecute(void) ()
#18 0x08267be4 in ECL_COMMAND::Execute(EXPR_DICT *) ()
#19 0x08247d0e in ECL_REPEAT::Execute(EXPR_DICT *) ()
#20 0x082472ed in lang_TreeExecute(ECL_TREE *, EXPR_DICT *) ()
#21 0x081af72b in KEY_T::Execute(void) ()
#22 0x081b3f26 in EXECUTECMD::Function(PSTRING const &, PSTRING const &, int, JSTRING const &) ()
#23 0x08059106 in EXCO::Initiate(void) ()
#24 0x0805a355 in EXCO::Edit(void) ()
#25 0x080544f5 in main ()

// Richard

2015-06-15 15:34 Simo Sorce wrote:
> On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
>> Hi,
>>
>> We are about to implement freeipa in our environment.
>> During some tests we have discovered problems when we are trying to run scripts with the suid bit set.
>> It looks like the system is trying to authenticate the suid user against freeipa, but since the suid user doesn't have a valid ticket, the script will not run.
>> I would need some help to get around this problem.
>>
>> Is it possible to configure a keytab for the suid user so that this user always has a valid ticket?
>
> Hi Richard,
> it is unclear to me what problem you are having.
>
> Can you provide some log or output you receive when running commands that do not work as you expect ?
>
> The kernel doesn't really care (nor try) to authenticate users when the suid bit is set, so there must be some other component involved that is causing you trouble.
>
> Simo.
From simo at redhat.com Tue Jun 16 13:01:02 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 16 Jun 2015 09:01:02 -0400
Subject: [Freeipa-users] stickybits and freeipa
In-Reply-To: <95518f99deb608a356cf51bcf98dab3f@www.familjenklar.se>
References: <0e1593d891ae5e97c536816431d36bf1@www.familjenklar.se> <1434375281.22266.5.camel@willson.usersys.redhat.com> <95518f99deb608a356cf51bcf98dab3f@www.familjenklar.se>
Message-ID: <1434459662.2716.8.camel@willson.usersys.redhat.com>

On Tue, 2015-06-16 at 14:50 +0200, richard wrote:
> Hi,
>
> I have made a trace with gdb, and this is the output from that.
> So it looks like the suid user isn't found.

Hi Richard,
this looks like a bug in the application you are using, as a failure to
look up a user (if that is the case) should never end up with a segfault.

I would contact that application developer and file a bug with them.

Simo.

> Program received signal SIGSEGV, Segmentation fault.
> 0x08518f44 in utilcuti_GetUsrid(void) ()
> Missing separate debuginfos, use: debuginfo-install
> atk-2.10.0-1.fc20.i686 bzip2-libs-1.0.6-9.fc20.i686
> cairo-1.13.1-0.1.git337ab1f.fc20.i686 expat-2.1.0-7.fc20.i686
> fontconfig-2.11.0-2.fc20.i686 freetype-2.5.0-5.fc20.i686
> gdk-pixbuf2-2.30.3-1.fc20.i686 glib2-2.38.2-2.fc20.i686
> glibc-2.18-16.fc20.i686 gtk2-2.24.24-2.fc20.i686
> harfbuzz-0.9.27-1.fc20.i686 jbigkit-libs-2.0-10.fc20.i686
> libX11-1.6.1-1.fc20.i686 libXau-1.0.8-2.fc20.i686
> libXcomposite-0.4.4-4.fc20.i686 libXcursor-1.1.14-2.fc20.i686
> libXdamage-1.1.4-4.fc20.i686 libXext-1.3.2-2.fc20.i686
> libXfixes-5.0.1-2.fc20.i686 libXi-1.7.4-1.fc20.i686
> libXinerama-1.1.3-2.fc20.i686 libXrandr-1.4.1-2.fc20.i686
> libXrender-0.9.8-2.fc20.i686 libXxf86vm-1.1.3-2.fc20.i686
> libdrm-2.4.58-1.fc20.i686 libffi-3.0.13-5.fc20.i686
> libgcc-4.8.3-7.fc20.i686 libjpeg-turbo-1.3.1-2.fc20.i686
> libpng-1.6.6-3.fc20.i686 libpng12-1.2.50-6.fc20.i686
> libselinux-2.2.1-6.fc20.i686 libwayland-client-1.2.0-3.fc20.i686
> libwayland-server-1.2.0-3.fc20.i686 libxcb-1.9.1-3.fc20.i686
> mesa-libEGL-10.3.3-1.20141110.fc20.i686
> mesa-libGL-10.3.3-1.20141110.fc20.i686
> mesa-libgbm-10.3.3-1.20141110.fc20.i686
> mesa-libglapi-10.3.3-1.20141110.fc20.i686 pango-1.36.1-3.fc20.i686
> pcre-8.33-7.fc20.i686 pixman-0.30.0-5.fc20.i686
> xz-libs-5.1.2-12alpha.fc20.i686 zlib-1.2.8-3.fc20.i686
> (gdb) bt
> #0 0x08518f44 in utilcuti_GetUsrid(void) ()
> #1 0x0839b8a5 in BuildLockInfo(char const *, char, char *, char const *, char *, char const *) ()
> #2 0x0839dc51 in lock_LockFile(char const *, char, short, char *, char const *, char const *, char const *, char const *, char *, char const *, char *) ()
> #3 0x083a02c3 in FILE_RESOURCE::DAVLock(JSTRING const &, int) ()
> #4 0x083c1e34 in ARCHIVE_RESOURCE::Lock(JSTRING const &, int) ()
> #5 0x0839fd20 in FILE_RESOURCE::DAVDelete(void) ()
> #6 0x083c17d4 in ARCHIVE_RESOURCE::Delete(void) ()
> #7 0x083b3854 in Document::Delete(void) ()
> #8 0x083bdf93 in TMP_OSBUFF::~TMP_OSBUFF(void) ()
> #9 0x083be1e1 in EXCOML_BUFFER_CHANNEL::~EXCOML_BUFFER_CHANNEL(void) ()
> #10 0x083ca4db in TEXT_FORMAT_PARSER::~TEXT_FORMAT_PARSER(void) ()
> #11 0x085270a4 in READ_CHANNEL::READER_NODE::~READER_NODE(void) ()
> #12 0x085271ab in READ_CHANNEL::~READ_CHANNEL(void) ()
> #13 0x083bf754 in DOCUMENT_READER::~DOCUMENT_READER(void) ()
> #14 0x08378100 in TREE_FROM_DOC::~TREE_FROM_DOC(void) ()
> #15 0x081b2aee in EXECUTECMD::File(PSTRING const &, PSTRING const &) ()
> #16 0x081b3a4e in EXECUTECMD::Link(PSTRING const &, PSTRING const &) ()
> #17 0x0825d010 in ECL_COMMAND::OtherExecute(void) ()
> #18 0x08267be4 in ECL_COMMAND::Execute(EXPR_DICT *) ()
> #19 0x08247d0e in ECL_REPEAT::Execute(EXPR_DICT *) ()
> #20 0x082472ed in lang_TreeExecute(ECL_TREE *, EXPR_DICT *) ()
> #21 0x081af72b in KEY_T::Execute(void) ()
> #22 0x081b3f26 in EXECUTECMD::Function(PSTRING const &, PSTRING const &, int, JSTRING const &) ()
> #23 0x08059106 in EXCO::Initiate(void) ()
> #24 0x0805a355 in EXCO::Edit(void) ()
> #25 0x080544f5 in main ()
>
> // Richard
>
> 2015-06-15 15:34 Simo Sorce wrote:
> > On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
> >> Hi,
> >>
> >> We are about to implement freeipa in our environment.
> >> During some tests we have discovered problems when we are trying to
> >> run scripts with the suid bit set.
> >> It looks like the system is trying to authenticate the suid user
> >> against freeipa, but since the suid user doesn't have a valid ticket,
> >> the script will not run.
> >> I would need some help to get around this problem.
> >>
> >> Is it possible to configure a keytab for the suid user so that this
> >> user always has a valid ticket?
> >
> > Hi Richard,
> > it is unclear to me what problem you are having.
> >
> > Can you provide some log or output you receive when running commands
> > that do not work as you expect ?
> >
> > The kernel doesn't really care (nor try) to authenticate users when the
> > suid bit is set, so there must be some other component involved that is
> > causing you trouble.
> >
> > Simo.

--
Simo Sorce * Red Hat, Inc * New York

From esdras.laroque at gmail.com Tue Jun 16 13:32:20 2015
From: esdras.laroque at gmail.com (Esdras La-Roque)
Date: Tue, 16 Jun 2015 10:32:20 -0300
Subject: [Freeipa-users] Host don't update DNS
Message-ID:

Hi guys,

How do I force the host to update its own DNS record?

--
Esdras La-Roque

From rmeggins at redhat.com Tue Jun 16 13:39:19 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Jun 2015 07:39:19 -0600
Subject: [Freeipa-users] Migration error?
In-Reply-To: <5580142A.2060705@redhat.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com> <557F92F8.5020108@gmail.com> <557FCA1F.5000605@redhat.com> <557FE4D3.9050502@redhat.com> <039811AC-340E-4F8A-902F-D8F3C435781B@gmail.com> <5580142A.2060705@redhat.com>
Message-ID: <55802707.1080400@redhat.com>

On 06/16/2015 06:18 AM, Ludwig Krispenz wrote:
>
> On 06/16/2015 02:08 PM, Janelle wrote:
>> On Jun 16, 2015, at 01:56, thierry bordaz wrote:
>>>> On 06/16/2015 09:02 AM, Ludwig Krispenz wrote:
>>>>
>>>>> On 06/16/2015 05:07 AM, Janelle wrote:
>>>>>> On 6/15/15 1:12 PM, Rob Crittenden wrote:
>>>>>> Janelle wrote:
>>>>>>>> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>>>>>>>>
>>>>>>>> Usually means there is a replication conflict entry. You may be able
>>>>>>>> to get more details on what failed by looking at the LDAP access log
>>>>>>>> of both LDAP servers, though I guess I'd expect this happened locally
>>>>>>>> on the IPA box.
>>>>> Hi again,
>>>>>
>>>>> I have been trying to follow this procedure for replication
>>>>> conflicts regarding "nsds5ReplConflict", where I had the two
>>>>> account duplicates, but no matter what, I still get:
>>>>>
>>>>> modifying rdn of entry
>>>>> "nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com"
>>>>> ldap_rename: Constraint violation
>>>>> additional info: Another entry with the same attribute value
>>>>> already exists (attribute: "uid")
>>>>>
>>>>> when I am trying to run the modrdn (ldapmodify) command, which
>>>>> simply refuses to work. I have been at it for over a week now with
>>>>> no luck. I think this is the last of my issues causing my
>>>>> replication problems. What caused this is that I do have multiple
>>>>> helpdesk personnel that had been updating user accounts. This
>>>>> process has been resolved, but we can't seem to remove the last
>>>>> few duplicates.
>>>>>
>>>>> Any suggestions? Is there a missing step in conflict resolution
>>>>> perhaps?
>>>> These entries are already a result of conflict resolution. If you
>>>> add the same entry simultaneously on two servers (meaning add it on
>>>> A and add it on B before B has received the replicated add from
>>>> A), there exist two entries with the same dn, which is not
>>>> possible. So conflict resolution does not arbitrarily throw one
>>>> away, but renames it and leaves it to the admin which one to keep.
>>>> So you should have one entry
>>>> uid=janelle,... and one nsuniqueid=nnnn+uid=janelle,....
>>> The error you get is coming from 'uid uniqueness'. As Ludwig
>>> mentioned, there are duplicated entries, both of them
>>> 'uid=janelle'.
>>> The 'uid uniqueness' plugin prevents you from doing a direct MODRDN on one of
>>> them because it finds a duplicated 'uid=janelle'.
>>>> You can delete the nsuniqueid=nnnn entry to get rid of it.
>>> +1
>>>
>>> thierry
>>>> There is a request to hide these nsuniqueid+uid entries from
>>>> regular searches; it will be in a next release of 389.
>>>>
>>>> Ludwig
>>>>> ~J
>>> --
>> But everything I try to delete fails. Is there a procedure in 389-DS
>> I can read for this? Maybe I am missing an option in ldapmodify? I am
>> happy to delete, if only it would let me.
> Hm, it should be straightforward:
> ldapmodify -D ..
> dn: nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com
> changetype: delete
>
> If it fails, what is the error you get ?

This is probably https://fedorahosted.org/389/ticket/48133 which is fixed in 389-ds-base-1.2.11.15-53.el6

>>
>> ~J
>

From mbasti at redhat.com Tue Jun 16 13:51:30 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 16 Jun 2015 15:51:30 +0200
Subject: [Freeipa-users] Host don't update DNS
In-Reply-To:
References:
Message-ID: <558029E2.2000409@redhat.com>

On 16/06/15 15:32, Esdras La-Roque wrote:
> Hi guys,
>
>
> How do I force the host to update its own DNS record?
>
> --
> Esdras La-Roque
>
>
Hello,

SSSD does the synchronization automatically (dyndns_update=true in sssd.conf).

We need more info:
Do you have integrated DNS?
If yes, have you enabled "dynamic updates" for the particular zone?
What is your IPA version?

Martin

--
Martin Basti

From janellenicole80 at gmail.com Tue Jun 16 13:54:55 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 16 Jun 2015 06:54:55 -0700
Subject: [Freeipa-users] Migration error?
In-Reply-To: <55802707.1080400@redhat.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com> <557F92F8.5020108@gmail.com> <557FCA1F.5000605@redhat.com> <557FE4D3.9050502@redhat.com> <039811AC-340E-4F8A-902F-D8F3C435781B@gmail.com> <5580142A.2060705@redhat.com> <55802707.1080400@redhat.com>
Message-ID: <55802AAF.2070801@gmail.com>

Good morning,

Just a quick note. I hope that all my questions do not make anyone on the DEV Team think that I do not support FreeIPA wholly and completely. I am a huge fan of this package and have in fact discussed with several of my clients (I'm a consultant of course) who have purchased RH support contracts just because of this. The product is wonderful and has potential of being even better as you continue to add new features. Thank you so much for all the support you have provided.
I hope RH understands too that many new customers come from recommendations from us consultant-types :-)

Ok, so I just wanted to throw that in this thread -- a big THANK YOU to the IPA Team and all the work accomplished so far. You are the best!

~Janelle

From lkrispen at redhat.com Tue Jun 16 14:03:07 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 16 Jun 2015 16:03:07 +0200
Subject: [Freeipa-users] Migration error?
In-Reply-To: <55802AAF.2070801@gmail.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com> <557F92F8.5020108@gmail.com> <557FCA1F.5000605@redhat.com> <557FE4D3.9050502@redhat.com> <039811AC-340E-4F8A-902F-D8F3C435781B@gmail.com> <5580142A.2060705@redhat.com> <55802707.1080400@redhat.com> <55802AAF.2070801@gmail.com>
Message-ID: <55802C9B.6060507@redhat.com>

On 06/16/2015 03:54 PM, Janelle wrote:
> Good morning,
>
> Just a quick note. I hope that all my questions do not make anyone on
> the DEV Team think that I do not support FreeIPA wholly and
> completely. I am a huge fan of this package and have in fact discussed
> with several of my clients (I'm a consultant of course) who have
> purchased RH support contracts just because of this. The product is
> wonderful and has potential of being even better as you continue to
> add new features. Thank you so much for all the support you have
> provided. I hope RH understands too that many new customers come from
> recommendations from us consultant-types :-)
>
> Ok, so I just wanted to throw that in this thread -- a big THANK YOU
> to the IPA Team and all the work accomplished so far. You are the best!
Thanks, and don't worry. We need people like you, consistently, patiently pushing us to resolve things.
And believe me, the corrupted RUVs haunt me as much as you.

Ludwig
>
> ~Janelle
>

From esdras.laroque at gmail.com Tue Jun 16 14:11:17 2015
From: esdras.laroque at gmail.com (Esdras La-Roque)
Date: Tue, 16 Jun 2015 11:11:17 -0300
Subject: [Freeipa-users] Host don't update DNS
In-Reply-To: <558029E2.2000409@redhat.com>
References: <558029E2.2000409@redhat.com>
Message-ID:

Thanks! I put "dyndns_update=true" in sssd.conf only and that works fine!

2015-06-16 10:51 GMT-03:00 Martin Basti :
> On 16/06/15 15:32, Esdras La-Roque wrote:
>
> Hi guys,
>
>
> How do I force the host to update its own DNS record?
>
> --
> Esdras La-Roque
>
>
>
> Hello,
>
> SSSD does the synchronization automatically (dyndns_update=true in sssd.conf).
>
> We need more info:
> Do you have integrated DNS?
> If yes, have you enabled "dynamic updates" for the particular zone?
> What is your IPA version?
>
> Martin
>
> --
> Martin Basti
>
>

--
Esdras La-Roque
Systems Analyst and Developer
Master's student in Computer Science
LPI-1 | Linux Professional Institute - Level 1
MCITP | Microsoft Virtualization Administrator
NCLA | Novell Certified Linux Administrator
DCTS | Data Center Technical Specialist

From CWhite at skytouchtechnology.com Tue Jun 16 15:42:44 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Tue, 16 Jun 2015 15:42:44 +0000
Subject: [Freeipa-users] Migration error?
In-Reply-To: <55802AAF.2070801@gmail.com>
References: <557ED181.4070103@gmail.com> <557ED4F3.10603@redhat.com> <557F2701.20505@gmail.com> <557F319D.9010908@redhat.com> <557F92F8.5020108@gmail.com> <557FCA1F.5000605@redhat.com> <557FE4D3.9050502@redhat.com> <039811AC-340E-4F8A-902F-D8F3C435781B@gmail.com> <5580142A.2060705@redhat.com> <55802707.1080400@redhat.com> <55802AAF.2070801@gmail.com>
Message-ID:

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Janelle
Sent: Tuesday, June 16, 2015 6:55 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Migration error?

Good morning,

Just a quick note. I hope that all my questions do not make anyone on the DEV Team think that I do not support FreeIPA wholly and completely. I am a huge fan of this package and have in fact discussed with several of my clients (I'm a consultant of course) who have purchased RH support contracts just because of this. The product is wonderful and has potential of being even better as you continue to add new features. Thank you so much for all the support you have provided. I hope RH understands too that many new customers come from recommendations from us consultant-types :-)

Ok, so I just wanted to throw that in this thread -- a big THANK YOU to the IPA Team and all the work accomplished so far. You are the best!

----
Seconded!

From randall.harrison91 at gmail.com Tue Jun 16 17:15:27 2015
From: randall.harrison91 at gmail.com (Randall Harrison)
Date: Tue, 16 Jun 2015 10:15:27 -0700
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
Message-ID:

Hello freeipa!

I am having difficulty installing freeipa on a freshly installed CentOS6.6 box. I have not had this problem on previous CentOS releases, and it installed with no problems on a CentOS7.1 box.

Here is a list of steps I took to install:

1.) Disable SElinux and IPtables (for testing purposes only)
2.) reboot
3.) yum update
4.) reboot
5.) yum install ipa-server bind bind-dyndb-ldap
6.) ipa-server-install --setup-dns
7.) the install script errors out

I have attached the ipa-server install log and pki-ca log.

All help is appreciated!

Randy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaserver-install.log
Type: application/octet-stream
Size: 41867 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-ca-install.log
Type: application/octet-stream
Size: 213321 bytes
Desc: not available

From pspacek at redhat.com Tue Jun 16 17:30:43 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 16 Jun 2015 19:30:43 +0200
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
In-Reply-To:
References:
Message-ID: <55805D43.7040005@redhat.com>

On 16.6.2015 19:15, Randall Harrison wrote:
> Hello freeipa!
>
> I am having difficulty installing freeipa on a freshly installed CentOS6.6
> box. I have not had this problem on previous CentOS releases, and it
> installed with no problems on a CentOS7.1 box.
>
> Here is a list of steps I took to install:
>
> 1.) Disable SElinux and IPtables (for testing purposes only)
> 2.) reboot
> 3.) yum update
> 4.) reboot
> 5.) yum install ipa-server bind bind-dyndb-ldap
> 6.) ipa-server-install --setup-dns
> 7.) the install script errors out
>
> I have attached the ipa-server install log and pki-ca log.
>
> All help is appreciated!

We never test with SELinux disabled - and the logs show some errors related to SEmanage. It might be an innocent error but it also might be a real problem.

Please retest it with SELinux enabled and let us know if it makes any difference or not.
--
Petr^2 Spacek

From pspacek at redhat.com Tue Jun 16 18:18:37 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 16 Jun 2015 20:18:37 +0200
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
In-Reply-To:
References: <55805D43.7040005@redhat.com>
Message-ID: <5580687D.4010806@redhat.com>

(First of all, always Cc the list. I'm adding it back to the loop.)

Interesting.

Which versions of packages do you have installed?

$ rpm -qa 'ipa*' 'java-*' 'pki*'

Dogtag might not work if you have java-1.8.0 installed. To eliminate this problem I would recommend you to leave only java-1.7.0 installed on the system.

(Again - I'm not sure because I'm not a Dogtag expert.)

Petr^2 Spacek

On 16.6.2015 19:56, Randall Harrison wrote:
> It errored out the same on this install. Here are the updated log files.
>
> On Tue, Jun 16, 2015 at 10:34 AM, Randall Harrison <
> randall.harrison91 at gmail.com> wrote:
>
>> Ok, I will test that and let you know!
>>
>> On Tue, Jun 16, 2015 at 10:30 AM, Petr Spacek wrote:
>>
>>> On 16.6.2015 19:15, Randall Harrison wrote:
>>>> Hello freeipa!
>>>>
>>>> I am having difficulty installing freeipa on a freshly installed CentOS6.6
>>>> box. I have not had this problem on previous CentOS releases, and it
>>>> installed with no problems on a CentOS7.1 box.
>>>>
>>>> Here is a list of steps I took to install:
>>>>
>>>> 1.) Disable SElinux and IPtables (for testing purposes only)
>>>> 2.) reboot
>>>> 3.) yum update
>>>> 4.) reboot
>>>> 5.) yum install ipa-server bind bind-dyndb-ldap
>>>> 6.) ipa-server-install --setup-dns
>>>> 7.) the install script errors out
>>>>
>>>> I have attached the ipa-server install log and pki-ca log.
>>>>
>>>> All help is appreciated!
>>>
>>> We never test with SELinux disabled - and the logs show some errors
>>> related to SEmanage. It might be an innocent error but it also might be a
>>> real problem.
>>>
>>> Please retest it with SELinux enabled and let us know if it makes any
>>> difference or not.
>>>
>>> --
>>> Petr^2 Spacek

--
Petr^2 Spacek

From randall.harrison91 at gmail.com Tue Jun 16 19:07:45 2015
From: randall.harrison91 at gmail.com (Randall Harrison)
Date: Tue, 16 Jun 2015 12:07:45 -0700
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
In-Reply-To: <5580687D.4010806@redhat.com>
References: <55805D43.7040005@redhat.com> <5580687D.4010806@redhat.com>
Message-ID:

Ok,

Here are the versions you requested:

IPA
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64

JAVA:
java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64

PKI:
pki-ca-9.0.3-38.el6_6.noarch
pki-common-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-util-9.0.3-38.el6_6.noarch
pki-symkey-9.0.3-38.el6_6.x86_64
pki-silent-9.0.3-38.el6_6.noarch
pki-native-tools-9.0.3-38.el6_6.x86_64
pki-selinux-9.0.3-38.el6_6.noarch

On Tue, Jun 16, 2015 at 11:18 AM, Petr Spacek wrote:
> (First of all, always Cc the list. I'm adding it back to the loop.)
>
> Interesting.
>
> Which versions of packages do you have installed?
>
> $ rpm -qa 'ipa*' 'java-*' 'pki*'
>
> Dogtag might not work if you have java-1.8.0 installed. To eliminate this
> problem I would recommend you to leave only java-1.7.0 installed on the
> system.
>
> (Again - I'm not sure because I'm not a Dogtag expert.)
>
> Petr^2 Spacek
>
> On 16.6.2015 19:56, Randall Harrison wrote:
> > It errored out the same on this install. Here are the updated log files.
> >
> > On Tue, Jun 16, 2015 at 10:34 AM, Randall Harrison <
> > randall.harrison91 at gmail.com> wrote:
> >
> >> Ok, I will test that and let you know!
> >>
> >> On Tue, Jun 16, 2015 at 10:30 AM, Petr Spacek
> wrote:
> >>
> >>> On 16.6.2015 19:15, Randall Harrison wrote:
> >>>> Hello freeipa!
> >>>>
> >>>> I am having difficulty installing freeipa on a freshly installed
> >>>> CentOS6.6 box. I have not had this problem on previous CentOS releases, and it
> >>>> installed with no problems on a CentOS7.1 box.
> >>>>
> >>>> Here is a list of steps I took to install:
> >>>>
> >>>> 1.) Disable SElinux and IPtables (for testing purposes only)
> >>>> 2.) reboot
> >>>> 3.) yum update
> >>>> 4.) reboot
> >>>> 5.) yum install ipa-server bind bind-dyndb-ldap
> >>>> 6.) ipa-server-install --setup-dns
> >>>> 7.) the install script errors out
> >>>>
> >>>> I have attached the ipa-server install log and pki-ca log.
> >>>>
> >>>> All help is appreciated!
> >>>
> >>> We never test with SELinux disabled - and the logs show some errors
> >>> related to SEmanage. It might be an innocent error but it also might be a
> >>> real problem.
> >>>
> >>> Please retest it with SELinux enabled and let us know if it makes
> >>> any difference or not.
> >>>
> >>> --
> >>> Petr^2 Spacek
> --
> Petr^2 Spacek
>

From janellenicole80 at gmail.com Tue Jun 16 21:17:28 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 16 Jun 2015 14:17:28 -0700
Subject: [Freeipa-users] Crazy Cert problem?
Message-ID: <55809268.5090608@gmail.com>

Hi,

Had a server - named ipa001.example.com -- it was a replica. It died. It was re-installed.
However, prior to the re-install it was saying the wonderful:

TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a replica or trying to join it back in to the existing ring of servers) and at the end of the ipa-server-install - it gives:

Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Restarting the web server
Unable to set admin password Command ''/usr/bin/ldappasswd' '-h' 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y' '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs' 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero exit status 1
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'example.com' '--server' 'ipa001.example.com' '--realm' 'example.com' '--hostname' 'ipa001.example.com'' returned non-zero exit status 1

and checking /var/log/ipaclient-install.log - the exact same TLS error????

But this is a brand new system, with a brand new OS, and the install was ipa-server-install to install a clean server. I don't understand how this is happening. There is no "peer" to be not trusted?

~J

From abokovoy at redhat.com Tue Jun 16 21:25:02 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 16 Jun 2015 17:25:02 -0400 (EDT)
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
In-Reply-To:
References: <55805D43.7040005@redhat.com> <5580687D.4010806@redhat.com>
Message-ID: <994252180.3418252.1434489902745.JavaMail.zimbra@redhat.com>

Yes, please remove java 1.8.0*

This is an unfortunate and known issue caused by over-enthusiastic people doing the Software Collections project who released 1.8 Java directly into the release tree. We have a bug for it where dogtag does introduce some dependency requirements to weed out java-1.8.0 on RHEL 6.x, but this fix is not yet released.

----- Original Message -----
> Ok,
>
> Here are the versions you requested:
>
> IPA
> ipa-admintools-3.0.0-42.el6.centos.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-python-3.0.0-42.el6.centos.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> ipa-server-3.0.0-42.el6.centos.x86_64
>
> JAVA:
> java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
> java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64
> java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64
>
> PKI:
> pki-ca-9.0.3-38.el6_6.noarch
> pki-common-9.0.3-38.el6_6.noarch
> pki-java-tools-9.0.3-38.el6_6.noarch
> pki-setup-9.0.3-38.el6_6.noarch
> pki-util-9.0.3-38.el6_6.noarch
> pki-symkey-9.0.3-38.el6_6.x86_64
> pki-silent-9.0.3-38.el6_6.noarch
> pki-native-tools-9.0.3-38.el6_6.x86_64
> pki-selinux-9.0.3-38.el6_6.noarch
>
>
>
>
> On Tue, Jun 16, 2015 at 11:18 AM, Petr Spacek < pspacek at redhat.com > wrote:
>
>
> (First of all, always Cc the list. I'm adding it back to the loop.)
>
> Interesting.
>
> Which versions of packages do you have installed?
>
> $ rpm -qa 'ipa*' 'java-*' 'pki*'
>
> Dogtag might not work if you have java-1.8.0 installed. To eliminate this
> problem I would recommend you to leave only java-1.7.0 installed on the system.
>
> (Again - I'm not sure because I'm not a Dogtag expert.)
>
> Petr^2 Spacek
>
> On 16.6.2015 19:56, Randall Harrison wrote:
> > It errored out the same on this install. Here are the updated log files.
> >
> > On Tue, Jun 16, 2015 at 10:34 AM, Randall Harrison <
> > randall.harrison91 at gmail.com > wrote:
> >
> >> Ok, I will test that and let you know!
> >>
> >> On Tue, Jun 16, 2015 at 10:30 AM, Petr Spacek < pspacek at redhat.com >
> >> wrote:
> >>
> >>> On 16.6.2015 19:15, Randall Harrison wrote:
> >>>> Hello freeipa!
> >>>>
> >>>> I am having difficulty installing freeipa on a freshly installed
> >>>> CentOS6.6 box. I have not had this problem on previous CentOS releases, and it
> >>>> installed with no problems on a CentOS7.1 box.
> >>>>
> >>>> Here is a list of steps I took to install:
> >>>>
> >>>> 1.) Disable SElinux and IPtables (for testing purposes only)
> >>>> 2.) reboot
> >>>> 3.) yum update
> >>>> 4.) reboot
> >>>> 5.) yum install ipa-server bind bind-dyndb-ldap
> >>>> 6.) ipa-server-install --setup-dns
> >>>> 7.) the install script errors out
> >>>>
> >>>> I have attached the ipa-server install log and pki-ca log.
> >>>>
> >>>> All help is appreciated!
> >>>
> >>> We never test with SELinux disabled - and the logs show some errors
> >>> related to SEmanage. It might be an innocent error but it also might be a
> >>> real problem.
> >>>
> >>> Please retest it with SELinux enabled and let us know if it makes any
> >>> difference or not.
> >>>
> >>> --
> >>> Petr^2 Spacek
> --
> Petr^2 Spacek
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From Steven.Jones at vuw.ac.nz Tue Jun 16 22:51:58 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 16 Jun 2015 22:51:58 +0000
Subject: [Freeipa-users] ssh key issues with IPA enabled servers
In-Reply-To: <994252180.3418252.1434489902745.JavaMail.zimbra@redhat.com>
References: <55805D43.7040005@redhat.com> <5580687D.4010806@redhat.com> , <994252180.3418252.1434489902745.JavaMail.zimbra@redhat.com>
Message-ID:

Hi,

I am trying to set up ssh keys into an IPA-enabled server. This refuses to work, asking for a password each time. If I drop the server out of IPA the ssh keys then work.
I can ssh from a non-IPA RHEL7 server to an IPA-enabled server as a non-IPA user fine, but when I try to go to an IPA user it asks for the password.

Am I missing a setting in IPA? Or do I have a bug or an ssh setting I am missing?

regards

Steven

From nathan at nathanpeters.com Tue Jun 16 23:32:31 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Tue, 16 Jun 2015 16:32:31 -0700
Subject: [Freeipa-users] Cannot login with GSSAPI to IPA client
Message-ID: <679b622289ae76684f6920ee8d01f8a5.squirrel@webmail.nathanpeters.com>

I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd 1.11.6-30. The server is CentOS 7 / IPA 4.1.3

When I try to log in using MIT kerberos and a valid ticket it works on one client, and fails on the other.

I have compared the /etc/krb5.conf, /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients and they are identical (other than the hostnames). I can't seem to find any other difference between the clients.

Password authentication works on both machines.
Here is the debug log of the failed login machine (sshd). I think the relevant line is the very last one, where it postpones the login for some reason:

Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2

===========================================
[root at fe1 pam.d]# /usr/sbin/sshd -p 22 -D -ddd -e
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 687
debug2: parse_server_config: config /etc/ssh/sshd_config len 687
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:82 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:99 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:101 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:107 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:120 setting UseDNS no
debug3: /etc/ssh/sshd_config:130 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug3: /etc/ssh/sshd_config:137 setting KerberosAuthentication no
debug3: /etc/ssh/sshd_config:138 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:139 setting UsePAM yes
debug3: /etc/ssh/sshd_config:140 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:141 setting AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='22'
debug1: rexec_argv[3]='-D'
debug1: rexec_argv[4]='-ddd'
debug1: rexec_argv[5]='-e'
debug3: oom_adjust_setup Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 687
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config: config rexec len 687
debug3: rexec:21 setting Protocol 2
debug3: rexec:36 setting SyslogFacility AUTHPRIV
debug3: rexec:66 setting PasswordAuthentication yes
debug3: rexec:70 setting ChallengeResponseAuthentication no
debug3: rexec:82 setting GSSAPICleanupCredentials yes
debug3: rexec:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: rexec:99 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: rexec:100 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: rexec:101 setting AcceptEnv XMODIFIERS
debug3: rexec:107 setting X11Forwarding yes
debug3: rexec:120 setting UseDNS no
debug3: rexec:130 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug3: rexec:137 setting KerberosAuthentication no
debug3: rexec:138 setting PubkeyAuthentication yes
debug3: rexec:139 setting UsePAM yes
debug3: rexec:140 setting GSSAPIAuthentication yes
debug3: rexec:141 setting AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 3, 3
Connection from 10.5.5.57 port 15076
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
debug1: no match: PuTTY_Release_0.63
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 554
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 840 bytes for a total of 861
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha2-256
debug1: kex: client->server aes256-ctr hmac-sha2-256 none
debug3: mm_request_send entering: type 78
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug2: mac_setup: found hmac-sha2-256
debug1: kex: server->client aes256-ctr hmac-sha2-256 none
debug3: mm_request_send entering: type 78
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: monitor_read: checking request 0
debug3: mm_request_receive
entering debug3: mm_answer_moduli: got parameters: 1024 4096 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug3: Wrote 536 bytes for a total of 1397 debug2: dh_gen_key: priv key bits set: 267/512 debug2: bits set: 2090/4096 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 2058/4096 debug3: mm_key_sign entering debug3: mm_request_send entering: type 5 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 6 debug3: mm_request_receive entering debug3: monitor_read: checking request 5 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x7fb4d9b67ba0(271) debug3: mm_request_send entering: type 6 debug2: monitor_read: 5 used once, disabling now debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug2: cipher_init: set keylen (16 -> 32) debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 1104 bytes for a total of 2501 debug2: set_newkeys: mode 0 debug2: cipher_init: set keylen (16 -> 32) debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug3: Wrote 64 bytes for a total of 2565 debug1: userauth-request for user username service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 7 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 8 debug3: mm_request_receive entering debug3: monitor_read: checking request 7 debug3: mm_answer_pwnamallow debug2: parse_server_config: config reprocess config len 687 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 8 debug2: monitor_read: 7 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up 
authctxt for username debug3: mm_start_pam entering debug3: mm_request_send entering: type 50 debug3: mm_inform_authserv entering debug3: monitor_read: checking request 50 debug3: mm_request_send entering: type 3 debug1: PAM: initializing for "username" debug3: mm_inform_authrole entering debug3: mm_request_send entering: type 4 debug2: input_userauth_request: try method none debug3: Wrote 96 bytes for a total of 2661 debug1: PAM: setting PAM_RHOST to "10.5.5.57" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 50 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_authrole: role= debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: userauth-request for user username service ssh-connection method gssapi-with-mic debug1: attempt 1 failures 0 debug2: input_userauth_request: try method gssapi-with-mic debug3: mm_request_send entering: type 38 debug3: mm_request_receive_expect entering: type 39 debug3: mm_request_receive entering debug3: monitor_read: checking request 38 debug3: mm_request_send entering: type 39 debug3: mm_request_receive entering Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2 debug3: Wrote 64 bytes for a total of 2725

Here is the debug log of the successful login machine (sshd):

===========================================
[root at collector1 ~]# /usr/sbin/sshd -p 22 -D -ddd -e
debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 687 debug2: parse_server_config: config /etc/ssh/sshd_config len 687 debug3: /etc/ssh/sshd_config:21 setting Protocol 2 debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes debug3: 
/etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config:82 setting GSSAPICleanupCredentials yes debug3: /etc/ssh/sshd_config:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES debug3: /etc/ssh/sshd_config:99 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE debug3: /etc/ssh/sshd_config:101 setting AcceptEnv XMODIFIERS debug3: /etc/ssh/sshd_config:107 setting X11Forwarding yes debug3: /etc/ssh/sshd_config:120 setting UseDNS no debug3: /etc/ssh/sshd_config:130 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug3: /etc/ssh/sshd_config:137 setting KerberosAuthentication no debug3: /etc/ssh/sshd_config:138 setting PubkeyAuthentication yes debug3: /etc/ssh/sshd_config:139 setting UsePAM yes debug3: /etc/ssh/sshd_config:140 setting GSSAPIAuthentication yes debug3: /etc/ssh/sshd_config:141 setting AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys debug1: sshd version OpenSSH_5.3p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-p' debug1: rexec_argv[2]='22' debug1: rexec_argv[3]='-D' debug1: rexec_argv[4]='-ddd' debug1: rexec_argv[5]='-e' debug3: oom_adjust_setup Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 22 on ::. Server listening on :: port 22. debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. 
debug3: send_rexec_state: entering fd = 8 config len 687 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug3: recv_rexec_state: entering fd = 5 debug3: ssh_msg_recv entering debug3: recv_rexec_state: done debug2: parse_server_config: config rexec len 687 debug3: rexec:21 setting Protocol 2 debug3: rexec:36 setting SyslogFacility AUTHPRIV debug3: rexec:66 setting PasswordAuthentication yes debug3: rexec:70 setting ChallengeResponseAuthentication no debug3: rexec:82 setting GSSAPICleanupCredentials yes debug3: rexec:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES debug3: rexec:99 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT debug3: rexec:100 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE debug3: rexec:101 setting AcceptEnv XMODIFIERS debug3: rexec:107 setting X11Forwarding yes debug3: rexec:120 setting UseDNS no debug3: rexec:130 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug3: rexec:137 setting KerberosAuthentication no debug3: rexec:138 setting PubkeyAuthentication yes debug3: rexec:139 setting UsePAM yes debug3: rexec:140 setting GSSAPIAuthentication yes debug3: rexec:141 setting AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys debug1: sshd version OpenSSH_5.3p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. 
debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: inetd sockets after dupping: 3, 3 Connection from 10.5.5.57 port 15110 debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63 debug1: no match: PuTTY_Release_0.63 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 3 setting O_NONBLOCK debug2: Network child is on pid 7346 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 74:74 debug1: permanently_set_uid: 74/74 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 840 bytes for a total of 861 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-sha2-256 debug1: kex: client->server aes256-ctr hmac-sha2-256 none debug3: mm_request_send entering: type 78 debug3: monitor_read: checking request 78 debug3: mm_request_send entering: type 79 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 79 debug3: mm_request_receive entering debug2: mac_setup: found hmac-sha2-256 debug1: kex: server->client aes256-ctr hmac-sha2-256 none debug3: mm_request_send entering: type 78 debug3: monitor_read: checking request 78 debug3: mm_request_send entering: type 79 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 79 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 4096 8192 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_request_send entering: type 1 
debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug3: Wrote 536 bytes for a total of 1397 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug2: dh_gen_key: priv key bits set: 283/512 debug2: bits set: 2035/4096 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 2100/4096 debug3: mm_key_sign entering debug3: mm_request_send entering: type 5 debug3: monitor_read: checking request 5 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x7f9e4e6c8010(271) debug3: mm_request_send entering: type 6 debug2: monitor_read: 5 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 6 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug2: cipher_init: set keylen (16 -> 32) debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 1104 bytes for a total of 2501 debug2: set_newkeys: mode 0 debug2: cipher_init: set keylen (16 -> 32) debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug3: Wrote 64 bytes for a total of 2565 debug1: userauth-request for user username service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 7 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 8 debug3: mm_request_receive entering debug3: monitor_read: checking request 7 debug3: mm_answer_pwnamallow debug2: parse_server_config: config reprocess config len 687 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 8 debug2: monitor_read: 7 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for username debug3: mm_start_pam entering debug3: mm_request_send entering: type 50 debug3: 
mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug3: mm_inform_authrole entering debug3: mm_request_send entering: type 4 debug2: input_userauth_request: try method none debug3: Wrote 96 bytes for a total of 2661 debug3: monitor_read: checking request 50 debug1: PAM: initializing for "username" debug1: userauth-request for user username service ssh-connection method gssapi-with-mic debug1: attempt 1 failures 0 debug2: input_userauth_request: try method gssapi-with-mic debug3: mm_request_send entering: type 38 debug3: mm_request_receive_expect entering: type 39 debug3: mm_request_receive entering debug1: PAM: setting PAM_RHOST to "10.5.5.57" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 50 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_authrole: role= debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 38 debug3: mm_request_send entering: type 39 Postponed gssapi-with-mic for username from 10.5.5.57 port 15110 ssh2 debug3: Wrote 64 bytes for a total of 2725 debug3: mm_request_receive entering debug3: mm_request_send entering: type 40 debug3: mm_request_receive_expect entering: type 41 debug3: mm_request_receive entering debug3: monitor_read: checking request 40 debug1: Got no client credentials debug3: mm_request_send entering: type 41 debug3: Wrote 208 bytes for a total of 2933 debug3: mm_request_receive entering debug3: mm_request_send entering: type 44 debug3: mm_request_receive_expect entering: type 45 debug3: mm_request_receive entering debug3: monitor_read: checking request 44 debug3: mm_request_send entering: type 45 debug3: mm_request_send entering: type 42 debug3: mm_request_receive_expect 
entering: type 43 debug3: mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 42 Authorized to username, krb5 principal username at IPADOMAIN.NET (krb5_kuserok) debug3: mm_answer_gss_userok: sending result 1 debug3: mm_request_send entering: type 43 debug3: mm_ssh_gssapi_userok: user authenticated debug3: mm_do_pam_account entering debug3: mm_request_send entering: type 51 debug3: mm_request_receive_expect entering: type 52 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug1: do_pam_account: called debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success) debug3: mm_request_send entering: type 52 Accepted gssapi-with-mic for username from 10.5.5.57 port 15110 ssh2 debug1: monitor_child_preauth: username has been authenticated by privileged process debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 25 debug3: mm_request_receive entering debug3: mm_do_pam_account returning 1 debug3: Wrote 48 bytes for a total of 2981 debug3: mm_send_keystate: Sending new keys: 0x7f9e4e6c6a20 0x7f9e4e6c8840 debug3: mm_newkeys_to_blob: converting 0x7f9e4e6c6a20 debug3: mm_newkeys_to_blob: converting 0x7f9e4e6c8840 debug3: mm_send_keystate: New keys have been sent debug3: mm_send_keystate: Sending compression state debug3: mm_request_send entering: type 25 debug3: mm_send_keystate: Finished sending state debug3: mm_request_send entering: type 80 debug3: mm_request_receive_expect entering: type 81 debug3: mm_request_receive entering debug3: mm_newkeys_from_blob: 0x7f9e4e6e5ec0(159) debug2: mac_setup: found hmac-sha2-256 debug3: mm_get_keystate: Waiting for second key debug3: mm_newkeys_from_blob: 0x7f9e4e6e5ec0(159) debug2: mac_setup: found hmac-sha2-256 debug3: mm_get_keystate: Getting compression state debug3: mm_get_keystate: Getting Network I/O buffers debug3: mm_request_receive_expect entering: type 80 debug3: 
mm_request_receive entering debug3: mm_request_send entering: type 81 debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end debug1: temporarily_use_uid: 756600344/756600344 (e=0/0) debug1: No credentials stored debug1: restore_uid: 0/0 debug1: SELinux support disabled debug1: PAM: establishing credentials debug3: PAM: opening session debug1: temporarily_use_uid: 756600344/756600344 (e=0/0) debug1: No credentials stored debug1: restore_uid: 0/0 User child is on pid 7359 debug3: mm_request_receive entering debug1: PAM: establishing credentials debug1: permanently_set_uid: 756600344/756600344 debug2: set_newkeys: mode 0 debug2: cipher_init: set keylen (16 -> 32) debug2: set_newkeys: mode 1 debug2: cipher_init: set keylen (16 -> 32) debug1: Entering interactive session for SSH2. debug2: fd 10 setting O_NONBLOCK debug2: fd 11 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug3: Wrote 64 bytes for a total of 3045 debug1: server_input_channel_req: channel 0 request pty-req reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. 
debug3: mm_request_send entering: type 26 debug3: monitor_read: checking request 26 debug3: mm_answer_pty entering debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug3: mm_request_send entering: type 27 debug3: mm_answer_pty: tty /dev/pts/1 ptyfd 9 debug3: mm_request_receive entering debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY debug3: mm_request_receive_expect entering: type 27 debug3: mm_request_receive entering debug1: session_pty_req: session 0 alloc /dev/pts/1 debug1: server_input_channel_req: channel 0 request shell reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug2: fd 3 setting TCP_NODELAY debug2: channel 0: rfd 14 isatty debug2: fd 14 setting O_NONBLOCK debug3: fd 12 is O_NONBLOCK debug3: Wrote 160 bytes for a total of 3205 debug1: Setting controlling tty using TIOCSCTTY. debug3: Wrote 112 bytes for a total of 3317 debug3: Wrote 400 bytes for a total of 3717 debug3: Wrote 160 bytes for a total of 3877

From abokovoy at redhat.com Wed Jun 17 05:37:49 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Jun 2015 08:37:49 +0300
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE1495ED@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE14954A@win10004.member.osthus.de> <557FDFBB.70400@redhat.com> <74263835052DD843AEBD010BD87EE8DE1495ED@win10004.member.osthus.de>
Message-ID: <20150617053749.GQ4402@redhat.com>

On Tue, 16 Jun 2015, Henry Hofmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I understand this is for applications which are using Kerberos.

No, it is not only for that.

> I have some web applications like "redmine" and "owncloud" which have
> their own user management. They need to be configured to LDAP to grant
> authorizations without Kerberos.
> And not all of them use Apache or
> Tomcat as application server.

For OwnCloud use https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406 and read the backstory in https://github.com/owncloud/core/issues/10130

For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't need to include the user which runs redmine in the shadow group with FreeIPA, because user accounts are never in /etc/shadow for FreeIPA, so you don't need that access.

Both these methods rely on PAM authentication which is powered by SSSD.

--
/ Alexander Bokovoy

From mkosek at redhat.com Wed Jun 17 06:07:58 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 17 Jun 2015 08:07:58 +0200
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de>
Message-ID: <55810EBE.3050906@redhat.com>

On 06/15/2015 02:19 PM, Henry Hofmann wrote:
> Hi,
>
> I have a question about using IPA (v.4) with an AD (2012) Trust.
>
> Is it possible to login with a user from the Active Directory Domain to a
> Web-Service (like redmine) which is configured to the IPA LDAP?
>
> I have understood this by reading this article
> (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).
>
> ===
>
> Henry Hofmann
>

It should be possible, yes - if you target the web service/Redmine at the compat tree, as it was done for example in this integration: http://www.freeipa.org/page/HowTo/vsphere5_integration

BTW, if Redmine is run by Apache, you can also leverage native Web<->SSSD<->FreeIPA/AD integration, following http://www.freeipa.org/page/Web_App_Authentication

Martin

From Alexander.Frolushkin at megafon.ru Wed Jun 17 06:13:39 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 06:13:39 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <557FF1BA.9040503@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com>
Message-ID: <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru>

Hello.

Another example. Today it appeared on servers of a different site.

Original LDIF:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Duplicate:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

No other servers in the IPA domain have such duplicates.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
> Hello.
>
> Just a reminder, in case somebody is still not familiar with our IPA installation :)
> We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
>
> And now, our new problem.
> Regularly we get nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually they are simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts?

If you are talking about having two "duplicate" entries, one: uid=xxxxx, one: nsuniqueid=nnnnnnnn+uid=xxxxx, these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers.
I think this can happen if a client tries to add an entry and, if it doesn't get a response in some time, retries on another server. To find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it.

> Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.
>
> Thanks in forward...
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
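The conflict entries Ludwig describes can be located mechanically rather than by eye. The Python checker below is an added example written for this page, not code from the thread or from FreeIPA/389-ds: it parses an LDIF export, pairs each nsuniqueid-renamed copy with the DN it collided with, and reports whether the original is still present and whether both copies carry the same attributes (a plain double, the case Alexander says is normally cleaned up by removing the renamed copy) or have diverged and need a look before anything is deleted. The sample LDIF, the dc=example,dc=test suffix and the nsuniqueid value are constructed; the one assumption beyond the thread is that an exported conflict entry carries an nsds5ReplConflict value of the form "namingConflict <dn>", and the script falls back to stripping the nsuniqueid component from the RDN when that attribute is absent.

```python
"""Flag 389-ds / FreeIPA replication-conflict entries in an LDIF export.
Added example (not code from the thread or from FreeIPA/389-ds): pairs each
nsuniqueid-renamed copy with the DN it collided with and compares the two."""
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of the thread's ldapsearch output; the
# suffix dc=example,dc=test and the nsuniqueid value are placeholders.
SAMPLE_LDIF = """\
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=example,dc
 =test
ipaPermRight: write
cn: System: Manage Host Keytab
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=example,dc=test

# System: Manage Host Keytab + 01234567-89abcdef-01234567-89abcdef, permissio
 ns, pbac, example.test
dn: cn=System: Manage Host Keytab+nsuniqueid=01234567-89abcdef-01234567-89abcd
 ef,cn=permissions,cn=pbac,dc=example,dc=test
nsds5ReplConflict: namingConflict cn=System: Manage Host Keytab,cn=permissions
 ,cn=pbac,dc=example,dc=test
ipaPermRight: write
cn: System: Manage Host Keytab
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=example,dc=test

# search result
search: 2
result: 0 Success
"""

# Attributes that legitimately differ between the two copies of an entry.
OPERATIONAL = {"nsds5replconflict", "nsuniqueid", "createtimestamp",
               "modifytimestamp", "creatorsname", "modifiersname"}
NSUNIQUEID_RDN = re.compile(r"\+?nsuniqueid=[0-9a-f-]+\+?", re.IGNORECASE)


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})].  Unfolds ' '-continued lines,
    skips '#' comments and the dn-less ldapsearch trailer; '::' (base64)
    values are kept undecoded, which is fine for a presence/equality check."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folding rule
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:              # sentinel flushes the last entry
        if not line.strip():
            if current and current[0]:
                entries.append((current[0], dict(current[1])))
            current = None
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            current = current or [None, defaultdict(list)]
            if name.lower() == "dn":
                current[0] = value.strip()
            else:
                current[1][name.lower()].append(value.strip())
    return entries


def norm_dn(dn):
    return re.sub(r",\s*", ",", dn.strip()).lower()


def original_dn(dn, attrs):
    """DN the conflict entry was meant to have, or None for a normal entry.
    Prefers the server's own record, assumed to be 'namingConflict <dn>' in
    nsds5ReplConflict; otherwise strips the nsuniqueid RDN component."""
    for value in attrs.get("nsds5replconflict", []):
        kind, _, recorded = value.partition(" ")
        if kind == "namingConflict" and recorded.strip():
            return recorded.strip()
    if "nsuniqueid=" in dn.lower():
        return NSUNIQUEID_RDN.sub("", dn, count=1)
    return None


def find_conflicts(ldif_text):
    """One dict per conflict entry: whether its original is still present
    and whether both copies are identical once operational attrs are ignored
    (a plain double) or have diverged and need a look before any cleanup."""
    entries = parse_ldif(ldif_text)
    by_dn = {norm_dn(dn): attrs for dn, attrs in entries}

    def payload(attrs):
        return {k: sorted(v) for k, v in attrs.items() if k not in OPERATIONAL}

    report = []
    for dn, attrs in entries:
        orig = original_dn(dn, attrs)
        if orig is None:
            continue
        match = by_dn.get(norm_dn(orig))
        report.append({"conflict_dn": dn, "original_dn": orig,
                       "original_present": match is not None,
                       "identical": match is not None and payload(attrs) == payload(match)})
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for hit in find_conflicts(text):
        state = ("original missing" if not hit["original_present"] else
                 "identical double" if hit["identical"] else "DIVERGED, inspect")
        print(f"{hit['conflict_dn']}\n  -> {hit['original_dn']} [{state}]")
```

Run it against a db2ldif or ldapsearch dump taken from each replica and compare the reports: the thread notes that the duplicates showed up on only some servers, so the set of servers that hold each renamed copy is the starting point for the "which server accepted the add, and from which client" hunt Ludwig suggests. Only the "identical double" verdict corresponds to the harmless case Alexander describes; a diverged pair means the two adds carried different data and the surviving entry has to be reconciled by hand.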
From prashant at apigee.com Wed Jun 17 07:05:35 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 17 Jun 2015 12:35:35 +0530
Subject: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
In-Reply-To:
References:
Message-ID:

Simo is right! This issue is the same as https://fedorahosted.org/freeipa/ticket/5047

If I change the algorithm in the otp url to uppercase it scans in Google Authenticator/iPhone. Furthermore I manually edited the /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py and uppercased the 'sha' to 'SHA' in a test VM and it works as expected. I hate to do this in the production server though.

On 12 June 2015 at 23:32, Prashant Bapat wrote:
> Hi,
>
> Has anyone seen this ? When a user tries to scan the QR code he gets a
> message saying "invalid barcode".
> This happens only with iPhone + Google
> Authenticator.
>
> Thanks for your help.
>
> --Prashant
>

From prashant at apigee.com Wed Jun 17 07:10:37 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 17 Jun 2015 12:40:37 +0530
Subject: [Freeipa-users] Firefox issue with web ui certificate
Message-ID:

Hi,

I have gotten into a strange situation. I'm running FreeIPA for 2 different environments, dev/production. By mistake, the domain for both is configured the same. Say EXAMPLE.COM.

Now the problem users are facing when using the web UI with Firefox: it complains that the "secure connection failed" and "(Error code: sec_error_reused_issuer_and_serial)". This I understand is happening because the certificate authority for both my environments is under the same name. Users can only access 1 environment. The other environment will throw this error. This happens only with Firefox. Chrome and Safari work fine.

What are my options to fix this ?

Thanks.
--Prashant

From sbose at redhat.com Wed Jun 17 07:42:47 2015
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 17 Jun 2015 09:42:47 +0200
Subject: [Freeipa-users] Cannot login with GSSAPI to IPA client
In-Reply-To: <679b622289ae76684f6920ee8d01f8a5.squirrel@webmail.nathanpeters.com>
References: <679b622289ae76684f6920ee8d01f8a5.squirrel@webmail.nathanpeters.com>
Message-ID: <20150617074247.GN3616@p.redhat.com>

On Tue, Jun 16, 2015 at 04:32:31PM -0700, nathan at nathanpeters.com wrote:
> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
> 1.11.6-30. The server is CentOS 7 / IPA 4.1.3
>
> When I try to log in using MIT kerberos and a valid ticket it works on one
> client, and fails on the other.
> I have compared the /etc/krb5.conf,
> /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients and
> they are identical (other than the hostnames). I can't seem to find any
> other difference between the clients.
>
> Password authentication works on both machines.
>
> Here is the debug log of the failed login machine (sshd)
>
> I think the relevant line is the very last one where it postpones the
> login for some reason
>
> Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2

This message is in the other log as well and I think this is ok.

Have you checked if the keytab on the host with the issue has the latest key version? To check, call 'klist -k' as root on the server and then call 'kvno host/...' with the principal shown in the klist output. Both kvno numbers should be the same. If they differ, call ipa-getkeytab on the server to get a fresh keytab. Please note that you have to call kdestroy and kinit on the client to remove the old, now invalid ticket from the client's credential cache.
HTH bye, Sumit > =========================================== > [root at fe1 pam.d]# /usr/sbin/sshd -p 22 -D -ddd -e > debug2: load_server_config: filename /etc/ssh/sshd_config > debug2: load_server_config: done config len = 687 > debug2: parse_server_config: config /etc/ssh/sshd_config len 687 > debug3: /etc/ssh/sshd_config:21 setting Protocol 2 > debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV > debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes > debug3: /etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no > debug3: /etc/ssh/sshd_config:82 setting GSSAPICleanupCredentials yes > debug3: /etc/ssh/sshd_config:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC > LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES > debug3: /etc/ssh/sshd_config:99 setting AcceptEnv LC_PAPER LC_NAME > LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT > debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LC_IDENTIFICATION > LC_ALL LANGUAGE > debug3: /etc/ssh/sshd_config:101 setting AcceptEnv XMODIFIERS > debug3: /etc/ssh/sshd_config:107 setting X11Forwarding yes > debug3: /etc/ssh/sshd_config:120 setting UseDNS no > debug3: /etc/ssh/sshd_config:130 setting Subsystem sftp > /usr/libexec/openssh/sftp-server > debug3: /etc/ssh/sshd_config:137 setting KerberosAuthentication no > debug3: /etc/ssh/sshd_config:138 setting PubkeyAuthentication yes > debug3: /etc/ssh/sshd_config:139 setting UsePAM yes > debug3: /etc/ssh/sshd_config:140 setting GSSAPIAuthentication yes > debug3: /etc/ssh/sshd_config:141 setting AuthorizedKeysCommand > /usr/bin/sss_ssh_authorizedkeys > debug1: sshd version OpenSSH_5.3p1 > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > debug1: read PEM private key done: type RSA > debug1: private host key: #0 type 1 RSA > debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. 
> debug1: read PEM private key done: type DSA > debug1: private host key: #1 type 2 DSA > debug1: rexec_argv[0]='/usr/sbin/sshd' > debug1: rexec_argv[1]='-p' > debug1: rexec_argv[2]='22' > debug1: rexec_argv[3]='-D' > debug1: rexec_argv[4]='-ddd' > debug1: rexec_argv[5]='-e' > debug3: oom_adjust_setup > Set /proc/self/oom_score_adj from 0 to -1000 > debug2: fd 3 setting O_NONBLOCK > debug1: Bind to port 22 on 0.0.0.0. > Server listening on 0.0.0.0 port 22. > debug2: fd 4 setting O_NONBLOCK > debug1: Bind to port 22 on ::. > Server listening on :: port 22. > debug3: fd 5 is not O_NONBLOCK > debug1: Server will not fork when running in debugging mode. > debug3: send_rexec_state: entering fd = 8 config len 687 > debug3: ssh_msg_send: type 0 > debug3: send_rexec_state: done > debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 > debug3: recv_rexec_state: entering fd = 5 > debug3: ssh_msg_recv entering > debug3: recv_rexec_state: done > debug2: parse_server_config: config rexec len 687 > debug3: rexec:21 setting Protocol 2 > debug3: rexec:36 setting SyslogFacility AUTHPRIV > debug3: rexec:66 setting PasswordAuthentication yes > debug3: rexec:70 setting ChallengeResponseAuthentication no > debug3: rexec:82 setting GSSAPICleanupCredentials yes > debug3: rexec:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME > LC_COLLATE LC_MONETARY LC_MESSAGES > debug3: rexec:99 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS > LC_TELEPHONE LC_MEASUREMENT > debug3: rexec:100 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE > debug3: rexec:101 setting AcceptEnv XMODIFIERS > debug3: rexec:107 setting X11Forwarding yes > debug3: rexec:120 setting UseDNS no > debug3: rexec:130 setting Subsystem sftp /usr/libexec/openssh/sftp-server > debug3: rexec:137 setting KerberosAuthentication no > debug3: rexec:138 setting PubkeyAuthentication yes > debug3: rexec:139 setting UsePAM yes > debug3: rexec:140 setting GSSAPIAuthentication yes > debug3: rexec:141 setting AuthorizedKeysCommand > 
/usr/bin/sss_ssh_authorizedkeys > debug1: sshd version OpenSSH_5.3p1 > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > debug1: read PEM private key done: type RSA > debug1: private host key: #0 type 1 RSA > debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. > debug1: read PEM private key done: type DSA > debug1: private host key: #1 type 2 DSA > debug1: inetd sockets after dupping: 3, 3 > Connection from 10.5.5.57 port 15076 > debug1: Client protocol version 2.0; client software version > PuTTY_Release_0.63 > debug1: no match: PuTTY_Release_0.63 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.3 > debug2: fd 3 setting O_NONBLOCK > debug2: Network child is on pid 554 > debug3: preauth child monitor started > debug3: mm_request_receive entering > debug3: privsep user:group 74:74 > debug1: permanently_set_uid: 74/74 > debug1: list_hostkey_types: ssh-rsa,ssh-dss > debug1: SSH2_MSG_KEXINIT sent > debug3: Wrote 840 bytes for a total of 861 > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: 
kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 > debug2: kex_parse_kexinit: > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 > debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 > debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: found hmac-sha2-256 > debug1: kex: client->server aes256-ctr hmac-sha2-256 none > debug3: mm_request_send entering: type 78 > debug3: mm_request_receive_expect entering: type 79 > debug3: mm_request_receive entering > debug3: monitor_read: checking request 78 > debug3: mm_request_send entering: type 79 > debug3: mm_request_receive entering > debug2: mac_setup: found hmac-sha2-256 > debug1: kex: server->client aes256-ctr hmac-sha2-256 none > debug3: mm_request_send entering: type 78 > debug3: mm_request_receive_expect entering: type 79 > debug3: mm_request_receive entering > debug3: monitor_read: checking request 78 > debug3: mm_request_send entering: type 79 > debug3: mm_request_receive entering > debug1: 
SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received > debug3: mm_request_send entering: type 0 > debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI > debug3: mm_request_receive_expect entering: type 1 > debug3: monitor_read: checking request 0 > debug3: mm_request_receive entering > debug3: mm_answer_moduli: got parameters: 1024 4096 8192 > debug3: mm_request_send entering: type 1 > debug2: monitor_read: 0 used once, disabling now > debug3: mm_request_receive entering > debug3: mm_choose_dh: remaining 0 > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > debug3: Wrote 536 bytes for a total of 1397 > debug2: dh_gen_key: priv key bits set: 267/512 > debug2: bits set: 2090/4096 > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT > debug2: bits set: 2058/4096 > debug3: mm_key_sign entering > debug3: mm_request_send entering: type 5 > debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN > debug3: mm_request_receive_expect entering: type 6 > debug3: mm_request_receive entering > debug3: monitor_read: checking request 5 > debug3: mm_answer_sign > debug3: mm_answer_sign: signature 0x7fb4d9b67ba0(271) > debug3: mm_request_send entering: type 6 > debug2: monitor_read: 5 used once, disabling now > debug3: mm_request_receive entering > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug2: cipher_init: set keylen (16 -> 32) > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug3: Wrote 1104 bytes for a total of 2501 > debug2: set_newkeys: mode 0 > debug2: cipher_init: set keylen (16 -> 32) > debug1: SSH2_MSG_NEWKEYS received > debug1: KEX done > debug3: Wrote 64 bytes for a total of 2565 > debug1: userauth-request for user username service ssh-connection method none > debug1: attempt 0 failures 0 > debug3: mm_getpwnamallow entering > debug3: mm_request_send entering: type 7 > debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM > debug3: mm_request_receive_expect entering: type 8 > debug3: mm_request_receive entering > debug3: 
monitor_read: checking request 7 > debug3: mm_answer_pwnamallow > debug2: parse_server_config: config reprocess config len 687 > debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 > debug3: mm_request_send entering: type 8 > debug2: monitor_read: 7 used once, disabling now > debug3: mm_request_receive entering > debug2: input_userauth_request: setting up authctxt for username > debug3: mm_start_pam entering > debug3: mm_request_send entering: type 50 > debug3: mm_inform_authserv entering > debug3: monitor_read: checking request 50 > debug3: mm_request_send entering: type 3 > debug1: PAM: initializing for "username" > debug3: mm_inform_authrole entering > debug3: mm_request_send entering: type 4 > debug2: input_userauth_request: try method none > debug3: Wrote 96 bytes for a total of 2661 > debug1: PAM: setting PAM_RHOST to "10.5.5.57" > debug1: PAM: setting PAM_TTY to "ssh" > debug2: monitor_read: 50 used once, disabling now > debug3: mm_request_receive entering > debug3: monitor_read: checking request 3 > debug3: mm_answer_authserv: service=ssh-connection, style= > debug2: monitor_read: 3 used once, disabling now > debug3: mm_request_receive entering > debug3: monitor_read: checking request 4 > debug3: mm_answer_authrole: role= > debug2: monitor_read: 4 used once, disabling now > debug3: mm_request_receive entering > debug1: userauth-request for user username service ssh-connection method > gssapi-with-mic > debug1: attempt 1 failures 0 > debug2: input_userauth_request: try method gssapi-with-mic > debug3: mm_request_send entering: type 38 > debug3: mm_request_receive_expect entering: type 39 > debug3: mm_request_receive entering > debug3: monitor_read: checking request 38 > debug3: mm_request_send entering: type 39 > debug3: mm_request_receive entering > Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2 > debug3: Wrote 64 bytes for a total of 2725 > > > Here is the dub log of the successful login machine (sshd) > 
=========================================== > [root at collector1 ~]# /usr/sbin/sshd -p 22 -D -ddd -e > debug2: load_server_config: filename /etc/ssh/sshd_config > debug2: load_server_config: done config len = 687 > debug2: parse_server_config: config /etc/ssh/sshd_config len 687 > debug3: /etc/ssh/sshd_config:21 setting Protocol 2 > debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV > debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes > debug3: /etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no > debug3: /etc/ssh/sshd_config:82 setting GSSAPICleanupCredentials yes > debug3: /etc/ssh/sshd_config:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC > LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES > debug3: /etc/ssh/sshd_config:99 setting AcceptEnv LC_PAPER LC_NAME > LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT > debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LC_IDENTIFICATION > LC_ALL LANGUAGE > debug3: /etc/ssh/sshd_config:101 setting AcceptEnv XMODIFIERS > debug3: /etc/ssh/sshd_config:107 setting X11Forwarding yes > debug3: /etc/ssh/sshd_config:120 setting UseDNS no > debug3: /etc/ssh/sshd_config:130 setting Subsystem sftp > /usr/libexec/openssh/sftp-server > debug3: /etc/ssh/sshd_config:137 setting KerberosAuthentication no > debug3: /etc/ssh/sshd_config:138 setting PubkeyAuthentication yes > debug3: /etc/ssh/sshd_config:139 setting UsePAM yes > debug3: /etc/ssh/sshd_config:140 setting GSSAPIAuthentication yes > debug3: /etc/ssh/sshd_config:141 setting AuthorizedKeysCommand > /usr/bin/sss_ssh_authorizedkeys > debug1: sshd version OpenSSH_5.3p1 > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > debug1: read PEM private key done: type RSA > debug1: private host key: #0 type 1 RSA > debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. 
> debug1: read PEM private key done: type DSA > debug1: private host key: #1 type 2 DSA > debug1: rexec_argv[0]='/usr/sbin/sshd' > debug1: rexec_argv[1]='-p' > debug1: rexec_argv[2]='22' > debug1: rexec_argv[3]='-D' > debug1: rexec_argv[4]='-ddd' > debug1: rexec_argv[5]='-e' > debug3: oom_adjust_setup > Set /proc/self/oom_score_adj from 0 to -1000 > debug2: fd 3 setting O_NONBLOCK > debug1: Bind to port 22 on 0.0.0.0. > Server listening on 0.0.0.0 port 22. > debug2: fd 4 setting O_NONBLOCK > debug1: Bind to port 22 on ::. > Server listening on :: port 22. > debug3: fd 5 is not O_NONBLOCK > debug1: Server will not fork when running in debugging mode. > debug3: send_rexec_state: entering fd = 8 config len 687 > debug3: ssh_msg_send: type 0 > debug3: send_rexec_state: done > debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 > debug3: recv_rexec_state: entering fd = 5 > debug3: ssh_msg_recv entering > debug3: recv_rexec_state: done > debug2: parse_server_config: config rexec len 687 > debug3: rexec:21 setting Protocol 2 > debug3: rexec:36 setting SyslogFacility AUTHPRIV > debug3: rexec:66 setting PasswordAuthentication yes > debug3: rexec:70 setting ChallengeResponseAuthentication no > debug3: rexec:82 setting GSSAPICleanupCredentials yes > debug3: rexec:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME > LC_COLLATE LC_MONETARY LC_MESSAGES > debug3: rexec:99 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS > LC_TELEPHONE LC_MEASUREMENT > debug3: rexec:100 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE > debug3: rexec:101 setting AcceptEnv XMODIFIERS > debug3: rexec:107 setting X11Forwarding yes > debug3: rexec:120 setting UseDNS no > debug3: rexec:130 setting Subsystem sftp /usr/libexec/openssh/sftp-server > debug3: rexec:137 setting KerberosAuthentication no > debug3: rexec:138 setting PubkeyAuthentication yes > debug3: rexec:139 setting UsePAM yes > debug3: rexec:140 setting GSSAPIAuthentication yes > debug3: rexec:141 setting AuthorizedKeysCommand > 
/usr/bin/sss_ssh_authorizedkeys > debug1: sshd version OpenSSH_5.3p1 > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > debug1: read PEM private key done: type RSA > debug1: private host key: #0 type 1 RSA > debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. > debug1: read PEM private key done: type DSA > debug1: private host key: #1 type 2 DSA > debug1: inetd sockets after dupping: 3, 3 > Connection from 10.5.5.57 port 15110 > debug1: Client protocol version 2.0; client software version > PuTTY_Release_0.63 > debug1: no match: PuTTY_Release_0.63 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.3 > debug2: fd 3 setting O_NONBLOCK > debug2: Network child is on pid 7346 > debug3: preauth child monitor started > debug3: mm_request_receive entering > debug3: privsep user:group 74:74 > debug1: permanently_set_uid: 74/74 > debug1: list_hostkey_types: ssh-rsa,ssh-dss > debug1: SSH2_MSG_KEXINIT sent > debug3: Wrote 840 bytes for a total of 861 > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: 
kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 > debug2: kex_parse_kexinit: > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 > debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 > debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: found hmac-sha2-256 > debug1: kex: client->server aes256-ctr hmac-sha2-256 none > debug3: mm_request_send entering: type 78 > debug3: monitor_read: checking request 78 > debug3: mm_request_send entering: type 79 > debug3: mm_request_receive entering > debug3: mm_request_receive_expect entering: type 79 > debug3: mm_request_receive entering > debug2: mac_setup: found hmac-sha2-256 > debug1: kex: server->client aes256-ctr hmac-sha2-256 none > debug3: mm_request_send entering: type 78 > debug3: monitor_read: checking request 78 > debug3: mm_request_send entering: type 79 > debug3: mm_request_receive entering > debug3: mm_request_receive_expect entering: type 79 > debug3: mm_request_receive entering > debug1: 
SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received > debug3: mm_request_send entering: type 0 > debug3: monitor_read: checking request 0 > debug3: mm_answer_moduli: got parameters: 1024 4096 8192 > debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI > debug3: mm_request_receive_expect entering: type 1 > debug3: mm_request_receive entering > debug3: mm_request_send entering: type 1 > debug3: mm_choose_dh: remaining 0 > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > debug3: Wrote 536 bytes for a total of 1397 > debug2: monitor_read: 0 used once, disabling now > debug3: mm_request_receive entering > debug2: dh_gen_key: priv key bits set: 283/512 > debug2: bits set: 2035/4096 > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT > debug2: bits set: 2100/4096 > debug3: mm_key_sign entering > debug3: mm_request_send entering: type 5 > debug3: monitor_read: checking request 5 > debug3: mm_answer_sign > debug3: mm_answer_sign: signature 0x7f9e4e6c8010(271) > debug3: mm_request_send entering: type 6 > debug2: monitor_read: 5 used once, disabling now > debug3: mm_request_receive entering > debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN > debug3: mm_request_receive_expect entering: type 6 > debug3: mm_request_receive entering > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug2: cipher_init: set keylen (16 -> 32) > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug3: Wrote 1104 bytes for a total of 2501 > debug2: set_newkeys: mode 0 > debug2: cipher_init: set keylen (16 -> 32) > debug1: SSH2_MSG_NEWKEYS received > debug1: KEX done > debug3: Wrote 64 bytes for a total of 2565 > debug1: userauth-request for user username service ssh-connection method none > debug1: attempt 0 failures 0 > debug3: mm_getpwnamallow entering > debug3: mm_request_send entering: type 7 > debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM > debug3: mm_request_receive_expect entering: type 8 > debug3: mm_request_receive entering > debug3: 
monitor_read: checking request 7 > debug3: mm_answer_pwnamallow > debug2: parse_server_config: config reprocess config len 687 > debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 > debug3: mm_request_send entering: type 8 > debug2: monitor_read: 7 used once, disabling now > debug3: mm_request_receive entering > debug2: input_userauth_request: setting up authctxt for username > debug3: mm_start_pam entering > debug3: mm_request_send entering: type 50 > debug3: mm_inform_authserv entering > debug3: mm_request_send entering: type 3 > debug3: mm_inform_authrole entering > debug3: mm_request_send entering: type 4 > debug2: input_userauth_request: try method none > debug3: Wrote 96 bytes for a total of 2661 > debug3: monitor_read: checking request 50 > debug1: PAM: initializing for "username" > debug1: userauth-request for user username service ssh-connection method > gssapi-with-mic > debug1: attempt 1 failures 0 > debug2: input_userauth_request: try method gssapi-with-mic > debug3: mm_request_send entering: type 38 > debug3: mm_request_receive_expect entering: type 39 > debug3: mm_request_receive entering > debug1: PAM: setting PAM_RHOST to "10.5.5.57" > debug1: PAM: setting PAM_TTY to "ssh" > debug2: monitor_read: 50 used once, disabling now > debug3: mm_request_receive entering > debug3: monitor_read: checking request 3 > debug3: mm_answer_authserv: service=ssh-connection, style= > debug2: monitor_read: 3 used once, disabling now > debug3: mm_request_receive entering > debug3: monitor_read: checking request 4 > debug3: mm_answer_authrole: role= > debug2: monitor_read: 4 used once, disabling now > debug3: mm_request_receive entering > debug3: monitor_read: checking request 38 > debug3: mm_request_send entering: type 39 > Postponed gssapi-with-mic for username from 10.5.5.57 port 15110 ssh2 > debug3: Wrote 64 bytes for a total of 2725 > debug3: mm_request_receive entering > debug3: mm_request_send entering: type 40 > debug3: mm_request_receive_expect entering: 
type 41 > debug3: mm_request_receive entering > debug3: monitor_read: checking request 40 > debug1: Got no client credentials > debug3: mm_request_send entering: type 41 > debug3: Wrote 208 bytes for a total of 2933 > debug3: mm_request_receive entering > debug3: mm_request_send entering: type 44 > debug3: mm_request_receive_expect entering: type 45 > debug3: mm_request_receive entering > debug3: monitor_read: checking request 44 > debug3: mm_request_send entering: type 45 > debug3: mm_request_send entering: type 42 > debug3: mm_request_receive_expect entering: type 43 > debug3: mm_request_receive entering > debug3: mm_request_receive entering > debug3: monitor_read: checking request 42 > Authorized to username, krb5 principal username at IPADOMAIN.NET (krb5_kuserok) > debug3: mm_answer_gss_userok: sending result 1 > debug3: mm_request_send entering: type 43 > debug3: mm_ssh_gssapi_userok: user authenticated > debug3: mm_do_pam_account entering > debug3: mm_request_send entering: type 51 > debug3: mm_request_receive_expect entering: type 52 > debug3: mm_request_receive entering > debug3: mm_request_receive_expect entering: type 51 > debug3: mm_request_receive entering > debug1: do_pam_account: called > debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success) > debug3: mm_request_send entering: type 52 > Accepted gssapi-with-mic for username from 10.5.5.57 port 15110 ssh2 > debug1: monitor_child_preauth: username has been authenticated by > privileged process > debug3: mm_get_keystate: Waiting for new keys > debug3: mm_request_receive_expect entering: type 25 > debug3: mm_request_receive entering > debug3: mm_do_pam_account returning 1 > debug3: Wrote 48 bytes for a total of 2981 > debug3: mm_send_keystate: Sending new keys: 0x7f9e4e6c6a20 0x7f9e4e6c8840 > debug3: mm_newkeys_to_blob: converting 0x7f9e4e6c6a20 > debug3: mm_newkeys_to_blob: converting 0x7f9e4e6c8840 > debug3: mm_send_keystate: New keys have been sent > debug3: mm_send_keystate: Sending compression 
state > debug3: mm_request_send entering: type 25 > debug3: mm_send_keystate: Finished sending state > debug3: mm_request_send entering: type 80 > debug3: mm_request_receive_expect entering: type 81 > debug3: mm_request_receive entering > debug3: mm_newkeys_from_blob: 0x7f9e4e6e5ec0(159) > debug2: mac_setup: found hmac-sha2-256 > debug3: mm_get_keystate: Waiting for second key > debug3: mm_newkeys_from_blob: 0x7f9e4e6e5ec0(159) > debug2: mac_setup: found hmac-sha2-256 > debug3: mm_get_keystate: Getting compression state > debug3: mm_get_keystate: Getting Network I/O buffers > debug3: mm_request_receive_expect entering: type 80 > debug3: mm_request_receive entering > debug3: mm_request_send entering: type 81 > debug3: mm_share_sync: Share sync > debug3: mm_share_sync: Share sync end > debug1: temporarily_use_uid: 756600344/756600344 (e=0/0) > debug1: No credentials stored > debug1: restore_uid: 0/0 > debug1: SELinux support disabled > debug1: PAM: establishing credentials > debug3: PAM: opening session > debug1: temporarily_use_uid: 756600344/756600344 (e=0/0) > debug1: No credentials stored > debug1: restore_uid: 0/0 > User child is on pid 7359 > debug3: mm_request_receive entering > debug1: PAM: establishing credentials > debug1: permanently_set_uid: 756600344/756600344 > debug2: set_newkeys: mode 0 > debug2: cipher_init: set keylen (16 -> 32) > debug2: set_newkeys: mode 1 > debug2: cipher_init: set keylen (16 -> 32) > debug1: Entering interactive session for SSH2. 
> debug2: fd 10 setting O_NONBLOCK > debug2: fd 11 setting O_NONBLOCK > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 256 win 16384 max > 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug2: session_new: allocate (allocated 0 max 10) > debug3: session_unused: session id 0 unused > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug3: Wrote 64 bytes for a total of 3045 > debug1: server_input_channel_req: channel 0 request pty-req reply 1 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req pty-req > debug1: Allocating pty. > debug3: mm_request_send entering: type 26 > debug3: monitor_read: checking request 26 > debug3: mm_answer_pty entering > debug2: session_new: allocate (allocated 0 max 10) > debug3: session_unused: session id 0 unused > debug1: session_new: session 0 > debug3: mm_request_send entering: type 27 > debug3: mm_answer_pty: tty /dev/pts/1 ptyfd 9 > debug3: mm_request_receive entering > debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY > debug3: mm_request_receive_expect entering: type 27 > debug3: mm_request_receive entering > debug1: session_pty_req: session 0 alloc /dev/pts/1 > debug1: server_input_channel_req: channel 0 request shell reply 1 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req shell > debug2: fd 3 setting TCP_NODELAY > debug2: channel 0: rfd 14 isatty > debug2: fd 14 setting O_NONBLOCK > debug3: fd 12 is O_NONBLOCK > debug3: Wrote 160 bytes for a total of 3205 > debug1: Setting controlling tty using TIOCSCTTY. 
> debug3: Wrote 112 bytes for a total of 3317
> debug3: Wrote 400 bytes for a total of 3717
> debug3: Wrote 160 bytes for a total of 3877
>

From lkrispen at redhat.com Wed Jun 17 08:08:12 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 10:08:12 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru>
Message-ID: <55812AEC.9050100@redhat.com>

Hi,

This is really strange; if these conflict entries get created, they should be the same on all servers. Could you repeat the two searches requesting the attribute "nscpentrywsi" (you have to do it as Directory Manager, and add -o ldif-wrap=no)? It could give info on when and where these entries were created.

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
>
> Hello.
>
> Another example. Today appeared on servers of different site.
> > Original LDIF: > > # extended LDIF > > # > > # LDAPv3 > > # base Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru > > dn: cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc > > =ru > > ipaPermTargetFilter: (objectclass=ipahost) > > ipaPermRight: write > > ipaPermBindRuleType: permission > > ipaPermissionType: V2 > > ipaPermissionType: MANAGED > > ipaPermissionType: SYSTEM > > cn: System: Manage Host Keytab > > objectClass: ipapermission > > objectClass: top > > objectClass: groupofnames > > objectClass: ipapermissionv2 > > member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > member: cn=Host > Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermDefaultAttr: krbprincipalkey > > ipaPermDefaultAttr: krblastpwdchange > > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru > > # search result > > search: 2 > > result: 0 Success > > # numResponses: 2 > > # numEntries: 1 > > Duplicate: > > # extended LDIF > > # > > # LDAPv3 > > # base Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> > with scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, > permissio > > ns, pbac, unix.megafon.ru > > dn: cn=System: Manage Host > Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff > > 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermTargetFilter: (objectclass=ipahost) > > ipaPermRight: write > > ipaPermBindRuleType: permission > > ipaPermissionType: V2 > > ipaPermissionType: MANAGED > > ipaPermissionType: SYSTEM > > cn: System: Manage Host Keytab > > objectClass: ipapermission > > objectClass: top > > objectClass: groupofnames > > objectClass: ipapermissionv2 > > member: cn=Host 
Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > member: cn=Host > Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermDefaultAttr: krbprincipalkey > > ipaPermDefaultAttr: krblastpwdchange > > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru > > # search result > > search: 2 > > result: 0 Success > > # numResponses: 2 > > # numEntries: 1 > > No other servers in IPA domain have such duplicates. > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Ludwig Krispenz > *Sent:* Tuesday, June 16, 2015 3:52 PM > *To:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] replication conflicts > > On 06/16/2015 11:42 AM, Alexander Frolushkin wrote: > > Hello. > > Just to remind if somebody still not familiar with our IPA > installation J > > We currently have 18 IPA servers in domain, on 8 sites in > different regions across the Russia. > > And now, our new problem. > > Regularly we getting a nsds5ReplConflict records on some of our > servers, very often on servers from specific site. Usually it is > simply a doubles and we can remove the renamed change to get > everything back. But why do we have them at all? > > May be someone could explain, how we can detect the cause of this > replication conflicts? > > if you are talking about having two "duplicate" entries, > one: uid=xxxxx, > one: nsuniqueid=nnnnnnnn+uid=xxxxx, > > these entries appear if the entry uid=xxxxx was added, simultaneously, > on two servers. I think this can happen if a client tries to add an > entry and if it doesn't get a response in some time retries on another > server. 
> to find out which client this is you need to check on which servers
> the entries were originally added and then see which client was doing it
>
> > Sometimes it is moderately harmful, because, for example, HBAC stops
> > working on a specific server while the doubles are still present.
> >
> > Thanks in forward...
> >
> > WBR,
> > Alexander Frolushkin
> > Cell +79232508764
> > Work +79232507764
> >
> > ------------------------------------------------------------------------
> >
> > The information contained in this communication is intended solely for
> > the use of the individual or entity to whom it is addressed and others
> > authorized to receive it. It may contain confidential or legally
> > privileged information. The contents may not be disclosed or used by
> > anyone other than the addressee. If you are not the intended
> > recipient(s), any use, disclosure, copying, distribution or any action
> > taken or omitted to be taken in reliance on it is prohibited and may
> > be unlawful. If you have received this communication in error please
> > notify us immediately by responding to this email and then delete the
> > e-mail and all attachments and any copies thereof.
> >
> > (c)20mf50
>
> ------------------------------------------------------------------------

From henry.hofmann at osthus.com Wed Jun 17 08:21:22 2015
From: henry.hofmann at osthus.com (Henry Hofmann)
Date: Wed, 17 Jun 2015 08:21:22 +0000
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <55810EBE.3050906@redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com>
Message-ID: <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> It should be possible, yes - if you target web service/Red Mine to the compat tree, as it was done for example in this integration:
>
> http://www.freeipa.org/page/HowTo/vsphere5_integration

Thanks, your expression is very helpful for nested group memberships.
But maybe I expressed myself wrong. We need to log on with a user from Active Directory (like henry) over a trust with the IPA domain. But in the IPA domain there is no user named henry, only a reference to the user in the group "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235".

> > BTW, if Redmine is run by Apache, you can also leverage native Web<->SSSD<->FreeIPA/AD integration, following

Our Redmine is running with a Ruby web server based on lock files, and in front we use an nginx web proxy.

> http://www.freeipa.org/page/Web_App_Authentication
>
> Martin
>
>> I understand this is for application which is using Kerberos.
> No, it is not only for that.
>
>> I have some web applications like "redmine" and "owncloud" which have their
>> own user management. They need to be configured to LDAP to grant
>> authorizations without Kerberos. And not all of them use Apache or
>> Tomcat as application server.
> For OwnCloud use
> https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406
> and read a backstory in https://github.com/owncloud/core/issues/10130
>
> For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't need to include the user which runs redmine into shadow group with FreeIPA because user accounts are never in
> /etc/shadow for FreeIPA so you don't need that access.
>

What do you mean with "You don't need to include the user which runs Redmine into shadow group with FreeIPA because user accounts are never in /etc/shadow for FreeIPA so you don't need that access"?

Normally we create users and groups in FreeIPA and add the users to the groups. Currently we sync the users and groups to Redmine and grant the permission roles (Developer or Manager) to the groups. In this scenario I can manage the grants for users remotely on every web server that we use.

> Both these methods rely on PAM authentication which is powered by SSSD.
>
> --
> / Alexander Bokovoy

Thanks for your help.
Henry

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.1.0 (Build 860)
Charset: us-ascii

wsBVAwUBVYEuBHEu+nQzo7NUAQhF5ggAhRRwwTW2XkV4wqe3Q4IAbLFvux8KrVpC
MZ5qovGeyY5N9Fk/MunfC0eg2J2t7KGU9bdJEuWNIZtxH8tLZudRIQL7DMrUs0hF
yNoCIfa0PgMNhS7OFGMtlpF76YBsA50xP9Qhd8hXOsGMnqaaaZ54psUCO4fOSiLB
RGFXaFIs6u1odq93DRImVGvy2mBN1MPC+cG1fQHZN089OZ7aFQunNTIWeGptmTX8
CjspbonsB1HZzN7vRDLs2RKGLm+7f8gv4MZHN1gBFLzTjAAZ1ke2+vOM+e+QmHXL
GHCx9yPr3C9GvB89cN5tssD/F32Pixa0UzENYAk7CHqQE7cKRpNAOw==
=jfYn
-----END PGP SIGNATURE-----

From sbose at redhat.com Wed Jun 17 08:35:57 2015
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 17 Jun 2015 10:35:57 +0200
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de>
Message-ID: <20150617083557.GO3616@p.redhat.com>

On Wed, Jun 17, 2015 at 08:21:22AM +0000, Henry Hofmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > It should be possible, yes - if you target web service/Red Mine to the compat tree, as it was done for example in this integration:
> >
> > http://www.freeipa.org/page/HowTo/vsphere5_integration
> Thanks, your expression is very helpful for nested group memberships.
>
> But maybe I expressed myself wrong. We need to log on with a user from Active Directory (like henry) over a trust with the IPA domain. But in the IPA domain there is no user named henry, only a reference to the user in the group "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235".

The user can be looked up in the compat tree, e.g.
    ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry@ad.domain'

HTH

bye,
Sumit

>
> > BTW, if Redmine is run by Apache, you can also leverage native Web<->SSSD<->FreeIPA/AD integration, following
> Our Redmine is running with a Ruby web server based on lock files, and in front we use an nginx web proxy.
>
> > http://www.freeipa.org/page/Web_App_Authentication
> >
> > Martin
> >
> >> I understand this is for application which is using Kerberos.
> > No, it is not only for that.
> >
> >> I have some web applications like "redmine" and "owncloud" which have their
> >> own user management. They need to be configured to LDAP to grant
> >> authorizations without Kerberos. And not all of them use Apache or
> >> Tomcat as application server.
> > For OwnCloud use
> > https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406
> > and read a backstory in https://github.com/owncloud/core/issues/10130
> >
> > For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't need to include the user which runs redmine into shadow group with FreeIPA because user accounts are never in
> > /etc/shadow for FreeIPA so you don't need that access.
> >
> What do you mean with "You don't need to include the user which runs Redmine into shadow group with FreeIPA because user accounts are never in /etc/shadow for FreeIPA so you don't need that access"?
> Normally we create users and groups in FreeIPA and add the users to the groups. Currently we sync the users and groups to Redmine and grant the permission roles (Developer or Manager) to the groups. In this scenario I can manage the grants for users remotely on every web server that we use.
>
> > Both these methods rely on PAM authentication which is powered by SSSD.
> >
> > --
> > / Alexander Bokovoy
>
> Thanks for your help.
> Henry
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 3.1.0 (Build 860)
> Charset: us-ascii
>
> wsBVAwUBVYEuBHEu+nQzo7NUAQhF5ggAhRRwwTW2XkV4wqe3Q4IAbLFvux8KrVpC
> MZ5qovGeyY5N9Fk/MunfC0eg2J2t7KGU9bdJEuWNIZtxH8tLZudRIQL7DMrUs0hF
> yNoCIfa0PgMNhS7OFGMtlpF76YBsA50xP9Qhd8hXOsGMnqaaaZ54psUCO4fOSiLB
> RGFXaFIs6u1odq93DRImVGvy2mBN1MPC+cG1fQHZN089OZ7aFQunNTIWeGptmTX8
> CjspbonsB1HZzN7vRDLs2RKGLm+7f8gv4MZHN1gBFLzTjAAZ1ke2+vOM+e+QmHXL
> GHCx9yPr3C9GvB89cN5tssD/F32Pixa0UzENYAk7CHqQE7cKRpNAOw==
> =jfYn
> -----END PGP SIGNATURE-----

From lkrispen at redhat.com Wed Jun 17 08:58:00 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 10:58:00 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru>
Message-ID: <55813698.3040808@redhat.com>

Hi,

You sent the data directly to me, maybe not wanting to share it with everyone. I'll continue the discussion here, trying to be careful.

The "good" entry was created in April on replica 12 "0x0c":
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z

The "nsuniqueid" entry was created today on replica 26 "0x1a":
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z

If the original entry had existed on replica 26, the new add should have been rejected; if it was not there, the question is why.

Do you have any additional info on replica 26: when was it created, was it disconnected for some time?

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
>
> Hello.
>
> Another example. Today appeared on servers of different site.
> > Original LDIF: > > # extended LDIF > > # > > # LDAPv3 > > # base Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru > > dn: cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc > > =ru > > ipaPermTargetFilter: (objectclass=ipahost) > > ipaPermRight: write > > ipaPermBindRuleType: permission > > ipaPermissionType: V2 > > ipaPermissionType: MANAGED > > ipaPermissionType: SYSTEM > > cn: System: Manage Host Keytab > > objectClass: ipapermission > > objectClass: top > > objectClass: groupofnames > > objectClass: ipapermissionv2 > > member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > member: cn=Host > Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermDefaultAttr: krbprincipalkey > > ipaPermDefaultAttr: krblastpwdchange > > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru > > # search result > > search: 2 > > result: 0 Success > > # numResponses: 2 > > # numEntries: 1 > > Duplicate: > > # extended LDIF > > # > > # LDAPv3 > > # base Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> > with scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, > permissio > > ns, pbac, unix.megafon.ru > > dn: cn=System: Manage Host > Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff > > 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermTargetFilter: (objectclass=ipahost) > > ipaPermRight: write > > ipaPermBindRuleType: permission > > ipaPermissionType: V2 > > ipaPermissionType: MANAGED > > ipaPermissionType: SYSTEM > > cn: System: Manage Host Keytab > > objectClass: ipapermission > > objectClass: top > > objectClass: groupofnames > > objectClass: ipapermissionv2 > > member: cn=Host 
Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > member: cn=Host > Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermDefaultAttr: krbprincipalkey > > ipaPermDefaultAttr: krblastpwdchange > > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru > > # search result > > search: 2 > > result: 0 Success > > # numResponses: 2 > > # numEntries: 1 > > No other servers in IPA domain have such duplicates. > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Ludwig Krispenz > *Sent:* Tuesday, June 16, 2015 3:52 PM > *To:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] replication conflicts > > On 06/16/2015 11:42 AM, Alexander Frolushkin wrote: > > Hello. > > Just to remind if somebody still not familiar with our IPA > installation J > > We currently have 18 IPA servers in domain, on 8 sites in > different regions across the Russia. > > And now, our new problem. > > Regularly we getting a nsds5ReplConflict records on some of our > servers, very often on servers from specific site. Usually it is > simply a doubles and we can remove the renamed change to get > everything back. But why do we have them at all? > > May be someone could explain, how we can detect the cause of this > replication conflicts? > > if you are talking about having two "duplicate" entries, > one: uid=xxxxx, > one: nsuniqueid=nnnnnnnn+uid=xxxxx, > > these entries appear if the entry uid=xxxxx was added, simultaneously, > on two servers. I think this can happen if a client tries to add an > entry and if it doesn't get a response in some time retries on another > server. 
> to find out which client this is you need to check on which servers
> the entries were originally added and then see which client was doing it
>
> > Sometimes it is moderately harmful, because, for example, HBAC stops
> > working on a specific server while the doubles are still present.
> >
> > Thanks in forward...
> >
> > WBR,
> > Alexander Frolushkin
> > Cell +79232508764
> > Work +79232507764
> >
> > ------------------------------------------------------------------------
> >
> > The information contained in this communication is intended solely for
> > the use of the individual or entity to whom it is addressed and others
> > authorized to receive it. It may contain confidential or legally
> > privileged information. The contents may not be disclosed or used by
> > anyone other than the addressee. If you are not the intended
> > recipient(s), any use, disclosure, copying, distribution or any action
> > taken or omitted to be taken in reliance on it is prohibited and may
> > be unlawful. If you have received this communication in error please
> > notify us immediately by responding to this email and then delete the
> > e-mail and all attachments and any copies thereof.
> >
> > (c)20mf50
>
> ------------------------------------------------------------------------

From Alexander.Frolushkin at megafon.ru Wed Jun 17 09:03:25 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 09:03:25 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55813698.3040808@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com>
Message-ID: <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru>

This is correct, thank you for understanding and for helping!

Replica with id 26 was created today; this is our new server which was included in the domain just a few hours ago. Looks like this dup came right after this new replica creation.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 2:58 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hi,

You sent the data directly to me, maybe not wanting to share it with everyone. I'll continue the discussion here, trying to be careful.

The "good" entry was created in April on replica 12 "0x0c":
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z

The "nsuniqueid" entry was created today on replica 26 "0x1a":
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z

If the original entry had existed on replica 26, the new add should have been rejected; if it was not there, the question is why.

Do you have any additional info on replica 26: when was it created, was it disconnected for some time?

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:

Hello.

Another example. Today appeared on servers of different site.
Original LDIF: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc =ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Duplicate: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissio ns, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 No other servers in IPA domain have such duplicates. 
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:

Hello.

Just to remind, if somebody is still not familiar with our IPA installation :)

We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.

And now, our new problem.

Regularly we get nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?

Maybe someone could explain how we can detect the cause of these replication conflicts?

If you are talking about having two "duplicate" entries,
one: uid=xxxxx,
one: nsuniqueid=nnnnnnnn+uid=xxxxx,

these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.

To find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it.

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.

Thanks in forward...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

(c)20mf50
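Ludwig's reading of the CSNs quoted above (replica 12 is "0x0c" and replica 26 is "0x1a" in the vucsn- tag on createTimestamp; the leading eight hex digits are the generator's clock) is easy to script when there are 18 servers to check. The following is an added example written for this thread, not code from 389-ds or FreeIPA: it parses an LDIF dump (including the RFC 2849 line folding visible in the wrapped DNs quoted above), flags entries renamed with an nsuniqueid= RDN component or tagged with nsds5ReplConflict, decodes each 20-hex-digit CSN into timestamp, sequence number, replica id and sub-sequence number, and reports which replica originated each entry. The sample LDIF is constructed from the two entries quoted in this thread; its nsds5ReplConflict line is an assumed illustration of that marker.

```python
"""Decode 389-ds CSNs from an LDIF dump and flag replication-conflict entries.

Added example for this thread; not 389-ds or FreeIPA code. SAMPLE_LDIF is
constructed from the two entries quoted in the discussion.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# A 389-ds CSN is 20 hex digits: 8 = seconds since the epoch, 4 = sequence
# number, 4 = replica id, 4 = sub-sequence number.
CSN_RE = re.compile(r"^([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})$")
# State-info tags that carry a CSN as an attribute option, e.g. the
# "createTimestamp;vucsn-..." lines quoted in the thread.
STATE_TAG_RE = re.compile(r";(?:vucsn|vdcsn|adcsn)-([0-9a-fA-F]{20})")


@dataclass(frozen=True)
class Csn:
    timestamp: int
    seqnum: int
    replica_id: int
    subseqnum: int

    @property
    def utc(self) -> str:
        # The CSN generator keeps its clock at or ahead of every CSN it has
        # seen from other replicas, so this can run ahead of the wall clock.
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%SZ")


def parse_csn(csn: str) -> Csn:
    m = CSN_RE.match(csn.lower())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    return Csn(*(int(part, 16) for part in m.groups()))


def unfold(text: str) -> list:
    """Join RFC 2849 continuation lines (leading space) onto the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Return [(dn, [(attr_with_options, value), ...]), ...]; comments skipped."""
    entries, current = [], None
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
        elif line.startswith("#"):
            pass
        else:
            name, _, value = line.partition(":")  # first colon only: DN values contain ':'
            name, value = name.strip(), value.strip()
            if name.lower() == "dn":
                current = (value, [])
            elif current is not None:
                current[1].append((name, value))
    return entries


def is_conflict_entry(dn: str, attrs: list) -> bool:
    """389-ds renames the losing duplicate to a multi-valued RDN that includes
    nsuniqueid= and stamps it with nsds5ReplConflict; either marker counts."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    rdn_types = {part.split("=", 1)[0].strip().lower() for part in rdn.split("+")}
    tagged = any(name.lower() == "nsds5replconflict" for name, _ in attrs)
    return ("nsuniqueid" in rdn_types and len(rdn_types) > 1) or tagged


def conflict_report(text: str) -> list:
    """One row per entry: DN, conflict flag, and the replica/time of its ADD."""
    rows = []
    for dn, attrs in parse_ldif(text):
        origin = None
        for name, _ in attrs:
            tag = STATE_TAG_RE.search(name)
            if tag and name.lower().startswith("createtimestamp"):
                origin = parse_csn(tag.group(1))
        rows.append({
            "dn": dn,
            "conflict": is_conflict_entry(dn, attrs),
            "replica_id": origin.replica_id if origin else None,
            "created": origin.utc if origin else None,
        })
    return rows


# Constructed sample modelled on the two entries quoted in this thread; the
# nsds5ReplConflict line is an assumed illustration of the conflict marker.
SAMPLE_LDIF = """\
# extended LDIF (constructed)
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc
 =ru
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z
cn: System: Manage Host Keytab

dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff
 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z
cn: System: Manage Host Keytab
nsds5ReplConflict: namingConflict cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
"""

if __name__ == "__main__":
    for row in conflict_report(SAMPLE_LDIF):
        kind = "CONFLICT" if row["conflict"] else "original"
        print(f"{kind:8} replica {str(row['replica_id']):>3} at {row['created']}  {row['dn']}")
```

Feed it the output of the Directory Manager search with -o ldif-wrap=no that Ludwig asked for (the parser copes with folded lines either way). Note that the CSN clock is a couple of minutes ahead of the wall-clock createTimestamp in both quoted entries: the CSN generator keeps its clock at or ahead of every CSN it has received from other replicas, so match the replica id and the ordering of CSNs, not the absolute seconds, when you go looking in access logs.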
From tbordaz at redhat.com Wed Jun 17 09:14:44 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 17 Jun 2015 11:14:44 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru>
Message-ID: <55813A84.8030809@redhat.com>

Hello Alexander,

How did you initialize that new replica 26?

Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.

Would you check in replica26 access logs if that entry was deleted?

thanks
thierry

On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
> This is correct, thank you for understanding and for helping!
>
> Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago. Looks like this dup came right after this new replica creation.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* Wednesday, June 17, 2015 2:58 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> Hi,
>
> you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.
>
> The "good" entry was created in April on replica 12 "0x0c":
> createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z
>
> the "nsuniqueid" entry was created today on replica 26 "0x1a":
> createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z
>
> if the original entry had existed on replica26 the new add should have been rejected; if it was not there the question is why.
>
> Do you have any additional info on replica 26, when was it created, was it disconnected for some time?
>
> Ludwig
>
> On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
>> Hello.
>>
>> Another example. Today it appeared on servers of a different site.
>>
>> Original LDIF:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
>> dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
>> ipaPermTargetFilter: (objectclass=ipahost)
>> ipaPermRight: write
>> ipaPermBindRuleType: permission
>> ipaPermissionType: V2
>> ipaPermissionType: MANAGED
>> ipaPermissionType: SYSTEM
>> cn: System: Manage Host Keytab
>> objectClass: ipapermission
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermissionv2
>> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>> ipaPermDefaultAttr: krbprincipalkey
>> ipaPermDefaultAttr: krblastpwdchange
>> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Duplicate:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
>> dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
>> ipaPermTargetFilter: (objectclass=ipahost)
>> ipaPermRight: write
>> ipaPermBindRuleType: permission
>> ipaPermissionType: V2
>> ipaPermissionType: MANAGED
>> ipaPermissionType: SYSTEM
>> cn: System: Manage Host Keytab
>> objectClass: ipapermission
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermissionv2
>> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>> ipaPermDefaultAttr: krbprincipalkey
>> ipaPermDefaultAttr: krblastpwdchange
>> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> No other servers in the IPA domain have such duplicates.
>>
>> WBR,
>> Alexander Frolushkin
>> Cell +79232508764
>> Work +79232507764
>>
>> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of* Ludwig Krispenz
>> *Sent:* Tuesday, June 16, 2015 3:52 PM
>> *To:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] replication conflicts
>>
>> On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
>>> Hello.
>>>
>>> Just a reminder, if somebody is still not familiar with our IPA installation :)
>>>
>>> We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
>>>
>>> And now, our new problem.
>>>
>>> Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
>>>
>>> Maybe someone could explain how we can detect the cause of these replication conflicts?
>>
>> if you are talking about having two "duplicate" entries,
>> one: uid=xxxxx,
>> one: nsuniqueid=nnnnnnnn+uid=xxxxx,
>>
>> these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
>> to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it
>>
>>> Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.
>>>
>>> Thanks in advance...
>>>
>>> WBR,
>>> Alexander Frolushkin
>>> Cell +79232508764
>>> Work +79232507764

From lkrispen at redhat.com Wed Jun 17 09:18:52 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 11:18:52 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru>
Message-ID: <55813B7C.4030905@redhat.com>

On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
> This is correct, thank you for understanding and for helping!
>
> Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago. Looks like this dup came right after this new replica creation.

so on which servers does the "nsuniqueid" entry exist? can you check for 5580f3210000001a0000 in the access log of replica 26, then check the error log around this time and eventually the replica install log

> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764

From Alexander.Frolushkin at megafon.ru Wed Jun 17 09:22:47 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 09:22:47 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55813A84.8030809@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com>
Message-ID: <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru>

This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
No DEL found: # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr" [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (more recent dup was deleted). Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbordaz at redhat.com] Sent: Wednesday, June 17, 2015 3:15 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts Hello Alexander, How did you initialize that new replica 26. Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12. Would you check in replica26 access logs if that entry was deleted ? thanks theirry On 06/17/2015 11:03 AM, Alexander Frolushkin wrote: This is correct, thank you for understanding and for helping! Replica with id 26 was created today, this is our new server which was included in domain just a few hours ago. 
Looks like this dup came right after this new replica creation. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, June 17, 2015 2:58 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts Hi, you did send the data directly to me, maybe not wanting to share them to everyone. I'll continue discussion here, trying to be careful. The "good" entry was created in April on replica 12 "0x0c" createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z the "nsuniqueid" entry was created today on replica 26 "0x1a" createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z if the original entry would have existed on replica26 the new add should have been rejected, if it was not there the question is why. Do you have any additional info on replica 26, when was it created, was it disconnected for some time ?? Ludwig On 06/17/2015 08:13 AM, Alexander Frolushkin wrote: Hello. Another example. Today appeared on servers of different site. 
Original LDIF: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc =ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Duplicate: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissio ns, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 No other servers in IPA domain have such duplicates. 
WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, June 16, 2015 3:52 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts On 06/16/2015 11:42 AM, Alexander Frolushkin wrote: Hello. Just to remind if somebody still not familiar with our IPA installation :) We currently have 18 IPA servers in domain, on 8 sites in different regions across the Russia. And now, our new problem. Regularly we getting a nsds5ReplConflict records on some of our servers, very often on servers from specific site. Usually it is simply a doubles and we can remove the renamed change to get everything back. But why do we have them at all? May be someone could explain, how we can detect the cause of this replication conflicts? if you are talking about having two "duplicate" entries, one: uid=xxxxx, one: nsuniqueid=nnnnnnnn+uid=xxxxx, these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server. to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it Sometime it is moderately harmful, because, for example HBAC stops working on specific server while doubles still present. Thanks in forward... WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? 
??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. 
If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? 
From Alexander.Frolushkin at megafon.ru Wed Jun 17 09:34:05 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 09:34:05 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55813B7C.4030905@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813B7C.4030905@redhat.com>
Message-ID: <8aafb7f1acf04a0fa3694a510af85c92@sib-ums03.Megafon.ru>

In access log:

[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 RESULT err=0 tag=105 nentries=0 etime=0 csn=5580f3210000001a0000

There are a lot of strange things around this time in the error log:

[17/Jun/2015:10:07:58 +0600] - 389-Directory/1.3.3.1 B2015.112.027 starting up
[17/Jun/2015:10:07:59 +0600] - WARNING: userRoot: entry cache size 2199021B is less than db size 4702208B; We recommend to increase the entry cache size nsslapd-cachememsize.
[17/Jun/2015:10:07:59 +0600] - WARNING: ipaca: entry cache size 5368708B is less than db size 7684096B; We recommend to increase the entry cache size nsslapd-cachememsize.
[17/Jun/2015:10:07:59 +0600] - I'm resizing my cache now...cache was 2097152 and is now 1677721
[17/Jun/2015:10:07:59 +0600] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=unix,dc=megafon,dc=ru
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=unix,dc=megafon,dc=ru does not exist
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=unix,dc=megafon,dc=ru does not exist
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=unix,dc=megafon,dc=ru does not exist
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=unix,dc=megafon,dc=ru does not exist
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target ou=sudoers,dc=unix,dc=megafon,dc=ru does not exist
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target cn=users,cn=compat,dc=unix,dc=megafon,dc=ru does not exist
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=megafon,dc=ru does not exist
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=megafon,dc=ru does not exist
[17/Jun/2015:10:07:59 +0600] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1395 ldap://msk-rhidm-02.unix.megafon.ru:389} 547bf945000005730000 5571895c000205730000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 86 ldap://msk-rhidm-01.unix.megafon.ru:389} 547b84aa000000560000 550be1f3000600560000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 96 ldap://sib-rhidm01.unix.megafon.ru:389} 54783af1000000600000 5580f063000000600000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 91 ldap://vlg-rhidm01.unix.megafon.ru:389} 547869c80000005b0000 558003a00003005b0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 97 ldap://sib-rhidm02.unix.megafon.ru:389} 54783af0000000610000 557fbf0d000b00610000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1095 ldap://sib-rhidm03.unix.megafon.ru:389} 5478452d000004470000 5534c492000404470000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1090 ldap://url-rhidm01.unix.megafon.ru:389} 547851bc000004420000 54e701c8000004420000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1195 ldap://url-rhidm02.unix.megafon.ru:389} 5478632a000004ab0000 5578184d000004ab0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1290 ldap://vlg-rhidm03.unix.megafon.ru:389} 547bfe130000050a0000 5552f02e0004050a0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1495 ldap://vlg-rhidm02.unix.megafon.ru:389} 547c3fb1000005d70000 55669747000305d70000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1695 ldap://cnt-rhidm02.unix.megafon.ru:389} 547c4ddc0000069f0000 547c4de60002069f0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1590 ldap://nw-rhidm01.unix.megafon.ru:389} 548a8052000006360000 548a805c000706360000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1795 ldap://dv-rhidm01.unix.megafon.ru:389} 548a894c000007030000 54e3d4ee000507030000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1895 ldap://dv-rhidm02.unix.megafon.ru:389} 54e2d305000007670000 557809c5000007670000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1585 ldap://nw-rhidm01.unix.megafon.ru:389} 54e5b04a000006310000 5576c6dd000606310000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1995 ldap://nw-rhidm02.unix.megafon.ru:389} 555ac86c000007cb0000 555ac86d000307cb0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1990 ldap://nw-rhidm02.unix.megafon.ru:389} 5576acc9000007c60000 5576acca000107c60000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1985 ldap://nw-rhidm02.unix.megafon.ru:389} 5576b866000007c10000 5576b867000107c10000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1980 ldap://nw-rhidm02.unix.megafon.ru:389} 5576c6ef000007bc0000 5576c6f0000107bc0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1085 ldap://kvk-rhidm01.unix.megafon.ru:389} 557fb8740000043d0000 557fb8760000043d0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1080 ldap://kvk-rhidm01.unix.megafon.ru:389} 557fbf1d000004380000 557fbf1e000104380000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica o=ipaca there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[17/Jun/2015:10:07:59 +0600] set_krb5_creds - Could not get initial credentials for principal [ldap/kvk-rhidm02.unix.megafon.ru at UNIX.MEGAFON.RU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[17/Jun/2015:10:07:59 +0600] attrlist_replace - attr_replace (nsslapd-referral, ldap://msk-rhidm-03.unix.megafon.ru:389/o%3Dipaca) failed.
[17/Jun/2015:10:07:59 +0600] attrlist_replace - attr_replace (nsslapd-referral, ldap://msk-rhidm-03.unix.megafon.ru:389/o%3Dipaca) failed.
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 11 ldap://msk-rhidm-02.unix.megafon.ru:389} 547bf9110000000b0000 557fee720005000b0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 9 ldap://msk-rhidm-01.unix.megafon.ru:389} 547b8469000000090000 557fbb84000d00090000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 4 ldap://sib-rhidm01.unix.megafon.ru:389} 54783b0a000000040000 557fbb84000c00040000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 8 ldap://vlg-rhidm01.unix.megafon.ru:389} 5478696c000000080000 55803311000b00080000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 3 ldap://sib-rhidm02.unix.megafon.ru:389} 54783ab6000000030000 557fbf6c000900030000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 5 ldap://sib-rhidm03.unix.megafon.ru:389} 547844f4000000050000 557fbb82000e00050000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 7 ldap://url-rhidm02.unix.megafon.ru:389} 547862f0000000070000 557fbb82002b00070000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 12 ldap://vlg-rhidm03.unix.megafon.ru:389} 547bfdbb0000000c0000 55802b370008000c0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 13 ldap://vlg-rhidm02.unix.megafon.ru:389} 547c3f560000000d0000 557fbb8a0004000d0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 14 ldap://cnt-rhidm01.unix.megafon.ru:389} 547c4a320000000e0000 557ff65d0003000e0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 15 ldap://cnt-rhidm02.unix.megafon.ru:389} 547c4da10000000f0000 557fbb8a0009000f0000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 17 ldap://dv-rhidm01.unix.megafon.ru:389} 548a8909000000110000 557fbb82002900110000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 18 ldap://dv-rhidm02.unix.megafon.ru:389} 54e2d2bc000000120000 557fbb8a000100120000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 19 ldap://nw-rhidm01.unix.megafon.ru:389} 54e5b04e001000130000 557fbb8e000200130000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 23 ldap://nw-rhidm02.unix.megafon.ru:389} 5576c6bb000000170000 557fbb91000000170000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 25 ldap://kvk-rhidm01.unix.megafon.ru:389} 557fbe89001700190000 557fe327000200190000] which is present in RUV [database RUV]
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=unix,dc=megafon,dc=ru there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[17/Jun/2015:10:07:59 +0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[17/Jun/2015:10:07:59 +0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - agmt="cn=meTomsk-rhidm-03.unix.megafon.ru" (msk-rhidm-03:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[17/Jun/2015:10:07:59 +0600] attrcrypt - No symmetric key found for cipher AES in backend changelog, attempting to create one...
[17/Jun/2015:10:07:59 +0600] attrcrypt - Key for cipher AES successfully generated and stored
[17/Jun/2015:10:07:59 +0600] attrcrypt - No symmetric key found for cipher 3DES in backend changelog, attempting to create one...
[17/Jun/2015:10:07:59 +0600] attrcrypt - Key for cipher 3DES successfully generated and stored
[17/Jun/2015:10:07:59 +0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[17/Jun/2015:10:07:59 +0600] - Listening on All Interfaces port 636 for LDAPS requests
[17/Jun/2015:10:07:59 +0600] - Listening on /var/run/slapd-UNIX-MEGAFON-RU.socket for LDAPI requests
[17/Jun/2015:10:08:02 +0600] NSMMReplicationPlugin - agmt="cn=meTomsk-rhidm-03.unix.megafon.ru" (msk-rhidm-03:389): Replication bind with GSSAPI auth resumed
[17/Jun/2015:10:08:03 +0600] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 2 max work q stack size 2
[17/Jun/2015:10:08:03 +0600] - slapd shutting down - waiting for 28 threads to terminate
[17/Jun/2015:10:08:03 +0600] - slapd shutting down - closing down internal subsystems and plugins
[17/Jun/2015:10:08:03 +0600] NSMMReplicationPlugin - agmt="cn=meTomsk-rhidm-03.unix.megafon.ru" (msk-rhidm-03:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
[17/Jun/2015:10:08:03 +0600] - Waiting for 4 database threads to stop
[17/Jun/2015:10:08:04 +0600] - All database threads now stopped
[17/Jun/2015:10:08:04 +0600] - slapd shutting down - freed 2 work q stack objects - freed 2 op stack objects
[17/Jun/2015:10:08:04 +0600] - slapd stopped.
[17/Jun/2015:10:08:06 +0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[17/Jun/2015:10:08:06 +0600] - SSL alert: Configured NSS Ciphers

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 3:19 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
This is correct, thank you for understanding and for helping!
Replica with id 26 was created today, this is our new server which was included in domain just a few hours ago.
Looks like this dup came right after this new replica creation.

so on which servers does the "nsuniqueid" entry exist ?
can you check for 5580f3210000001a0000 in the access log of replica 26, then check the error log around this time and eventually the replica install log

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 2:58 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hi,

you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.

The "good" entry was created in April on replica 12 "0x0c"
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z

the "nsuniqueid" entry was created today on replica 26 "0x1a"
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z

if the original entry had existed on replica26 the new add should have been rejected, if it was not there the question is why.

Do you have any additional info on replica 26, when was it created, was it disconnected for some time ??

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
Hello.
Another example. Today it appeared on servers of a different site.
Original LDIF:

# extended LDIF
#
# LDAPv3
# base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Duplicate:

# extended LDIF
#
# LDAPv3
# base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

No other servers in IPA domain have such duplicates.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
Hello.
Just to remind, if somebody is still not familiar with our IPA installation :)
We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
And now, our new problem.
Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually they are simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
Maybe someone could explain how we can detect the cause of these replication conflicts?

if you are talking about having two "duplicate" entries,
one: uid=xxxxx,
one: nsuniqueid=nnnnnnnn+uid=xxxxx,
these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.
Thanks in forward...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
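To work through the diagnosis Ludwig and Thierry describe above (decode the entry's CSN to see which replica id generated it and when, then find the operation that produced that CSN in that replica's access log, and rule out a duplicated replica id), here is an added Python example; it is not code from this thread or from 389-ds. It assumes the documented 389-ds CSN layout (8 hex chars of timestamp, 4 of sequence number, 4 of replica id, 4 of subsequence); the sample log lines are copied from the excerpts above, plus two constructed RUV lines with example hosts to show a duplicated id.

```python
"""Triage helpers for 389-ds/FreeIPA replication conflict entries.
Added example for this thread, not code from the thread or from 389-ds.
Assumes the documented 389-ds CSN layout: 20 hex chars = 8-char timestamp,
4-char sequence, 4-char replica id, 4-char subsequence
(5580f321 0000 001a 0000 -> generated on replica 0x1a = 26).
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class CSN(NamedTuple):
    timestamp: datetime  # CSN clock in UTC; the generator adds a skew
    seq: int             # offset, so it can run ahead of the wall clock
    rid: int             # replica id that generated the change
    subseq: int

_CSN_RE = re.compile(r"^(?:[a-z]+csn-)?([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})$", re.I)

def parse_csn(text: str) -> CSN:
    """Decode a bare CSN or an attribute-subtype form such as 'vucsn-...'."""
    m = _CSN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    ts, seq, rid, subseq = (int(x, 16) for x in m.groups())
    return CSN(datetime.fromtimestamp(ts, tz=timezone.utc), seq, rid, subseq)

def csn_skew_seconds(csn: str, create_timestamp: str) -> int:
    """Seconds the CSN clock is ahead of the entry's createTimestamp
    (LDAP generalized time such as '20150617040801Z')."""
    real = datetime.strptime(create_timestamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int((parse_csn(csn).timestamp - real).total_seconds())

_COMMA = re.compile(r"(?<!\\),")   # DN separators, ignoring escaped ones
_PLUS = re.compile(r"(?<!\\)\+")

def parse_conflict_dn(dn: str) -> Optional[Tuple[str, str]]:
    """For a conflict entry (RDN carrying nsuniqueid=...) return
    (nsuniqueid, DN of the entry it collided with); None for a normal DN."""
    rdn, *parent = _COMMA.split(dn, maxsplit=1)
    keep, uid = [], None
    for component in _PLUS.split(rdn):
        attr, _, value = component.partition("=")
        if attr.strip().lower() == "nsuniqueid":
            uid = value.strip()
        else:
            keep.append(component)
    return None if uid is None else (uid, ",".join(["+".join(keep)] + parent))

_ACCESS = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
_WRITE = re.compile(r'^(?P<type>MODRDN|ADD|MOD|DEL) dn="(?P<dn>[^"]*)"')
_RESULT = re.compile(r"^RESULT\b.*\bcsn=([0-9a-f]{20})", re.I)

def find_csn_origin(access_lines: List[str], csn: str) -> List[dict]:
    """Write operations whose RESULT line carries `csn`. Run it on the access
    log of the replica named by the CSN's rid: a hit there means the change
    was a direct client write on that server rather than a replicated one."""
    wanted, pending, hits = csn.lower(), {}, []
    for line in access_lines:
        m = _ACCESS.match(line.strip())
        if not m:
            continue
        key, w = (m["conn"], m["op"]), _WRITE.match(m["rest"])
        if w:   # remember the write; its RESULT line (with the CSN) follows
            pending[key] = {"time": m["ts"], "conn": int(m["conn"]),
                            "op": int(m["op"]), "type": w["type"], "dn": w["dn"]}
            continue
        r = _RESULT.match(m["rest"])
        if r and r.group(1).lower() == wanted and key in pending:
            hits.append(pending.pop(key))
    return hits

_RUV = re.compile(r"\{replica (?P<rid>\d+) (?P<url>ldap://[^}]+)\}")

def hosts_by_rid(error_lines: List[str]) -> Dict[int, Set[str]]:
    """Replica id -> hosts claiming it, from RUV elements in the errors log."""
    seen = {}
    for line in error_lines:
        for m in _RUV.finditer(line):
            seen.setdefault(int(m["rid"]), set()).add(m["url"])
    return seen

def duplicated_rids(error_lines: List[str]) -> List[int]:
    """Replica ids claimed by more than one host (what Thierry asks to rule out)."""
    return sorted(r for r, h in hosts_by_rid(error_lines).items() if len(h) > 1)

# Sample input: the access and errors lines quoted in the thread, plus two
# constructed replica-26 RUV lines with example hosts (a fake duplicated id).
ACCESS_LOG = [
    '[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"',
    '[17/Jun/2015:10:08:01 +0600] conn=2 op=91 RESULT err=0 tag=105 nentries=0 etime=0 csn=5580f3210000001a0000',
]
ERRORS_LOG = [
    "[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 11 ldap://msk-rhidm-02.unix.megafon.ru:389} 547bf9110000000b0000 557fee720005000b0000] which is present in RUV [database RUV]",
    "[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 26 ldap://host-a.example:389} 5580f3210000001a0000 5580f3210000001a0000] which is present in RUV [database RUV]",
    "[17/Jun/2015:10:07:59 +0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 26 ldap://host-b.example:389} 5580f3210000001a0000 5580f3210000001a0000] which is present in RUV [database RUV]",
]
CONFLICT_DN = ("cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,"
               "cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru")
```

On the thread's own values the CSN clock is about two minutes ahead of createTimestamp on both replicas, so use the replica id, not the decoded CSN time, to decide where a change originated.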
From tbordaz at redhat.com Wed Jun 17 09:45:37 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 17 Jun 2015 11:45:37 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru>
Message-ID: <558141C1.4020003@redhat.com>

On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
> This was a usual "ipa-replica-install --setup-ca --setup-dns" and
> after that ipa-adtrust-install.
>
> No DEL found:
>
> # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
>
> [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
>
> [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000.
But it created a conflict entry, so at that time the same entry (the one created 20150408070720Z) existed. So the direct update should have been rejected.
Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?

> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>
> It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (the more recent dup was deleted).
>
> Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* thierry bordaz [mailto:tbordaz at redhat.com]
> *Sent:* Wednesday, June 17, 2015 3:15 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* 'Ludwig Krispenz'; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> Hello Alexander,
>
> How did you initialize that new replica 26.
> Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.
> Would you check in replica26 access logs if that entry was deleted?
>
> thanks
> thierry
>
> On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
>
> This is correct, thank you for understanding and for helping!
> Replica with id 26 was created today, this is our new server which was included in domain just a few hours ago. Looks like this dup came right after this new replica creation.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* Wednesday, June 17, 2015 2:58 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> Hi,
>
> you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.
>
> The "good" entry was created in April on replica 12 "0x0c"
> createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z
>
> the "nsuniqueid" entry was created today on replica 26 "0x1a"
> createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z
>
> if the original entry had existed on replica26 the new add should have been rejected, if it was not there the question is why.
>
> Do you have any additional info on replica 26, when was it created, was it disconnected for some time ??
>
> Ludwig
>
> On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
>
> Hello.
>
> Another example. Today it appeared on servers of a different site.
> > Original LDIF:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
> > dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> > ipaPermTargetFilter: (objectclass=ipahost)
> > ipaPermRight: write
> > ipaPermBindRuleType: permission
> > ipaPermissionType: V2
> > ipaPermissionType: MANAGED
> > ipaPermissionType: SYSTEM
> > cn: System: Manage Host Keytab
> > objectClass: ipapermission
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: ipapermissionv2
> > member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> > member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> > ipaPermDefaultAttr: krbprincipalkey
> > ipaPermDefaultAttr: krblastpwdchange
> > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > Duplicate:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
> > dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> > ipaPermTargetFilter: (objectclass=ipahost)
> > ipaPermRight: write
> > ipaPermBindRuleType: permission
> > ipaPermissionType: V2
> > ipaPermissionType: MANAGED
> > ipaPermissionType: SYSTEM
> > cn: System: Manage Host Keytab
> > objectClass: ipapermission
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: ipapermissionv2
> > member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> > member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> > ipaPermDefaultAttr: krbprincipalkey
> > ipaPermDefaultAttr: krblastpwdchange
> > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > No other servers in the IPA domain have such duplicates.
> >
> > WBR,
> > Alexander Frolushkin
> > Cell +79232508764
> > Work +79232507764
> >
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> > Sent: Tuesday, June 16, 2015 3:52 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] replication conflicts
> >
> > On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
> >
> > Hello.
> >
> > Just to remind, if somebody is still not familiar with our IPA installation :)
> >
> > We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
> >
> > And now, our new problem.
> >
> > Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
> >
> > Maybe someone could explain how we can detect the cause of these replication conflicts?
> >
> > if you are talking about having two "duplicate" entries,
> > one: uid=xxxxx,
> > one: nsuniqueid=nnnnnnnn+uid=xxxxx,
> >
> > these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and, if it doesn't get a response in some time, retries on another server.
> > to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it
> >
> > Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.
> >
> > Thanks in advance...
> >
> > WBR,
> > Alexander Frolushkin
> > Cell +79232508764
> > Work +79232507764
> >
> > ------------------------------------------------------------------------
> >
> > The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
From ftweedal at redhat.com Wed Jun 17 09:47:54 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 17 Jun 2015 19:47:54 +1000
Subject: [Freeipa-users] Firefox issue with web ui certificate
In-Reply-To:
References:
Message-ID: <20150617094754.GJ29330@dhcp-40-8.bne.redhat.com>

On Wed, Jun 17, 2015 at 12:40:37PM +0530, Prashant Bapat wrote:
> Hi,
>
> I have gotten into a strange situation. I'm running FreeIPA for 2 different environments, dev/production. By mistake, the domain for both is configured the same. Say EXAMPLE.COM.
>
> Now the problem users are facing is when using the web UI with Firefox. It complains that the "secure connection failed" and "(Error code: sec_error_reused_issuer_and_serial)".
>
> This I understand is happening because the certificate authority for both my environments is under the same name.
>
> Users can only access 1 environment. The other environment will throw this error.
>
> This happens only with Firefox. Chrome and Safari work fine.
>
> What are my options to fix this?
>
> Thanks.
> --Prashant

Hi Prashant,

If both environments need to be used simultaneously, I would suggest using separate Firefox profiles for working with the different environments. Start Firefox with the `-ProfileManager' option to create and select profiles.

If only one of the environments is in use, you can delete the "offline data" for the unused environment.

Hope that helps!
Fraser

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From Alexander.Frolushkin at megafon.ru Wed Jun 17 09:51:36 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 09:51:36 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <558141C1.4020003@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com>
Message-ID:

I'm pretty sure id 26 is unique

ipa-replica-manage list-ruv
Directory Manager password:
unable to decode: {replica 20} 555ac826000100140000 55716e57000300140000
unable to decode: {replica 24} 557fb7d4000400180000 557fb9a1001000180000
unable to decode: {replica 22} 5576b83e000100160000 5576ba4b000200160000
unable to decode: {replica 21} 5576ac96000000150000 5576b52e000200150000
dv-rhidm01.unix.megafon.ru:389: 17
cnt-rhidm01.unix.megafon.ru:389: 14
msk-rhidm-01.unix.megafon.ru:389: 9
sib-rhidm01.unix.megafon.ru:389: 4
cnt-rhidm02.unix.megafon.ru:389: 15
nw-rhidm02.unix.megafon.ru:389: 23
kvk-rhidm02.unix.megafon.ru:389: 26
dv-rhidm02.unix.megafon.ru:389: 18
vlg-rhidm01.unix.megafon.ru:389: 8
kvk-rhidm01.unix.megafon.ru:389: 25
msk-rhidm-02.unix.megafon.ru:389: 11
vlg-rhidm02.unix.megafon.ru:389: 13
url-rhidm01.unix.megafon.ru:389: 6
vlg-rhidm03.unix.megafon.ru:389: 12
sib-rhidm03.unix.megafon.ru:389: 5
nw-rhidm01.unix.megafon.ru:389: 19
url-rhidm02.unix.megafon.ru:389: 7
msk-rhidm-03.unix.megafon.ru:389: 10
sib-rhidm02.unix.megafon.ru:389: 3

"Unable to decode" - these are all our replicas that existed in the past and were removed, but they regularly appear this way.
We have not yet found a way to fix it completely.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 3:46 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry existed (the one created 20150408070720Z). So the direct update should have been rejected.
Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?
From lkrispen at redhat.com Wed Jun 17 09:52:37 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 11:52:37 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <558141C1.4020003@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com>
Message-ID: <55814365.6060208@redhat.com>

On 06/17/2015 11:45 AM, thierry bordaz wrote:
>
> On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
>>
>> This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
>>
>> No DEL found:
>>
>> # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
>>
>> [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
>>
>> [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>>
>
> There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry existed (the one created 20150408070720Z). So the direct update should have been rejected.

I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.

Alexander, could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from.

>
> Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?
>
>> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>> >> Replica with id 26 was created today, this is our new server >> which was included in domain just a few hours ago. Looks like >> this dup came right after this new replica creation. >> >> WBR, >> >> Alexander Frolushkin >> >> Cell +79232508764 >> >> Work +79232507764 >> >> *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com] >> *Sent:* Wednesday, June 17, 2015 2:58 PM >> *To:* Alexander Frolushkin (SIB) >> *Cc:* freeipa-users at redhat.com >> *Subject:* Re: [Freeipa-users] replication conflicts >> >> Hi, >> >> you did send the data directly to me, maybe not wanting to share >> them to everyone. I'll continue discussion here, trying to be >> careful. >> >> The "good" entry was created in April on replica 12 "0x0c" >> createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z >> >> the "nsuniqueid" entry was created today on replica 26 "0x1a" >> createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z >> >> if the original entry would have existed on replica26 the new add >> should have been rejected, if it was not there the question is why. >> >> Do you have any additional info on replica 26, when was it >> created, was it disconnected for some time ?? >> >> Ludwig >> >> On 06/17/2015 08:13 AM, Alexander Frolushkin wrote: >> >> Hello. >> >> Another example. Today appeared on servers of different site. 
>>
>> Original LDIF:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
>> dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
>> ipaPermTargetFilter: (objectclass=ipahost)
>> ipaPermRight: write
>> ipaPermBindRuleType: permission
>> ipaPermissionType: V2
>> ipaPermissionType: MANAGED
>> ipaPermissionType: SYSTEM
>> cn: System: Manage Host Keytab
>> objectClass: ipapermission
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermissionv2
>> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>> ipaPermDefaultAttr: krbprincipalkey
>> ipaPermDefaultAttr: krblastpwdchange
>> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Duplicate:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
>> dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
>> ipaPermTargetFilter: (objectclass=ipahost)
>> ipaPermRight: write
>> ipaPermBindRuleType: permission
>> ipaPermissionType: V2
>> ipaPermissionType: MANAGED
>> ipaPermissionType: SYSTEM
>> cn: System: Manage Host Keytab
>> objectClass: ipapermission
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermissionv2
>> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>> ipaPermDefaultAttr: krbprincipalkey
>> ipaPermDefaultAttr: krblastpwdchange
>> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> No other servers in IPA domain have such duplicates.
>>
>> WBR,
>>
>> Alexander Frolushkin
>>
>> Cell +79232508764
>>
>> Work +79232507764
>>
>> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of* Ludwig Krispenz
>> *Sent:* Tuesday, June 16, 2015 3:52 PM
>> *To:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] replication conflicts
>>
>> On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
>>
>> Hello.
>>
>> Just to remind if somebody is still not familiar with our IPA installation :)
>>
>> We currently have 18 IPA servers in domain, on 8 sites in different regions across Russia.
>>
>> And now, our new problem.
>>
>> Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
>>
>> Maybe someone could explain how we can detect the cause of these replication conflicts?
>>
>> if you are talking about having two "duplicate" entries,
>> one: uid=xxxxx,
>> one: nsuniqueid=nnnnnnnn+uid=xxxxx,
>>
>> these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
>> to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it
>>
>> Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.
>>
>> Thanks in forward...
>>
>> WBR,
>>
>> Alexander Frolushkin
>>
>> Cell +79232508764
>>
>> Work +79232507764
>>
>> ------------------------------------------------------------------------
>>
>> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
>>
>> (c)20mf50
From lkrispen at redhat.com Wed Jun 17 09:55:29 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 11:55:29 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55814365.6060208@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com>
Message-ID: <55814411.9020902@redhat.com>

On 06/17/2015 11:52 AM, Ludwig Krispenz wrote:
>
> On 06/17/2015 11:45 AM, thierry bordaz wrote:
>>
>> On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
>>>
>>> This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
>>>
>>> No DEL found:
>>>
>>> # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
>>>
>>> [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
>>>
>>> [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>>>
>>
>> There is something I miss.
>> conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time it existed the same entry (the one created 20150408070720Z). So the direct update should have been rejected.
> I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.
>
> Alexander,
>
> could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from
of course conn=237
>>
>> Would you check if the replicaID=26 is unique in the topology (list-ruv for example) ?
>>
>>> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>>>
>>> It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (more recent dup was deleted).
>>>
>>> Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?
>>>
>>> WBR,
>>>
>>> Alexander Frolushkin
>>
>

From Alexander.Frolushkin at megafon.ru Wed Jun 17 09:56:48 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 09:56:48 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55814365.6060208@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com>
Message-ID: <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru>

Will this be enough?
# grep "conn=237 op=93" ./access
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000

# grep "conn=293" ./access
[17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"

WBR,

Alexander Frolushkin

Cell +79232508764

Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 3:53 PM
To: thierry bordaz
Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:45 AM, thierry bordaz wrote:

On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:

This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
No DEL found: # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr" [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time it existed the same entry (the one created 20150408070720Z) . So the direct update should have been rejected. I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again. Alexander, could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where teh connection comes from Would you check if the replicaID=26 is unique in the topology (list-ruv for example) ? [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (more recent dup was deleted). Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help? 
WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbordaz at redhat.com] Sent: Wednesday, June 17, 2015 3:15 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts Hello Alexander, How did you initialize that new replica 26. Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12. Would you check in replica26 access logs if that entry was deleted ? thanks theirry On 06/17/2015 11:03 AM, Alexander Frolushkin wrote: This is correct, thank you for understanding and for helping! Replica with id 26 was created today, this is our new server which was included in domain just a few hours ago. Looks like this dup came right after this new replica creation. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, June 17, 2015 2:58 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts Hi, you did send the data directly to me, maybe not wanting to share them to everyone. I'll continue discussion here, trying to be careful. The "good" entry was created in April on replica 12 "0x0c" createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z the "nsuniqueid" entry was created today on replica 26 "0x1a" createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z if the original entry would have existed on replica26 the new add should have been rejected, if it was not there the question is why. Do you have any additional info on replica 26, when was it created, was it disconnected for some time ?? Ludwig On 06/17/2015 08:13 AM, Alexander Frolushkin wrote: Hello. Another example. Today appeared on servers of different site. 
Original LDIF: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc =ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Duplicate: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissio ns, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 No other servers in IPA domain have such duplicates. 
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:

Hello.
Just to remind, if somebody is still not familiar with our IPA installation :)
We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
And now, our new problem.
Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
Maybe someone could explain how we can detect the cause of these replication conflicts?

if you are talking about having two "duplicate" entries,
one: uid=xxxxx,
one: nsuniqueid=nnnnnnnn+uid=xxxxx,
these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and, if it doesn't get a response in some time, retries on another server.
to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.
Thanks in advance...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
(c)20mf50
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Alexander.Frolushkin at megafon.ru Wed Jun 17 10:03:19 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 10:03:19 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55814411.9020902@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <55814411.9020902@redhat.com>
Message-ID:

# grep "conn=237" ./access
[17/Jun/2015:14:37:03 +0600] conn=237 fd=71 slot=71 connection from 10.99.75.82 to 10.61.8.2
[17/Jun/2015:14:37:03 +0600] conn=237 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:14:37:03 +0600] conn=237 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:14:37:03 +0600] conn=237 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:14:37:03 +0600] conn=237 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:14:37:03 +0600] conn=237 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:14:37:03 +0600] conn=237 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:14:37:03 +0600] conn=237 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[17/Jun/2015:14:37:03 +0600] conn=237 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jun/2015:14:37:03 +0600] conn=237 op=4 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[17/Jun/2015:14:37:03 +0600] conn=237 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jun/2015:14:37:03 +0600] conn=237 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[17/Jun/2015:14:37:03 +0600] conn=237 op=5 RESULT err=0 tag=120 nentries=0 etime=0
[17/Jun/2015:14:37:04 +0600] conn=237 op=6 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[17/Jun/2015:14:37:04 +0600] conn=237 op=6 RESULT err=0 tag=120 nentries=0 etime=0
[17/Jun/2015:14:37:05 +0600] conn=237 op=7 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[17/Jun/2015:14:37:05 +0600] conn=237 op=7 RESULT err=0 tag=120 nentries=0 etime=0
[17/Jun/2015:14:37:07 +0600] conn=237 op=8 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Wednesday, June 17, 2015 3:55 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:52 AM, Ludwig Krispenz wrote:
On 06/17/2015 11:45 AM, thierry bordaz wrote:
On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:

This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
No DEL found:

# grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry (the one created 20150408070720Z) already existed. So the direct update should have been rejected.

I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.

Alexander,
could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from

of course conn=237

Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?

[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (the more recent dup was deleted).

Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 3:15 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hello Alexander,

How did you initialize that new replica 26?
Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.
Would you check in the replica26 access logs if that entry was deleted?

thanks
thierry

On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:

This is correct, thank you for understanding and for helping!
Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago. Looks like this dup came right after this new replica creation.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 2:58 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hi,

you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.

The "good" entry was created in April on replica 12 "0x0c"
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z

the "nsuniqueid" entry was created today on replica 26 "0x1a"
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z

if the original entry had existed on replica26 the new add should have been rejected, if it was not there the question is why.

Do you have any additional info on replica 26, when was it created, was it disconnected for some time ??

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:

Hello.
Another example. Today appeared on servers of a different site.
Original LDIF:

# extended LDIF
#
# LDAPv3
# base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Duplicate:

# extended LDIF
#
# LDAPv3
# base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

No other servers in the IPA domain have such duplicates.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:

Hello.
Just to remind, if somebody is still not familiar with our IPA installation :)
We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
And now, our new problem.
Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
Maybe someone could explain how we can detect the cause of these replication conflicts?

if you are talking about having two "duplicate" entries,
one: uid=xxxxx,
one: nsuniqueid=nnnnnnnn+uid=xxxxx,
these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and, if it doesn't get a response in some time, retries on another server.
to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.
Thanks in advance...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tbordaz at redhat.com Wed Jun 17 10:10:18 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 17 Jun 2015 12:10:18 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru>
Message-ID: <5581478A.5050408@redhat.com>

On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:
>
> Will this be enough?
>
> # grep "conn=237 op=93" ./access
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000
>
This operation is a replicated one and the CSN is from May 19th. So why was a replica (26) created today initialized without that entry?
This update originated from replica 20. Was it stopped and restarted recently?
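Added example (an editor's illustration, not code from the thread, from FreeIPA or from 389-ds): the analysis above decodes CSNs by hand, reading the originating replica out of 5524d42b0067000c0000 (replica 12), 5580f3210000001a0000 (replica 26) and 555ac936000000140000 (replica 20), and then asks whether an ADD seen in the access log was a direct client write or an update replayed by replication. The Python below does the same steps: it splits a CSN into its timestamp, sequence, replica id and sub-sequence fields (the standard 389-ds 8+4+4+4 hex-digit layout), recognises a conflict twin by the nsuniqueid component in its RDN, pairs each ADD with its RESULT line and classifies the write by whether the RESULT's CSN carries the local replica id, and lists DEL operations against a DN (the "No DEL found" check). The log lines are constructed after the excerpts quoted in the thread: the RESULT lines for conn=2 op=89 and op=91 are assumed (the thread quotes only op=91's CSN), and LOCAL_REPLICA_ID = 26 stands for the new replica whose log is being read.

```python
"""Decode 389-ds CSNs and trace ADD operations in a dirsrv access log.

Added example for the freeipa-users thread; not FreeIPA or 389-ds code.
"""
import re
from datetime import datetime, timezone

# 389-ds CSN layout: 8 hex timestamp, 4 hex sequence, 4 hex replica id,
# 4 hex sub-sequence (20 hex digits), e.g. 5524d42b0067000c0000.
CSN_RE = re.compile(r"^[0-9a-fA-F]{20}$")

# Access-log lines of interest: ADD/DEL carry dn="...", RESULT carries
# csn=... for any write into a replicated suffix.
OP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>ADD|DEL|RESULT)\b'
    r'(?: dn="(?P<dn>[^"]*)")?'
    r'(?:.*? csn=(?P<csn>[0-9a-fA-F]{20}))?'
)

# A conflict twin carries nsuniqueid=... as an extra RDN component, either
# "cn=X+nsuniqueid=Y,..." (as in the thread) or "nsuniqueid=Y+uid=X,...".
CONFLICT_RDN_RE = re.compile(r"(?:^|\+)nsuniqueid=", re.IGNORECASE)


def parse_csn(csn):
    """Split a CSN into its fields; replica_id names the originating server."""
    if not CSN_RE.match(csn):
        raise ValueError("not a 389-ds CSN: %r" % (csn,))
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def is_conflict_dn(dn):
    """True for the renamed entry 389-ds keeps when two ADDs of one DN collide."""
    return CONFLICT_RDN_RE.search(dn) is not None


def classify_adds(log_lines, local_replica_id):
    """Pair every ADD with its RESULT and say where the write came from.

    A RESULT whose CSN carries local_replica_id is a direct client write on
    this server; any other replica id means the ADD was replayed here by
    replication from that replica ("a replicated one" in the thread).
    """
    pending = {}        # (conn, op) -> dn of an ADD still waiting for its RESULT
    classified = []
    for line in log_lines:
        m = OP_RE.match(line.rstrip("\n"))
        if m is None:
            continue
        key = (int(m["conn"]), int(m["op"]))
        if m["kind"] == "ADD":
            pending[key] = m["dn"]
        elif m["kind"] == "RESULT" and key in pending:
            dn = pending.pop(key)
            csn = m["csn"]
            if csn is None:
                rid, origin = None, "no csn in RESULT"
            else:
                rid = parse_csn(csn)["replica_id"]
                origin = ("direct" if rid == local_replica_id
                          else "replicated from replica %d" % rid)
            classified.append({"conn": key[0], "op": key[1], "dn": dn,
                               "csn": csn, "origin_replica": rid,
                               "origin": origin,
                               "conflict_entry": is_conflict_dn(dn)})
    return classified


def find_deletes(log_lines, dn):
    """DEL operations against dn (thierry's check: was the entry ever deleted?)."""
    wanted = dn.lower()
    hits = []
    for line in log_lines:
        m = OP_RE.match(line)
        if m and m["kind"] == "DEL" and (m["dn"] or "").lower() == wanted:
            hits.append(line.rstrip("\n"))
    return hits


LOCAL_REPLICA_ID = 26   # assumed: the new replica (0x1a) whose access log we read
ENTRY_DN = "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

# Constructed after the excerpts quoted in the thread; the two conn=2 RESULT
# lines are assumed (only op=91's CSN is quoted there).
SAMPLE_ACCESS_LOG = [
    '[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="%s" scope=0 filter="(objectClass=*)" attrs="cn"' % ENTRY_DN,
    '[17/Jun/2015:10:08:01 +0600] conn=2 op=89 RESULT err=32 tag=101 nentries=0 etime=0',
    '[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="%s"' % ENTRY_DN,
    '[17/Jun/2015:10:08:01 +0600] conn=2 op=91 RESULT err=0 tag=105 nentries=0 etime=0 csn=5580f3210000001a0000',
    '[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="%s"' % ENTRY_DN,
    '[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000',
]

if __name__ == "__main__":
    for csn in ("5524d42b0067000c0000", "5580f3210000001a0000", "555ac936000000140000"):
        f = parse_csn(csn)
        print("%s -> replica %d, %s" % (csn, f["replica_id"], f["time"].isoformat()))
    for r in classify_adds(SAMPLE_ACCESS_LOG, LOCAL_REPLICA_ID):
        print("conn=%d op=%d %s conflict=%s" % (r["conn"], r["op"], r["origin"], r["conflict_entry"]))
    print("DEL ops on the entry:", find_deletes(SAMPLE_ACCESS_LOG, ENTRY_DN))
```

On a real server feed it the access log, e.g. classify_adds(open("/var/log/dirsrv/slapd-INSTANCE/access"), 26). Two caveats: the timestamp inside a CSN can run a little ahead of the entry's createTimestamp (as it does for both entries quoted above), because the CSN generator keeps its clock monotonic across replicas, so it is the replica-id field, not the time, that says where a change originated; and a RESULT without csn= only means the write did not touch a replicated suffix or the op failed, so such ADDs are reported rather than guessed at. The conflict entries themselves can be listed on any server with an ldapsearch for (nsds5ReplConflict=*).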
> # grep "conn=293" ./access > > [17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from > 10.99.75.82 to 10.61.8.2 > > [17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl > version=3 mech=GSSAPI > > [17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > > [17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl > version=3 mech=GSSAPI > > [17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > > [17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl > version=3 mech=GSSAPI > > [17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 > nentries=0 etime=0 > dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru" > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com] > *Sent:* Wednesday, June 17, 2015 3:53 PM > *To:* thierry bordaz > *Cc:* Alexander Frolushkin (SIB); freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] replication conflicts > > On 06/17/2015 11:45 AM, thierry bordaz wrote: > > > On 06/17/2015 11:22 AM, Alexander Frolushkin wrote: > > This was a usual "ipa-replica-install --setup-ca --setup-dns" > and after that ipa-adtrust-install. 
> > No DEL found: > > # grep "cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access > > [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH > base="cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" > scope=0 filter="(objectClass=*)" attrs="ipaPermRight > ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn > objectClass memberOf member ipaPermTarget ipaPermDefaultAttr > ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr" > > [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: > Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" > > > There is something I miss. conn=2 op=91 was a direct update on > replica26 (not replicated) because it received its own > CSN=5580f3210000001a0000. But it created a conflict entry, so at > that time it existed the same entry (the one created > 20150408070720Z) . So the direct update should have been rejected. > > I think the search in op=89 did not return an entry, so it was added > in op 91, that seems to be ok, but then 4 hrs later there is conn=237 > adding it again. > > Alexander, > > could you get the complete 'conn=237 op=93' and also the start of conn > 293, to show where teh connection comes from > > > Would you check if the replicaID=26 is unique in the topology > (list-ruv for example) ? > > > [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage > Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" > > It is also possible this entry on affected servers was previously > duplicated and not correctly managed to delete (more recent dup was > deleted). > > Is there any natural way to fix such issues? Maybe ipa-replica-manage > force-sync, or ipa-replica-manage re-initialize on affected site > servers from normal servers could help? 
> > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*thierry bordaz [mailto:tbordaz at redhat.com] > *Sent:* Wednesday, June 17, 2015 3:15 PM > *To:* Alexander Frolushkin (SIB) > *Cc:* 'Ludwig Krispenz'; freeipa-users at redhat.com > > *Subject:* Re: [Freeipa-users] replication conflicts > > Hello Alexander, > > How did you initialize that new replica 26. > Either 'cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part > of the total init data, or a DEL of that entry happened on replica 26 > (before a new ADD) but the DEL was not replicated to replica12. > Would you check in replica26 access logs if that entry was deleted ? > > thanks > theirry > > On 06/17/2015 11:03 AM, Alexander Frolushkin wrote: > > This is correct, thank you for understanding and for helping! > > Replica with id 26 was created today, this is our new server which > was included in domain just a few hours ago. Looks like this dup > came right after this new replica creation. > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com] > *Sent:* Wednesday, June 17, 2015 2:58 PM > *To:* Alexander Frolushkin (SIB) > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] replication conflicts > > Hi, > > you did send the data directly to me, maybe not wanting to share > them to everyone. I'll continue discussion here, trying to be careful. > > The "good" entry was created in April on replica 12 "0x0c" > createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z > > the "nsuniqueid" entry was created today on replica 26 "0x1a" > createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z > > if the original entry would have existed on replica26 the new add > should have been rejected, if it was not there the question is why. > > Do you have any additional info on replica 26, when was it > created, was it disconnected for some time ?? 
> > Ludwig
> >
> > On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
> >
> > Hello.
> >
> > Another example. Today appeared on servers of a different site.
> >
> > Original LDIF:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> > # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
> > dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> > ipaPermTargetFilter: (objectclass=ipahost)
> > ipaPermRight: write
> > ipaPermBindRuleType: permission
> > ipaPermissionType: V2
> > ipaPermissionType: MANAGED
> > ipaPermissionType: SYSTEM
> > cn: System: Manage Host Keytab
> > objectClass: ipapermission
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: ipapermissionv2
> > member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> > member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> > ipaPermDefaultAttr: krbprincipalkey
> > ipaPermDefaultAttr: krblastpwdchange
> > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > Duplicate:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> > # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
> > dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> > ipaPermTargetFilter: (objectclass=ipahost)
> > ipaPermRight: write
> > ipaPermBindRuleType: permission
> > ipaPermissionType: V2
> > ipaPermissionType: MANAGED
> > ipaPermissionType: SYSTEM
> > cn: System: Manage Host Keytab
> > objectClass: ipapermission
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: ipapermissionv2
> > member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> > member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> > ipaPermDefaultAttr: krbprincipalkey
> > ipaPermDefaultAttr: krblastpwdchange
> > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > No other servers in IPA domain have such duplicates.
> >
> > WBR,
> > Alexander Frolushkin
> > Cell +79232508764
> > Work +79232507764
> >
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> > Sent: Tuesday, June 16, 2015 3:52 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] replication conflicts
> >
> > On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
> >
> > Hello.
> >
> > Just to remind, if somebody is still not familiar with our IPA installation :)
> >
> > We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
> >
> > And now, our new problem.
> >
> > Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
> >
> > Maybe someone could explain how we can detect the cause of these replication conflicts?
> >
> > if you are talking about having two "duplicate" entries,
> > one: uid=xxxxx,
> > one: nsuniqueid=nnnnnnnn+uid=xxxxx,
> >
> > these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
> > to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it.
> >
> > Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.
> >
> > Thanks in forward...
> >
> > WBR,
> > Alexander Frolushkin
> > Cell +79232508764
> > Work +79232507764
> >
> > ------------------------------------------------------------------------
> >
> > The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
> >
> > (c)20mf50
From Alexander.Frolushkin at megafon.ru Wed Jun 17 10:13:03 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 10:13:03 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <5581478A.5050408@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com>
Message-ID:

This is not good news, because replica id 20 has not existed for some days already. It was recreated and now has id 23.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 4:10 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:

Will this be enough?

# grep "conn=237 op=93" ./access
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000

This operation is a replicated one and the CSN is from May 19th. So why was a replica (26) created today initialized without that entry? This update originated from replica20. Was it stopped and restarted recently?
# grep "conn=293" ./access
[17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 3:53 PM
To: thierry bordaz
Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:45 AM, thierry bordaz wrote:

On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:

This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.

No DEL found:

# grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

There is something I miss.
conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry existed (the one created 20150408070720Z). So the direct update should have been rejected.

I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.

Alexander,

could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from?

Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?

[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

It is also possible this entry on affected servers was previously duplicated and not deleted correctly (the more recent dup was deleted).

Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 3:15 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hello Alexander,

How did you initialize that new replica 26?
Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.
Would you check in replica26 access logs if that entry was deleted?

thanks
thierry

On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:

This is correct, thank you for understanding and for helping!

Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago.
Looks like this dup came right after this new replica creation.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 2:58 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hi,

you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.

The "good" entry was created in April on replica 12 "0x0c":
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z

the "nsuniqueid" entry was created today on replica 26 "0x1a":
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z

If the original entry had existed on replica26 the new add should have been rejected; if it was not there the question is why.

Do you have any additional info on replica 26, when was it created, was it disconnected for some time?

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:

Hello.

Another example. Today appeared on servers of a different site.
Original LDIF:

# extended LDIF
#
# LDAPv3
# base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Duplicate:

# extended LDIF
#
# LDAPv3
# base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

No other servers in IPA domain have such duplicates.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:

Hello.

Just to remind, if somebody is still not familiar with our IPA installation :)

We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.

And now, our new problem.

Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?

Maybe someone could explain how we can detect the cause of these replication conflicts?

if you are talking about having two "duplicate" entries,
one: uid=xxxxx,
one: nsuniqueid=nnnnnnnn+uid=xxxxx,

these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it.

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.

Thanks in forward...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
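The analysis in the message above rests on two things a 389-ds admin does by hand: reading the CSN that the server stamps on every write (Ludwig maps vucsn-5524d42b0067000c0000 to replica 12, "0x0c"; thierry reads csn=555ac936000000140000 as a May 19th change that originated on replica 20, and decides from the CSN on conn=2 op=91 that that ADD was a direct client write rather than a replicated one), and tracing a conn= number back to its "connection from" line and its BIND to see which host issued the operation. The script below is an added example written for this page, not code from FreeIPA or 389-ds. It decodes a CSN into the four fields of the 389 Directory Server format (8 hex digits of Unix time, 4 of sequence number, 4 of replica ID, 4 of sub-sequence number), and for a target DN it pairs each ADD in an access log with its RESULT line, the connection's source IP and bound identity, and classifies the write as direct or replicated by comparing the CSN's replica ID with the local replica ID. The access-log excerpt is constructed to mirror the lines quoted in the thread: the conn/op numbers and the CSNs are the thread's, while the hosts, IPs, bind DNs and the dc=example,dc=test suffix are invented.

```python
"""Decode 389-ds CSNs and attribute ADD operations in an access log.

Added example for this thread, not FreeIPA or 389-ds code.  A 389-ds CSN
is 20 hex digits: 8 (Unix time in seconds) + 4 (sequence number)
+ 4 (replica ID) + 4 (sub-sequence number).
"""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the thread's access-log lines: the conn/op
# numbers and the two CSNs are the thread's, every host, IP and DN suffix
# is invented.  This is the log of "replica26", so its own ID is 26.
LOCAL_REPLICA_ID = 26
TARGET_DN = "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=example,dc=test"
SAMPLE_ACCESS_LOG = """\
[17/Jun/2015:10:08:01 +0600] conn=2 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[17/Jun/2015:10:08:01 +0600] conn=2 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[17/Jun/2015:10:08:01 +0600] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn objectClass"
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 RESULT err=32 tag=101 nentries=0 etime=0
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=example,dc=test"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 RESULT err=0 tag=105 nentries=0 etime=0 csn=5580f3210000001a0000
[17/Jun/2015:14:39:40 +0600] conn=237 fd=75 slot=75 connection from 10.0.0.20 to 10.0.0.26
[17/Jun/2015:14:39:40 +0600] conn=237 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:14:39:40 +0600] conn=237 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:14:39:40 +0600] conn=237 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:14:39:40 +0600] conn=237 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/peer.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=example,dc=test"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000
"""

CSN_RE = re.compile(r"^[0-9a-fA-F]{20}$")
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to (\S+)")
BIND_OK_RE = re.compile(r'conn=(\d+) op=\d+ RESULT err=0 tag=97 .*?dn="([^"]*)"')
ADD_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(\d+) ADD dn="([^"]*)"')
RESULT_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=(\d+) RESULT err=(\d+) .*?csn=([0-9a-fA-F]{20})")


def decode_csn(csn):
    """Split a CSN into its fields; the replica ID says which server generated it."""
    if not CSN_RE.match(csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % (csn,))
    seconds = int(csn[0:8], 16)
    return {
        "time": seconds,
        # CSN generator time, not the entry's createTimestamp: it may run a bit ahead.
        "utc": datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ"),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def attribute_adds(log_text, local_replica_id, target_dn):
    """For every ADD of target_dn, report where it came from.

    The connection's source IP comes from its 'connection from' line and its
    identity from the successful BIND RESULT; the CSN on the ADD's RESULT line
    tells us which replica generated the change.  A CSN carrying our own
    replica ID means a direct client write, any other ID means it arrived
    over replication (the reasoning thierry applies to conn=2 op=91).
    """
    conns = {}      # conn id -> {"from": ip, "bind_dn": dn}
    pending = {}    # (conn, op) -> ADD record waiting for its RESULT line
    found = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[m.group(1)] = {"from": m.group(2), "bind_dn": None}
            continue
        m = BIND_OK_RE.search(line)
        if m:
            conns.setdefault(m.group(1), {"from": None, "bind_dn": None})["bind_dn"] = m.group(2)
            continue
        m = ADD_RE.match(line)
        if m and m.group(4).lower() == target_dn.lower():
            pending[(m.group(2), m.group(3))] = {"timestamp": m.group(1), "conn": m.group(2), "op": m.group(3)}
            continue
        m = RESULT_RE.match(line)
        if m and (m.group(1), m.group(2)) in pending:
            rec = pending.pop((m.group(1), m.group(2)))
            info = conns.get(rec["conn"], {"from": None, "bind_dn": None})
            fields = decode_csn(m.group(4))
            rec.update(err=int(m.group(3)), source_ip=info["from"], bind_dn=info["bind_dn"],
                       csn=m.group(4), csn_utc=fields["utc"], origin_replica_id=fields["replica_id"],
                       replicated=fields["replica_id"] != local_replica_id)
            found.append(rec)
    return found


if __name__ == "__main__":
    for rec in attribute_adds(SAMPLE_ACCESS_LOG, LOCAL_REPLICA_ID, TARGET_DN):
        print("conn=%(conn)s op=%(op)s from %(source_ip)s as %(bind_dn)s: csn=%(csn)s "
              "(replica %(origin_replica_id)d, %(csn_utc)s) %(kind)s"
              % dict(rec, kind="replicated" if rec["replicated"] else "direct"))
```

Run against the sample, the first ADD (conn=2 op=91) decodes to replica 26, the local ID, so it is reported as a direct write, while conn=237 op=93 decodes to replica 20 with a May 2015 generator time and is reported as replicated, with the peer's IP and Kerberos principal alongside it. The time field is the replica's CSN generator clock rather than the entry's createTimestamp (the thread's own vucsn-5524d42b0067000c0000 decodes to 07:09:31 against a createTimestamp of 07:07:20), so use it to place a change in time, not as an exact timestamp.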
From lkrispen at redhat.com Wed Jun 17 10:35:18 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 12:35:18 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To:
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com>
Message-ID: <55814D66.7000103@redhat.com>

conn=237 is from 10.99.75.82, which replica is this?

On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:
>
> This is not good news, because replica id 20 has not existed for some days already. It was recreated and now has id 23.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, June 17, 2015 4:10 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:
>
> Will this be enough?
>
> # grep "conn=237 op=93" ./access
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000
>
> This operation is a replicated one and the CSN is from May 19th. So why was a replica (26) created today initialized without that entry? This update originated from replica20. Was it stopped and restarted recently?
>
> # grep "conn=293" ./access
> [17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
> [17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, June 17, 2015 3:53 PM
> To: thierry bordaz
> Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 11:45 AM, thierry bordaz wrote:
>
> On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
>
> This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
>
> No DEL found:
>
> # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
> [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
> [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>
> There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry existed (the one created 20150408070720Z). So the direct update should have been rejected.
>
> I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.
>
> Alexander,
>
> could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from?
>
> Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?
>
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>
> It is also possible this entry on affected servers was previously duplicated and not deleted correctly (the more recent dup was deleted).
>
> Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?
> > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*thierry bordaz [mailto:tbordaz at redhat.com] > *Sent:* Wednesday, June 17, 2015 3:15 PM > *To:* Alexander Frolushkin (SIB) > *Cc:* 'Ludwig Krispenz'; freeipa-users at redhat.com > > *Subject:* Re: [Freeipa-users] replication conflicts > > Hello Alexander, > > How did you initialize that new replica 26? > Either 'cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part > of the total init data, or a DEL of that entry happened on replica 26 > (before a new ADD) but the DEL was not replicated to replica12. > Would you check in replica26 access logs if that entry was deleted? > > thanks > thierry > > On 06/17/2015 11:03 AM, Alexander Frolushkin wrote: > > This is correct, thank you for understanding and for helping! > > Replica with id 26 was created today, this is our new server which > was included in domain just a few hours ago. Looks like this dup > came right after this new replica creation. > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com] > *Sent:* Wednesday, June 17, 2015 2:58 PM > *To:* Alexander Frolushkin (SIB) > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] replication conflicts > > Hi, > > you did send the data directly to me, maybe not wanting to share > them to everyone. I'll continue discussion here, trying to be careful. > > The "good" entry was created in April on replica 12 "0x0c" > createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z > > the "nsuniqueid" entry was created today on replica 26 "0x1a" > createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z > > if the original entry would have existed on replica26 the new add > should have been rejected, if it was not there the question is why. > > Do you have any additional info on replica 26, when was it > created, was it disconnected for some time ??
> > Ludwig > > On 06/17/2015 08:13 AM, Alexander Frolushkin wrote: > > Hello. > > Another example. Today appeared on servers of different site. > > Original LDIF: > > # extended LDIF > > # > > # LDAPv3 > > # base Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with > scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru > > dn: cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc > > =ru > > ipaPermTargetFilter: (objectclass=ipahost) > > ipaPermRight: write > > ipaPermBindRuleType: permission > > ipaPermissionType: V2 > > ipaPermissionType: MANAGED > > ipaPermissionType: SYSTEM > > cn: System: Manage Host Keytab > > objectClass: ipapermission > > objectClass: top > > objectClass: groupofnames > > objectClass: ipapermissionv2 > > member: cn=Host > Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > member: cn=Host > Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermDefaultAttr: krbprincipalkey > > ipaPermDefaultAttr: krblastpwdchange > > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru > > # search result > > search: 2 > > result: 0 Success > > # numResponses: 2 > > # numEntries: 1 > > Duplicate: > > # extended LDIF > > # > > # LDAPv3 > > # base Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> > with scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > # System: Manage Host Keytab + > 708bba65-14a611e5-8a48fd19-df27ff01, permissio > > ns, pbac, unix.megafon.ru > > dn: cn=System: Manage Host > Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff > > 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermTargetFilter: (objectclass=ipahost) > > ipaPermRight: write > > ipaPermBindRuleType: permission > > ipaPermissionType: V2 > > ipaPermissionType: MANAGED > > ipaPermissionType: SYSTEM > > cn: System: Manage Host Keytab > 
> objectClass: ipapermission > > objectClass: top > > objectClass: groupofnames > > objectClass: ipapermissionv2 > > member: cn=Host > Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > member: cn=Host > Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermDefaultAttr: krbprincipalkey > > ipaPermDefaultAttr: krblastpwdchange > > ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru > > # search result > > search: 2 > > result: 0 Success > > # numResponses: 2 > > # numEntries: 1 > > No other servers in IPA domain have such duplicates. > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*freeipa-users-bounces at redhat.com > > [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of > *Ludwig Krispenz > *Sent:* Tuesday, June 16, 2015 3:52 PM > *To:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] replication conflicts > > On 06/16/2015 11:42 AM, Alexander Frolushkin wrote: > > Hello. > > Just to remind if somebody still not familiar with our IPA > installation :) > > We currently have 18 IPA servers in domain, on 8 sites in > different regions across Russia. > > And now, our new problem. > > Regularly we are getting nsds5ReplConflict records on some > of our servers, very often on servers from a specific site. > Usually they are simply doubles and we can remove the > renamed change to get everything back. But why do we have > them at all? > > Maybe someone could explain how we can detect the cause > of these replication conflicts? > > if you are talking about having two "duplicate" entries, > one: uid=xxxxx, > one: nsuniqueid=nnnnnnnn+uid=xxxxx, > > these entries appear if the entry uid=xxxxx was added, > simultaneously, on two servers. I think this can happen if a > client tries to add an entry and if it doesn't get a response > in some time retries on another server.
> to find out which client this is you need to check on which > servers the entries were originally added and then see which > client was doing it > > > > > > Sometimes it is moderately harmful, because, for example, HBAC > stops working on a specific server while the doubles are still present. > > Thanks in advance... > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764
From Alexander.Frolushkin at megafon.ru Wed Jun 17 10:36:42 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Wed, 17 Jun 2015 10:36:42 +0000 Subject: [Freeipa-users] replication conflicts In-Reply-To: <55814D66.7000103@redhat.com> References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com> <55814D66.7000103@redhat.com> Message-ID: <60a5a992d9614d6eac2e409537ee7da0@sib-ums03.Megafon.ru> >conn=237 is from 10.99.75.82 which replica is this ?
msk-rhidm-03.unix.megafon.ru:389: 10 On 06/17/2015 12:13 PM, Alexander Frolushkin wrote: This is not good news, because replica id 20 has not existed for some days already. It was recreated and now has id 23. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbordaz at redhat.com] Sent: Wednesday, June 17, 2015 4:10 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts On 06/17/2015 11:56 AM, Alexander Frolushkin wrote: Will this be enough? # grep "conn=237 op=93" ./access [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" [17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000 This operation is a replicated one and the CSN is from May 19th. So why was a replica (26) created today initialized without that entry? This update originated from replica20. Was it stopped and restarted recently?
# grep "conn=293" ./access [17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2 [17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI [17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru" WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, June 17, 2015 3:53 PM To: thierry bordaz Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts On 06/17/2015 11:45 AM, thierry bordaz wrote: On 06/17/2015 11:22 AM, Alexander Frolushkin wrote: This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install. No DEL found: # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr" [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" There is something I miss. 
conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry existed (the one created 20150408070720Z). So the direct update should have been rejected. I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again. Alexander, could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from. Would you check if the replicaID=26 is unique in the topology (list-ruv for example)? [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (more recent dup was deleted). Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbordaz at redhat.com] Sent: Wednesday, June 17, 2015 3:15 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts Hello Alexander, How did you initialize that new replica 26? Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12. Would you check in replica26 access logs if that entry was deleted? thanks thierry On 06/17/2015 11:03 AM, Alexander Frolushkin wrote: This is correct, thank you for understanding and for helping! Replica with id 26 was created today, this is our new server which was included in domain just a few hours ago.
Looks like this dup came right after this new replica creation. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, June 17, 2015 2:58 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts Hi, you did send the data directly to me, maybe not wanting to share them to everyone. I'll continue discussion here, trying to be careful. The "good" entry was created in April on replica 12 "0x0c" createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z the "nsuniqueid" entry was created today on replica 26 "0x1a" createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z if the original entry would have existed on replica26 the new add should have been rejected, if it was not there the question is why. Do you have any additional info on replica 26, when was it created, was it disconnected for some time ?? Ludwig On 06/17/2015 08:13 AM, Alexander Frolushkin wrote: Hello. Another example. Today appeared on servers of different site. 
Original LDIF: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc =ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Duplicate: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissio ns, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 No other servers in IPA domain have such duplicates. 
WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, June 16, 2015 3:52 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts On 06/16/2015 11:42 AM, Alexander Frolushkin wrote: Hello. Just to remind if somebody still not familiar with our IPA installation :) We currently have 18 IPA servers in domain, on 8 sites in different regions across Russia. And now, our new problem. Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually they are simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts? if you are talking about having two "duplicate" entries, one: uid=xxxxx, one: nsuniqueid=nnnnnnnn+uid=xxxxx, these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server. to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present. Thanks in advance... WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764
From Alexander.Frolushkin at megafon.ru Wed Jun 17 10:57:04 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 10:57:04 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55814D66.7000103@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com> <55814D66.7000103@redhat.com>
Message-ID: <8d95d0d3193641ffb200e897b68d2083@sib-ums03.Megafon.ru>

Unfortunately, the number of duplicates grows dramatically on most sites. Some servers already have over 40 duplicates.

Could you please say, may I use re-initialize on the failing replica from the good one to fix this?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 4:35 PM
To: Alexander Frolushkin (SIB)
Cc: 'thierry bordaz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

conn=237 is from 10.99.75.82, which replica is this?

On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:
This is not good news, because replica id 20 has not existed for some days already. It was recreated and now has id 23.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 4:10 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:
Will this be enough?

# grep "conn=237 op=93" ./access
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000

This operation is a replicated one and the CSN is from May 19th. So why was a replica (26) created today initialized without that entry?
This update was originated from replica20. Was it stopped and restarted recently?
# grep "conn=293" ./access
[17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 3:53 PM
To: thierry bordaz
Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:45 AM, thierry bordaz wrote:
On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.

No DEL found:

# grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

There is something I miss.
conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry (the one created 20150408070720Z) already existed. So the direct update should have been rejected.

I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.

Alexander,
could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from

Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?

[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (the more recent dup was deleted).
Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 3:15 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hello Alexander,

How did you initialize that new replica 26?
Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.
Would you check in replica26 access logs if that entry was deleted?

thanks
thierry

On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
This is correct, thank you for understanding and for helping!
Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago.
Looks like this dup came right after this new replica creation.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 2:58 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hi,

you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.

The "good" entry was created in April on replica 12 "0x0c"
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z

the "nsuniqueid" entry was created today on replica 26 "0x1a"
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z

if the original entry had existed on replica26 the new add should have been rejected, if it was not there the question is why.

Do you have any additional info on replica 26, when was it created, was it disconnected for some time ??

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
Hello.
Another example. Today it appeared on servers of a different site.
Original LDIF:

# extended LDIF
#
# LDAPv3
# base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc
 =ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Duplicate:

# extended LDIF
#
# LDAPv3
# base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissio
 ns, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff
 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

No other servers in the IPA domain have such duplicates.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
Hello.
Just to remind, if somebody is still not familiar with our IPA installation :)
We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
And now, our new problem.
Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
Maybe someone could explain how we can detect the cause of these replication conflicts?

if you are talking about having two "duplicate" entries,
one: uid=xxxxx,
one: nsuniqueid=nnnnnnnn+uid=xxxxx,
these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.

Thanks in forward...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From lkrispen at redhat.com Wed Jun 17 11:33:52 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 17 Jun 2015 13:33:52 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <8d95d0d3193641ffb200e897b68d2083@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com> <55814D66.7000103@redhat.com> <8d95d0d3193641ffb200e897b68d2083@sib-ums03.Megafon.ru>
Message-ID: <55815B20.9000805@redhat.com>

On 06/17/2015 12:57 PM, Alexander Frolushkin wrote:
>
> Unfortunately, the number of duplicates grows dramatically on most sites.
> Some servers already have over 40 duplicates.
>
> Could you please say, may I use re-initialize on the failing replica from
> the good one to fix this?
>
If you have a good one, this should work, "dups" are only created when a replicated ADD is received for an existing entry.

But what really puzzles me is that you do not have them on all servers, something weird seems to happen, this entry seems to exist with several replicaids, and why would replica 10 replicate this 4 hrs after the replica installation.
> > > > # grep "conn=293" ./access > > [17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection > from 10.99.75.82 to 10.61.8.2 > > [17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl > version=3 mech=GSSAPI > > [17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > > [17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl > version=3 mech=GSSAPI > > [17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > > [17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl > version=3 mech=GSSAPI > > [17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 > nentries=0 etime=0 > dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru" > > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com] > *Sent:* Wednesday, June 17, 2015 3:53 PM > *To:* thierry bordaz > *Cc:* Alexander Frolushkin (SIB); freeipa-users at redhat.com > > *Subject:* Re: [Freeipa-users] replication conflicts > > On 06/17/2015 11:45 AM, thierry bordaz wrote: > > > On 06/17/2015 11:22 AM, Alexander Frolushkin wrote: > > This was a usual "ipa-replica-install --setup-ca > --setup-dns" and after that ipa-adtrust-install. 
> > No DEL found: > > # grep "cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" > ./access > > [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH > base="cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" > scope=0 filter="(objectClass=*)" attrs="ipaPermRight > ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType > cn objectClass memberOf member ipaPermTarget > ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr > ipaPermExcludedAttr" > > [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD > dn="cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" > > > There is something I miss. conn=2 op=91 was a direct update on > replica26 (not replicated) because it received its own > CSN=5580f3210000001a0000. But it created a conflict entry, so > at that time it existed the same entry (the one created > 20150408070720Z) . So the direct update should have been rejected. > > I think the search in op=89 did not return an entry, so it was > added in op 91, that seems to be ok, but then 4 hrs later there is > conn=237 adding it again. > > Alexander, > > could you get the complete 'conn=237 op=93' and also the start of > conn 293, to show where teh connection comes from > > > > > Would you check if the replicaID=26 is unique in the topology > (list-ruv for example) ? > > > > > [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: > Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" > > It is also possible this entry on affected servers was previously > duplicated and not correctly managed to delete (more recent dup > was deleted). > > Is there any natural way to fix such issues? Maybe > ipa-replica-manage force-sync, or ipa-replica-manage re-initialize > on affected site servers from normal servers could help? 
> > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*thierry bordaz [mailto:tbordaz at redhat.com] > *Sent:* Wednesday, June 17, 2015 3:15 PM > *To:* Alexander Frolushkin (SIB) > *Cc:* 'Ludwig Krispenz'; freeipa-users at redhat.com > > *Subject:* Re: [Freeipa-users] replication conflicts > > Hello Alexander, > > How did you initialize that new replica 26. > Either 'cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not > part of the total init data, or a DEL of that entry happened on > replica 26 (before a new ADD) but the DEL was not replicated to > replica12. > Would you check in replica26 access logs if that entry was deleted ? > > thanks > theirry > > On 06/17/2015 11:03 AM, Alexander Frolushkin wrote: > > This is correct, thank you for understanding and for helping! > > Replica with id 26 was created today, this is our new server > which was included in domain just a few hours ago. Looks like > this dup came right after this new replica creation. > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com] > *Sent:* Wednesday, June 17, 2015 2:58 PM > *To:* Alexander Frolushkin (SIB) > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] replication conflicts > > Hi, > > you did send the data directly to me, maybe not wanting to > share them to everyone. I'll continue discussion here, trying > to be careful. > > The "good" entry was created in April on replica 12 "0x0c" > createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z > > the "nsuniqueid" entry was created today on replica 26 "0x1a" > createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z > > if the original entry would have existed on replica26 the new > add should have been rejected, if it was not there the > question is why. > > Do you have any additional info on replica 26, when was it > created, was it disconnected for some time ?? 
> > Ludwig > > On 06/17/2015 08:13 AM, Alexander Frolushkin wrote: > > Hello. > > Another example. Today appeared on servers of different site. > > Original LDIF: > > # extended LDIF > > # > > # LDAPv3 > > # base Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> > with scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > # System: Manage Host Keytab, permissions, pbac, > unix.megafon.ru > > dn: cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc > > =ru > > ipaPermTargetFilter: (objectclass=ipahost) > > ipaPermRight: write > > ipaPermBindRuleType: permission > > ipaPermissionType: V2 > > ipaPermissionType: MANAGED > > ipaPermissionType: SYSTEM > > cn: System: Manage Host Keytab > > objectClass: ipapermission > > objectClass: top > > objectClass: groupofnames > > objectClass: ipapermissionv2 > > member: cn=Host > Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > member: cn=Host > Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermDefaultAttr: krbprincipalkey > > ipaPermDefaultAttr: krblastpwdchange > > ipaPermLocation: > cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru > > # search result > > search: 2 > > result: 0 Success > > # numResponses: 2 > > # numEntries: 1 > > Duplicate: > > # extended LDIF > > # > > # LDAPv3 > > # base Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> > with scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > # System: Manage Host Keytab + > 708bba65-14a611e5-8a48fd19-df27ff01, permissio > > ns, pbac, unix.megafon.ru > > dn: cn=System: Manage Host > Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff > > 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermTargetFilter: (objectclass=ipahost) > > ipaPermRight: write > > ipaPermBindRuleType: permission > > ipaPermissionType: V2 > > ipaPermissionType: MANAGED > > ipaPermissionType: SYSTEM > > cn: System: Manage Host 
Keytab > > objectClass: ipapermission > > objectClass: top > > objectClass: groupofnames > > objectClass: ipapermissionv2 > > member: cn=Host > Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > member: cn=Host > Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru > > ipaPermDefaultAttr: krbprincipalkey > > ipaPermDefaultAttr: krblastpwdchange > > ipaPermLocation: > cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru > > # search result > > search: 2 > > result: 0 Success > > # numResponses: 2 > > # numEntries: 1 > > No other servers in IPA domain have such duplicates. > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > *From:*freeipa-users-bounces at redhat.com > > [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of > *Ludwig Krispenz > *Sent:* Tuesday, June 16, 2015 3:52 PM > *To:* freeipa-users at redhat.com > > *Subject:* Re: [Freeipa-users] replication conflicts > > On 06/16/2015 11:42 AM, Alexander Frolushkin wrote: > > Hello. > > Just to remind if somebody still not familiar with our > IPA installation J > > We currently have 18 IPA servers in domain, on 8 sites > in different regions across the Russia. > > And now, our new problem. > > Regularly we getting a nsds5ReplConflict records on > some of our servers, very often on servers from > specific site. Usually it is simply a doubles and we > can remove the renamed change to get everything back. > But why do we have them at all? > > May be someone could explain, how we can detect the > cause of this replication conflicts? > > if you are talking about having two "duplicate" entries, > one: uid=xxxxx, > one: nsuniqueid=nnnnnnnn+uid=xxxxx, > > these entries appear if the entry uid=xxxxx was added, > simultaneously, on two servers. I think this can happen if > a client tries to add an entry and if it doesn't get a > response in some time retries on another server. 
> to find out which client this is you need to check on > which servers the entries were originally added and then > see which client was doing it > > > > > > > Sometimes it is moderately harmful, because, for example > HBAC stops working on a specific server while doubles are still > present. > > Thanks in forward... > > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > ------------------------------------------------------------------------ > > The information contained in this communication is > intended solely for the use of the individual or entity to > whom it is addressed and others authorized to receive it. > It may contain confidential or legally privileged > information. The contents may not be disclosed or used by > anyone other than the addressee. If you are not the > intended recipient(s), any use, disclosure, copying, > distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. If you > have received this communication in error please notify us > immediately by responding to this email and then delete > the e-mail and all attachments and any copies thereof. > > (c)20mf50
-------------- next part -------------- An HTML attachment was scrubbed... URL: From Alexander.Frolushkin at megafon.ru Wed Jun 17 11:38:23 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Wed, 17 Jun 2015 11:38:23 +0000 Subject: [Freeipa-users] replication conflicts In-Reply-To: <55815B20.9000805@redhat.com> References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com> <55814D66.7000103@redhat.com> <8d95d0d3193641ffb200e897b68d2083@sib-ums03.Megafon.ru> <55815B20.9000805@redhat.com> Message-ID: Ok, I'll try this soon, thank you! Also, please note, most of today's dups appeared when 4 of 19 servers were very busy in IO (all our servers are VMs), because dirsrv debug was enabled to gather logs for our case about "attrlist_replace - attr_replace (nsslapd-referral, ldap://xxx-rhidm0x.unix.megafon.ru:389/o%3Dipaca) failed." errors. Also during collection some of the dirsrv instances hung and were restarted.
WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, June 17, 2015 5:34 PM To: Alexander Frolushkin (SIB) Cc: 'thierry bordaz'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts On 06/17/2015 12:57 PM, Alexander Frolushkin wrote: Unfortunately, the number of duplicates grows dramatically on most sites. Some servers already have over 40 duplicates. Could you please say, may I use re-initialize on the failing replica from the good one to fix this? If you have a good one, this should work, "dups" are only created when a replicated ADD is received for an existing entry. But what really puzzles me is that you do not have them on all servers, something weird seems to happen, this entry seems to exist with several replicaids, and why would replica 10 replicate this 4 hrs after the replica installation. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, June 17, 2015 4:35 PM To: Alexander Frolushkin (SIB) Cc: 'thierry bordaz'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts conn=237 is from 10.99.75.82, which replica is this? On 06/17/2015 12:13 PM, Alexander Frolushkin wrote: This is not good news, because replica id 20 has not existed for some days already. It was recreated and now has id 23. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbordaz at redhat.com] Sent: Wednesday, June 17, 2015 4:10 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts On 06/17/2015 11:56 AM, Alexander Frolushkin wrote: Will this be enough?
# grep "conn=237 op=93" ./access
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000
This operation is a replicated one and the CSN is from May 19th. So why was a replica (26) created today initialized without that entry? This update originated from replica 20. Was it stopped and restarted recently?
# grep "conn=293" ./access
[17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"
WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, June 17, 2015 3:53 PM To: thierry bordaz Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts On 06/17/2015 11:45 AM, thierry bordaz wrote: On 06/17/2015 11:22 AM, Alexander Frolushkin wrote: This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
No DEL found:
# grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry existed (the one created 20150408070720Z). So the direct update should have been rejected. I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again. Alexander, could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from. Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
It is also possible this entry on affected servers was previously duplicated and the deletion was not handled correctly (the more recent dup was deleted). Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?
WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbordaz at redhat.com] Sent: Wednesday, June 17, 2015 3:15 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts Hello Alexander, How did you initialize that new replica 26? Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12. Would you check in replica26 access logs if that entry was deleted? thanks thierry On 06/17/2015 11:03 AM, Alexander Frolushkin wrote: This is correct, thank you for understanding and for helping! Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago. Looks like this dup came right after this new replica creation. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, June 17, 2015 2:58 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts Hi, you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful. The "good" entry was created in April on replica 12 "0x0c" createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z the "nsuniqueid" entry was created today on replica 26 "0x1a" createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z if the original entry had existed on replica26 the new add would have been rejected, if it was not there the question is why. Do you have any additional info on replica 26, when was it created, was it disconnected for some time?? Ludwig On 06/17/2015 08:13 AM, Alexander Frolushkin wrote: Hello. Another example. Today appeared on servers of a different site.
Original LDIF: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc =ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Duplicate: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissio ns, pbac, unix.megafon.ru dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Keytab objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru ipaPermDefaultAttr: krbprincipalkey ipaPermDefaultAttr: krblastpwdchange ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 No other servers in IPA domain have such duplicates. 
WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, June 16, 2015 3:52 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] replication conflicts On 06/16/2015 11:42 AM, Alexander Frolushkin wrote: Hello. Just to remind if somebody is still not familiar with our IPA installation :) We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia. And now, our new problem. Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts? if you are talking about having two "duplicate" entries, one: uid=xxxxx, one: nsuniqueid=nnnnnnnn+uid=xxxxx, these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server. to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it Sometimes it is moderately harmful, because, for example HBAC stops working on a specific server while doubles are still present. Thanks in forward... WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764
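The diagnosis thierry and Ludwig walk through in the thread above (read the replica id and timestamp out of the CSN on an ADD's RESULT line, pair it with the connection the ADD arrived on, then compare the nsuniqueid conflict entry with the entry it collided with), written out as a small script. This is an added example and not code from 389-ds, FreeIPA or anyone in the thread. The access-log lines and LDIF it runs on are constructed from the fragments posted above: the connection-open line for conn=237 is made up, since the thread only shows the one for conn=293, and the sample LDIF entries are cut down to a few attributes. The local replica id of 26, the nsds5ReplConflict marker attribute and the acceptance of nsuniqueid on either side of the original RDN are assumptions drawn from how 389-ds names conflict entries, not from the thread.

```python
"""Decode 389-ds CSNs from a dirsrv access log and match nsuniqueid conflict entries to
the originals they collided with.  Added example, not 389-ds/FreeIPA/thread code; samples are constructed."""
import re
from datetime import datetime, timezone

CSN_RE = re.compile(r"^[0-9a-f]{20}$")  # 8 hex digits epoch seconds, 4 seq, 4 replica id, 4 subseq
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")
# A conflict entry carries an extra nsuniqueid RDN component; accept it on either side of the RDN.
NSUNIQUEID_RDN = re.compile(r"(?:\+nsuniqueid=[0-9a-f-]+|nsuniqueid=[0-9a-f-]+\+)", re.I)

def decode_csn(csn):
    """Split a CSN; replica_id is the replica on which the change originated."""
    if not CSN_RE.match(csn):
        raise ValueError("not a CSN: %r" % csn)
    return {"time": datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc),
            "seq": int(csn[8:12], 16), "replica_id": int(csn[12:16], 16)}

def adds_by_dn(log_lines, local_replica_id):
    """Pair each ADD with the csn on its RESULT line; a foreign replica id in the csn
    means the ADD arrived over replication rather than from a client."""
    peers, pending, adds = {}, {}, {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        peer = re.match(r"fd=\d+ slot=\d+ connection from (\S+) to ", rest)
        add = re.match(r'ADD dn="(.*)"$', rest)
        res = re.match(r"RESULT err=\d+ .*\bcsn=([0-9a-f]{20})", rest)
        if peer:
            peers[conn] = peer.group(1)
        elif add:
            pending[(conn, op)] = add.group(1)
        elif res and (conn, op) in pending:
            csn = decode_csn(res.group(1))
            adds.setdefault(pending.pop((conn, op)).lower(), []).append(
                {"logged": m.group("ts"), "from": peers.get(conn, "?"),
                 "origin_replica": csn["replica_id"], "csn_time": csn["time"],
                 "replicated": csn["replica_id"] != local_replica_id})
    return adds

def parse_ldif(text):
    """Minimal LDIF reader (comments, folded lines): one {dn, attrs} dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a continuation line
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:
        key, _, value = line.partition(": ")
        if not line:
            if cur:
                entries.append(cur)
            cur = None
        elif key == "dn":
            cur = {"dn": value, "attrs": {}}
        elif cur is not None and not line.startswith("#"):
            cur["attrs"].setdefault(key.lower(), []).append(value)
    return entries

def find_conflicts(entries):
    """Match each conflict entry to its original and list the attributes that differ;
    an empty list means the conflict entry is a plain double of the original."""
    by_dn = {e["dn"].lower(): e for e in entries}
    report = []
    for e in entries:
        if not NSUNIQUEID_RDN.search(e["dn"]):
            continue
        original_dn = NSUNIQUEID_RDN.sub("", e["dn"])
        orig = by_dn.get(original_dn.lower(), {"attrs": {}})
        # nsds5ReplConflict is the marker 389-ds sets on the conflict entry itself; ignore it.
        keys = (set(orig["attrs"]) | set(e["attrs"])) - {"nsds5replconflict"}
        differing = sorted(k for k in keys
                           if sorted(orig["attrs"].get(k, [])) != sorted(e["attrs"].get(k, [])))
        report.append({"conflict_dn": e["dn"], "original_dn": original_dn,
                       "original_present": original_dn.lower() in by_dn, "differing_attrs": differing})
    return report

PERM_DN = "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
SAMPLE_ACCESS_LOG = [  # constructed from the lines posted for replica 26; conn=237's open line is assumed
    '[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="%s"' % PERM_DN,
    "[17/Jun/2015:10:08:01 +0600] conn=2 op=91 RESULT err=0 tag=105 nentries=0 etime=0 csn=5580f3210000001a0000",
    "[17/Jun/2015:14:39:46 +0600] conn=237 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2",
    '[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="%s"' % PERM_DN,
    "[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000",
]
SAMPLE_LDIF = """dn: %s
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermRight: write

dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
objectClass: ipapermissionv2
objectClass: ipapermission
ipaPermRight: write
nsds5ReplConflict: namingConflict %s
""" % (PERM_DN, PERM_DN)

if __name__ == "__main__":
    for dn, hits in adds_by_dn(SAMPLE_ACCESS_LOG, local_replica_id=26).items():
        print(dn, [(h["from"], h["origin_replica"], h["csn_time"].isoformat(), h["replicated"]) for h in hits])
    for c in find_conflicts(parse_ldif(SAMPLE_LDIF)):
        print(c["conflict_dn"], "differs in", c["differing_attrs"] or "nothing")
```

Run it against /var/log/dirsrv/slapd-INSTANCE/access and an ldapsearch -LLL export of the affected subtree (request the operational attributes with + if you want nsds5ReplConflict in the output), passing the server's own nsDS5ReplicaId. On the constructed sample it reports the two ADDs of the same DN on replica 26: the first is local (its csn carries replica id 26), the second came in over the connection from 10.99.75.82 with a csn from replica 20 dated 2015-05-19, which is the situation Ludwig describes as the only way a dup gets created. A conflict entry whose differing_attrs list is empty is a plain double that can be dropped; a non-empty list means the two copies diverged and need merging first. The script only reports; re-initializing the affected replica from a known-good one, as suggested above, is still what repairs the data.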
??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. 
If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? 
??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. 
If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? 
??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 ________________________________ ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? ???, ??????? ??? ??????????. ? ????????? ????? ??????????? ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. 
If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50

From henry.hofmann at osthus.com Wed Jun 17 11:58:46 2015
From: henry.hofmann at osthus.com (Henry Hofmann)
Date: Wed, 17 Jun 2015 11:58:46 +0000
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <20150617083557.GO3616@p.redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de> <20150617083557.GO3616@p.redhat.com>
Message-ID: <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de>

> > > It should be possible, yes - if you target web service/Red Mine to the compat tree, as it was done for example in this integration:
> > > http://www.freeipa.org/page/HowTo/vsphere5_integration
> >
> > Thanks, your expression is very helpful for nested group memberships.
> >
> > But maybe I expressed myself wrong. We need to log on with a user from Active Directory (like henry) over a trust with the IPA domain. But in the IPA domain there isn't a user named henry, only a reference in the group "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.
>
> The user can be looked up in the compat tree, e.g.
>
> ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry at ad.domain'
>
> HTH
>
> bye,
> Sumit

Thanks, I get more and more information and am amazed by FreeIPA and its functionality.
I can successfully log in to Redmine and Cloud with users from the trust domain.

I have added additional attributes for the user accounts, like "mail" etc.
For the external trust users this is not possible. How can I get this additional information for the trust users?
Best regards,
Henry

-----Original Message-----
From: Sumit Bose [mailto:sbose at redhat.com]
Sent: Wednesday, 17 June 2015 10:36
To: Henry Hofmann
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Question for AD trust and Webservices

On Wed, Jun 17, 2015 at 08:21:22AM +0000, Henry Hofmann wrote:
> > > It should be possible, yes - if you target web service/Red Mine to the compat tree, as it was done for example in this integration:
> > > http://www.freeipa.org/page/HowTo/vsphere5_integration
>
> Thanks, your expression is very helpful for nested group memberships.
>
> But maybe I expressed myself wrong. We need to log on with a user from Active Directory (like henry) over a trust with the IPA domain. But in the IPA domain there isn't a user named henry, only a reference in the group "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.

The user can be looked up in the compat tree, e.g.

ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry at ad.domain'

HTH

bye,
Sumit

> > > BTW, if Redmine is run by Apache, you can also leverage native Web<->SSSD<->FreeIPA/AD integration, following
>
> Our Redmine is running with a Ruby web server based on lock files, and in front of it we use an nginx web proxy.
>
> > > http://www.freeipa.org/page/Web_App_Authentication
> > >
> > > Martin
> > >
> > >> I understand this is for applications which are using Kerberos.
> > No, it is not only for that.
> >
> > >> I have some web applications like "redmine" and "owncloud" which have their own user management. They need to be configured to LDAP to grant authorizations without Kerberos. And not all of them use apache or tomcat as application server.
> > For OwnCloud use https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406 and read a backstory in https://github.com/owncloud/core/issues/10130
> >
> > For redmine use http://www.redmine.org/plugins/redmine_pam_auth.
> > You don't need to include the user which runs redmine into the shadow group with FreeIPA because user accounts are never in /etc/shadow for FreeIPA, so you don't need that access.
>
> What do you mean with "You don't need to include the user which runs Redmine into the shadow group with FreeIPA because user accounts are never in /etc/shadow for FreeIPA so you don't need that access"?
> Normally we create users and groups in FreeIPA and add the users to the groups. Currently we sync the users and groups to Redmine and grant the permission roles (Developer or Manager) to the groups. In this scenario I can remotely manage the grants for users in every web server that we use.
>
> > Both these methods rely on PAM authentication which is powered by SSSD.
> >
> > --
> > / Alexander Bokovoy
>
> Thanks for your help.
> Henry

From piotr.baranowski at osec.pl Wed Jun 17 12:09:05 2015
From: piotr.baranowski at osec.pl (Piotr Baranowski)
Date: Wed, 17 Jun 2015 14:09:05 +0200 (CEST)
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
Message-ID: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl>

Hi list!

I have a challenging setup I need some help with.

My topology:
EXTERNAL CLIENTS <-> INTERNET <-> SERVER <-> IPA <-> INTERNAL CLIENTS

There is no problem with internal clients. They register/enroll and then work like a charm.
The challenge is how external clients access the IPA server.
Firewall does a DNAT from the external interface to the internal one.

DNATed services are:
389/tcp
646/tcp
464/tcp
53/tcp
88/tcp
and
464/udp
53/udp
88/udp

I'm using apache with a mod_proxy config to pass http/https traffic from clients to the actual IPA server.
It's done using the following config:

ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://A.B.C.D/ timeout=300 keepalive=On
ServerName id.osec.pl

SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/pki/tls/certs/osec.crt
SSLCertificateKeyFile /etc/pki/tls/private/osec.key
SSLCACertificateFile /etc/pki/tls/certs/certum.crt
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / https://A.B.C.D/ timeout=300 keepalive=On
ServerName id.osec.pl

DNS SRV records are set up correctly and autodiscovery works.

When I run ipa-client-install --mkhomedir I get a nicely working setup.
External clients complain about the SSL cert:

[root at biuro1 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Using existing certificate '/etc/ipa/ca.crt'.
Discovery was successful!
Hostname: biuro1.osec.pl
Realm: OSEC.PL
DNS Domain: osec.pl
IPA Server: id.osec.pl
BaseDN: dc=osec,dc=pl

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin at OSEC.PL :
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Peer's certificate issuer has been marked as not trusted by the user.

It seems that the client does not like the cert presented by the "proxying" server.

Am I doing something fundamentally wrong here?
Can the registration process be proxied by apache/mod_proxy?

best regards
--
Piotr Baranowski
From abokovoy at redhat.com Wed Jun 17 12:15:02 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Jun 2015 15:15:02 +0300
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
In-Reply-To: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl>
References: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl>
Message-ID: <20150617121502.GA24163@redhat.com>

On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>Hi list!
>
>I have a challenging setup I need some help with.
>
>My topology:
>EXTERNAL CLIENTS <-> INTERNET <-> SERVER <-> IPA <-> INTERNAL CLIENTS
>
>There is no problem with internal clients. They register/enroll and then work like a charm.
>The challenge is how external clients access the IPA server.
>
>Firewall does a DNAT from the external interface to the internal one.
>
>DNATed services are:
>389/tcp
>646/tcp
>464/tcp
>53/tcp
>88/tcp
>and
>464/udp
>53/udp
>88/udp
>
>I'm using apache with a mod_proxy config to pass http/https traffic from clients to the actual IPA server.
>It's done using the following config:
>
>ProxyPreserveHost On
>ProxyRequests Off
>ProxyPass / http://A.B.C.D/ timeout=300 keepalive=On
>ServerName id.osec.pl
>
>SSLEngine On
>SSLProxyEngine On
>SSLCertificateFile /etc/pki/tls/certs/osec.crt
>SSLCertificateKeyFile /etc/pki/tls/private/osec.key
>SSLCACertificateFile /etc/pki/tls/certs/certum.crt
>ProxyPreserveHost On
>ProxyRequests Off
>ProxyPass / https://A.B.C.D/ timeout=300 keepalive=On
>ServerName id.osec.pl
>
>DNS SRV records are set up correctly and autodiscovery works.
>
>When I run ipa-client-install --mkhomedir I get a nicely working setup.
>External clients complain about the SSL cert:
>
>[root at biuro1 ~]# ipa-client-install
>WARNING: ntpd time&date synchronization service will not be configured as
>conflicting service (chronyd) is enabled
>Use --force-ntpd option to disable it and force configuration of ntpd
>
>Using existing certificate '/etc/ipa/ca.crt'.
>Discovery was successful!
>Hostname: biuro1.osec.pl
>Realm: OSEC.PL
>DNS Domain: osec.pl
>IPA Server: id.osec.pl
>BaseDN: dc=osec,dc=pl
>
>Continue to configure the system with these values? [no]: yes
>Synchronizing time with KDC...
>Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
>User authorized to enroll computers: admin
>Password for admin at OSEC.PL :
>Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Peer's certificate issuer has been marked as not trusted by the user.
>
>It seems that the client does not like the cert presented by the "proxying" server.
>
>Am I doing something fundamentally wrong here?
>Can the registration process be proxied by apache/mod_proxy?

So you have two different certificates in use here and your client doesn't know about the other certificate (from your proxy). You need either to deliver that certificate to the client yourself or change your proxying technology to something different. For example, you can use sniproxy, which doesn't require an in-the-middle certificate.
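The reason the mod_proxy setup fails is visible in the client output: ipa-client-install trusts only the IPA CA in /etc/ipa/ca.crt, so the Certum-issued certificate a TLS-terminating proxy presents is rejected as "issuer not trusted". An SNI proxy sidesteps that by reading the hostname from the cleartext ClientHello and forwarding the unmodified TCP stream, so the IPA server's own certificate is what the client verifies. The block below is an added example of that mechanism written for this page; it is not sniproxy's code. The ClientHello bytes are constructed, and the routing table maps the id.osec.pl name from the thread to the A.B.C.D placeholder Piotr used for his internal server.

```python
"""Route a TLS connection on its Server Name Indication without terminating TLS.

Added example for the proxy discussion above; not sniproxy or FreeIPA code.
An SNI proxy never needs its own certificate: the server_name extension is
sent in the clear before any key exchange, so the proxy can pick a backend
and then relay bytes untouched.
"""
import struct
from typing import Dict, Optional, Tuple

# Constructed routing table: the public name from the thread, the poster's
# A.B.C.D placeholder for the internal IPA server.
BACKENDS: Dict[str, Tuple[str, int]] = {"id.osec.pl": ("A.B.C.D", 443)}

EXT_SERVER_NAME = 0x0000   # TLS extension type for server_name (RFC 6066)
NAME_TYPE_HOST = 0x00      # the only defined NameType: host_name


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    # An unrelated extension (signature_algorithms, type 13) so the parser has to skip it.
    sig_algs = struct.pack("!H", 2) + b"\x04\x01"
    exts += struct.pack("!HH", 0x000D, len(sig_algs)) + sig_algs
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + bytes(32)                               # random (zeros; constructed)
        + b"\x00"                                 # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if there is none.

    Raises ValueError for anything that is not a complete, well-formed ClientHello;
    a proxy should close such connections rather than guess a backend.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length mismatch")
    try:
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos == len(body):
            return None                                         # legacy hello, no extensions
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        if end != len(body):
            raise ValueError("extensions length mismatch")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
                p += 3
                name, p = data[p:p + name_len], p + name_len
                if name_type == NAME_TYPE_HOST:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return None


def route(record: bytes, table: Dict[str, Tuple[str, int]] = BACKENDS) -> Optional[Tuple[str, int]]:
    """Pick the backend for a ClientHello; None means no SNI or unknown name, so refuse."""
    name = parse_sni(record)
    return table.get(name) if name is not None else None


if __name__ == "__main__":
    hello = build_client_hello("id.osec.pl")
    print(parse_sni(hello), route(hello))
```

The proxy only ever sees the hostname, which is not confidential, and it cannot alter the TLS session, so the certificate chain the client validates is the one the IPA server serves. Note that this only addresses the HTTPS leg that ipa-client-install's HTTP POST uses; the Kerberos and LDAP ports in the DNAT list are unaffected either way.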
https://github.com/dlundquist/sniproxy

--
/ Alexander Bokovoy

From tbordaz at redhat.com Wed Jun 17 12:16:20 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 17 Jun 2015 14:16:20 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To:
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com> <55814D66.7000103@redhat.com> <8d95d0d3193641ffb200e897b68d2083@sib-ums03.Megafon.ru> <55815B20.9000805@redhat.com>
Message-ID: <55816514.6070601@redhat.com>

On 06/17/2015 01:38 PM, Alexander Frolushkin wrote:
> Ok, I'll try this soon, thank you!
>
> Also, please note, most of today's dups appeared when 4 of 19 servers were very busy in IO (all our servers are VMs), because dirsrv debug was enabled to gather logs for our case about
>
> attrlist_replace - attr_replace (nsslapd-referral, ldap://xxx-rhidm0x.unix.megafon.ru:389/o%3Dipaca) failed.

This message comes if you have duplicated ReplicaIDs. 'list-ruv' would show you the same url appearing several times with different RIDs.

To be back on the original problem (dup), I wonder if it is not related to cleanruv/corrupted RUV.
A new replica26 is created and is initialized from a master and it does not contain entry 555ac936000000140000. That allows the creation of 5580f3210000001a0000.
Then replica10 sends 555ac936000000140000 to replica26. That means that the changelog/ruv of replica10 contained that update, so either cleanallruv20 did not happen on replica10 or it failed to clean its CL.
Replica10 has a very old update that was not known from the master used to init replica26.
Was replica10 restarted recently?

thanks
thierry

> errors
>
> Also during collection some of the dirsrv instances hung and were restarted.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* Wednesday, June 17, 2015 5:34 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* 'thierry bordaz'; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 12:57 PM, Alexander Frolushkin wrote:
> Unfortunately, the number of duplicates grows dramatically on most sites. Some servers already have over 40 duplicates.
>
> Could you please say, may I use re-initialize on the failing replica from the good one to fix this?
>
> If you have a good one, this should work, "dups" are only created when a replicated ADD is received for an existing entry.
> But what really puzzles me is that you do not have them on all servers, something weird seems to happen, this entry seems to exist with several replicaids, and why would replica 10 replicate this 4 hrs after the replica installation.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* Wednesday, June 17, 2015 4:35 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* 'thierry bordaz'; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> conn=237 is from 10.99.75.82 which replica is this ?
>
> On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:
> This is not good news, because replica id 20 has not existed for some days already.
> It was recreated and now has id 23
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* thierry bordaz [mailto:tbordaz at redhat.com]
> *Sent:* Wednesday, June 17, 2015 4:10 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* 'Ludwig Krispenz'; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:
> Will this be enough?
>
> # grep "conn=237 op=93" ./access
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000
>
> This operation is a replicated one and the CSN is from May 19th.
> So why was a replica (26) created today initialized without that entry?
> This update was originated from replica20. Was it stopped and restarted recently?
>
> # grep "conn=293" ./access
> [17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
> [17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* Wednesday, June 17, 2015
> 3:53 PM
> *To:* thierry bordaz
> *Cc:* Alexander Frolushkin (SIB); freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 11:45 AM, thierry bordaz wrote:
> On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
> This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
>
> No DEL found:
>
> # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
> [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
> [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>
> There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry (the one created 20150408070720Z) existed. So the direct update should have been rejected.
>
> I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.
>
> Alexander,
>
> could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from
>
> Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>
> It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (the more recent dup was deleted).
>
> Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* thierry bordaz [mailto:tbordaz at redhat.com]
> *Sent:* Wednesday, June 17, 2015 3:15 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* 'Ludwig Krispenz'; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> Hello Alexander,
>
> How did you initialize that new replica 26?
> Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.
> Would you check in the replica26 access logs if that entry was deleted?
>
> thanks
> thierry
>
> On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
> This is correct, thank you for understanding and for helping!
>
> Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago. Looks like this dup came right after this new replica creation.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* Wednesday, June 17, 2015 2:58 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> Hi,
>
> you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.
> The "good" entry was created in April on replica 12 "0x0c"
> createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z
>
> the "nsuniqueid" entry was created today on replica 26 "0x1a"
> createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z
>
> if the original entry had existed on replica26 the new add should have been rejected, if it was not there the question is why.
>
> Do you have any additional info on replica 26, when was it created, was it disconnected for some time ??
>
> Ludwig
>
> On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
> Hello.
>
> Another example. Today appeared on servers of a different site.
>
> Original LDIF:
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
> dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermTargetFilter: (objectclass=ipahost)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Host Keytab
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermDefaultAttr: krbprincipalkey
> ipaPermDefaultAttr: krblastpwdchange
> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Duplicate:
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
> dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermTargetFilter: (objectclass=ipahost)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Host Keytab
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermDefaultAttr: krbprincipalkey
> ipaPermDefaultAttr: krblastpwdchange
> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> No other servers in the IPA domain have such duplicates.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of* Ludwig Krispenz
> *Sent:* Tuesday, June 16, 2015 3:52 PM
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
> Hello.
>
> Just to remind if somebody is still not familiar with our IPA installation:
>
> We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
>
> And now, our new problem.
>
> Regularly we get nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
> Maybe someone could explain how we can detect the cause of these replication conflicts?
>
> if you are talking about having two "duplicate" entries,
> one: uid=xxxxx,
> one: nsuniqueid=nnnnnnnn+uid=xxxxx,
>
> these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and, if it doesn't get a response in some time, retries on another server.
> to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it
>
> Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.
>
> Thanks in forward...
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> ------------------------------------------------------------------------
>
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee.
If you are not the > intended recipient(s), any use, disclosure, copying, > distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. If you > have received this communication in error please notify us > immediately by responding to this email and then delete > the e-mail and all attachments and any copies thereof. > > (c)20mf50 > > > > > > > > > ------------------------------------------------------------------------ > > > ?????????? ? ???? ????????? ????????????? ????????????? > ??? ?????????? ???, ??????? ??? ??????????. ? ????????? > ????? ??????????? ???????????????? ??????????, ??????? ?? > ????? ???? ???????? ??? ???????????? ???-????, ????? > ?????????. ???? ?? ?? ??????? ????? ?????????, ?? > ?????????????, ?????????????, ??????????? ??? > ??????????????? ?????????? ????????? ??? ??? ????? > ????????? ? ?????????. ???? ?? ???????? ??? ????????? > ????????, ??????????, ??????????????? ???????? ??????????? > ?? ???? ? ??????? ?? ???? ?????????? ???? ????????? ? > ????? ????????? ??? ????? ? ??????????. > > The information contained in this communication is > intended solely for the use of the individual or entity to > whom it is addressed and others authorized to receive it. > It may contain confidential or legally privileged > information. The contents may not be disclosed or used by > anyone other than the addressee. If you are not the > intended recipient(s), any use, disclosure, copying, > distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. If you > have received this communication in error please notify us > immediately by responding to this email and then delete > the e-mail and all attachments and any copies thereof. > > (c)20mf50 > > ------------------------------------------------------------------------ > > > ?????????? ? ???? ????????? ????????????? ????????????? ??? > ?????????? ???, ??????? ??? ??????????. ? ????????? ????? 
> ??????????? ???????????????? ??????????, ??????? ?? ????? ???? > ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? > ?? ??????? ????? ?????????, ?? ?????????????, ?????????????, > ??????????? ??? ??????????????? ?????????? ????????? ??? ??? > ????? ????????? ? ?????????. ???? ?? ???????? ??? ????????? > ????????, ??????????, ??????????????? ???????? ??????????? ?? > ???? ? ??????? ?? ???? ?????????? ???? ????????? ? ????? > ????????? ??? ????? ? ??????????. > > The information contained in this communication is intended > solely for the use of the individual or entity to whom it is > addressed and others authorized to receive it. It may contain > confidential or legally privileged information. The contents > may not be disclosed or used by anyone other than the > addressee. If you are not the intended recipient(s), any use, > disclosure, copying, distribution or any action taken or > omitted to be taken in reliance on it is prohibited and may be > unlawful. If you have received this communication in error > please notify us immediately by responding to this email and > then delete the e-mail and all attachments and any copies thereof. > > (c)20mf50 > > > > > > > ------------------------------------------------------------------------ > > > ?????????? ? ???? ????????? ????????????? ????????????? ??? > ?????????? ???, ??????? ??? ??????????. ? ????????? ????? > ??????????? ???????????????? ??????????, ??????? ?? ????? ???? > ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? > ??????? ????? ?????????, ?? ?????????????, ?????????????, > ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? > ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, > ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? > ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? > ??????????. 
> > The information contained in this communication is intended solely > for the use of the individual or entity to whom it is addressed > and others authorized to receive it. It may contain confidential > or legally privileged information. The contents may not be > disclosed or used by anyone other than the addressee. If you are > not the intended recipient(s), any use, disclosure, copying, > distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. If you have > received this communication in error please notify us immediately > by responding to this email and then delete the e-mail and all > attachments and any copies thereof. > > (c)20mf50 > > ------------------------------------------------------------------------ > > > ?????????? ? ???? ????????? ????????????? ????????????? ??? > ?????????? ???, ??????? ??? ??????????. ? ????????? ????? > ??????????? ???????????????? ??????????, ??????? ?? ????? ???? > ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? > ??????? ????? ?????????, ?? ?????????????, ?????????????, > ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? > ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, > ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? > ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? > ??????????. > > The information contained in this communication is intended solely > for the use of the individual or entity to whom it is addressed > and others authorized to receive it. It may contain confidential > or legally privileged information. The contents may not be > disclosed or used by anyone other than the addressee. If you are > not the intended recipient(s), any use, disclosure, copying, > distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. 
If you have > received this communication in error please notify us immediately > by responding to this email and then delete the e-mail and all > attachments and any copies thereof. > > (c)20mf50 > > ------------------------------------------------------------------------ > > > ?????????? ? ???? ????????? ????????????? ????????????? ??? > ?????????? ???, ??????? ??? ??????????. ? ????????? ????? > ??????????? ???????????????? ??????????, ??????? ?? ????? ???? > ???????? ??? ???????????? ???-????, ????? ?????????. ???? ?? ?? > ??????? ????? ?????????, ?? ?????????????, ?????????????, > ??????????? ??? ??????????????? ?????????? ????????? ??? ??? ????? > ????????? ? ?????????. ???? ?? ???????? ??? ????????? ????????, > ??????????, ??????????????? ???????? ??????????? ?? ???? ? ??????? > ?? ???? ?????????? ???? ????????? ? ????? ????????? ??? ????? ? > ??????????. > > The information contained in this communication is intended solely > for the use of the individual or entity to whom it is addressed > and others authorized to receive it. It may contain confidential > or legally privileged information. The contents may not be > disclosed or used by anyone other than the addressee. If you are > not the intended recipient(s), any use, disclosure, copying, > distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. If you have > received this communication in error please notify us immediately > by responding to this email and then delete the e-mail and all > attachments and any copies thereof. > > (c)20mf50 > > ------------------------------------------------------------------------ > > > ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? > ???, ??????? ??? ??????????. ? ????????? ????? ??????????? > ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? > ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? > ?????????, ?? ?????????????, ?????????????, ??????????? ??? 
From abokovoy at redhat.com Wed Jun 17 12:20:00 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Jun 2015 15:20:00 +0300
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de> <20150617083557.GO3616@p.redhat.com> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de>
Message-ID: <20150617122000.GC24163@redhat.com>

On Wed, 17 Jun 2015, Henry Hofmann wrote:
>Thanks, I get more and more information and amazed about FreeIPA and functionally.
>I can successfully login in Redmine and Cloud with users from the trust domain.
>
>I have added additional attributes for the user accounts like "mail" etc.
>For the external trust users this is not possible. How can I get this
>additional information for the trust users?
you cannot add them in the compat tree. Compat tree is a run-time view which takes _existing_ data in LDAP or from SSSD, adapts it to a different schema and represents it. If there are no sources to take "mail" from, one cannot make a persistent version of it in the compat tree.
-- 
/ Alexander Bokovoy

From Alexander.Frolushkin at megafon.ru Wed Jun 17 12:27:45 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 17 Jun 2015 12:27:45 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55816514.6070601@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com> <55814D66.7000103@redhat.com> <8d95d0d3193641ffb200e897b68d2083@sib-ums03.Megafon.ru> <55815B20.9000805@redhat.com> <55816514.6070601@redhat.com>
Message-ID: <6a9ee184a0a549eab53054c5d71beb73@sib-ums03.Megafon.ru>

Except:

"unable to decode: {replica 22} 5576b83e000200160000 5576ba4b000200160000
unable to decode: {replica 20} 55716e57000300140000 55716e57000300140000
unable to decode: {replica 16} 548a8126000000100000 548a8126000000100000
unable to decode: {replica 24} 557fb7d4000400180000 557fb9a1001000180000
unable to decode: {replica 21} 5576ac96000000150000 5576b52e000200150000"

records, all replicas are unique and have corresponding id's.
The total number of servers that are not "unable to decode" is equal to the real number of replicas in the domain.
I can confirm some of the cleanallruv processes were not finished correctly after some replica removals.
Slapd on replica id 10 was last restarted yesterday at 15:05 server local time.

The same question: may it help if tomorrow I re-initialize all replicas from our relatively good-conditioned site?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 6:16 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 01:38 PM, Alexander Frolushkin wrote:
Ok, I'll try this soon, thank you!
Also, please note, most of today's dups appeared when 4 of 19 servers were very busy in IO (all our servers are VMs), because dirsrv debug was enabled to gather logs for our case about attrlist_replace - attr_replace (nsslapd-referral, ldap://xxx-rhidm0x.unix.megafon.ru:389/o%3Dipaca) failed.

This message comes if you have a duplicated ReplicaID. 'list-ruv' would show you the same url appearing several times with different RIDs.

To be back on the original problem (dup), I wonder if it is not related to cleanruv/corrupted RUV.
A new replica26 is created and is initialized from a master, and it does not contain entry 555ac936000000140000. That allows the creation of 5580f3210000001a0000.
Then replica10 sends 555ac936000000140000 to replica26. That means that the changelog/ruv of replica10 contained that update, so either cleanallruv20 did not happen on replica10 or failed to clean its CL.
Replica10 has a very old update that was not known to the master used to init replica26. Was replica10 restarted recently?

thanks
thierry

errors
Also during collection some of the dirsrv instances hung and were restarted.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 5:34 PM
To: Alexander Frolushkin (SIB)
Cc: 'thierry bordaz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 12:57 PM, Alexander Frolushkin wrote:
Unfortunately, the number of duplicates grows dramatically on most sites. Some servers already have over 40 duplicates.
Could you please say, may I use re-initialize on the failing replica from the good one to fix this?

If you have a good one, this should work, "dups" are only created when a replicated ADD is received for an existing entry.
But what really puzzles me is that you do not have them on all servers, something weird seems to happen, this entry seems to exist with several replicaids, and why would replica 10 replicate this 4 hrs after the replica installation.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 4:35 PM
To: Alexander Frolushkin (SIB)
Cc: 'thierry bordaz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

conn=237 is from 10.99.75.82 which replica is this ?

On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:
This is not good news, because replica id 20 has not existed for some days already. It was recreated and now has id 23.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 4:10 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:
Will this be enough?

# grep "conn=237 op=93" ./access
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000

This operation is a replicated one and the CSN is from May 19th. So why was a replica (26) created today initialized without that entry?
This update originated from replica20. Was it stopped and restarted recently?
# grep "conn=293" ./access
[17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 3:53 PM
To: thierry bordaz
Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:45 AM, thierry bordaz wrote:
On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
No DEL found:

# grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

There is something I miss.
conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000.
But it created a conflict entry, so at that time the same entry already existed (the one created 20150408070720Z). So the direct update should have been rejected.

I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.
Alexander, could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from

Would you check if the replicaID=26 is unique in the topology (list-ruv for example) ?

[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

It is also possible this entry on the affected servers was previously duplicated and the delete was not correctly managed (the more recent dup was deleted).
Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on the affected site servers from normal servers could help?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 3:15 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hello Alexander,

How did you initialize that new replica 26?
Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.
Would you check in the replica26 access logs if that entry was deleted?

thanks
thierry

On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
This is correct, thank you for understanding and for helping!
Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago.
Looks like this dup came right after this new replica creation.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 2:58 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hi,

you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.

The "good" entry was created in April on replica 12 "0x0c":
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z

the "nsuniqueid" entry was created today on replica 26 "0x1a":
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z

if the original entry had existed on replica26 the new add should have been rejected, if it was not there the question is why.
Do you have any additional info on replica 26, when was it created, was it disconnected for some time ??

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
Hello.
Another example. Today appeared on servers of a different site.
Original LDIF:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Duplicate:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

No other servers in the IPA domain have such duplicates.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
Hello.
Just to remind if somebody is still not familiar with our IPA installation :)
We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
And now, our new problem.
Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually they are simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts?

if you are talking about having two "duplicate" entries, one: uid=xxxxx, one: nsuniqueid=nnnnnnnn+uid=xxxxx, these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.
Thanks in forward...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
(c)20mf50
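The diagnostic steps Ludwig and Thierry walk through in the thread above (decode the CSN to see which replica id originated an update, find the ADD and its connection in the 389-ds access log, and check `list-ruv` for a URL appearing under several RIDs), worked through as an added example that is not code from the thread, from FreeIPA or from 389-ds. The access-log and list-ruv samples are constructed from the thread's snippets (the "connection from" lines for conn=2 and conn=237 and the example host names are invented), and the `host:port: RID` line format assumed for `ipa-replica-manage list-ruv` output is an assumption.

```python
# Added example (not from the thread, FreeIPA or 389-ds): decode CSNs, trace
# which replica an ADD came from, and sanity-check list-ruv output.
import re
from datetime import datetime, timezone

# A 389-ds CSN is 20 hex chars: 8 timestamp (epoch seconds), 4 seqnum,
# 4 replica id, 4 subseqnum. The replica id names the originating master.
CSN_RE = re.compile(r"^[0-9a-f]{20}$")


def parse_csn(csn):
    """Split a CSN into fields, e.g. 555ac936000000140000 -> replica 20 (0x14)."""
    if not CSN_RE.match(csn):
        raise ValueError("not a CSN: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def is_conflict_dn(dn):
    """True for nsds5ReplConflict renames: the first RDN becomes multi-valued
    with nsuniqueid glued on (cn=x+nsuniqueid=..., or nsuniqueid=...+uid=x).
    Naive split; assumes no escaped commas in the first RDN."""
    first_rdn = dn.split(",", 1)[0].lower()
    return "+" in first_rdn and "nsuniqueid=" in first_rdn


CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to (\S+)")
ADD_RE = re.compile(r'conn=(\d+) op=(\d+) ADD dn="(.*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) .*csn=([0-9a-f]{20})")


def trace_adds(lines, dn, local_rid):
    """Pair every ADD of `dn` with its RESULT line (which carries the CSN) and the
    connection's source address. A CSN whose replica id is not the local one was
    a replicated op, so `from` is then the supplier that sent it."""
    sources, pending, found = {}, set(), []
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            sources[m.group(1)] = m.group(2)
            continue
        m = ADD_RE.search(line)
        if m and m.group(3) == dn:
            pending.add((m.group(1), m.group(2)))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            pending.discard((m.group(1), m.group(2)))
            fields = parse_csn(m.group(4))
            found.append({"conn": m.group(1), "op": m.group(2),
                          "err": int(m.group(3)), "csn": m.group(4),
                          "origin_rid": fields["rid"], "when": fields["time"],
                          "replicated": fields["rid"] != local_rid,
                          "from": sources.get(m.group(1), "unknown")})
    return found


RUV_LINE_RE = re.compile(r"^\s*(\S+:\d+): (\d+)\s*$")
RUV_STALE_RE = re.compile(r"unable to decode: \{replica (\d+)\}")


def check_ruv(text):
    """Parse list-ruv output ('host:port: RID' line format is an assumption).
    Returns URLs listed under more than one RID (the duplicated-ReplicaID symptom
    behind the attrlist_replace error) and the stale 'unable to decode' RIDs
    that a finished cleanallruv would have removed."""
    by_url, stale = {}, []
    for line in text.splitlines():
        m = RUV_LINE_RE.match(line)
        if m:
            by_url.setdefault(m.group(1), set()).add(int(m.group(2)))
            continue
        m = RUV_STALE_RE.search(line)
        if m:
            stale.append(int(m.group(1)))
    dups = {url: sorted(rids) for url, rids in by_url.items() if len(rids) > 1}
    return dups, stale


PERMISSION_DN = ("cn=System: Manage Host Keytab,cn=permissions,cn=pbac,"
                 "dc=unix,dc=megafon,dc=ru")

# Constructed access log of replica 26: the local ADD (own CSN, rid 0x1a), then
# hours later the replicated ADD from 10.99.75.82 carrying replica 20's May 19th
# CSN. The "connection from" lines for conn=2 and conn=237 are invented.
SAMPLE_ACCESS_LOG = """\
[17/Jun/2015:10:08:01 +0600] conn=2 fd=64 slot=64 connection from 127.0.0.1 to 10.61.8.2
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="%s"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 RESULT err=0 tag=105 nentries=0 etime=0 csn=5580f3210000001a0000
[17/Jun/2015:14:39:40 +0600] conn=237 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="%s"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000
""" % (PERMISSION_DN, PERMISSION_DN)

# Constructed list-ruv output: one host under two RIDs plus a stale entry.
SAMPLE_RUV = """\
Replica Update Vectors:
\tipa-a.example.test:389: 10
\tipa-b.example.test:389: 12
\tipa-b.example.test:389: 23
\tunable to decode: {replica 20} 55716e57000300140000 55716e57000300140000
"""
```

Run `trace_adds(SAMPLE_ACCESS_LOG.splitlines(), PERMISSION_DN, 26)` to see the two ADDs attributed to replica 26 (local) and replica 20 (replicated via 10.99.75.82); `check_ruv(SAMPLE_RUV)` flags the host listed under RIDs 12 and 23 and the stale RID 20.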
From piotr.baranowski at osec.pl Wed Jun 17 12:29:19 2015
From: piotr.baranowski at osec.pl (Piotr Baranowski)
Date: Wed, 17 Jun 2015 14:29:19 +0200 (CEST)
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
In-Reply-To: <20150617121502.GA24163@redhat.com>
References: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl> <20150617121502.GA24163@redhat.com>
Message-ID: <826543504.426052.1434544159397.JavaMail.zimbra@osec.pl>

----- Original message -----
> From: "Alexander Bokovoy"
> So you have two different certificates in use here and your client
> doesn't know about the other certificate (from your proxy). You need
> either to deliver that certificate to the client by yourself or change
> your proxying technology to something different.
>
> For example, you can use sniproxy which doesn't require in-the-middle
> certificate. https://github.com/dlundquist/sniproxy

Thanks for that hint. I'll have a look at that.
However I have an idea: If I could export ipa's mod_nss cert+key and then use them on my proxy running mod_ssl, that probably could solve the issue. Right?

Piotr

From abokovoy at redhat.com Wed Jun 17 12:31:13 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Jun 2015 15:31:13 +0300
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de>
Message-ID: <20150617122637.GD24163@redhat.com>

On Wed, 17 Jun 2015, Henry Hofmann wrote:
>> For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You
>> don't need to include the user which runs redmine into shadow group
>> with FreeIPA because user accounts are never in /etc/shadow for
>> FreeIPA so you don't need that access.
>>
>What do you mean with "You don't need to include the user which runs
>Redmine into shadow group with FreeIPA because user accounts are never
>in /etc/shadow for FreeIPA so you don't need that access"?
Normally the redmine_pam_auth solution runs the authentication process with the help of PAM modules. PAM modules need to access the data they would be using to check the passwords. In a classical setup with redmine_pam_auth, that would be having access to the /etc/shadow file, which is limited on most systems. On Fedora, for example, only root can access it, so a PAM module that checks the passwords via /etc/shadow would need to be run with root privileges. In other distributions the situation may be different and 'shadow' group membership may be used to limit access to /etc/shadow.

When using pam_sss, one doesn't need to access /etc/shadow at all, thus my suggestion.

-- 
/ Alexander Bokovoy

From henry.hofmann at osthus.com Wed Jun 17 12:34:02 2015
From: henry.hofmann at osthus.com (Henry Hofmann)
Date: Wed, 17 Jun 2015 12:34:02 +0000
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <20150617122000.GC24163@redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de> <20150617083557.GO3616@p.redhat.com> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de> <20150617122000.GC24163@redhat.com>
Message-ID: <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de>

Ok, how can I configure the map of source attributes (mail or any other) to the compat tree?

Thanks and best regards,
Henry

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Wednesday, 17 June 2015 14:20
To: Henry Hofmann
Cc: Sumit Bose; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Question for AD trust and Webservices

On Wed, 17 Jun 2015, Henry Hofmann wrote:
>Thanks, I get more and more information and amazed about FreeIPA and functionally.
>I can successfully login in Redmine and Cloud with users from the trust domain.
>
>I have added additional attributes for the user accounts like "mail" etc.
>For the external trust users this is not possible. How can I get this
>additional information for the trust users?
you cannot add them in the compat tree. Compat tree is a run-time view which takes _existing_ data in LDAP or from SSSD, adapts it to a different schema and represents it. If there are no sources to take "mail" from, one cannot make a persistent version of it in the compat tree.

-- 
/ Alexander Bokovoy

From tbordaz at redhat.com Wed Jun 17 12:40:09 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 17 Jun 2015 14:40:09 +0200
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <6a9ee184a0a549eab53054c5d71beb73@sib-ums03.Megafon.ru>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com>
<98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com> <55814D66.7000103@redhat.com> <8d95d0d3193641ffb200e897b68d2083@sib-ums03.Megafon.ru> <55815B20.9000805@redhat.com> <55816514.6070601@redhat.com> <6a9ee184a0a549eab53054c5d71beb73@sib-ums03.Megafon.ru> Message-ID: <55816AA9.6020808@redhat.com> On 06/17/2015 02:27 PM, Alexander Frolushkin wrote: > > Except: > > "unable to decode: {replica 22} 5576b83e000200160000 5576ba4b000200160000 > > unable to decode: {replica 20} 55716e57000300140000 55716e57000300140000 > > unable to decode: {replica 16} 548a8126000000100000 548a8126000000100000 > > unable to decode: {replica 24} 557fb7d4000400180000 557fb9a1001000180000 > > unable to decode: {replica 21} 5576ac96000000150000 5576b52e000200150000" > > records, all replicas are unique and have corresponding id's. > > Total number of not "unable to decode" servers is equal to real number > of replicas in domain. > > I can confirm some of cleanallruv processes was not finished correctly > after some replica remove. > > Slapd on replica id 10 last restarted yesterday 15:05 server local time. > It was restarted 16/Jun/2015:15:05 and send the update one day after ! [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" [17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000 May be it was very very slow. > The same question, may it help if I tomorrow will do re-initialize all > replicas from our relatively good-conditioned site? > If you reinit all replicas, it will clear their CL so such very old updates will no long exist. Now if it exists very slow replica (like replica10) that holds their updates for long before replicating then it increases the possibility of creating conflicts. 
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, June 17, 2015 6:16 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 01:38 PM, Alexander Frolushkin wrote:
> Ok, I'll try this soon, thank you!
>
> Also, please note, most of today's dups appeared when 4 of 19
> servers were very busy in IO (all our servers are VMs), because
> dirsrv debug was enabled to gather logs for our case about
>
> attrlist_replace - attr_replace (nsslapd-referral,
> ldap://xxx-rhidm0x.unix.megafon.ru:389/o%3Dipaca) failed.
>
> This message comes if you have duplicated ReplicaID. 'list-ruv' would
> show you the same url appearing several times with different RID.
>
> To be back on the original problem (dup), I wonder if it is not
> related to cleanruv/corrupted RUV.
>
> A new replica26 is created and is initialized from a master and it
> does not contain entry 555ac936000000140000. That allows the creation of
> 5580f3210000001a0000.
> Then replica10 sends 555ac936000000140000 to replica26. That means
> that changelog/ruv of replica10 contained that update, so either
> cleanallruv20 did not happen on replica10 or failed to clean its CL.
>
> Replica10 has a very old update that was not known from the master
> used to init replica26.
> Was replica10 restarted recently?
>
> thanks
> thierry
>
> errors
>
> Also during collection some of the dirsrv instances hung and were restarted.
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, June 17, 2015 5:34 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'thierry bordaz'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 12:57 PM, Alexander Frolushkin wrote:
> Unfortunately, the number of duplicates grows dramatically on most
> sites. Some servers already have over 40 duplicates.
>
> Could you please say, may I use re-initialize on the failing replica
> from the good one to fix this?
>
> If you have a good one, this should work, "dups" are only created when
> a replicated ADD is received for an existing entry.
> But what really puzzles me is that you do not have them on all
> servers, something weird seems to happen, this entry seems to exist
> with several replicaids, and why would replica 10 replicate this 4 hrs
> after the replica installation.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, June 17, 2015 4:35 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'thierry bordaz'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> conn=237 is from 10.99.75.82 which replica is this?
>
> On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:
> This is not good news, because replica id 20 has not existed for
> some days already. It was recreated and now has id 23
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, June 17, 2015 4:10 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:
> Will this be enough?
> # grep "conn=237 op=93" ./access
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000
>
> This operation is a replicated one and the CSN is from May 19th.
> So why was a replica (26) created today initialized without that entry?
> This update was originated from replica20. Was it stopped and restarted recently?
>
> # grep "conn=293" ./access
> [17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
> [17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, June 17, 2015 3:53 PM
> To: thierry bordaz
> Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> On 06/17/2015 11:45 AM, thierry bordaz wrote:
> On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
> This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
> No DEL found:
>
> # grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
> [17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
> [17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>
> There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry existed (the one created 20150408070720Z). So the direct update should have been rejected.
>
> I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.
>
> Alexander,
>
> could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from
>
> Would you check if the replicaID=26 is unique in the topology (list-ruv for example)?
>
> [17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
>
> It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (the more recent dup was deleted).
>
> Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, June 17, 2015 3:15 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> Hello Alexander,
>
> How did you initialize that new replica 26?
> Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.
> Would you check in replica26 access logs if that entry was deleted?
>
> thanks
> thierry
>
> On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
> This is correct, thank you for understanding and for helping!
>
> Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago. Looks like this dup came right after this new replica creation.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, June 17, 2015 2:58 PM
> To: Alexander Frolushkin (SIB)
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> Hi,
>
> you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.
>
> The "good" entry was created in April on replica 12 "0x0c"
> createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z
>
> the "nsuniqueid" entry was created today on replica 26 "0x1a"
> createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z
>
> if the original entry would have existed on replica26 the new add should have been rejected, if it was not there the question is why.
>
> Do you have any additional info on replica 26, when was it created, was it disconnected for some time??
> Ludwig
>
> On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
> Hello.
>
> Another example. Today it appeared on servers of a different site.
>
> Original LDIF:
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
> dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermTargetFilter: (objectclass=ipahost)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Host Keytab
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermDefaultAttr: krbprincipalkey
> ipaPermDefaultAttr: krblastpwdchange
> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Duplicate:
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
> dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermTargetFilter: (objectclass=ipahost)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Host Keytab
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermDefaultAttr: krbprincipalkey
> ipaPermDefaultAttr: krblastpwdchange
> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> No other servers in the IPA domain have such duplicates.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> Sent: Tuesday, June 16, 2015 3:52 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replication conflicts
>
> On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
> Hello.
>
> Just to remind, if somebody is still not familiar with our IPA installation :)
>
> We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
>
> And now, our new problem.
>
> Regularly we get nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all?
>
> Maybe someone could explain how we can detect the cause of these replication conflicts?
>
> if you are talking about having two "duplicate" entries,
> one: uid=xxxxx,
> one: nsuniqueid=nnnnnnnn+uid=xxxxx,
>
> these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
> to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it
>
> Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.
>
> Thanks in forward...
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> ------------------------------------------------------------------------
>
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
>
> (c)20mf50
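Editor's note, added after the replication-conflicts thread above and not part of any message in it: the CSN values and "unable to decode" lines that Alexander, thierry and Ludwig read by hand follow a fixed layout (timestamp, sequence number, replica id and sub-sequence number, each in hex), so the same reading can be scripted. The Python below is an added example, not 389-ds or FreeIPA code. It decodes CSNs, flags 'list-ruv' elements whose replica id is no longer a live master (the set of live ids is a constructed assumption, not data from the thread), and pulls the originating replica and the replication lag of a replicated operation out of access-log RESULT lines. The sample inputs are the lines quoted in the thread.

```python
import re
from datetime import datetime, timezone
from typing import Iterable, List, NamedTuple, Set


class CSN(NamedTuple):
    """A 389-ds change sequence number: timestamp(8 hex) seqnum(4) rid(4) subseqnum(4)."""
    timestamp: datetime  # when the originating master stamped the change (UTC)
    seqnum: int          # ordinal of the change within that second
    rid: int             # replica id of the master that originated the change
    subseqnum: int
    raw: str


def parse_csn(raw: str) -> CSN:
    """Split a 20-hex-digit CSN into its fields; reject anything else."""
    raw = raw.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{20}", raw):
        raise ValueError(f"not a CSN: {raw!r}")
    return CSN(datetime.fromtimestamp(int(raw[0:8], 16), tz=timezone.utc),
               int(raw[8:12], 16), int(raw[12:16], 16), int(raw[16:20], 16), raw)


# 'ipa-replica-manage list-ruv' prints this for RUV elements it cannot map
# back to a server URL (line shape as quoted in the thread).
_UNDECODABLE_RE = re.compile(
    r"unable to decode:\s*\{replica (?P<rid>\d+)\}\s+"
    r"(?P<first>[0-9a-f]{20})\s+(?P<last>[0-9a-f]{20})")


class StaleElement(NamedTuple):
    rid: int
    first: CSN             # oldest change from that replica still in the RUV
    last: CSN              # newest change from that replica still in the RUV
    rid_matches_csn: bool  # both CSNs carry the rid the RUV element claims


def stale_ruv_elements(list_ruv_output: str, live_rids: Set[int]) -> List[StaleElement]:
    """Undecodable RUV elements whose rid is no longer a master: clean-ruv candidates."""
    stale = []
    for m in _UNDECODABLE_RE.finditer(list_ruv_output):
        rid = int(m.group("rid"))
        if rid in live_rids:
            continue
        first, last = parse_csn(m.group("first")), parse_csn(m.group("last"))
        stale.append(StaleElement(rid, first, last, first.rid == rid == last.rid))
    return stale


# Access-log RESULT lines of replicated operations carry the originating CSN.
_ACCESS_RE = re.compile(
    r"\[(?P<when>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+RESULT\b"
    r".*?\bcsn=(?P<csn>[0-9a-f]{20})")


class ReplicatedOp(NamedTuple):
    conn: int
    op: int
    applied_at: datetime  # when this server applied the change (log timestamp)
    csn: CSN              # which master originated it, and when

    def lag_days(self) -> float:
        """Days between origination (CSN time) and local application."""
        return (self.applied_at - self.csn.timestamp).total_seconds() / 86400.0


def replicated_ops(access_log_lines: Iterable[str]) -> List[ReplicatedOp]:
    """Extract conn/op, apply time and decoded CSN from access-log RESULT lines."""
    ops = []
    for line in access_log_lines:
        m = _ACCESS_RE.search(line)
        if m:
            applied = datetime.strptime(m.group("when"), "%d/%b/%Y:%H:%M:%S %z")
            ops.append(ReplicatedOp(int(m.group("conn")), int(m.group("op")),
                                    applied, parse_csn(m.group("csn"))))
    return ops


# Sample input: the five 'unable to decode' lines Alexander quoted.
SAMPLE_LIST_RUV = """\
unable to decode: {replica 22} 5576b83e000200160000 5576ba4b000200160000
unable to decode: {replica 20} 55716e57000300140000 55716e57000300140000
unable to decode: {replica 16} 548a8126000000100000 548a8126000000100000
unable to decode: {replica 24} 557fb7d4000400180000 557fb9a1001000180000
unable to decode: {replica 21} 5576ac96000000150000 5576b52e000200150000
"""

# Sample input: the conn=237 op=93 lines quoted from the replica's access log.
SAMPLE_ACCESS = [
    '[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,'
    'cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"',
    '[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 '
    'csn=555ac936000000140000',
]

if __name__ == "__main__":
    live = {10, 12, 23, 26}  # assumed (constructed) set of masters still in the topology
    for e in stale_ruv_elements(SAMPLE_LIST_RUV, live):
        print(f"rid {e.rid:>2}: last change {e.last.timestamp:%Y-%m-%d %H:%M:%S}Z, "
              f"rid-consistent={e.rid_matches_csn} -> clean-ruv candidate")
    for op in replicated_ops(SAMPLE_ACCESS):
        print(f"conn={op.conn} op={op.op}: originated on replica {op.csn.rid} at "
              f"{op.csn.timestamp:%Y-%m-%d %H:%M:%S}Z, applied {op.lag_days():.1f} days later")
```

Run against the thread's own lines this reports that csn=555ac936000000140000 was originated by replica 20 on 2015-05-19 and applied on the new replica about 29 days later, which is the conclusion thierry drew from the CSN, and it lists rids 16, 20, 21, 22 and 24 as RUV elements with no matching live master (with the constructed live set used here). A changelog entry from a decommissioned replica id that is still replayed is how an entry can reappear as an nsds5ReplConflict duplicate, so checking list-ruv for leftover ids after every replica removal, and finishing cleanallruv before re-using a replica id, is the practical safeguard.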
From rcritten at redhat.com Wed Jun 17 13:14:16 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Jun 2015 09:14:16 -0400
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <55809268.5090608@gmail.com>
References: <55809268.5090608@gmail.com>
Message-ID: <558172A8.7000908@redhat.com>

Janelle wrote:
> Hi,
>
> Had a server - named ipa001.example.com -- it was a replica. It died. It
> was re-installed. However, prior to the re-install it was saying the
> wonderful:
>
> TLS error -8172:Peer's certificate issuer has been marked as not trusted
> by the user.
>
> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
> replica or trying to join it back in to the existing ring of servers)
> and at the end of the ipa-server-install - it gives:
>
> Done.
> Restarting the directory server
> Restarting the KDC
> Restarting the certificate server
> Restarting the web server
> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
> exit status 1
> Configuration of client side components failed!
> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
> '--on-master' '--unattended' '--domain' 'example.com' '--server'
> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
> 'ipa001.example.com'' returned non-zero exit status 1
>
> and checking /var/log/ipaclient-install.log - the exact same TLS error????
>
> But this is a brand new system, with brand new OS and the install was
> ipa-server-install to install a clean server.
>
> I don't understand how this is happening. There is no "peer" to be not
> trusted?

What version of IPA and distro? (I don't think that probably has anything to do with it, just curious in case it does eventually matter).

What does /etc/openldap/ldap.conf look like? Normally it should have
TLS_CACERT /etc/ipa/ca.crt

Any chance you can share the server and client install logs?

rob

From rcritten at redhat.com Wed Jun 17 13:15:02 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Jun 2015 09:15:02 -0400
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
In-Reply-To:
References:
Message-ID: <558172D6.1000200@redhat.com>

Randall Harrison wrote:
> Hello freeipa!
>
> I am having difficulty installing freeipa on a freshly installed
> CentOS6.6 box.
> I have not had this problem on previous CentOS releases,
> and it installed with no problems on a CentOS7.1 box.
>
> Here is a list of steps I took to install:
>
> 1.) Disable SElinux and IPtables (for testing purposes only)
> 2.) reboot
> 3.) yum update
> 4.) reboot
> 5.) yum install ipa-server bind bind-dyndb-ldap
> 6.) ipa-server-install --setup-dns
> 7.) the install script errors out
>
> I have attached the ipa-server install log and pki-ca log.
>
> All help is appreciated!
>
> Randy
>
>

Can you see what version of java is installed? You want 1.7.x and not 1.8.x.

rob

From janellenicole80 at gmail.com Wed Jun 17 13:19:30 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 17 Jun 2015 06:19:30 -0700
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <558172A8.7000908@redhat.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com>
Message-ID: <558173E2.9020306@gmail.com>

On 6/17/15 6:14 AM, Rob Crittenden wrote:
> Janelle wrote:
>> Hi,
>>
>> Had a server - named ipa001.example.com -- it was a replica. It died. It
>> was re-installed. However, prior to the re-install it was saying the
>> wonderful:
>>
>> TLS error -8172:Peer's certificate issuer has been marked as not trusted
>> by the user.
>>
>> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
>> replica or trying to join it back in to the existing ring of servers)
>> and at the end of the ipa-server-install - it gives:
>>
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Restarting the web server
>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>> exit status 1
>> Configuration of client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>> 'ipa001.example.com'' returned non-zero exit status 1
>>
>> and checking /var/log/ipaclient-install.log - the exact same TLS
>> error????
>>
>> But this is a brand new system, with brand new OS and the install was
>> ipa-server-install to install a clean server.
>>
>> I don't understand how this is happening. There is no "peer" to be not
>> trusted?
>
> What version of IPA and distro? (I don't think that probably has
> anything to do with it, just curious in case it does eventually matter).
>
> What does /etc/openldap/ldap.conf look like? Normally it should have
> TLS_CACERT /etc/ipa/ca.crt
>
> Any chance you can share the server and client install logs?
>
> rob

4.1.4 = IPA
CentOS 7.1

Oooh... Found something: /etc/openldap/ldap.conf:

TLS_CACERTDIR /etc/openldap/certs

Going to investigate.
~J

From rcritten at redhat.com Wed Jun 17 13:21:47 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Jun 2015 09:21:47 -0400
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <558173E2.9020306@gmail.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com> <558173E2.9020306@gmail.com>
Message-ID: <5581746B.4080604@redhat.com>

Janelle wrote:
> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hi,
>>>
>>> Had a server - named ipa001.example.com -- it was a replica. It died. It
>>> was re-installed. However, prior to the re-install it was saying the
>>> wonderful:
>>>
>>> TLS error -8172:Peer's certificate issuer has been marked as not trusted
>>> by the user.
>>>
>>> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
>>> replica or trying to join it back in to the existing ring of servers)
>>> and at the end of the ipa-server-install - it gives:
>>>
>>> Done.
>>> Restarting the directory server
>>> Restarting the KDC
>>> Restarting the certificate server
>>> Restarting the web server
>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>>> exit status 1
>>> Configuration of client side components failed!
>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>>> 'ipa001.example.com'' returned non-zero exit status 1
>>>
>>> and checking /var/log/ipaclient-install.log - the exact same TLS
>>> error????
>>>
>>> But this is a brand new system, with brand new OS and the install was
>>> ipa-server-install to install a clean server.
>>>
>>> I don't understand how this is happening. There is no "peer" to be not
>>> trusted?
>>
>> What version of IPA and distro? (I don't think that probably has
>> anything to do with it, just curious in case it does eventually matter).
>>
>> What does /etc/openldap/ldap.conf look like? Normally it should have
>> TLS_CACERT /etc/ipa/ca.crt
>>
>> Any chance you can share the server and client install logs?
>>
>> rob
> 4.1.4 = IPA
> CentOS 7.1
>
> Oooh... Found something: /etc/openldap/ldap.conf:
>
> TLS_CACERTDIR /etc/openldap/certs
>
> Going to investigate.
> ~J
>

That should be fine assuming there aren't any certs in there (and on a
brand new system I'd think you'd have empty NSS databases).

rob

From janellenicole80 at gmail.com Wed Jun 17 13:43:40 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 17 Jun 2015 06:43:40 -0700
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <5581746B.4080604@redhat.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com> <558173E2.9020306@gmail.com> <5581746B.4080604@redhat.com>
Message-ID: <5581798C.2010303@gmail.com>

On 6/17/15 6:21 AM, Rob Crittenden wrote:
> Janelle wrote:
>> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>>> Janelle wrote:
>>>> Hi,
>>>>
>>>> Had a server - named ipa001.example.com -- it was a replica. It died. It
>>>> was re-installed. However, prior to the re-install it was saying the
>>>> wonderful:
>>>>
>>>> TLS error -8172:Peer's certificate issuer has been marked as not trusted
>>>> by the user.
>>>>
>>>> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
>>>> replica or trying to join it back in to the existing ring of servers)
>>>> and at the end of the ipa-server-install - it gives:
>>>>
>>>> Done.
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Restarting the certificate server
>>>> Restarting the web server
>>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>>>> exit status 1
>>>> Configuration of client side components failed!
>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>>>> 'ipa001.example.com'' returned non-zero exit status 1
>>>>
>>>> and checking /var/log/ipaclient-install.log - the exact same TLS
>>>> error????
>>>>
>>>> But this is a brand new system, with brand new OS and the install was
>>>> ipa-server-install to install a clean server.
>>>>
>>>> I don't understand how this is happening. There is no "peer" to be not
>>>> trusted?
>>>
>>> What version of IPA and distro?
>>> (I don't think that probably has
>>> anything to do with it, just curious in case it does eventually matter).
>>>
>>> What does /etc/openldap/ldap.conf look like? Normally it should have
>>> TLS_CACERT /etc/ipa/ca.crt
>>>
>>> Any chance you can share the server and client install logs?
>>>
>>> rob
>> 4.1.4 = IPA
>> CentOS 7.1
>>
>> Oooh... Found something: /etc/openldap/ldap.conf:
>>
>> TLS_CACERTDIR /etc/openldap/certs
>>
>> Going to investigate.
>> ~J
>>
>
> That should be fine assuming there aren't any certs in there (and on a
> brand new system I'd think you'd have empty NSS databases).
>
> rob

Well I was able to get another server stood up, but now if I go back to
the server I was TRYING to set up and add it as a replica:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa002.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Using reverse zone(s) 202.161.17.in-addr.arpa.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
NetworkError: cannot connect to 'ldaps://ipa001.example.com': TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
========================
ipareplica-install.log below:

2015-06-17T13:37:48Z DEBUG stderr=
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
2015-06-17T13:37:48Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipaserver/install/plugins'...
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/baseupdate.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/ca_renewal_master.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_agreements.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/rename_managed.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_idranges.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_pacs.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_passsync.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_referint.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_services.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_uniqueness.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
2015-06-17T13:37:49Z DEBUG group dirsrv exists
2015-06-17T13:37:49Z DEBUG user dirsrv exists
2015-06-17T13:37:49Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 626, in main
    tls_cacertfile=cafile)

  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)

  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 169, in create_connection
    clientctrls=clientctrls)

  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)

  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1206, in error_handler
    error=info)

2015-06-17T13:37:49Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://ipa001.example.com': TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

From abokovoy at redhat.com Wed Jun 17 13:51:59 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Jun 2015 16:51:59 +0300
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
In-Reply-To: <826543504.426052.1434544159397.JavaMail.zimbra@osec.pl>
References: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl> <20150617121502.GA24163@redhat.com> <826543504.426052.1434544159397.JavaMail.zimbra@osec.pl>
Message-ID: <20150617135159.GE24163@redhat.com>

On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>----- Original message -----
>> From: "Alexander Bokovoy"
>> So you have two different certificates in use here and your client
>> doesn't know about the other certificate (from your proxy). You need
>> either to deliver that certificate to the client by yourself or change
>> your proxying technology to something different.
>>
>> For example, you can use sniproxy which doesn't require in-the-middle
>> certificate. https://github.com/dlundquist/sniproxy
>
>Thanks for that hint.
>I'll have a look at that.
>
>However I have an Idea:
>If I could export ipa's mod_nss cert+key and then use them on my proxy
>running mod_ssl that probably could solve the issue.
>
>Right?
Sort of. Now you would have an issue of maintaining the certificate in
multiple locations which would make rotation of it "interesting", so to
say.

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Jun 17 13:56:23 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Jun 2015 16:56:23 +0300
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de> <20150617083557.GO3616@p.redhat.com> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de> <20150617122000.GC24163@redhat.com> <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de>
Message-ID: <20150617135623.GF24163@redhat.com>

On Wed, 17 Jun 2015, Henry Hofmann wrote:
>Ok, how can I configure the map of source attributes (mail or any other)
>to compat tree?
Go back in archives in this list and read discussions about "Single mail
deployment in an FreeIPA-WindowsAD scenario".

TLDR; not possible in the compat tree as of right now.
-- 
/ Alexander Bokovoy

From piotr.baranowski at osec.pl Wed Jun 17 13:57:57 2015
From: piotr.baranowski at osec.pl (Piotr Baranowski)
Date: Wed, 17 Jun 2015 15:57:57 +0200 (CEST)
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
In-Reply-To: <20150617135159.GE24163@redhat.com>
References: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl> <20150617121502.GA24163@redhat.com> <826543504.426052.1434544159397.JavaMail.zimbra@osec.pl> <20150617135159.GE24163@redhat.com>
Message-ID: <1546736798.427432.1434549477229.JavaMail.zimbra@osec.pl>

----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:

> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>----- Original message -----
>>> From: "Alexander Bokovoy"
>>> So you have two different certificates in use here and your client
>>> doesn't know about the other certificate (from your proxy). You need
>>> either to deliver that certificate to the client by yourself or change
>>> your proxying technology to something different.
>>>
>>> For example, you can use sniproxy which doesn't require in-the-middle
>>> certificate. https://github.com/dlundquist/sniproxy
>>
>>Thanks for that hint. I'll have a look at that.
>>
>>However I have an Idea:
>>If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>mod_ssl that probably could solve the issue.
>>
>>Right?
> Sort of. Now you would have an issue of maintaining the certificate in
> multiple locations which would make rotation of it "interesting", so to
> say.

Those would be only TWO certificates to manage. What's the challenge here?

Piotr

From janellenicole80 at gmail.com Wed Jun 17 14:03:36 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 17 Jun 2015 07:03:36 -0700
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <5581746B.4080604@redhat.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com> <558173E2.9020306@gmail.com> <5581746B.4080604@redhat.com>
Message-ID: <55817E38.6040402@gmail.com>

On 6/17/15 6:21 AM, Rob Crittenden wrote:
> Janelle wrote:
>> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>>> Janelle wrote:
>>>> Hi,
>>>>
>>>> Had a server - named ipa001.example.com -- it was a replica. It died. It
>>>> was re-installed. However, prior to the re-install it was saying the
>>>> wonderful:
>>>>
>>>> TLS error -8172:Peer's certificate issuer has been marked as not trusted
>>>> by the user.
>>>>
>>>> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
>>>> replica or trying to join it back in to the existing ring of servers)
>>>> and at the end of the ipa-server-install - it gives:
>>>>
>>>> Done.
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Restarting the certificate server
>>>> Restarting the web server
>>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>>>> exit status 1
>>>> Configuration of client side components failed!
>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>>>> 'ipa001.example.com'' returned non-zero exit status 1
>>>>
>>>> and checking /var/log/ipaclient-install.log - the exact same TLS
>>>> error????
>>>>
>>>> But this is a brand new system, with brand new OS and the install was
>>>> ipa-server-install to install a clean server.
>>>>
>>>> I don't understand how this is happening. There is no "peer" to be not
>>>> trusted?
>>>
>>> What version of IPA and distro?
>>> (I don't think that probably has
>>> anything to do with it, just curious in case it does eventually matter).
>>>
>>> What does /etc/openldap/ldap.conf look like? Normally it should have
>>> TLS_CACERT /etc/ipa/ca.crt
>>>
>>> Any chance you can share the server and client install logs?
>>>
>>> rob
>> 4.1.4 = IPA
>> CentOS 7.1
>>
>> Oooh... Found something: /etc/openldap/ldap.conf:
>>
>> TLS_CACERTDIR /etc/openldap/certs
>>
>> Going to investigate.
>> ~J
>>
>
> That should be fine assuming there aren't any certs in there (and on a
> brand new system I'd think you'd have empty NSS databases).
>
> rob

So this gets interesting now...

Say you have 6 IPA servers, named ipa001-ipa006.example.com -- all working
fine. Something happens to 002. It dies. You "ipa-replica-manage del
--clean --force ipa002" to get rid of it.

A period of time, say a month, goes by. You have lost a couple of other
replicas for whatever reason, say 3 and 6. You decide you want to rebuild.
You start with 002 - leaving the others up and running because you have
users working. You firewall off 002 while you rebuild it. You reinstall
OS, reinstall FreeIPA. But no matter what, when you start to configure IPA
it comes up with the error of being untrusted.

Now, you try the same thing on 003 and 006. SAME problem.

For fun - you shutdown 005 and uninstall freeipa --unattended and then try
to re-install it. Guess what - no issues.

Is this somehow related to: Same domain and realm names floating around
the net - so is it querying for a name somehow and one of the "still
running" servers is saying - "NO NO NO -- that CERT is revoked!!!" - even
though it never tries to connect to that server. Or am I just thinking far
too outside the box?

And this is exactly what has happened. Rebuilding one of the servers that
was never REMOVED is working just fine.
~J

From abokovoy at redhat.com Wed Jun 17 14:21:11 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Jun 2015 17:21:11 +0300
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
In-Reply-To: <1546736798.427432.1434549477229.JavaMail.zimbra@osec.pl>
References: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl> <20150617121502.GA24163@redhat.com> <826543504.426052.1434544159397.JavaMail.zimbra@osec.pl> <20150617135159.GE24163@redhat.com> <1546736798.427432.1434549477229.JavaMail.zimbra@osec.pl>
Message-ID: <20150617142111.GG24163@redhat.com>

On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:
>
>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>----- Original message -----
>>>> From: "Alexander Bokovoy"
>>>> So you have two different certificates in use here and your client
>>>> doesn't know about the other certificate (from your proxy). You need
>>>> either to deliver that certificate to the client by yourself or change
>>>> your proxying technology to something different.
>>>>
>>>> For example, you can use sniproxy which doesn't require in-the-middle
>>>> certificate. https://github.com/dlundquist/sniproxy
>>>
>>>Thanks for that hint. I'll have a look at that.
>>>
>>>However I have an Idea:
>>>If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>>mod_ssl that probably could solve the issue.
>>>
>>>Right?
>> Sort of. Now you would have an issue of maintaining the certificate in
>> multiple locations which would make rotation of it "interesting", so to
>> say.
>
>Those would be only TWO certificates to manage. What's the challenge here?
FreeIPA uses certmonger to rotate certificates when time approaches
their expiration. Certmonger requests new certificate from the CA.
In case you copied the certificate to some other server, you would need to
manually maintain the other copy and there will be a period when IPA
webserver's certificate would already be rotated but yours isn't.

Setting certmonger to rotate the same certificate from two locations
wouldn't work.

I'm not saying it is hard, just that you should know what you are
dealing with and accept window of blackout.

-- 
/ Alexander Bokovoy

From npmccallum at redhat.com Wed Jun 17 14:30:03 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Wed, 17 Jun 2015 10:30:03 -0400
Subject: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
In-Reply-To:
References:
Message-ID: <1434551403.2815.4.camel@redhat.com>

Prashant,

I have proposed a patch for the issue:
https://www.redhat.com/archives/freeipa-devel/2015-June/msg00505.html

Please test it and let me know if it works for you.

Nathaniel

On Wed, 2015-06-17 at 12:35 +0530, Prashant Bapat wrote:
> Simo is right! This issue is same as
> https://fedorahosted.org/freeipa/ticket/5047
>
> If I change the algorithm in the otp url to uppercase it scans in
> Google authenticator/iPhone.
>
> Furthermore I manually edited the
> /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py and uppercased
> the 'sha' to 'SHA' in a test VM and it works as expected. I hate to do
> this in the production server though.
>
>
> On 12 June 2015 at 23:32, Prashant Bapat wrote:
> > Hi,
> >
> > Has anyone seen this ? When a user tries to scan the QR code he
> > gets a message saying "invalid barcode". This happens only with
> > iPhone + Google Authenticator.
> >
> > Thanks for your help.
> >
> > --Prashant
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From piotr.baranowski at osec.pl Wed Jun 17 14:45:24 2015
From: piotr.baranowski at osec.pl (Piotr Baranowski)
Date: Wed, 17 Jun 2015 16:45:24 +0200 (CEST)
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
In-Reply-To: <20150617142111.GG24163@redhat.com>
References: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl> <20150617121502.GA24163@redhat.com> <826543504.426052.1434544159397.JavaMail.zimbra@osec.pl> <20150617135159.GE24163@redhat.com> <1546736798.427432.1434549477229.JavaMail.zimbra@osec.pl> <20150617142111.GG24163@redhat.com>
Message-ID: <1529614567.428032.1434552324622.JavaMail.zimbra@osec.pl>

----- On 17 Jun 2015 at 16:21, Alexander Bokovoy abokovoy at redhat.com wrote:

> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:
>>
>>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>>----- Original message -----
>>>>> From: "Alexander Bokovoy"
>>>>> So you have two different certificates in use here and your client
>>>>> doesn't know about the other certificate (from your proxy). You need
>>>>> either to deliver that certificate to the client by yourself or change
>>>>> your proxying technology to something different.
>>>>>
>>>>> For example, you can use sniproxy which doesn't require in-the-middle
>>>>> certificate. https://github.com/dlundquist/sniproxy
>>>>
>>>>Thanks for that hint. I'll have a look at that.
>>>>
>>>>However I have an Idea:
>>>>If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>>>mod_ssl that probably could solve the issue.
>>>>
>>>>Right?
>>> Sort of. Now you would have an issue of maintaining the certificate in
>>> multiple locations which would make rotation of it "interesting", so to
>>> say.
>>
>>Those would be only TWO certificates to manage. What's the challenge here?
> FreeIPA uses certmonger to rotate certificates when time approaches
> their expiration. Certmonger requests new certificate from the CA. In
> case you copied the certificate to some other server, you would need to
> manually maintain the other copy and there will be a period when IPA
> webserver's certificate would already be rotated but yours isn't.
>
> Setting certmonger to rotate the same certificate from two locations
> wouldn't work.
>
> I'm not saying it is hard, just that you should know what you are
> dealing with and accept window of blackout.

Good to know that. Thanks for the heads-up.
I already exported the IPA CA cert, Server-Cert cert/key.
I'll have to wait until the maintenance window before I reload my apache.
Will keep you posted if that solved the problem.

Piotr

From nathan at nathanpeters.com Wed Jun 17 16:17:07 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Wed, 17 Jun 2015 09:17:07 -0700
Subject: [Freeipa-users] Cannot login with GSSAPI to IPA client
In-Reply-To: <20150617074247.GN3616@p.redhat.com>
References: <679b622289ae76684f6920ee8d01f8a5.squirrel@webmail.nathanpeters.com> <20150617074247.GN3616@p.redhat.com>
Message-ID:

> On Tue, Jun 16, 2015 at 04:32:31PM -0700, nathan at nathanpeters.com wrote:
>> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
>> 1.11.6-30. The server is CentOS 7 / IPA 4.1.3
>>
>> When I try to log in using MIT kerberos and a valid ticket it works on
>> one client, and fails on the other. I have compared the /etc/krb5.conf,
>> /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients
>> and they are identical (other than the hostnames). I can't seem to find
>> any other difference between the clients.
>>
>> Password authentication works on both machines.
>>
>> Here is the debug log of the failed login machine (sshd)
>>
>> I think the relevant line is the very last one where it postpones the
>> login for some reason
>>
>> Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2
>
> This message is in the other log as well and I think this is ok.
>
> Have you checked if the keytab on the host with issue has the latest key
> version?
>
> To check, call 'klist -k' as root on the server and then call 'kvno
> host/...' with the principal shown in the klist output. Both kvno
> numbers should be the same. If they differ call ipa-getkeytab on the
> server to get a fresh keytab. Please note that you have to call kdestroy
> and kinit on the client to remove the old now invalid ticket from the
> client's credential cache.
>
> HTH
>
> bye,
> Sumit

Following those directions, I ran into some issues but I think I may have
just interpreted them wrong. Klist lists 4 principals all with the same
name and kvno on that server. Shouldn't there be just one?

Also, when running kvno as root, I get back an error. I had to kinit
first. I got this even on a server that was working though so I assume
that step was skipped above.
[root at fe1 home]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/fe1.ipadomain.net at IPADOMAIN.NET
   1 host/fe1.ipadomain.net at IPADOMAIN.NET
   1 host/fe1.ipadomain.net at IPADOMAIN.NET
   1 host/fe1.ipadomain.net at IPADOMAIN.NET
[root at fe1 home]# kvno host/fe1.ipadomain.net at IPADOMAIN.NET
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client principal name
[root at fe1 home]# kinit username
Password for username at IPADOMAIN.NET:
[root at fe1 home]# kvno host/fe1.ipadomain.net at IPADOMAIN.NET
host/fe1.ipadomain.net at IPADOMAIN.NET: kvno = 1

From simo at redhat.com Wed Jun 17 16:59:29 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 17 Jun 2015 12:59:29 -0400
Subject: [Freeipa-users] Cannot login with GSSAPI to IPA client
In-Reply-To:
References: <679b622289ae76684f6920ee8d01f8a5.squirrel@webmail.nathanpeters.com> <20150617074247.GN3616@p.redhat.com>
Message-ID: <1434560369.2716.54.camel@willson.usersys.redhat.com>

On Wed, 2015-06-17 at 09:17 -0700, nathan at nathanpeters.com wrote:
> > On Tue, Jun 16, 2015 at 04:32:31PM -0700, nathan at nathanpeters.com wrote:
> >> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
> >> 1.11.6-30. The server is CentOS 7 / IPA 4.1.3
> >>
> >> When I try to log in using MIT kerberos and a valid ticket it works on
> >> one client, and fails on the other. I have compared the /etc/krb5.conf,
> >> /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients
> >> and they are identical (other than the hostnames). I can't seem to find
> >> any other difference between the clients.
> >>
> >> Password authentication works on both machines.
> >>
> >> Here is the debug log of the failed login machine (sshd)
> >>
> >> I think the relevant line is the very last one where it postpones the
> >> login for some reason
> >>
> >> Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2
> >
> > This message is in the other log as well and I think this is ok.
> >
> > Have you checked if the keytab on the host with the issue has the latest key
> > version?
> >
> > To check, call 'klist -k' as root on the server and then call 'kvno
> > host/...' with the principal shown in the klist output. Both kvno
> > numbers should be the same. If they differ, call ipa-getkeytab on the
> > server to get a fresh keytab. Please note that you have to call kdestroy
> > and kinit on the client to remove the old, now invalid ticket from the
> > client's credential cache.
> >
> > HTH
> >
> > bye,
> > Sumit
>
> Following those directions, I ran into some issues but I think I may have
> just interpreted them wrong. Klist lists 4 principals all with the same
> name and kvno on that server. Shouldn't there be just one?

Use the -e flag; you will see each of them is for a different algorithm.
(Each key is derived differently based on the specific algorithm supported.)

We should probably stop requesting all keys and just get one AES key for
most cases, as that's the only one we really want to use anyway.

> Also, when running kvno as root, I get back an error. I had to kinit
> first. I got this even on a server that was working though so I assume
> that step was skipped above.
>
> [root at fe1 home]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    1 host/fe1.ipadomain.net at IPADOMAIN.NET
>    1 host/fe1.ipadomain.net at IPADOMAIN.NET
>    1 host/fe1.ipadomain.net at IPADOMAIN.NET
>    1 host/fe1.ipadomain.net at IPADOMAIN.NET
> [root at fe1 home]# kvno host/fe1.ipadomain.net at IPADOMAIN.NET
> kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting
> client principal name
> [root at fe1 home]# kinit username
> Password for username at IPADOMAIN.NET:
> [root at fe1 home]# kvno host/fe1.ipadomain.net at IPADOMAIN.NET
> host/fe1.ipadomain.net at IPADOMAIN.NET: kvno = 1

This is normal, you can obtain a ticket (that's what kvno does) only if
you have a TGT (which is stored in the Credentials Cache).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From npmccallum at redhat.com Wed Jun 17 17:16:37 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Wed, 17 Jun 2015 13:16:37 -0400
Subject: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
In-Reply-To:
References: <1434551403.2815.4.camel@redhat.com>
Message-ID: <1434561397.2815.15.camel@redhat.com>

The change that you made might break other things.

On Wed, 2015-06-17 at 22:45 +0530, Prashant Bapat wrote:
> Hi Nathaniel,
>
> I think your patch should work. Please give me a day to test and
> confirm.
>
> However, I changed this section in otptoken.py:
>
>         StrEnum('ipatokenotpalgorithm?',
>             cli_name='algo',
>             label=_('Algorithm'),
>             doc=_('Token hash algorithm'),
>             default=u'sha1',
>             autofill=True,
>             flags=('no_update'),
>             values=(u'sha1', u'sha256', u'sha384', u'sha512'),
>         )
>
> to
>
>         StrEnum('ipatokenotpalgorithm?',
>             cli_name='algo',
>             label=_('Algorithm'),
>             doc=_('Token hash algorithm'),
>             default=u'SHA1',
>             autofill=True,
>             flags=('no_update'),
>             values=(u'SHA1', u'SHA256', u'SHA384', u'SHA512'),
>         )
>
> And the Google Authenticator installed on an iPhone was able to scan
> the QR code and work as expected.
>
> Thanks for looking into this.
>
> Regards.
> --Prashant
>
> On 17 June 2015 at 20:00, Nathaniel McCallum wrote:
> > Prashant,
> >
> > I have proposed a patch for the issue:
> > https://www.redhat.com/archives/freeipa-devel/2015-June/msg00505.html
> >
> > Please test it and let me know if it works for you.
> >
> > Nathaniel
> >
> > On Wed, 2015-06-17 at 12:35 +0530, Prashant Bapat wrote:
> > > Simo is right! This issue is the same as
> > > https://fedorahosted.org/freeipa/ticket/5047
> > >
> > > If I change the algorithm in the otp url to uppercase it scans in
> > > Google authenticator/iPhone.
> > >
> > > Furthermore I manually edited the
> > > /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py and uppercased
> > > the 'sha' to 'SHA' in a test VM and it works as expected. I hate to do
> > > this in the production server though.
> > >
> > >
> > > On 12 June 2015 at 23:32, Prashant Bapat wrote:
> > > > Hi,
> > > >
> > > > Has anyone seen this? When a user tries to scan the QR code he
> > > > gets a message saying "invalid barcode". This happens only with
> > > > iPhone + Google Authenticator.
> > > >
> > > > Thanks for your help.
> > > >
> > > > --Prashant
> > > >
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >

From prashant at apigee.com Wed Jun 17 17:15:11 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 17 Jun 2015 22:45:11 +0530
Subject: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
In-Reply-To: <1434551403.2815.4.camel@redhat.com>
References: <1434551403.2815.4.camel@redhat.com>
Message-ID:

Hi Nathaniel,

I think your patch should work. Please give me a day to test and confirm.

However, I changed this section in otptoken.py:

        StrEnum('ipatokenotpalgorithm?',
            cli_name='algo',
            label=_('Algorithm'),
            doc=_('Token hash algorithm'),
            default=u'sha1',
            autofill=True,
            flags=('no_update'),
            values=(u'sha1', u'sha256', u'sha384', u'sha512'),
        )

to

        StrEnum('ipatokenotpalgorithm?',
            cli_name='algo',
            label=_('Algorithm'),
            doc=_('Token hash algorithm'),
            default=u'SHA1',
            autofill=True,
            flags=('no_update'),
            values=(u'SHA1', u'SHA256', u'SHA384', u'SHA512'),
        )

And the Google Authenticator installed on an iPhone was able to scan the QR
code and work as expected.

Thanks for looking into this.

Regards.
--Prashant

On 17 June 2015 at 20:00, Nathaniel McCallum wrote:

> Prashant,
>
> I have proposed a patch for the issue:
> https://www.redhat.com/archives/freeipa-devel/2015-June/msg00505.html
>
> Please test it and let me know if it works for you.
>
> Nathaniel
>
> On Wed, 2015-06-17 at 12:35 +0530, Prashant Bapat wrote:
> > Simo is right! This issue is the same as
> > https://fedorahosted.org/freeipa/ticket/5047
> >
> > If I change the algorithm in the otp url to uppercase it scans in
> > Google authenticator/iPhone.
> >
> > Furthermore I manually edited the
> > /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py and uppercased
> > the 'sha' to 'SHA' in a test VM and it works as expected.
> > I hate to do this in the
> > production server though.
> >
> >
> > On 12 June 2015 at 23:32, Prashant Bapat wrote:
> > > Hi,
> > >
> > > Has anyone seen this? When a user tries to scan the QR code he
> > > gets a message saying "invalid barcode". This happens only with
> > > iPhone + Google Authenticator.
> > >
> > > Thanks for your help.
> > >
> > > --Prashant
> > >
>

From nathan at nathanpeters.com Wed Jun 17 17:44:39 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Wed, 17 Jun 2015 10:44:39 -0700
Subject: [Freeipa-users] Cannot login with GSSAPI to IPA client
In-Reply-To: <20150617074247.GN3616@p.redhat.com>
References: <679b622289ae76684f6920ee8d01f8a5.squirrel@webmail.nathanpeters.com> <20150617074247.GN3616@p.redhat.com>
Message-ID: <9b4beb1800351ed45a226fe894f688a9.squirrel@webmail.nathanpeters.com>

> On Tue, Jun 16, 2015 at 04:32:31PM -0700, nathan at nathanpeters.com wrote:
>> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
>> 1.11.6-30. The server is CentOS 7 / IPA 4.1.3
>>
>> When I try to log in using MIT kerberos and a valid ticket it works on
>> one
>> client, and fails on the other. I have compared the /etc/krb5.conf,
>> /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients
>> and
>> they are identical (other than the hostnames). I can't seem to find any
>> other difference between the clients.
>>
>> Password authentication works on both machines.
>>
>> Here is the debug log of the failed login machine (sshd)
>>
>> I think the relevant line is the very last one where it postpones the
>> login for some reason
>>
>> Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2
>
> This message is in the other log as well and I think this is ok.
>
> Have you checked if the keytab on the host with the issue has the latest key
> version?
>
> To check, call 'klist -k' as root on the server and then call 'kvno
> host/...' with the principal shown in the klist output. Both kvno
> numbers should be the same. If they differ, call ipa-getkeytab on the
> server to get a fresh keytab. Please note that you have to call kdestroy
> and kinit on the client to remove the old, now invalid ticket from the
> client's credential cache.
>
> HTH
>
> bye,
> Sumit

It turns out this was something really basic. We had multiple DNS entries
for this host, and the reverse entry did not match the DNS name I was
connecting to the host with.

From piotr.baranowski at osec.pl Wed Jun 17 18:59:30 2015
From: piotr.baranowski at osec.pl (Piotr Baranowski)
Date: Wed, 17 Jun 2015 20:59:30 +0200 (CEST)
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
In-Reply-To: <1529614567.428032.1434552324622.JavaMail.zimbra@osec.pl>
References: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl> <20150617121502.GA24163@redhat.com> <826543504.426052.1434544159397.JavaMail.zimbra@osec.pl> <20150617135159.GE24163@redhat.com> <1546736798.427432.1434549477229.JavaMail.zimbra@osec.pl> <20150617142111.GG24163@redhat.com> <1529614567.428032.1434552324622.JavaMail.zimbra@osec.pl>
Message-ID: <2039944675.429042.1434567570292.JavaMail.zimbra@osec.pl>

----- On 17 Jun 2015 at 16:45, Piotr Baranowski piotr.baranowski at osec.pl wrote:

> ----- On 17 Jun 2015 at 16:21, Alexander Bokovoy abokovoy at redhat.com wrote:
>
>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>> ----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:
>>>
>>>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Alexander Bokovoy"
>>>>>> So you have two different certificates in use here and your client
>>>>>> doesn't know about the other certificate (from your proxy). You need
>>>>>> either to deliver that certificate to the client by yourself or change
>>>>>> your proxying technology to something different.
>>>>>>
>>>>>> For example, you can use sniproxy which doesn't require an in-the-middle
>>>>>> certificate. https://github.com/dlundquist/sniproxy
>>>>>
>>>>> Thanks for that hint. I'll have a look at that.
>>>>>
>>>>> However I have an idea:
>>>>> If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>>>> mod_ssl that probably could solve the issue.
>>>>>
>>>>> Right?
>>>> Sort of. Now you would have an issue of maintaining the certificate in
>>>> multiple locations which would make rotation of it "interesting", so to
>>>> say.
>>>
>>> Those would be only TWO certificates to manage. What's the challenge here?
>> FreeIPA uses certmonger to rotate certificates when time approaches
>> their expiration. Certmonger requests a new certificate from the CA. In
>> case you copied the certificate to some other server, you would need to
>> manually maintain the other copy and there will be a period when the IPA
>> webserver's certificate would already be rotated but yours isn't.
>>
>> Setting certmonger to rotate the same certificate from two locations
>> wouldn't work.
>>
>> I'm not saying it is hard, just that you should know what you are
>> dealing with and accept a window of blackout.
>
> Good to know that.
> Thanks for the heads-up.
>
> I already exported the IPA CA cert, Server-Cert cert/key.
> I'll have to wait until the maintenance window before I reload my apache.
>
> Will keep you posted if that solved the problem.

So, the challenge was really not that difficult.
I guess some of you may want to know how to do that and what the benefits are.
So firstly your ipa can be nicely hidden in the DMZ and its access can be nicely
controlled/proxied (mod_security anyone???)

As I mentioned in the original email, tcp/udp traffic to IPA is DNATed using
firewalld. The http/https traffic is proxied using mod_proxy/mod_ssl.

The first part can be achieved on CentOS7.1/RHEL 7.1 like this:
(assuming PUBLIC is your external network and 10.20.30.40 is the IP of the IPA Server)

firewall-cmd --zone=public --add-forward-port=port=389:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=636:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=53:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=53:proto=udp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=123:proto=udp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=88:proto=udp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=88:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=464:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=464:proto=udp:toaddr=10.20.30.40

If, like in my case, your perimeter server acts as an actual webserver and needs
to proxy the http/https requests, you may set up a name-based vhost to pass
traffic to the target ipa server.

ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://10.20.30.40/ timeout=300 keepalive=On
ServerName ipa.fqdn.tld

SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/pki/tls/certs/freeipa.crt
SSLCertificateKeyFile /etc/pki/tls/private/freeipa.key
SSLCACertificateFile /etc/pki/tls/certs/freeipa-ca.crt
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / https://10.20.30.40/ timeout=300 keepalive=On
ServerName ipa.fqdn.tld

The actual IPA uses NSS (mod_nss) while the proxy server runs using mod_ssl.
It is necessary to extract the CA cert, server key and server crt from IPA and
plant them on the proxy host.
First check the nicknames of the certs in the NSS database:

certutil -L -d /etc/httpd/alias/

Extract the IPA Server Cert:

certutil -L -d /etc/httpd/alias/ -a -n 'Server-Cert' > ipa.crt

Extract the IPA Server private key:

pk12util -o ipakey.p12 -n 'Server-Cert' -d /etc/httpd/alias/

Extract the IPA CA cert:

certutil -L -d /etc/httpd/alias/ -a -n 'YOURREALM.TLD IPA CA' > ipa-ca.crt

Convert the private key:

openssl pkcs12 -in ipakey.p12 -out ipa.key -nodes

Transfer the files to the appropriate locations on the proxy server
(/etc/pki/tls/{certs,private} most likely).

apachectl configtest on the proxy server

If it validates, feel free to restart apache to apply the changes.

The client systems connecting from PUBLIC networks can successfully execute
ipa-client-install as well as access the IPA WebUI.

It works for me, I'll be happy to see your criticism if my little hack has a
weak point.

Best regards
Piotr Baranowski

From rcritten at redhat.com Wed Jun 17 21:00:11 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Jun 2015 17:00:11 -0400
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <55817E38.6040402@gmail.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com> <558173E2.9020306@gmail.com> <5581746B.4080604@redhat.com> <55817E38.6040402@gmail.com>
Message-ID: <5581DFDB.1090600@redhat.com>

Janelle wrote:
> On 6/17/15 6:21 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>>>> Janelle wrote:
>>>>> Hi,
>>>>>
>>>>> Had a server - named ipa001.example.com -- it was a replica. It
>>>>> died. It
>>>>> was re-installed. However, prior to the re-install it was saying the
>>>>> wonderful:
>>>>>
>>>>> TLS error -8172:Peer's certificate issuer has been marked as not
>>>>> trusted
>>>>> by the user.
>>>>>
>>>>> It was rebuilt - new OS and doing a brand new ipa-server-install
>>>>> (NOT a
>>>>> replica or trying to join it back in to the existing ring of servers)
>>>>> and at the end of the ipa-server-install - it gives:
>>>>>
>>>>> Done.
>>>>> Restarting the directory server
>>>>> Restarting the KDC
>>>>> Restarting the certificate server
>>>>> Restarting the web server
>>>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>>>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>>>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>>>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>>>>> exit status 1
>>>>> Configuration of client side components failed!
>>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>>>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>>>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>>>>> 'ipa001.example.com'' returned non-zero exit status 1
>>>>>
>>>>> and checking /var/log/ipaclient-install.log - the exact same TLS
>>>>> error????
>>>>>
>>>>> But this is a brand new system, with brand new OS and the install was
>>>>> ipa-server-install to install a clean server.
>>>>>
>>>>> I don't understand how this is happening. There is no "peer" to be not
>>>>> trusted?
>>>>
>>>> What version of IPA and distro? (I don't think that probably has
>>>> anything to do with it, just curious in case it does eventually
>>>> matter).
>>>>
>>>> What does /etc/openldap/ldap.conf look like? Normally it should have
>>>> TLS_CACERT /etc/ipa/ca.crt
>>>>
>>>> Any chance you can share the server and client install logs?
>>>>
>>>> rob
>>> 4.1.4 = IPA
>>> CentOS 7.1
>>>
>>> Oooh... Found something: /etc/openldap/ldap.conf:
>>>
>>> TLS_CACERTDIR /etc/openldap/certs
>>>
>>> Going to investigate.
>>> ~J
>>>
>>
>> That should be fine assuming there aren't any certs in there (and on a
>> brand new system I'd think you'd have empty NSS databases).
>>
>> rob
> So this gets interesting now...
>
> Say you have 6 IPA servers, named ipa001-ipa006.example.com -- all
> working fine.
> Something happens to 002. It dies. You "ipa-replica-manage del --clean
> --force ipa002" to get rid of it.
>
> A period of time, say a month, goes by. You have lost a couple of other
> replicas for whatever reason, say 3 and 6. You decide you want to
> rebuild. You start with 002 - leaving the others up and running because
> you have users working. You firewall off 002 while you rebuild it.
>
> You reinstall OS, reinstall FreeIPA. But no matter what, when you start
> to configure IPA it comes up with the error of being untrusted. Now, you
> try the same thing on 003 and 006. SAME problem.
>
> For fun - you shutdown 005 and uninstall freeipa --unattended and then
> try to re-install it. Guess what - no issues.
>
> Is this somehow related to:
> Same domain and realm names floating around the net - so is it querying
> for a name somehow and one of the "still running" servers is saying -
> "NO NO NO -- that CERT is revoked!!!" - even though it never tries to
> connect to that server.
>
> Or am I just thinking far too outside the box? And this is exactly what
> has happened. Rebuilding one of the servers that was never REMOVED is
> working just fine.

You just jumped to a completely different scenario: from a fresh
standalone install to a replica install. We should probably pick one and
solve it.

I think the leap you're making is that the issue is that it notices some
previous cert. A revoked service cert wouldn't have any effect as those
service certs aren't in use.

It very well could be finding the "wrong" realm based on DNS SRV records.
The logs should show you what the client discovered. Things happen in
multiple steps so perhaps there is a disconnect where the right server is
used in some, but not all, cases.
rob

From rcritten at redhat.com Wed Jun 17 21:03:39 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Jun 2015 17:03:39 -0400
Subject: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
In-Reply-To: <1546736798.427432.1434549477229.JavaMail.zimbra@osec.pl>
References: <1057119754.425832.1434542945376.JavaMail.zimbra@osec.pl> <20150617121502.GA24163@redhat.com> <826543504.426052.1434544159397.JavaMail.zimbra@osec.pl> <20150617135159.GE24163@redhat.com> <1546736798.427432.1434549477229.JavaMail.zimbra@osec.pl>
Message-ID: <5581E0AB.70102@redhat.com>

Piotr Baranowski wrote:
> ----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:
>
>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>> ----- Original Message -----
>>>> From: "Alexander Bokovoy"
>>>> So you have two different certificates in use here and your client
>>>> doesn't know about the other certificate (from your proxy). You need
>>>> either to deliver that certificate to the client by yourself or change
>>>> your proxying technology to something different.
>>>>
>>>> For example, you can use sniproxy which doesn't require an in-the-middle
>>>> certificate. https://github.com/dlundquist/sniproxy
>>>
>>> Thanks for that hint. I'll have a look at that.
>>>
>>> However I have an idea:
>>> If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>> mod_ssl that probably could solve the issue.
>>>
>>> Right?
>> Sort of. Now you would have an issue of maintaining the certificate in
>> multiple locations which would make rotation of it "interesting", so to
>> say.
>
> Those would be only TWO certificates to manage. What's the challenge here?

When the cert on the IPA master expires it will be automatically renewed
by certmonger. When the cert on your reverse proxy expires all requests
will be denied due to an expired cert until you pull the updated cert
from the IPA master and put it onto the proxy server and restart.
In other words, two years from now, at 3 in the morning on a Sunday (it's
always Sunday) it will expire and lots of things will break first thing
Monday morning, before your coffee.

rob

From randall.harrison91 at gmail.com Thu Jun 18 02:07:21 2015
From: randall.harrison91 at gmail.com (Randall Harrison)
Date: Wed, 17 Jun 2015 19:07:21 -0700
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
In-Reply-To: <558172D6.1000200@redhat.com>
References: <558172D6.1000200@redhat.com>
Message-ID:

Hey Rob,

I tried the install again with Java 1.7 and no joy. Do you recommend a
clean install with 1.7?

On Jun 17, 2015 6:15 AM, "Rob Crittenden" wrote:

> Randall Harrison wrote:
>
>> Hello freeipa!
>>
>> I am having difficulty installing freeipa on a freshly installed
>> CentOS6.6 box. I have not had this problem on previous CentOS releases,
>> and it installed with no problems on a CentOS7.1 box.
>>
>> Here is a list of steps I took to install:
>>
>> 1.) Disable SElinux and IPtables (for testing purposes only)
>> 2.) reboot
>> 3.) yum update
>> 4.) reboot
>> 5.) yum install ipa-server bind bind-dyndb-ldap
>> 6.) ipa-server-install --setup-dns
>> 7.) the install script errors out
>>
>> I have attached the ipa-server install log and pki-ca log.
>>
>> All help is appreciated!
>>
>> Randy
>>
>>
>>
> Can you see what version of java is installed? You want 1.7.x and not
> 1.8.x.
>
> rob
>

From rcritten at redhat.com Thu Jun 18 02:26:21 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Jun 2015 22:26:21 -0400
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
In-Reply-To:
References: <558172D6.1000200@redhat.com>
Message-ID: <55822C4D.1090600@redhat.com>

Randall Harrison wrote:
> Hey Rob,
>
> I tried the install again with Java 1.7 and no joy. Do you recommend a
> clean install with 1.7?

Be sure the CA is completely uninstalled.
The installer sometimes doesn't record that a CA has been partially
installed, causing the uninstall to skip it, which causes subsequent
installs to fail.

Do this:

# ipa-server-install --uninstall
# /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

Then try the install again.

rob

>
> On Jun 17, 2015 6:15 AM, "Rob Crittenden" wrote:
>
>     Randall Harrison wrote:
>
>         Hello freeipa!
>
>         I am having difficulty installing freeipa on a freshly installed
>         CentOS6.6 box. I have not had this problem on previous CentOS
>         releases,
>         and it installed with no problems on a CentOS7.1 box.
>
>         Here is a list of steps I took to install:
>
>         1.) Disable SElinux and IPtables (for testing purposes only)
>         2.) reboot
>         3.) yum update
>         4.) reboot
>         5.) yum install ipa-server bind bind-dyndb-ldap
>         6.) ipa-server-install --setup-dns
>         7.) the install script errors out
>
>         I have attached the ipa-server install log and pki-ca log.
>
>         All help is appreciated!
>
>         Randy
>
>
>
>     Can you see what version of java is installed? You want 1.7.x and
>     not 1.8.x.
>
>     rob
>

From Alexander.Frolushkin at megafon.ru Thu Jun 18 05:26:45 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Thu, 18 Jun 2015 05:26:45 +0000
Subject: [Freeipa-users] replication conflicts
In-Reply-To: <55816AA9.6020808@redhat.com>
References: <95dd9f2f1b2a4bef973221b801dddee6@sib-ums03.Megafon.ru> <557FF1BA.9040503@redhat.com> <5b0d853346b1478fa3d0aa34223944b7@sib-ums03.Megafon.ru> <55813698.3040808@redhat.com> <71690d00f91d4ce4bf55eb9d572c5704@sib-ums03.Megafon.ru> <55813A84.8030809@redhat.com> <7fef9252834a49f789de38761a50a714@sib-ums03.Megafon.ru> <558141C1.4020003@redhat.com> <55814365.6060208@redhat.com> <98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru> <5581478A.5050408@redhat.com> <55814D66.7000103@redhat.com> <8d95d0d3193641ffb200e897b68d2083@sib-ums03.Megafon.ru> <55815B20.9000805@redhat.com> <55816514.6070601@redhat.com> <6a9ee184a0a549eab53054c5d71beb73@sib-ums03.Megafon.ru> <55816AA9.6020808@redhat.com>
Message-ID: <15df3e1fc1b0421f9f6cea2e7f93e240@sib-ums03.Megafon.ru>

Hello!

Thanks, currently I'm trying to re-initialize all our replicas, hope this will fix most issues.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 6:40 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 02:27 PM, Alexander Frolushkin wrote:

Except:
"unable to decode: {replica 22} 5576b83e000200160000 5576ba4b000200160000
unable to decode: {replica 20} 55716e57000300140000 55716e57000300140000
unable to decode: {replica 16} 548a8126000000100000 548a8126000000100000
unable to decode: {replica 24} 557fb7d4000400180000 557fb9a1001000180000
unable to decode: {replica 21} 5576ac96000000150000 5576b52e000200150000"
records, all replicas are unique and have corresponding id's.
The total number of not "unable to decode" servers is equal to the real number of replicas in the domain.

I can confirm some of the cleanallruv processes were not finished correctly after some replica removals.

Slapd on replica id 10 was last restarted yesterday at 15:05 server local time.

It was restarted 16/Jun/2015:15:05 and sent the update one day after!

[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000

Maybe it was very, very slow.

The same question: may it help if tomorrow I re-initialize all replicas from our relatively good-conditioned site?

If you reinit all replicas, it will clear their CL so such very old updates will no longer exist.
Now if there exists a very slow replica (like replica10) that holds its updates for long before replicating, then it increases the possibility of creating conflicts.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 6:16 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 01:38 PM, Alexander Frolushkin wrote:

Ok, I'll try this soon, thank you!

Also, please note, most of today's dups appeared when 4 of 19 servers were very busy in IO (all our servers are VMs), because dirsrv debug was enabled to gather logs for our case about attrlist_replace - attr_replace (nsslapd-referral, ldap://xxx-rhidm0x.unix.megafon.ru:389/o%3Dipaca) failed.

This message comes if you have a duplicated ReplicaID. 'list-ruv' would show you the same url appearing several times with different RIDs.

To be back on the original problem (dup), I wonder if it is not related to cleanruv/corrupted RUV.
A new replica26 is created and is initialized from a master and it does not contain entry 555ac936000000140000.
That allows the creation of 5580f3210000001a0000.
Then replica10 sends 555ac936000000140000 to replica26. That means that the changelog/ruv of replica10 contained that update, so either cleanallruv20 did not happen on replica10 or it failed to clean its CL.

Replica10 has a very old update that was not known from the master used to init replica26.
Was replica10 restarted recently?

thanks
thierry

errors

Also during collection some of the dirsrv instances hung and were restarted.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 5:34 PM
To: Alexander Frolushkin (SIB)
Cc: 'thierry bordaz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 12:57 PM, Alexander Frolushkin wrote:

Unfortunately, the number of duplicates grows dramatically on most sites. Some servers already have over 40 duplicates.
Could you please say, may I use re-initialize on a failing replica from the good one to fix this?

If you have a good one, this should work, "dups" are only created when a replicated ADD is received for an existing entry. But what really puzzles me is that you do not have them on all servers, something weird seems to happen, this entry seems to exist with several replicaids, and why would replica 10 replicate this 4 hrs after the replica installation.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 4:35 PM
To: Alexander Frolushkin (SIB)
Cc: 'thierry bordaz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

conn=237 is from 10.99.75.82 which replica is this?

On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:

This is not good news, because replica id 20 has not existed for some days already.
It was recreated and now has id 23

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 4:10 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:

Will this be enough?

# grep "conn=237 op=93" ./access
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0 etime=0 csn=555ac936000000140000

This operation is a replicated one and the CSN is from May 19th. So why was a replica (26) created today initialized without that entry?
This update originated from replica20. Was it stopped and restarted recently?

# grep "conn=293" ./access
[17/Jun/2015:15:33:04 +0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to 10.61.8.2
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru at unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 3:53 PM
To: thierry bordaz
Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/17/2015 11:45
AM, thierry bordaz wrote:
On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
This was a usual "ipa-replica-install --setup-ca --setup-dns" and after that ipa-adtrust-install.
No DEL found:

# grep "cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" ./access
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru" scope=0 filter="(objectClass=*)" attrs="ipaPermRight ipaPermTargetFilter ipaPermBindRuleType ipaPermissionType cn objectClass memberOf member ipaPermTarget ipaPermDefaultAttr ipaPermLocation ipaPermIncludedAttr ipaPermExcludedAttr"
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

There is something I miss. conn=2 op=91 was a direct update on replica26 (not replicated) because it received its own CSN=5580f3210000001a0000. But it created a conflict entry, so at that time the same entry existed (the one created 20150408070720Z). So the direct update should have been rejected.

I think the search in op=89 did not return an entry, so it was added in op 91, that seems to be ok, but then 4 hrs later there is conn=237 adding it again.
Alexander, could you get the complete 'conn=237 op=93' and also the start of conn 293, to show where the connection comes from

Would you check if the replicaID=26 is unique in the topology (list-ruv for example) ?

[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn="cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"

It is also possible this entry on affected servers was previously duplicated and the delete was not correctly handled (the more recent dup was deleted).
Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, June 17, 2015 3:15 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hello Alexander,

How did you initialize that new replica 26. Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to replica12.
Would you check in replica26 access logs if that entry was deleted ?

thanks
theirry

On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
This is correct, thank you for understanding and for helping!
Replica with id 26 was created today, this is our new server which was included in the domain just a few hours ago. Looks like this dup came right after this new replica creation.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: Wednesday, June 17, 2015 2:58 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

Hi,

you did send the data directly to me, maybe not wanting to share them with everyone. I'll continue the discussion here, trying to be careful.

The "good" entry was created in April on replica 12 "0x0c"
createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z

the "nsuniqueid" entry was created today on replica 26 "0x1a"
createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z

if the original entry had existed on replica26 the new add should have been rejected, if it was not there the question is why. Do you have any additional info on replica 26, when was it created, was it disconnected for some time ??

Ludwig

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
Hello.
Another example. Today appeared on servers of a different site.
Original LDIF:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Duplicate:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermDefaultAttr: krbprincipalkey
ipaPermDefaultAttr: krblastpwdchange
ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

No other servers in the IPA domain have such duplicates.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
Hello.
Just to remind, if somebody is still not familiar with our IPA installation :)
We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
And now, our new problem.
Regularly we get nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts?

if you are talking about having two "duplicate" entries, one: uid=xxxxx, one: nsuniqueid=nnnnnnnn+uid=xxxxx, these entries appear if the entry uid=xxxxx was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server. to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.
Thanks in forward...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50
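The CSN arithmetic that Ludwig and Thierry do by hand in this thread (5524d42b0067000c0000 is replica 0x0c = 12, 5580f3210000001a0000 is replica 0x1a = 26, 555ac936000000140000 is replica 0x14 = 20 and dates from May 19th) and the nsuniqueid duplicate pairs shown in the LDIF are mechanical enough to script. The following is an added Python example, not code from the thread or from 389-ds/FreeIPA: it splits a 389-ds CSN into its timestamp, sequence number, replica id and subsequence fields, and pairs each nsuniqueid conflict entry in an LDIF export with the DN it collided with, reporting whether the original is present in the same export. The embedded LDIF is a constructed, trimmed copy of the entries quoted above; the handling of the nsds5ReplConflict operational attribute assumes the export was taken with operational attributes included, and DN parsing assumes no escaped ',' or '+' in the RDN.

```python
"""Decode 389-ds CSNs and detect nsuniqueid replication-conflict entries in LDIF."""
import re
from datetime import datetime, timezone

# A 389-ds CSN is 20 hex digits: timestamp(8) seqnum(4) replica-id(4) subseq(4).
CSN_RE = re.compile(r"^([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})$")
NSUNIQUEID_RDN = re.compile(r"^nsuniqueid=[0-9a-f-]+$", re.IGNORECASE)

# Constructed sample, trimmed from the ldapsearch output quoted in the thread.
# Both dn lines are folded the way ldapsearch folds them (continuation = leading space).
SAMPLE_LDIF = """\
# constructed sample
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc
 =ru
ipaPermRight: write
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top

dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff
 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
ipaPermRight: write
cn: System: Manage Host Keytab
objectClass: ipapermission
objectClass: top

# search result
search: 2
result: 0 Success
"""


def parse_csn(csn):
    """Split a CSN into its fields; the replica id tells you which server originated the write."""
    m = CSN_RE.match(csn.strip().lower())
    if not m:
        raise ValueError("not a 389-ds CSN: %r" % csn)
    ts, seq, rid, subseq = (int(x, 16) for x in m.groups())
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"time": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "seq": seq,
            "replica_id": rid, "subseq": subseq}


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts; folded lines are joined, comments dropped.
    Base64 ('::') values are not decoded; the sample contains none."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # LDIF continuation line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:                # drops ldapsearch trailers (search:/result:)
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def original_dn(conflict_dn):
    """Strip the nsuniqueid component from a conflict entry's multi-valued RDN.
    Assumes no escaped ',' or '+' in the RDN (true for IPA permission and user names)."""
    rdn, sep, rest = conflict_dn.partition(",")
    kept = [p for p in rdn.split("+") if not NSUNIQUEID_RDN.match(p)]
    return "+".join(kept) + sep + rest


def find_conflicts(entries):
    """Pair each nsuniqueid conflict entry with the DN it collided with."""
    by_dn = {e["dn"][0]: e for e in entries}
    report = []
    for dn, entry in by_dn.items():
        rdn = dn.partition(",")[0]
        if not any(NSUNIQUEID_RDN.match(p) for p in rdn.split("+")):
            continue
        orig = original_dn(dn)
        # 389-ds also tags conflict entries with the operational attribute
        # "nsds5ReplConflict: namingConflict <original dn>"; prefer it when exported.
        flag = entry.get("nsds5replconflict", [""])[0]
        if flag.startswith("namingConflict "):
            orig = flag[len("namingConflict "):]
        report.append({"conflict": dn, "original": orig,
                       "original_present": orig in by_dn})
    return report


if __name__ == "__main__":
    for csn in ("5524d42b0067000c0000", "5580f3210000001a0000", "555ac936000000140000"):
        print(csn, parse_csn(csn))
    for hit in find_conflicts(parse_ldif(SAMPLE_LDIF)):
        print(hit)
```

Run against a real export (ldapsearch with `+` in the attribute list so nsds5ReplConflict is returned), the replica id from the conflict entry's createTimestamp CSN is what answers Ludwig's question of which server the second ADD was accepted on, and the timestamp field places it on the timeline of the access log.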
From prashant at apigee.com Thu Jun 18 05:46:35 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 18 Jun 2015 11:16:35 +0530
Subject: [Freeipa-users] Changing the SSL certificate for the WebUI
Message-ID:

Hi All,

There is a way to change the certificate for the web UI.

I went with a standard install with a self signed CA etc. Now I want to install a cert from a commercial CA. I don't mind using the IPA CA certs for the 389 DS, just want to change the cert for the UI.

Any pointers on how to do this ?

Thanks.
--Prashant

From Less at imagine-sw.com Thu Jun 18 06:56:40 2015
From: Less at imagine-sw.com (Les Stott)
Date: Thu, 18 Jun 2015 06:56:40 +0000
Subject: [Freeipa-users] CentOS 6.6 Installation Issues
In-Reply-To: <55822C4D.1090600@redhat.com>
References: <558172D6.1000200@redhat.com> <55822C4D.1090600@redhat.com>
Message-ID: <4ED173A868981548967B4FCA2707222628146AB9@AACMBXP04.exchserver.com>

Randall,

Check your apache error logs for any errors and the modules loaded via httpd.conf.
The ipa server log does show that it can reach apache for most things. I had a similar issue not too long ago when trying to install a CA replica on an existing ipa server, which is pretty much the same process that the master server install does. I found that I was missing modules in httpd.conf and errors were popping up about mod_proxy. As it turned out, not having those modules loaded caused the installer to fail. See https://www.redhat.com/archives/freeipa-users/2015-February/msg00041.html for the solution that helped me, hopefully it helps you too. Regards, Les > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Rob Crittenden > Sent: Thursday, 18 June 2015 12:26 PM > To: Randall Harrison; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] CentOS 6.6 Installation Issues > > Randall Harrison wrote: > > Hey Rob, > > > > I tried the install again with Java 1.7 and no joy. Do you recommend a > > clean install with 1.7? > > Be sure the CA is completely uninstalled. The installer sometimes doesn't > record that a CA has been partially installed causing the uninstall to skip it, > which causes subsequent installs to fail. > > Do this: > > # ipa-server-install --uninstal > # /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki- > ca --force > > Then try the install again. > > rob > > > > On Jun 17, 2015 6:15 AM, "Rob Crittenden" > > wrote: > > > > Randall Harrison wrote: > > > > Hello freeipa! > > > > I am having difficulty installing freeipa on a freshly installed > > CentOS6.6 box. I have not had this problem on previous CentOS > > releases, > > and it installed with no problems on a CentOS7.1 box. > > > > Here is a list of steps I took to install: > > > > 1.) Disable SElinux and IPtables (for testing purposes only) > > 2.) reboot > > 3.) yum update > > 4.) reboot > > 5.) yum install ipa-server bind bind-dyndb-ldap > > 6.) ipa-server-install --setup-dns > > 7.) 
the install scrip errors out > > > > I have attached the ipa-server install log and pki-ca log. > > > > All help is appreciated! > > > > Randy > > > > > > > > Can you see what version of java is installed? You want 1.7.x and > > not 1.8.x. > > > > rob > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From Markus.Moj at mc.ingenico.com Thu Jun 18 08:41:01 2015 From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com) Date: Thu, 18 Jun 2015 08:41:01 +0000 Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool Message-ID: Hi @all, I am new to freeIPA operating and are facing an issue with mail object in freeIPA. We are running Jira from Atlassian and are trying to authenticate against freeIPA. The authentication process is running but mail object is not provided by freeIPA to Jira to inform users about new events / trackers or whatsoever. If a test object is displayed with ldapsearch mail attribute is available and set but is not useable by Jira. How is it possibilt to inherit mail accounts in Jira to be able to authenticate and use FreeIPA as IDM for Jira as well as for Liunx systems. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 476 bytes Desc: not available URL: From dbischof at hrz.uni-kassel.de Thu Jun 18 09:09:25 2015 From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de) Date: Thu, 18 Jun 2015 11:09:25 +0200 (CEST) Subject: [Freeipa-users] svnserve authentication against IPA Message-ID: Hi, I have a svnserve (Subversion 1.6.11) running on my IPA server. 
Currently, there's a separate user database with SASL auth:

/etc/sasl2/svn.conf
---
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
---

On a test system, I changed svnserve auth to saslauthd and IPA:

/etc/sasl2/svn.conf
---
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
ldapdb_mech: PLAIN
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
---

/etc/saslauthd.conf
---
ldap_servers: ldaps://localhost/
ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
---

Though this setup basically works and svnserve and IPA are running on the same machine, I'm unhappy with PLAIN and "min-encryption = 0". What would you suggest to improve security/enable encryption in this setup? I considered switching from svnserve to Apache, but that would imply that my users will have to get used to something new.

Mit freundlichen Gruessen/With best regards,
--Daniel.

From rcritten at redhat.com Thu Jun 18 13:33:54 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Jun 2015 09:33:54 -0400
Subject: [Freeipa-users] Changing the SSL certificate for the WebUI
In-Reply-To:
References:
Message-ID: <5582C8C2.8040605@redhat.com>

Prashant Bapat wrote:
> Hi All,
>
> There is a way to change the certificate for the web UI.
>
> I went with a standard install with a self signed CA etc. Now I want to
> install a cert from a commercial CA. I don't mind using the IPA CA certs
> for the 389 DS, just want to change the cert for the UI.
>
> Any pointers on how to do this ?
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP From James.Benson at utsa.edu Thu Jun 18 15:08:45 2015 From: James.Benson at utsa.edu (James Benson) Date: Thu, 18 Jun 2015 10:08:45 -0500 Subject: [Freeipa-users] Issues Message-ID: <5582DEFD.1030900@utsa.edu> Hi all, I'm a fairly advanced user, however, having issues with setting up freeIPA. I've started with Fedora 22 server (both with minimal install and basic install), modified the hosts and hostname file respectively to xx.xx.xx.xx ipa.cloud.local ipa cloud.local and began the install options selected were: no ipa.cloud.local cloud.local CLOUD.LOCAL Directory Manager Password: set IPA admin password: set yes But I always get this error: CA did not start in 300.0s I've modified the /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to increase the timeout value, but no luck. Suggestions? Thanks, James -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3706 bytes Desc: S/MIME Cryptographic Signature URL: From simo at redhat.com Thu Jun 18 15:28:52 2015 From: simo at redhat.com (Simo Sorce) Date: Thu, 18 Jun 2015 11:28:52 -0400 Subject: [Freeipa-users] Issues In-Reply-To: <5582DEFD.1030900@utsa.edu> References: <5582DEFD.1030900@utsa.edu> Message-ID: <1434641332.2716.77.camel@willson.usersys.redhat.com> On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote: > Hi all, > I'm a fairly advanced user, however, having issues with setting up > freeIPA. 
I've started with Fedora 22 server (both with minimal install > and basic install), modified the hosts and hostname file respectively to > xx.xx.xx.xx ipa.cloud.local ipa > cloud.local > and began the install options selected were: > no > ipa.cloud.local > cloud.local > CLOUD.LOCAL > Directory Manager Password: set > IPA admin password: set > yes > > But I always get this error: > CA did not start in 300.0s > > > I've modified the > /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to > increase the timeout value, but no luck. > > Suggestions? What pki-base package version do you have installed ? Simo. -- Simo Sorce * Red Hat, Inc * New York From James.Benson at utsa.edu Thu Jun 18 15:47:01 2015 From: James.Benson at utsa.edu (James Benson) Date: Thu, 18 Jun 2015 10:47:01 -0500 Subject: [Freeipa-users] Issues In-Reply-To: <1434641332.2716.77.camel@willson.usersys.redhat.com> References: <5582DEFD.1030900@utsa.edu> <1434641332.2716.77.camel@willson.usersys.redhat.com> Message-ID: <5582E7F5.6080006@utsa.edu> Freeipa 4.1.4 On 06/18/2015 10:28 AM, Simo Sorce wrote: > On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote: >> Hi all, >> I'm a fairly advanced user, however, having issues with setting up >> freeIPA. I've started with Fedora 22 server (both with minimal install >> and basic install), modified the hosts and hostname file respectively to >> xx.xx.xx.xx ipa.cloud.local ipa >> cloud.local >> and began the install options selected were: >> no >> ipa.cloud.local >> cloud.local >> CLOUD.LOCAL >> Directory Manager Password: set >> IPA admin password: set >> yes >> >> But I always get this error: >> CA did not start in 300.0s >> >> >> I've modified the >> /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to >> increase the timeout value, but no luck. >> >> Suggestions? > > What pki-base package version do you have installed ? > > Simo. > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/pkcs7-signature Size: 3706 bytes Desc: S/MIME Cryptographic Signature URL: From abokovoy at redhat.com Thu Jun 18 15:53:29 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 18 Jun 2015 11:53:29 -0400 (EDT) Subject: [Freeipa-users] Issues In-Reply-To: <5582DEFD.1030900@utsa.edu> References: <5582DEFD.1030900@utsa.edu> Message-ID: <1769794547.4815590.1434642809970.JavaMail.zimbra@redhat.com> ----- Original Message ----- > Hi all, > I'm a fairly advanced user, however, having issues with setting up > freeIPA. I've started with Fedora 22 server (both with minimal install > and basic install), modified the hosts and hostname file respectively to > xx.xx.xx.xx ipa.cloud.local ipa > cloud.local > and began the install options selected were: > no > ipa.cloud.local > cloud.local > CLOUD.LOCAL > Directory Manager Password: set > IPA admin password: set > yes > > But I always get this error: > CA did not start in 300.0s > > > I've modified the > /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to > increase the timeout value, but no luck. > > Suggestions? Is this a VM? Do you have a driver for random number generator added to it? like virtio-rng for libvirtd/kvm. It might well be that the VM struggles to get enough entropy to generate certificates. 
-- 
/ Alexander Bokovoy

From simo at redhat.com Thu Jun 18 15:55:29 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 18 Jun 2015 11:55:29 -0400
Subject: [Freeipa-users] Issues
In-Reply-To: <5582E7F5.6080006@utsa.edu>
References: <5582DEFD.1030900@utsa.edu> <1434641332.2716.77.camel@willson.usersys.redhat.com> <5582E7F5.6080006@utsa.edu>
Message-ID: <1434642929.2716.78.camel@willson.usersys.redhat.com>

On Thu, 2015-06-18 at 10:47 -0500, James Benson wrote:
> Freeipa 4.1.4

Please run rpm -qi pki-base

> On 06/18/2015 10:28 AM, Simo Sorce wrote:
> > On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote:
> >> Hi all,
> >> I'm a fairly advanced user, however, having issues with setting up
> >> freeIPA. I've started with Fedora 22 server (both with minimal install
> >> and basic install), modified the hosts and hostname file respectively to
> >> xx.xx.xx.xx ipa.cloud.local ipa
> >> cloud.local
> >> and began the install options selected were:
> >> no
> >> ipa.cloud.local
> >> cloud.local
> >> CLOUD.LOCAL
> >> Directory Manager Password: set
> >> IPA admin password: set
> >> yes
> >>
> >> But I always get this error:
> >> CA did not start in 300.0s
> >>
> >>
> >> I've modified the
> >> /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to
> >> increase the timeout value, but no luck.
> >>
> >> Suggestions?
> >
> > What pki-base package version do you have installed ?
> >
> > Simo.
> >
>

-- 
Simo Sorce * Red Hat, Inc * New York

From pspacek at redhat.com Thu Jun 18 16:03:27 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 18 Jun 2015 18:03:27 +0200
Subject: [Freeipa-users] Issues
In-Reply-To: <5582DEFD.1030900@utsa.edu>
References: <5582DEFD.1030900@utsa.edu>
Message-ID: <5582EBCF.2020504@redhat.com>

On 18.6.2015 17:08, James Benson wrote:
> Hi all,
> I'm a fairly advanced user, however, having issues with setting up freeIPA.
> I've started with Fedora 22 server (both with minimal install and basic
> install), modified the hosts and hostname file respectively to
> xx.xx.xx.xx ipa.cloud.local ipa
> cloud.local

BTW never ever use .local, otherwise you will have terrible problems in the future.

Please see
http://www.freeipa.org/page/Deployment_Recommendations#DNS
before you start installing your FreeIPA servers and let us know if you have further questions.

Petr^2 Spacek

> and began the install options selected were:
> no
> ipa.cloud.local
> cloud.local
> CLOUD.LOCAL
> Directory Manager Password: set
> IPA admin password: set
> yes
>
> But I always get this error:
> CA did not start in 300.0s
>
>
> I've modified the
> /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to increase
> the timeout value, but no luck.
>
> Suggestions?
>
> Thanks,
>
> James

From James.Benson at utsa.edu Thu Jun 18 20:05:51 2015
From: James.Benson at utsa.edu (James Benson)
Date: Thu, 18 Jun 2015 15:05:51 -0500
Subject: [Freeipa-users] Issues
In-Reply-To: <1769794547.4815590.1434642809970.JavaMail.zimbra@redhat.com>
References: <5582DEFD.1030900@utsa.edu> <1769794547.4815590.1434642809970.JavaMail.zimbra@redhat.com>
Message-ID: <5583249F.3070006@utsa.edu>

This is a virtual machine, rng-tools-5-4.fc22.x86_64 is installed ...
I did just try to create a gpg key and it seemed to have entropy issues... I did however run the commands
$ rngd -W 4096
$ cat /proc/sys/kernel/random/entropy_avail
to fill the entropy up again (previously reporting around 3081), now it is at 4094. gpg works now with no issues; I redid the install but it still failed at the same step.

On 06/18/2015 10:53 AM, Alexander Bokovoy wrote:
>
>
> ----- Original Message -----
>> Hi all,
>> I'm a fairly advanced user, however, having issues with setting up
>> freeIPA.
>> I've started with Fedora 22 server (both with minimal install
>> and basic install), modified the hosts and hostname file respectively to
>> xx.xx.xx.xx ipa.cloud.local ipa
>> cloud.local
>> and began the install options selected were:
>> no
>> ipa.cloud.local
>> cloud.local
>> CLOUD.LOCAL
>> Directory Manager Password: set
>> IPA admin password: set
>> yes
>>
>> But I always get this error:
>> CA did not start in 300.0s
>>
>>
>> I've modified the
>> /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to
>> increase the timeout value, but no luck.
>>
>> Suggestions?
> Is this a VM? Do you have a driver for a random number generator added to it, like virtio-rng for libvirtd/kvm?
> It might well be that the VM struggles to get enough entropy to generate certificates.
>

From abokovoy at redhat.com Thu Jun 18 20:26:02 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 18 Jun 2015 16:26:02 -0400 (EDT)
Subject: [Freeipa-users] Issues
In-Reply-To: <5583249F.3070006@utsa.edu>
References: <5582DEFD.1030900@utsa.edu> <1769794547.4815590.1434642809970.JavaMail.zimbra@redhat.com> <5583249F.3070006@utsa.edu>
Message-ID: <795884174.5193468.1434659162551.JavaMail.zimbra@redhat.com>

----- Original Message -----
> This is a virtual machine, rng-tools-5-4.fc22.x86_64 is installed ...
> I did just try to create a gpg key and it seemed to have entropy
> issues... I did however run the commands
> $ rngd -W 4096
> $ cat /proc/sys/kernel/random/entropy_avail
> to fill the entropy up again (previously reporting around 3081), now it
> is at 4094. gpg works now with no issues; I redid the install but it still
> failed at the same step.

Ok, then you need to provide logs.
IPA's install log is /var/log/ipaserver-install.log; at the end of it there will be the output of our communication with dogtag.
Also dogtag logs in /var/log/pki/.

-- 
/ Alexander Bokovoy

From richard at familjenklar.se Fri Jun 19 05:30:52 2015
From: richard at familjenklar.se (richard)
Date: Fri, 19 Jun 2015 07:30:52 +0200
Subject: [Freeipa-users] stickybits and freeipa
In-Reply-To: <1434459662.2716.8.camel@willson.usersys.redhat.com>
References: <0e1593d891ae5e97c536816431d36bf1@www.familjenklar.se> <1434375281.22266.5.camel@willson.usersys.redhat.com> <95518f99deb608a356cf51bcf98dab3f@www.familjenklar.se> <1434459662.2716.8.camel@willson.usersys.redhat.com>
Message-ID:

Hi,

I found a workaround for this problem. I installed nscd and now it works. I will file a bug report, since the application doesn't perform the get-user-id correctly.

// Richard

2015-06-16 15:01 Simo Sorce wrote:
> On Tue, 2015-06-16 at 14:50 +0200, richard wrote:
>> Hi,
>>
>> I have made a trace with gdb, and this is the output from that.
>> So it looks like the suid user isn't found.
>
> Hi Richard,
> this looks like a bug in the application you are using, as a failure to
> lookup a user (if that is the case), should never end up with a
> segfault.
>
> I would contact that application developer and file a bug with them.
>
> Simo.
>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x08518f44 in utilcuti_GetUsrid(void) ()
>> Missing separate debuginfos, use: debuginfo-install
>> atk-2.10.0-1.fc20.i686 bzip2-libs-1.0.6-9.fc20.i686
>> cairo-1.13.1-0.1.git337ab1f.fc20.i686 expat-2.1.0-7.fc20.i686
>> fontconfig-2.11.0-2.fc20.i686 freetype-2.5.0-5.fc20.i686
>> gdk-pixbuf2-2.30.3-1.fc20.i686 glib2-2.38.2-2.fc20.i686
>> glibc-2.18-16.fc20.i686 gtk2-2.24.24-2.fc20.i686
>> harfbuzz-0.9.27-1.fc20.i686 jbigkit-libs-2.0-10.fc20.i686
>> libX11-1.6.1-1.fc20.i686 libXau-1.0.8-2.fc20.i686
>> libXcomposite-0.4.4-4.fc20.i686 libXcursor-1.1.14-2.fc20.i686
>> libXdamage-1.1.4-4.fc20.i686 libXext-1.3.2-2.fc20.i686
>> libXfixes-5.0.1-2.fc20.i686 libXi-1.7.4-1.fc20.i686
>> libXinerama-1.1.3-2.fc20.i686 libXrandr-1.4.1-2.fc20.i686
>> libXrender-0.9.8-2.fc20.i686 libXxf86vm-1.1.3-2.fc20.i686
>> libdrm-2.4.58-1.fc20.i686 libffi-3.0.13-5.fc20.i686
>> libgcc-4.8.3-7.fc20.i686 libjpeg-turbo-1.3.1-2.fc20.i686
>> libpng-1.6.6-3.fc20.i686 libpng12-1.2.50-6.fc20.i686
>> libselinux-2.2.1-6.fc20.i686 libwayland-client-1.2.0-3.fc20.i686
>> libwayland-server-1.2.0-3.fc20.i686 libxcb-1.9.1-3.fc20.i686
>> mesa-libEGL-10.3.3-1.20141110.fc20.i686
>> mesa-libGL-10.3.3-1.20141110.fc20.i686
>> mesa-libgbm-10.3.3-1.20141110.fc20.i686
>> mesa-libglapi-10.3.3-1.20141110.fc20.i686 pango-1.36.1-3.fc20.i686
>> pcre-8.33-7.fc20.i686 pixman-0.30.0-5.fc20.i686
>> xz-libs-5.1.2-12alpha.fc20.i686 zlib-1.2.8-3.fc20.i686
>> (gdb) bt
>> #0  0x08518f44 in utilcuti_GetUsrid(void) ()
>> #1  0x0839b8a5 in BuildLockInfo(char const *, char, char *, char const *, char *, char const *) ()
>> #2  0x0839dc51 in lock_LockFile(char const *, char, short, char *, char const *, char const *, char const *, char const *, char *, char const *, char *) ()
>> #3  0x083a02c3 in FILE_RESOURCE::DAVLock(JSTRING const &, int) ()
>> #4  0x083c1e34 in ARCHIVE_RESOURCE::Lock(JSTRING const &, int) ()
>> #5  0x0839fd20 in FILE_RESOURCE::DAVDelete(void) ()
>> #6  0x083c17d4 in ARCHIVE_RESOURCE::Delete(void) ()
>> #7  0x083b3854 in Document::Delete(void) ()
>> #8  0x083bdf93 in TMP_OSBUFF::~TMP_OSBUFF(void) ()
>> #9  0x083be1e1 in EXCOML_BUFFER_CHANNEL::~EXCOML_BUFFER_CHANNEL(void) ()
>> #10 0x083ca4db in TEXT_FORMAT_PARSER::~TEXT_FORMAT_PARSER(void) ()
>> #11 0x085270a4 in READ_CHANNEL::READER_NODE::~READER_NODE(void) ()
>> #12 0x085271ab in READ_CHANNEL::~READ_CHANNEL(void) ()
>> #13 0x083bf754 in DOCUMENT_READER::~DOCUMENT_READER(void) ()
>> #14 0x08378100 in TREE_FROM_DOC::~TREE_FROM_DOC(void) ()
>> #15 0x081b2aee in EXECUTECMD::File(PSTRING const &, PSTRING const &) ()
>> #16 0x081b3a4e in EXECUTECMD::Link(PSTRING const &, PSTRING const &) ()
>> #17 0x0825d010 in ECL_COMMAND::OtherExecute(void) ()
>> #18 0x08267be4 in ECL_COMMAND::Execute(EXPR_DICT *) ()
>> #19 0x08247d0e in ECL_REPEAT::Execute(EXPR_DICT *) ()
>> #20 0x082472ed in lang_TreeExecute(ECL_TREE *, EXPR_DICT *) ()
>> #21 0x081af72b in KEY_T::Execute(void) ()
>> #22 0x081b3f26 in EXECUTECMD::Function(PSTRING const &, PSTRING const &, int, JSTRING const &) ()
>> #23 0x08059106 in EXCO::Initiate(void) ()
>> #24 0x0805a355 in EXCO::Edit(void) ()
>> #25 0x080544f5 in main ()
>>
>> // Richard
>>
>> 2015-06-15 15:34 Simo Sorce wrote:
>> > On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
>> >> Hi,
>> >>
>> >> We are about to implement freeipa in our environment.
>> >> During some tests we have discovered problems when we are trying to
>> >> run scripts with the suid bit set.
>> >> It looks like the system is trying to authenticate the suid user
>> >> against freeipa, but since the suid user doesn't have a valid ticket,
>> >> the script will not run.
>> >> I would need some help to get around this problem.
>> >>
>> >> Is it possible to configure a keytab for the suid user so that this
>> >> user always has a valid ticket?
>> >
>> > Hi Richard,
>> > it is unclear to me what problem you are having.
>> >
>> > Can you provide some log or output you receive when running commands
>> > that do not work as you expect ?
>> >
>> > The kernel doesn't really care (nor try) to authenticate users when the
>> > suid bit is set, so there must be some other component involved that is
>> > causing you trouble.
>> >
>> > Simo.

From tompos at martos.bme.hu Fri Jun 19 09:02:48 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Fri, 19 Jun 2015 11:02:48 +0200
Subject: [Freeipa-users] clean-run doesn't work
Message-ID: <5583DAB8.60002@martos.bme.hu>

hi All,

$ ipa-replica-manage list-ruv
unable to decode: {replica 6} 55832e8e000300060000 55832e8e000300060000
ipa31.bph.cxn:389: 8
ipa12.bpo.cxn:389: 5
ipa32.bph.cxn:389: 7
ipa11.bpo.cxn:389: 3
ipa.cxn.com:389: 4

$ ipa-replica-manage clean-ruv 6
unable to decode: {replica 6} 55832e8e000300060000 55832e8e000300060000
Replica ID 6 not found

Background: yesterday I deployed this ldap cluster and migrated users to it. Everything worked fine, except one time I had to recreate the replication, because the process didn't finish successfully (due to a closed firewall port). After the command 'ipa-server-install --uninstall' it worked like a charm.
But now I see the above on the replica master.

In addition, I can see numerous and various errors on other replicas, eg:

[19/Jun/2015:10:53:43 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa.cxn.com:389/o%3Dipaca) failed.

The mailing list archives say that the solution is running clean-ruv.
Thanks,
tamas

From christoph.kaminski at biotronik.com Fri Jun 19 09:12:39 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 19 Jun 2015 11:12:39 +0200
Subject: [Freeipa-users] Antwort: clean-run doesn't work
In-Reply-To: <5583DAB8.60002@martos.bme.hu>
References: <5583DAB8.60002@martos.bme.hu>
Message-ID:

freeipa-users-bounces at redhat.com wrote on 19.06.2015 11:02:48:

> From: Tamas Papp
> To: freeipa-users at redhat.com
> Date: 19.06.2015 11:04
> Subject: [Freeipa-users] clean-run doesn't work
> Sent by: freeipa-users-bounces at redhat.com
>
> hi All,
>
> $ ipa-replica-manage list-ruv
> unable to decode: {replica 6} 55832e8e000300060000 55832e8e000300060000
> ipa31.bph.cxn:389: 8
> ipa12.bpo.cxn:389: 5
> ipa32.bph.cxn:389: 7
> ipa11.bpo.cxn:389: 3
> ipa.cxn.com:389: 4
>
> $ ipa-replica-manage clean-ruv 6
> unable to decode: {replica 6} 55832e8e000300060000 55832e8e000300060000
> Replica ID 6 not found
>
>
>
> Background: yesterday I deployed this ldap cluster and migrated users
> to it. Everything worked fine, except one time I had to recreate the
> replication, because the process didn't finish successfully (due to a
> closed firewall port). After the command 'ipa-server-install
> --uninstall' it worked like a charm.
> But now I see the above on the replica master.
>
>
> In addition, I can see numerous and various errors on other replicas, eg:
>
> [19/Jun/2015:10:53:43 +0200] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa.cxn.com:389/o%3Dipaca) failed.
>
>
> The mailing list archives say that the solution is running
> clean-ruv.
>
>
>
> Thanks,
> tamas
>

for this problem you can see the thread "Haunted servers?" here on the ml. There is a solution from me for this but it doesn't work 100% :/
we have a ticket @Red Hat for this problem (https://access.redhat.com/support/cases/#/case/01429034 if you have RH support). But it is really sad/silly how RH support works (read the whole ticket).
Greetz

From lkrispen at redhat.com Fri Jun 19 09:34:21 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 19 Jun 2015 11:34:21 +0200
Subject: [Freeipa-users] WG: Re: Haunted servers?
In-Reply-To:
References:
Message-ID: <5583E21D.9060503@redhat.com>

Hi Christoph,

bad news. So to summarize, you have a procedure to clean up your env, but once you restart the master the ghosts are back.

I really want to find out where they are coming from, so if you have to restart your server, could you please look up this data after the server is stopped:

dbscan -f /var/lib/dirsrv/slapd-s/db/userRoot/nsuniqueid.db -k =ffffffff-ffffffff-ffffffff-ffffffff -r
=ffffffff-ffffffff-ffffffff-ffffffff
	3

this gives you the RUV ID and you can look it up in the database

[root at elkris scripts]# dbscan -f /var/lib/dirsrv/slapd-/db/userRoot/id2entry.db -K
id 3
	rdn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff
	nsUniqueId: ffffffff-ffffffff-ffffffff-ffffffff
	objectClass: top
	objectClass: nsTombstone
	objectClass: extensibleobject
	nsds50ruv: {replicageneration} 51dc3bac000000640000
	nsds50ruv: {replica 100 ldap://localhost:30522} 557fd541000000640000 557fd9d3000000640000
	nsds50ruv: {replica 200 ldap://localhost:4945} 557fd6e6000000c80000 557fda0e00
......
then check the contents of the changelog:

[root at elkris scripts]# dbscan -f /var/lib/dirsrv/slapd-/changelogdb/ec450682-7c0a11e2-aa0e8005-8430f734_51dc3bac000000640000.db | more

the first entries contain the RUV data:

dbid: 0000006f000000000000
	entry count: 307

dbid: 000000de000000000000
	purge ruv:
		{replicageneration} 51dc3bac000000640000
		{replica 100 ldap://localhost:30522}
		{replica 200 ldap://localhost:30522}

dbid: 0000014d000000000000
	max ruv:
		{replicageneration} 51dc3bac000000640000
		{replica 100} 557fd541000000640000 557fd9d3000000640000
		{replica 200} 557fd6e6000000c80000 557fda0e000000c80000

On 06/12/2015 07:38 AM, Christoph Kaminski wrote:
> I was pleased too early :/ After an ipactl restart of our first
> master (where we re-initialize from) the 'ghost' rids are there again...
>
> I think there is something like a fs backup for dirsrv (changelog?)
> but where?
>
>
>
>
> > we had the same problem (and some more) and yesterday we have
> > successfully cleaned the ghost rids
> >
> > our fix:
> >
> > 1. stop all cleanallruv tasks, if it works with ipa-replica-manage
> > abort-clean-ruv. It hasn't worked here. We have done it manually on
> > ALL replicas with:
> > a) replica stop
> > b) delete all nsds5ReplicaClean from /etc/dirsrv/slapd-HSO/dse.ldif
> > c) replica start
> >
> > 2. prepare on EACH ipa a cleanruv ldif file with ALL ghost rids
> > inside (really ALL from all ipa replicas, we have had some rids only
> > on some replicas...)
> > Example:
> >
> > dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> > changetype: modify
> > replace: nsds5task
> > nsds5task:CLEANRUV11
> >
> > dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> > changetype: modify
> > replace: nsds5task
> > nsds5task:CLEANRUV22
> >
> > dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> > changetype: modify
> > replace: nsds5task
> > nsds5task:CLEANRUV37
> > ...
> >
> > 3. do a "ldapmodify -h 127.0.0.1 -D "cn=Directory Manager" -W -x -f
> > $your-cleanruv-file.ldif" on all replicas AT THE SAME TIME :) we
> > used terminator for it (https://launchpad.net/terminator). You can
> > open multiple shell windows inside one window and send the same
> > commands to all of them at the same time...
> >
> > 4. we have done a re-initialize of each IPA from our first master
> >
> > 5. restart of all replicas
> >
> > we are not sure about points 3 and 4. Maybe they are not
> > necessary, but we have done it.
> >
> > If something fails look at defective LDAP entries in the whole ldap, we
> > have had some entries with 'nsunique-$HASH' after the 'normal' name.
> > We have deleted them.
> >
> > Regards
> > Christoph Kaminski
> >
> >
> >
> >

From sjuhasz at chemaxon.com Fri Jun 19 09:37:12 2015
From: sjuhasz at chemaxon.com (Sandor Juhasz)
Date: Fri, 19 Jun 2015 11:37:12 +0200 (CEST)
Subject: [Freeipa-users] ipa schema-compat, DIT view and replication
Message-ID: <1815684832.134478.1434706632484.JavaMail.zimbra@chemaxon.com>

Hello,

we migrated to centos7.1 and ipa server 4.1.0. DIT view using the schema compat plugin is working on one instance - celebrations. We are using a 4 way cluster of ipa servers. The schema-compat-container does not get replicated. Is there a way - apart from making the change on the replica - to make it work?

Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

From christoph.kaminski at biotronik.com Fri Jun 19 09:48:37 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 19 Jun 2015 11:48:37 +0200
Subject: [Freeipa-users] Antwort: Re: WG: Re: Haunted servers?
In-Reply-To: <5583E21D.9060503@redhat.com>
References: <5583E21D.9060503@redhat.com>
Message-ID:

freeipa-users-bounces at redhat.com wrote on 19.06.2015 11:34:21:

> From: Ludwig Krispenz
> To: freeipa-users at redhat.com
> Date: 19.06.2015 11:35
> Subject: Re: [Freeipa-users] WG: Re: Haunted servers?
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi Christoph,
>
> bad news. So to summarize, you have a procedure to clean up your env,
> but once you restart the master the ghosts are back.
>
> I really want to find out where they are coming from, so if you have
> to restart your server, could you please look up this data after
> the server is stopped:
>
> dbscan -f /var/lib/dirsrv/slapd-s/db/userRoot/nsuniqueid.db -k =ffffffff-ffffffff-ffffffff-ffffffff -r
> =ffffffff-ffffffff-ffffffff-ffffffff
>	3
> this gives you the RUV ID and you can look it up in the database
> [root at elkris scripts]# dbscan -f /var/lib/dirsrv/slapd-/db/userRoot/id2entry.db -K
> id 3
>	rdn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff
>	nsUniqueId: ffffffff-ffffffff-ffffffff-ffffffff
>	objectClass: top
>	objectClass: nsTombstone
>	objectClass: extensibleobject
>	nsds50ruv: {replicageneration} 51dc3bac000000640000
>	nsds50ruv: {replica 100 ldap://localhost:30522} 557fd541000000640000 557fd9d3000000640000
>	nsds50ruv: {replica 200 ldap://localhost:4945} 557fd6e6000000c80000 557fda0e00
> ......
>
> then check the contents of the changelog:
> [root at elkris scripts]# dbscan -f /var/lib/dirsrv/slapd-/changelogdb/ec450682-7c0a11e2-aa0e8005-8430f734_51dc3bac000000640000.db | more
>
> the first entries contain the RUV data:
> dbid: 0000006f000000000000
>	entry count: 307
>
> dbid: 000000de000000000000
>	purge ruv:
>		{replicageneration} 51dc3bac000000640000
>		{replica 100 ldap://localhost:30522}
>		{replica 200 ldap://localhost:30522}
>
> dbid: 0000014d000000000000
>	max ruv:
>		{replicageneration} 51dc3bac000000640000
>		{replica 100} 557fd541000000640000 557fd9d3000000640000
>		{replica 200} 557fd6e6000000c80000 557fda0e000000c80000
>

Meanwhile we have found another place which can be a reason for this problem... see the ldapsearch result at the end of this post (2 ldapsearch outputs, in both there are dead entries).

Info: we have only these IPA hosts:

ipa-2.mgmt.hss.int:389: 44
ipa-1.mgmt.testsystem-homemonitoring.int:389: 45
ipa-1.mgmt.biotronik-homemonitoring.int:389: 35
ipa-1.mgmt.hss.int:389: 38
ipa-1.mgmt.datacenter-homemonitoring.int:389: 40

Please pay attention to the rids. We have used the same names for the new install of ipa. There are a lot of ghost/dead entries with the same name but another rid (smaller)! The problem is, how can we delete them? A simple delete with an ldap browser doesn't work (server is unwilling to perform).

1. ldapsearch output:

ldapsearch -LLL -o ldif-wrap=no -h localhost -p 389 -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replicationagreement"

dn: cn=meToipa-1.mgmt.datacenter-homemonitoring.int,cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config
cn: meToipa-1.mgmt.datacenter-homemonitoring.int
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to ipa-1.mgmt.datacenter-homemonitoring.int
nsDS5ReplicaRoot: dc=hso
nsDS5ReplicaHost: ipa-1.mgmt.datacenter-homemonitoring.int
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaEnabled: on
nsds50ruv: {replicageneration} 548eae68000000040000
nsds50ruv: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528dda5000000280000 55828339000000280000
nsds50ruv: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 55262588000400230000 55827e05000200230000
nsds50ruv: {replica 41 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554092ff000500290000 558275a7001000290000
nsds50ruv: {replica 33 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 55256822000000210000 5582727d000800210000
nsds50ruv: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 55267752000100260000 55826bf8000300260000
nsds50ruv: {replica 43 ldap://ipa-2.mgmt.hss.int:389} 5575712e0003002b0000 558167720002002b0000
nsds50ruv: {replica 11} 55266adc000a000b0000 55266adc000a000b0000
nsds50ruv: {replica 22} 55268293001800160000 55268293001800160000
nsds50ruv: {replica 3} 552644f4000400030000 552644f4000400030000
nsds50ruv: {replica 34} 55682299000e00220000 55682299000e00220000
nsds50ruv: {replica 32} 5526ad3a000000200000 5526ad3a000100200000
nsds50ruv: {replica 37} 552bb156000800250000 552bb156000800250000
nsds50ruv: {replica 39} 552f9a40000000270000 552f9a40000000270000
nsds50ruv: {replica 36} 55781b04000f00240000 55781b04000f00240000
nsds50ruv: {replica 42} 555c97cb0002002a0000 555c97cb0002002a0000
nsruvReplicaLastModified: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 41 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 33 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 43 ldap://ipa-2.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 11} 00000000
nsruvReplicaLastModified: {replica 22} 00000000
nsruvReplicaLastModified: {replica 3} 00000000
nsruvReplicaLastModified: {replica 34} 00000000
nsruvReplicaLastModified: {replica 32} 00000000
nsruvReplicaLastModified: {replica 37} 00000000
nsruvReplicaLastModified: {replica 39} 00000000
nsruvReplicaLastModified: {replica 36} 00000000
nsruvReplicaLastModified: {replica 42} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150619065611Z
nsds5replicaLastUpdateEnd: 20150619065613Z
nsds5replicaChangesSentSinceStartup:: MzU6Mjc5LzEzMDI4NzQwOSAzMzoyLzE1MTIgNDE6NC8wIDQ0OjEzMy8wIDQ1OjE0NC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

dn: cn=meToipa-1.mgmt.hss.int,cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config
cn: meToipa-1.mgmt.hss.int
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to ipa-1.mgmt.hss.int
nsDS5ReplicaRoot: dc=hso
nsDS5ReplicaHost: ipa-1.mgmt.hss.int
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaEnabled: on
nsds50ruv: {replicageneration} 548eae68000000040000
nsds50ruv: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 55267752000100260000 558282f0000f00260000
nsds50ruv: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 55262588000400230000 55826e42000700230000
nsds50ruv: {replica 41 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554092ff000500290000 558275a7001000290000
nsds50ruv: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528dda5000000280000 55826bfb000000280000
nsds50ruv: {replica 33 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 55256822000000210000 5582727d000800210000
nsds50ruv: {replica 43 ldap://ipa-2.mgmt.hss.int:389} 5575712e0003002b0000 558167720002002b0000
nsds50ruv: {replica 3} 552644f4000400030000 552644f4000400030000
nsds50ruv: {replica 34} 55264533000100220000 55682299000e00220000
nsds50ruv: {replica 32} 5526511c000100200000 5526ad3a000100200000
nsds50ruv: {replica 22} 552666ef000800160000 55268293001800160000
nsds50ruv: {replica 11} 552666f10002000b0000 55266adc000a000b0000
nsds50ruv: {replica 37} 5526699a000000250000 552bb156000800250000
nsds50ruv: {replica 39} 5527a503000000270000 552f9a40000000270000
nsds50ruv: {replica 36} 556789b0000100240000 55781b04000f00240000
nsds50ruv: {replica 42} 5540ab460003002a0000 555c97cb0002002a0000
nsruvReplicaLastModified: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 41 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 33 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 43 ldap://ipa-2.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 3} 00000000
nsruvReplicaLastModified: {replica 34} 00000000
nsruvReplicaLastModified: {replica 32} 00000000
nsruvReplicaLastModified: {replica 22} 00000000
nsruvReplicaLastModified: {replica 11} 00000000
nsruvReplicaLastModified: {replica 37} 00000000
nsruvReplicaLastModified: {replica 39} 00000000
nsruvReplicaLastModified: {replica 36} 00000000
nsruvReplicaLastModified: {replica 42} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150619065543Z
nsds5replicaLastUpdateEnd: 20150619065545Z
nsds5replicaChangesSentSinceStartup:: MzU6Mjc0LzEwNzUyMzE0MiA0MDoyLzAgNDQ6MTM0LzAgNDU6MTQ0LzAg
nsds5replicaLastUpdateStatus: 1 Can't acquire busy replica
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

dn: cn=meToipa-1.mgmt.testsystem-homemonitoring.int,cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config
cn: meToipa-1.mgmt.testsystem-homemonitoring.int
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to ipa-1.mgmt.testsystem-homemonitoring.int
nsDS5ReplicaRoot: dc=hso
nsDS5ReplicaHost: ipa-1.mgmt.testsystem-homemonitoring.int
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150619065611Z
nsds5replicaLastUpdateEnd: 20150619065613Z
nsds5replicaChangesSentSinceStartup:: MzU6OC8xMTI2OTM0NDgg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150618105040Z
nsds5replicaLastInitEnd: 20150618105045Z
nsds5replicaLastInitStatus: 0 Total update succeeded

dn: cn=meToipa-2.mgmt.hss.int,cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config
cn: meToipa-2.mgmt.hss.int
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to ipa-2.mgmt.hss.int
nsDS5ReplicaRoot: dc=hso
nsDS5ReplicaHost: ipa-2.mgmt.hss.int
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150619065543Z
nsds5replicaLastUpdateEnd: 20150619065545Z
nsds5replicaChangesSentSinceStartup:: MzU6MTQ3LzEwNTgwMTM5OCA0NToxNDQvMCA=
nsds5replicaLastUpdateStatus: 1 Can't acquire busy replica
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150618101443Z
nsds5replicaLastInitEnd: 20150618101448Z
nsds5replicaLastInitStatus: 0 Total update succeeded

dn: cn=cloneAgreement1-ipa-1.mgmt.biotronik-homemonitoring.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: cloneAgreement1-ipa-1.mgmt.biotronik-homemonitoring.int-pki-tomcat
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: ipa-2.mgmt.biotronik-homemonitoring.int
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-ipa-1.mgmt.biotronik-homemonitoring.int-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaTransportInfo: TLS
description: cloneAgreement1-ipa-1.mgmt.biotronik-homemonitoring.int-pki-tomcat
nsDS5ReplicaCredentials: {DES}5KzfANQ4D19ObvXF7UM6ag==
nsds50ruv: {replicageneration} 548eaeaf000000600000
nsds50ruv: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 552568780000063b0000 5526284d0000063b0000
nsds50ruv: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 552625f20000069a0000 55683c260000069a0000
nsds50ruv: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 55256ba40000069f0000 555b58ce0000069f0000
nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 55256008000005d20000 5525686e000205d20000
nsds50ruv: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 54eca6ed000005730000 55255ff9000105730000
nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 5523c7f1000005d70000 55250ae2000005d70000
nsds50ruv: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 54d350ab0000050f0000 552512a80001050f0000
nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 54bd18cd000004ab0000 551cd0b3000404ab0000
nsds50ruv: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 548eaeb8000000610000 551a8854000500610000
nsds50ruv: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 548eaeb9000100600000 5523b8fd000000600000
nsds50ruv: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 5492f60f0000005b0000 5509812d0006005b0000
nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 5493f9fe000004470000 551cd519000404470000
nsds50ruv: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 54ecb4d30000056e0000 552510e6000d056e0000
nsds50ruv: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 552512b4000005690000 55254886000405690000
nsds50ruv: {replica 1795 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 55262cc3000007030000 552663f3000007030000
nsds50ruv: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 552669f2000006fe0000 552bb124000306fe0000
nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 552677b8000006f90000 555e1690000406f90000
nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 5527a56f000006f40000 5528f6a1000006f40000
nsds50ruv: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528ddd8000006ef0000 5528ddd9000106ef0000
nsds50ruv: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554093bb000806ea0000 555c9bcf000406ea0000
nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 5540aba6000506e50000 5540aba8000506e50000
nsruvReplicaLastModified: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 1390
ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1795 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150618094223Z nsds5replicaLastUpdateEnd: 20150618094223Z nsds5replicaChangesSentSinceStartup:: MTY5MDozLzAg nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 0 nsds5replicaLastInitEnd: 0 dn: cn=masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replicationagreement cn: masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat nsDS5ReplicaRoot: o=ipaca nsDS5ReplicaHost: ipa-1.mgmt.datacenter-homemonitoring.int nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config nsDS5ReplicaBindMethod: Simple nsDS5ReplicaTransportInfo: TLS description: masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat nsDS5ReplicaCredentials: {DES}dRtGWawlVRIa/e6mF9tMHA== nsds50ruv: {replicageneration} 548eaeaf000000600000 nsds50ruv: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 
5528ddd8000006ef0000 5528ddd9000106ef0000 nsds50ruv: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 552625f20000069a0000 55683c260000069a0000 nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 5527a56f000006f40000 5528f6a1000006f40000 nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 552677b8000006f90000 555e1690000406f90000 nsds50ruv: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 552669f2000006fe0000 552bb124000306fe0000 nsds50ruv: {replica 1795 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 55262cc3000007030000 552663f3000007030000 nsds50ruv: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 552568780000063b0000 5526284d0000063b0000 nsds50ruv: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 55256ba40000069f0000 555b58ce0000069f0000 nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 55256008000005d20000 5525686e000205d20000 nsds50ruv: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 54eca6ed000005730000 55255ff9000105730000 nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 5523c7f1000005d70000 55250ae2000005d70000 nsds50ruv: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 54d350ab0000050f0000 552512a80001050f0000 nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 54bd18cd000004ab0000 551cd0b3000404ab0000 nsds50ruv: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 548eaeb8000000610000 551a8854000500610000 nsds50ruv: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 548eaeb9000100600000 5523b8fd000000600000 nsds50ruv: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 5492f60f0000005b0000 5509812d0006005b0000 nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 5493f9fe000004470000 551cd519000404470000 nsds50ruv: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 54ecb4d30000056e0000 552510e6000d056e0000 nsds50ruv: {replica 1385 
ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 552512b4000005690000 55254886000405690000 nsds50ruv: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554093bb000806ea0000 555c9bcf000406ea0000 nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 5540aba6000506e50000 5540aba8000506e50000 nsruvReplicaLastModified: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1795 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 
00000000 nsruvReplicaLastModified: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150619065221Z nsds5replicaLastUpdateEnd: 20150619065223Z nsds5replicaChangesSentSinceStartup:: MTY5MDoxMzQvMCAxNzU1OjQvMCAxNzUwOjE3LzAg nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 0 nsds5replicaLastInitEnd: 0 dn: cn=masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replicationagreement cn: masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat nsDS5ReplicaRoot: o=ipaca nsDS5ReplicaHost: ipa-1.mgmt.hss.int nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config nsDS5ReplicaBindMethod: Simple nsDS5ReplicaTransportInfo: TLS description: masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat nsDS5ReplicaCredentials: {DES}BiZpuJ0lje0K8o5hzsHp6Q== nsds50ruv: {replicageneration} 548eaeaf000000600000 nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 552677b8000006f90000 555e1690000406f90000 nsds50ruv: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 552625f20000069a0000 55683c260000069a0000 nsds50ruv: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 552669f2000006fe0000 552bb124000306fe0000 nsds50ruv: {replica 1795 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 55262cc3000007030000 552663f3000007030000 nsds50ruv: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 552568780000063b0000 5526284d0000063b0000 nsds50ruv: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 55256ba40000069f0000 
555b58ce0000069f0000 nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 55256008000005d20000 5525686e000205d20000 nsds50ruv: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 54eca6ed000005730000 55255ff9000105730000 nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 5523c7f1000005d70000 55250ae2000005d70000 nsds50ruv: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 54d350ab0000050f0000 552512a80001050f0000 nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 54bd18cd000004ab0000 551cd0b3000404ab0000 nsds50ruv: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 548eaeb8000000610000 551a8854000500610000 nsds50ruv: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 548eaeb9000100600000 5523b8fd000000600000 nsds50ruv: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 5492f60f0000005b0000 5509812d0006005b0000 nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 5493f9fe000004470000 551cd519000404470000 nsds50ruv: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 54ecb4d30000056e0000 552510e6000d056e0000 nsds50ruv: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 552512b4000005690000 55254886000405690000 nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 5527a56f000006f40000 5528f6a1000006f40000 nsds50ruv: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528ddd8000006ef0000 5528ddd9000106ef0000 nsds50ruv: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554093bb000806ea0000 555c9bcf000406ea0000 nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 5540aba6000506e50000 5540aba8000506e50000 nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 
1795 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150619065221Z nsds5replicaLastUpdateEnd: 20150619065223Z nsds5replicaChangesSentSinceStartup:: MTY5MDoxMzQvMCAxNzU1OjQvMCAxNzUwOjE3LzAg nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded nsds5replicaUpdateInProgress: FALSE 
nsds5replicaLastInitStart: 0 nsds5replicaLastInitEnd: 0 dn: cn=masterAgreement1-ipa-1.mgmt.testsystem-homemonitoring.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replicationagreement cn: masterAgreement1-ipa-1.mgmt.testsystem-homemonitoring.int-pki-tomcat nsDS5ReplicaRoot: o=ipaca nsDS5ReplicaHost: ipa-1.mgmt.testsystem-homemonitoring.int nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-ipa-1.mgmt.testsystem-homemonitoring.int-pki-tomcat,ou=csusers,cn=config nsDS5ReplicaBindMethod: Simple nsDS5ReplicaTransportInfo: TLS description: masterAgreement1-ipa-1.mgmt.testsystem-homemonitoring.int-pki-tomcat nsDS5ReplicaCredentials: {DES}UNn/VNGrsA6tBLK8ooFpQg== nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20150619065221Z nsds5replicaLastUpdateEnd: 20150619065223Z nsds5replicaChangesSentSinceStartup:: MTY5MDo5Mi8wIA== nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 20150618105218Z nsds5replicaLastInitEnd: 20150618105223Z nsds5replicaLastInitStatus: 0 Total update succeeded dn: cn=masterAgreement1-ipa-2.mgmt.datacenter-homemonitoring.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replicationagreement cn: masterAgreement1-ipa-2.mgmt.datacenter-homemonitoring.int-pki-tomcat nsDS5ReplicaRoot: o=ipaca nsDS5ReplicaHost: ipa-2.mgmt.datacenter-homemonitoring.int nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-ipa-2.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config nsDS5ReplicaBindMethod: Simple nsDS5ReplicaTransportInfo: TLS description: masterAgreement1-ipa-2.mgmt.datacenter-homemonitoring.int-pki-tomcat nsDS5ReplicaCredentials: {DES}7YD+qDoeFdnL6DtNoPcxpg== nsds50ruv: {replicageneration} 548eaeaf000000600000 nsds50ruv: {replica 1795 
ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 55262cc3000007030000 5527c95f000007030000 nsds50ruv: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 552625f20000069a0000 55683c260000069a0000 nsds50ruv: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 552568780000063b0000 5526284d0000063b0000 nsds50ruv: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 55256ba40000069f0000 555b58ce0000069f0000 nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 55256008000005d20000 5525686e000205d20000 nsds50ruv: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 54eca6ed000005730000 55255ff9000105730000 nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 5523c7f1000005d70000 55250ae2000005d70000 nsds50ruv: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 54d350ab0000050f0000 552512a80001050f0000 nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 54bd18cd000004ab0000 551cd0b3000404ab0000 nsds50ruv: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 548eaeb8000000610000 551a8854000500610000 nsds50ruv: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 548eaeb9000100600000 5523b8fd000000600000 nsds50ruv: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 5492f60f0000005b0000 5509812d0006005b0000 nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 5493f9fe000004470000 551cd519000404470000 nsds50ruv: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 54ecb4d30000056e0000 552510e6000d056e0000 nsds50ruv: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 552512b4000005690000 55254886000405690000 nsds50ruv: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 552669f2000006fe0000 552bb124000306fe0000 nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 552677b8000006f90000 555e1690000406f90000 nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 5527a56f000006f40000 5528f6a1000006f40000 
nsds50ruv: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528ddd8000006ef0000 5528ddd9000106ef0000 nsds50ruv: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554093bb000806ea0000 555c9bcf000406ea0000 nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 5540aba6000506e50000 5540aba8000506e50000 nsruvReplicaLastModified: {replica 1795 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1780 
2. second ldapsearch output:

ldapsearch -h -D "cn=Directory Manager" -W -b "" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" nscpentrywsi

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))
# requesting: nscpentrywsi
#

# replica, dc\3Dhso, mapping tree, config
dn: cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config
nscpentrywsi: dn: cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config
nscpentrywsi: cn: replica
nscpentrywsi: nsDS5Flags: 1
nscpentrywsi: objectClass: nsds5replica
nscpentrywsi: objectClass: top
nscpentrywsi: objectClass: extensibleobject
nscpentrywsi: nsDS5ReplicaType: 3
nscpentrywsi: nsDS5ReplicaRoot: dc=hso
nscpentrywsi: nsds5ReplicaLegacyConsumer: off
nscpentrywsi: nsDS5ReplicaId: 35
nscpentrywsi: nsDS5ReplicaBindDN: cn=replication manager,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.biotronik-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.hss.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-1.mgmt.testsystem-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-1.mgmt.datacenter-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-1.mgmt.hss.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.testsystem-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.datacenter-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: creatorsName: cn=directory manager
nscpentrywsi: modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
nscpentrywsi: createTimestamp: 20150409070712Z
nscpentrywsi: modifyTimestamp: 20150619065748Z
nscpentrywsi: nsState:: IwAAAAAAAABsvYNVAAAAACYAAAAAAAAAYAAAAAAAAAAJAAAAAAAAAA==
nscpentrywsi: nsDS5ReplicaName: 0abbf98b-de8711e4-8370f525-3004811f
nscpentrywsi: numSubordinates: 4
nscpentrywsi: nsds50ruv: {replicageneration} 548eae68000000040000
nscpentrywsi: nsds50ruv: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 55262588000400230000 5583bdf2000900230000
nscpentrywsi: nsds50ruv: {replica 45 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 5582a30f0000002d0000 5582c7c40005002d0000
nscpentrywsi: nsds50ruv: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528dda5000000280000 55829521000000280000
nscpentrywsi: nsds50ruv: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 55267752000100260000 55826bf8000300260000
nscpentrywsi: nsds50ruv: {replica 44 ldap://ipa-2.mgmt.hss.int:389} 55829aa30000002c0000 5582a01e0001002c0000
nscpentrywsi: nsds5agmtmaxcsn: dc=hso;meToipa-1.mgmt.datacenter-homemonitoring.int;ipa-1.mgmt.datacenter-homemonitoring.int;389;40;5582a3aa000d00230000
nscpentrywsi: nsds5agmtmaxcsn: dc=hso;meToipa-1.mgmt.hss.int;ipa-1.mgmt.hss.int;389;38;5582a3aa000d00230000
nscpentrywsi: nsds5agmtmaxcsn: dc=hso;meToipa-2.mgmt.hss.int;ipa-2.mgmt.hss.int;389;44;5582a3aa000d00230000
nscpentrywsi: nsds5agmtmaxcsn: dc=hso;meToipa-1.mgmt.testsystem-homemonitoring.int;ipa-1.mgmt.testsystem-homemonitoring.int;389;45;5582a3aa000d00230000
nscpentrywsi: nsruvReplicaLastModified: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 5583bd6c
nscpentrywsi: nsruvReplicaLastModified: {replica 45 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 5582c73d
nscpentrywsi: nsruvReplicaLastModified: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 55829499
nscpentrywsi: nsruvReplicaLastModified: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 00000000
nscpentrywsi: nsruvReplicaLastModified: {replica 44 ldap://ipa-2.mgmt.hss.int:389} 55829f97
nscpentrywsi: nsds5ReplicaChangeCount: 713037
nscpentrywsi: nsds5replicareapactive: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

From lkrispen at redhat.com Fri Jun 19 10:08:19 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 19 Jun 2015 12:08:19 +0200
Subject: [Freeipa-users] Antwort: Re: WG: Re: Haunted servers?
In-Reply-To:
References: <5583E21D.9060503@redhat.com>
Message-ID: <5583EA13.6060206@redhat.com>

On 06/19/2015 11:48 AM, Christoph Kaminski wrote:
> freeipa-users-bounces at redhat.com wrote on 19.06.2015 11:34:21:
>
> > From: Ludwig Krispenz
> > To: freeipa-users at redhat.com
> > Date: 19.06.2015 11:35
> > Subject: Re: [Freeipa-users] WG: Re: Haunted servers?
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > Hi Christoph,
> >
> > bad news. So to summarize, you have a procedure to cleanup your env,
> > but once you restart the master the ghosts are back.
> >
> > I really want to find out where they are coming from, so if you have
> > to restart your server, could you please look up these data, after
> > the server is stopped:
> >
> > dbscan -f /var/lib/dirsrv/slapd-s/db/userRoot/nsuniqueid.db -k =ffffffff-ffffffff-ffffffff-ffffffff -r
> > =ffffffff-ffffffff-ffffffff-ffffffff
> > 3
> > this gives you the RUVID and you can look it up in the database
> > [root@elkris scripts]# dbscan -f /var/lib/dirsrv/slapd-/db/userRoot/id2entry.db -K
> > id 3
> > rdn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff
> > nsUniqueId: ffffffff-ffffffff-ffffffff-ffffffff
> > objectClass: top
> > objectClass: nsTombstone
> > objectClass: extensibleobject
> > nsds50ruv: {replicageneration} 51dc3bac000000640000
> > nsds50ruv: {replica 100 ldap://localhost:30522} 557fd541000000640000 557fd9d3000000640000
> > nsds50ruv: {replica 200 ldap://localhost:4945} 557fd6e6000000c80000 557fda0e00
> > ......
> >
> > then check the contents of the changelog:
> > [root@elkris scripts]# dbscan -f /var/lib/dirsrv/slapd-/changelogdb/ec450682-7c0a11e2-aa0e8005-8430f734_51dc3bac000000640000.db | more
> >
> > the first entries contain the ruv data:
> > dbid: 0000006f000000000000
> > entry count: 307
> >
> > dbid: 000000de000000000000
> > purge ruv:
> > {replicageneration} 51dc3bac000000640000
> > {replica 100 ldap://localhost:30522}
> > {replica 200 ldap://localhost:30522}
> >
> > dbid: 0000014d000000000000
> > max ruv:
> > {replicageneration} 51dc3bac000000640000
> > {replica 100} 557fd541000000640000 557fd9d3000000640000
> > {replica 200} 557fd6e6000000c80000 557fda0e000000c80000
> >
> >
> Meanwhile we have found another place which can be a reason for this
> problem... see the ldapsearch result at the end of this post (2
> ldapsearch outputs; in both there are dead entries)

In the second search I don't see nsds50ruv attributes for dead entries, so the database ruv seems to be ok.
The first search is for the replication agreements and they keep info about the consumer ruv, used in the replication session. You cannot modify these, but they are maintained in the dse.ldif; you could edit the dse.ldif when the server is stopped.

> Info:
>
> we have only these IPA hosts:
>
> ipa-2.mgmt.hss.int:389: 44
> ipa-1.mgmt.testsystem-homemonitoring.int:389: 45
> ipa-1.mgmt.biotronik-homemonitoring.int:389: 35
> ipa-1.mgmt.hss.int:389: 38
> ipa-1.mgmt.datacenter-homemonitoring.int:389: 40
>
> Please pay attention to the rids. We have used the same names for the new
> install of ipa. There are a lot of ghost/dead entries with the same
> name but another rid (smaller)!
>
> The problem is, how can we delete them? A simple delete with an ldap
> browser doesn't work (server is unwilling to perform)
>
> 1.
> ldapsearch output:
>
> ldapsearch -LLL -o ldif-wrap=no -h localhost -p 389 -x -D "cn=directory manager" -W -b "cn=config" "objectclass=nsds5replicationagreement"
>
> dn: cn=meToipa-1.mgmt.datacenter-homemonitoring.int,cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config
> cn: meToipa-1.mgmt.datacenter-homemonitoring.int
> objectClass: nsds5replicationagreement
> objectClass: top
> nsDS5ReplicaTransportInfo: LDAP
> description: me to ipa-1.mgmt.datacenter-homemonitoring.int
> nsDS5ReplicaRoot: dc=hso
> nsDS5ReplicaHost: ipa-1.mgmt.datacenter-homemonitoring.int
> nsds5replicaTimeout: 120
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindMethod: SASL/GSSAPI
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds5ReplicaEnabled: on
> nsds50ruv: {replicageneration} 548eae68000000040000
> nsds50ruv: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528dda5000000280000 55828339000000280000
> nsds50ruv: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 55262588000400230000 55827e05000200230000
> nsds50ruv: {replica 41 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554092ff000500290000 558275a7001000290000
> nsds50ruv: {replica 33 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 55256822000000210000 5582727d000800210000
> nsds50ruv: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 55267752000100260000 55826bf8000300260000
> nsds50ruv: {replica 43 ldap://ipa-2.mgmt.hss.int:389} 5575712e0003002b0000 558167720002002b0000
> nsds50ruv: {replica 11} 55266adc000a000b0000 55266adc000a000b0000
> nsds50ruv: {replica 22} 55268293001800160000 55268293001800160000
> nsds50ruv: {replica 3} 552644f4000400030000 552644f4000400030000
> nsds50ruv: {replica 34} 55682299000e00220000 55682299000e00220000
> nsds50ruv: {replica 32} 5526ad3a000000200000 5526ad3a000100200000
> nsds50ruv: {replica 37} 552bb156000800250000 552bb156000800250000
> nsds50ruv: {replica 39} 552f9a40000000270000 552f9a40000000270000
> nsds50ruv: {replica 36} 55781b04000f00240000 55781b04000f00240000
> nsds50ruv: {replica 42} 555c97cb0002002a0000 555c97cb0002002a0000
> nsruvReplicaLastModified: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000
> nsruvReplicaLastModified: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000
> nsruvReplicaLastModified: {replica 41 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000
> nsruvReplicaLastModified: {replica 33 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000
> nsruvReplicaLastModified: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 00000000
> nsruvReplicaLastModified: {replica 43 ldap://ipa-2.mgmt.hss.int:389} 00000000
> nsruvReplicaLastModified: {replica 11} 00000000
> nsruvReplicaLastModified: {replica 22} 00000000
> nsruvReplicaLastModified: {replica 3} 00000000
> nsruvReplicaLastModified: {replica 34} 00000000
> nsruvReplicaLastModified: {replica 32} 00000000
> nsruvReplicaLastModified: {replica 37} 00000000
> nsruvReplicaLastModified: {replica 39} 00000000
> nsruvReplicaLastModified: {replica 36} 00000000
> nsruvReplicaLastModified: {replica 42} 00000000
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150619065611Z
> nsds5replicaLastUpdateEnd: 20150619065613Z
> nsds5replicaChangesSentSinceStartup:: MzU6Mjc5LzEzMDI4NzQwOSAzMzoyLzE1MTIgNDE6NC8wIDQ0OjEzMy8wIDQ1OjE0NC8wIA==
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0
>
> dn: cn=meToipa-1.mgmt.hss.int,cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config
> cn: meToipa-1.mgmt.hss.int
> objectClass: nsds5replicationagreement
> objectClass: top
> nsDS5ReplicaTransportInfo: LDAP
> description: me to ipa-1.mgmt.hss.int
> nsDS5ReplicaRoot: dc=hso
> nsDS5ReplicaHost: ipa-1.mgmt.hss.int
> nsds5replicaTimeout: 120
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindMethod: SASL/GSSAPI
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds5ReplicaEnabled: on
> nsds50ruv: {replicageneration} 548eae68000000040000
> nsds50ruv: {replica 38 ldap://ipa-1.mgmt.hss.int:389} 55267752000100260000 558282f0000f00260000
> nsds50ruv: {replica 35 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 55262588000400230000 55826e42000700230000
> nsds50ruv: {replica 41 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554092ff000500290000 558275a7001000290000
> nsds50ruv: {replica 40 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528dda5000000280000 55826bfb000000280000
> nsds50ruv: {replica 33 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 55256822000000210000 5582727d000800210000
> nsds50ruv: {replica 43 ldap://ipa-2.mgmt.hss.int:389} 5575712e0003002b0000 558167720002002b0000
> nsds50ruv: {replica 3} 552644f4000400030000 552644f4000400030000
> nsds50ruv: {replica 34} 55264533000100220000 55682299000e00220000
> nsds50ruv: {replica 32} 5526511c000100200000 5526ad3a000100200000
> nsds50ruv: {replica 22} 552666ef000800160000 55268293001800160000
> nsds50ruv: {replica 11} 552666f10002000b0000 55266adc000a000b0000
> nsds50ruv: {replica 37} 5526699a000000250000 552bb156000800250000
> nsds50ruv: {replica 39} 5527a503000000270000 552f9a40000000270000
> nsds50ruv: {replica 36} 556789b0000100240000
55781b04000f00240000 > nsds50ruv: {replica 42} 5540ab460003002a0000 555c97cb0002002a0000 > nsruvReplicaLastModified: {replica 38 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 35 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 41 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 40 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 33 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 43 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 3} 00000000 > nsruvReplicaLastModified: {replica 34} 00000000 > nsruvReplicaLastModified: {replica 32} 00000000 > nsruvReplicaLastModified: {replica 22} 00000000 > nsruvReplicaLastModified: {replica 11} 00000000 > nsruvReplicaLastModified: {replica 37} 00000000 > nsruvReplicaLastModified: {replica 39} 00000000 > nsruvReplicaLastModified: {replica 36} 00000000 > nsruvReplicaLastModified: {replica 42} 00000000 > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150619065543Z > nsds5replicaLastUpdateEnd: 20150619065545Z > nsds5replicaChangesSentSinceStartup:: > MzU6Mjc0LzEwNzUyMzE0MiA0MDoyLzAgNDQ6MTM0LzAgNDU6MTQ0LzAg > nsds5replicaLastUpdateStatus: 1 Can't acquire busy replica > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > dn: > cn=meToipa-1.mgmt.testsystem-homemonitoring.int,cn=replica,cn=dc\3Dhso,cn=mappingtree,cn=config > > cn: meToipa-1.mgmt.testsystem-homemonitoring.int > objectClass: nsds5replicationagreement > objectClass: top > nsDS5ReplicaTransportInfo: LDAP > description: me to ipa-1.mgmt.testsystem-homemonitoring.int > nsDS5ReplicaRoot: dc=hso > nsDS5ReplicaHost: ipa-1.mgmt.testsystem-homemonitoring.int > nsds5replicaTimeout: 120 > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindMethod: SASL/GSSAPI > 
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof > idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth > krbloginfailedcount > nsds5ReplicaStripAttrs: modifiersName modifyTimestamp > internalModifiersName internalModifyTimestamp > nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn > krblastsuccessfulauth krblastfailedauth krbloginfailedcount > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150619065611Z > nsds5replicaLastUpdateEnd: 20150619065613Z > nsds5replicaChangesSentSinceStartup:: MzU6OC8xMTI2OTM0NDgg > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental update succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 20150618105040Z > nsds5replicaLastInitEnd: 20150618105045Z > nsds5replicaLastInitStatus: 0 Total update succeeded > > dn: cn=meToipa-2.mgmt.hss.int,cn=replica,cn=dc\3Dhso,cn=mapping > tree,cn=config > cn: meToipa-2.mgmt.hss.int > objectClass: nsds5replicationagreement > objectClass: top > nsDS5ReplicaTransportInfo: LDAP > description: me to ipa-2.mgmt.hss.int > nsDS5ReplicaRoot: dc=hso > nsDS5ReplicaHost: ipa-2.mgmt.hss.int > nsds5replicaTimeout: 120 > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindMethod: SASL/GSSAPI > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof > idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth > krbloginfailedcount > nsds5ReplicaStripAttrs: modifiersName modifyTimestamp > internalModifiersName internalModifyTimestamp > nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn > krblastsuccessfulauth krblastfailedauth krbloginfailedcount > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150619065543Z > nsds5replicaLastUpdateEnd: 20150619065545Z > nsds5replicaChangesSentSinceStartup:: > MzU6MTQ3LzEwNTgwMTM5OCA0NToxNDQvMCA= > nsds5replicaLastUpdateStatus: 1 Can't acquire busy replica > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 20150618101443Z > 
nsds5replicaLastInitEnd: 20150618101448Z > nsds5replicaLastInitStatus: 0 Total update succeeded > > dn: > cn=cloneAgreement1-ipa-1.mgmt.biotronik-homemonitoring.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mappingtree,cn=config > > objectClass: top > objectClass: nsds5replicationagreement > cn: cloneAgreement1-ipa-1.mgmt.biotronik-homemonitoring.int-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: ipa-2.mgmt.biotronik-homemonitoring.int > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager > masterAgreement1-ipa-1.mgmt.biotronik-homemonitoring.int-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: > cloneAgreement1-ipa-1.mgmt.biotronik-homemonitoring.int-pki-tomcat > nsDS5ReplicaCredentials: {DES}5KzfANQ4D19ObvXF7UM6ag== > nsds50ruv: {replicageneration} 548eaeaf000000600000 > nsds50ruv: {replica 1595 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} > 552568780000063b0000 5526284d0000063b0000 > nsds50ruv: {replica 1690 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} > 552625f20000069a0000 55683c260000069a0000 > nsds50ruv: {replica 1695 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 55256ba40000069f0000 555b58ce0000069f0000 > nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} > 55256008000005d20000 5525686e000205d20000 > nsds50ruv: {replica 1395 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} > 54eca6ed000005730000 55255ff9000105730000 > nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} > 5523c7f1000005d70000 55250ae2000005d70000 > nsds50ruv: {replica 1295 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} > 54d350ab0000050f0000 552512a80001050f0000 > nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} > 54bd18cd000004ab0000 551cd0b3000404ab0000 > nsds50ruv: {replica 97 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 548eaeb8000000610000 551a8854000500610000 > nsds50ruv: {replica 96 > 
ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} > 548eaeb9000100600000 5523b8fd000000600000 > nsds50ruv: {replica 91 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 5492f60f0000005b0000 5509812d0006005b0000 > nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} > 5493f9fe000004470000 551cd519000404470000 > nsds50ruv: {replica 1390 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} > 54ecb4d30000056e0000 552510e6000d056e0000 > nsds50ruv: {replica 1385 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 552512b4000005690000 55254886000405690000 > nsds50ruv: {replica 1795 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} > 55262cc3000007030000 552663f3000007030000 > nsds50ruv: {replica 1790 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 552669f2000006fe0000 552bb124000306fe0000 > nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} > 552677b8000006f90000 555e1690000406f90000 > nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} > 5527a56f000006f40000 5528f6a1000006f40000 > nsds50ruv: {replica 1775 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} > 5528ddd8000006ef0000 5528ddd9000106ef0000 > nsds50ruv: {replica 1770 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 554093bb000806ea0000 555c9bcf000406ea0000 > nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} > 5540aba6000506e50000 5540aba8000506e50000 > nsruvReplicaLastModified: {replica 1595 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1690 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1695 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1395 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > 
nsruvReplicaLastModified: {replica 1295 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 97 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 96 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 91 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1390 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1385 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1795 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1790 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1775 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1770 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150618094223Z > nsds5replicaLastUpdateEnd: 20150618094223Z > nsds5replicaChangesSentSinceStartup:: MTY5MDozLzAg > nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: > Can't contact LDAP server > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > dn: > cn=masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mappingtree,cn=config > > objectClass: top > 
objectClass: nsds5replicationagreement > cn: masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: ipa-1.mgmt.datacenter-homemonitoring.int > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager > cloneAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: > masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat > nsDS5ReplicaCredentials: {DES}dRtGWawlVRIa/e6mF9tMHA== > nsds50ruv: {replicageneration} 548eaeaf000000600000 > nsds50ruv: {replica 1775 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} > 5528ddd8000006ef0000 5528ddd9000106ef0000 > nsds50ruv: {replica 1690 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} > 552625f20000069a0000 55683c260000069a0000 > nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} > 5527a56f000006f40000 5528f6a1000006f40000 > nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} > 552677b8000006f90000 555e1690000406f90000 > nsds50ruv: {replica 1790 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 552669f2000006fe0000 552bb124000306fe0000 > nsds50ruv: {replica 1795 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} > 55262cc3000007030000 552663f3000007030000 > nsds50ruv: {replica 1595 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} > 552568780000063b0000 5526284d0000063b0000 > nsds50ruv: {replica 1695 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 55256ba40000069f0000 555b58ce0000069f0000 > nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} > 55256008000005d20000 5525686e000205d20000 > nsds50ruv: {replica 1395 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} > 54eca6ed000005730000 55255ff9000105730000 > nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} > 5523c7f1000005d70000 55250ae2000005d70000 > nsds50ruv: {replica 1295 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} > 
54d350ab0000050f0000 552512a80001050f0000 > nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} > 54bd18cd000004ab0000 551cd0b3000404ab0000 > nsds50ruv: {replica 97 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 548eaeb8000000610000 551a8854000500610000 > nsds50ruv: {replica 96 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} > 548eaeb9000100600000 5523b8fd000000600000 > nsds50ruv: {replica 91 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 5492f60f0000005b0000 5509812d0006005b0000 > nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} > 5493f9fe000004470000 551cd519000404470000 > nsds50ruv: {replica 1390 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} > 54ecb4d30000056e0000 552510e6000d056e0000 > nsds50ruv: {replica 1385 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 552512b4000005690000 55254886000405690000 > nsds50ruv: {replica 1770 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 554093bb000806ea0000 555c9bcf000406ea0000 > nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} > 5540aba6000506e50000 5540aba8000506e50000 > nsruvReplicaLastModified: {replica 1775 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1690 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1790 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1795 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1595 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1695 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > 
nsruvReplicaLastModified: {replica 1395 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1295 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 97 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 96 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 91 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1390 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1385 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1770 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150619065221Z > nsds5replicaLastUpdateEnd: 20150619065223Z > nsds5replicaChangesSentSinceStartup:: > MTY5MDoxMzQvMCAxNzU1OjQvMCAxNzUwOjE3LzAg > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental update succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > dn: > cn=masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mappingtree,cn=config > > objectClass: top > objectClass: nsds5replicationagreement > cn: masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: ipa-1.mgmt.hss.int > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager > cloneAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config 
> nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat > nsDS5ReplicaCredentials: {DES}BiZpuJ0lje0K8o5hzsHp6Q== > nsds50ruv: {replicageneration} 548eaeaf000000600000 > nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} > 552677b8000006f90000 555e1690000406f90000 > nsds50ruv: {replica 1690 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} > 552625f20000069a0000 55683c260000069a0000 > nsds50ruv: {replica 1790 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 552669f2000006fe0000 552bb124000306fe0000 > nsds50ruv: {replica 1795 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} > 55262cc3000007030000 552663f3000007030000 > nsds50ruv: {replica 1595 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} > 552568780000063b0000 5526284d0000063b0000 > nsds50ruv: {replica 1695 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 55256ba40000069f0000 555b58ce0000069f0000 > nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} > 55256008000005d20000 5525686e000205d20000 > nsds50ruv: {replica 1395 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} > 54eca6ed000005730000 55255ff9000105730000 > nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} > 5523c7f1000005d70000 55250ae2000005d70000 > nsds50ruv: {replica 1295 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} > 54d350ab0000050f0000 552512a80001050f0000 > nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} > 54bd18cd000004ab0000 551cd0b3000404ab0000 > nsds50ruv: {replica 97 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 548eaeb8000000610000 551a8854000500610000 > nsds50ruv: {replica 96 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} > 548eaeb9000100600000 5523b8fd000000600000 > nsds50ruv: {replica 91 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 5492f60f0000005b0000 5509812d0006005b0000 > nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} > 5493f9fe000004470000 551cd519000404470000 
> nsds50ruv: {replica 1390 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} > 54ecb4d30000056e0000 552510e6000d056e0000 > nsds50ruv: {replica 1385 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 552512b4000005690000 55254886000405690000 > nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} > 5527a56f000006f40000 5528f6a1000006f40000 > nsds50ruv: {replica 1775 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} > 5528ddd8000006ef0000 5528ddd9000106ef0000 > nsds50ruv: {replica 1770 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 554093bb000806ea0000 555c9bcf000406ea0000 > nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} > 5540aba6000506e50000 5540aba8000506e50000 > nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1690 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1790 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1795 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1595 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1695 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1395 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1295 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 97 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 96 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > 
nsruvReplicaLastModified: {replica 91 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1390 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1385 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1775 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1770 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150619065221Z > nsds5replicaLastUpdateEnd: 20150619065223Z > nsds5replicaChangesSentSinceStartup:: > MTY5MDoxMzQvMCAxNzU1OjQvMCAxNzUwOjE3LzAg > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental update succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > dn: > cn=masterAgreement1-ipa-1.mgmt.testsystem-homemonitoring.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mappingtree,cn=config > > objectClass: top > objectClass: nsds5replicationagreement > cn: masterAgreement1-ipa-1.mgmt.testsystem-homemonitoring.int-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: ipa-1.mgmt.testsystem-homemonitoring.int > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager > cloneAgreement1-ipa-1.mgmt.testsystem-homemonitoring.int-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: > masterAgreement1-ipa-1.mgmt.testsystem-homemonitoring.int-pki-tomcat > nsDS5ReplicaCredentials: {DES}UNn/VNGrsA6tBLK8ooFpQg== > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150619065221Z > 
nsds5replicaLastUpdateEnd: 20150619065223Z > nsds5replicaChangesSentSinceStartup:: MTY5MDo5Mi8wIA== > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental update succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 20150618105218Z > nsds5replicaLastInitEnd: 20150618105223Z > nsds5replicaLastInitStatus: 0 Total update succeeded > > dn: > cn=masterAgreement1-ipa-2.mgmt.datacenter-homemonitoring.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mappingtree,cn=config > > objectClass: top > objectClass: nsds5replicationagreement > cn: masterAgreement1-ipa-2.mgmt.datacenter-homemonitoring.int-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: ipa-2.mgmt.datacenter-homemonitoring.int > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager > cloneAgreement1-ipa-2.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: > masterAgreement1-ipa-2.mgmt.datacenter-homemonitoring.int-pki-tomcat > nsDS5ReplicaCredentials: {DES}7YD+qDoeFdnL6DtNoPcxpg== > nsds50ruv: {replicageneration} 548eaeaf000000600000 > nsds50ruv: {replica 1795 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} > 55262cc3000007030000 5527c95f000007030000 > nsds50ruv: {replica 1690 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} > 552625f20000069a0000 55683c260000069a0000 > nsds50ruv: {replica 1595 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} > 552568780000063b0000 5526284d0000063b0000 > nsds50ruv: {replica 1695 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 55256ba40000069f0000 555b58ce0000069f0000 > nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} > 55256008000005d20000 5525686e000205d20000 > nsds50ruv: {replica 1395 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} > 54eca6ed000005730000 55255ff9000105730000 > nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} > 5523c7f1000005d70000 55250ae2000005d70000 > 
nsds50ruv: {replica 1295 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} > 54d350ab0000050f0000 552512a80001050f0000 > nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} > 54bd18cd000004ab0000 551cd0b3000404ab0000 > nsds50ruv: {replica 97 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 548eaeb8000000610000 551a8854000500610000 > nsds50ruv: {replica 96 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} > 548eaeb9000100600000 5523b8fd000000600000 > nsds50ruv: {replica 91 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 5492f60f0000005b0000 5509812d0006005b0000 > nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} > 5493f9fe000004470000 551cd519000404470000 > nsds50ruv: {replica 1390 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} > 54ecb4d30000056e0000 552510e6000d056e0000 > nsds50ruv: {replica 1385 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} > 552512b4000005690000 55254886000405690000 > nsds50ruv: {replica 1790 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 552669f2000006fe0000 552bb124000306fe0000 > nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} > 552677b8000006f90000 555e1690000406f90000 > nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} > 5527a56f000006f40000 5528f6a1000006f40000 > nsds50ruv: {replica 1775 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} > 5528ddd8000006ef0000 5528ddd9000106ef0000 > nsds50ruv: {replica 1770 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} > 554093bb000806ea0000 555c9bcf000406ea0000 > nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} > 5540aba6000506e50000 5540aba8000506e50000 > nsruvReplicaLastModified: {replica 1795 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1690 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1595 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1695 > 
ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1395 > ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1295 > ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 97 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 96 > ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 91 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1390 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1385 > ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1790 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsruvReplicaLastModified: {replica 1775 > ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1770 > ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 > nsruvReplicaLastModified: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} > 00000000 > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 0 > nsds5replicaLastUpdateEnd: 0 > nsds5replicaChangesSentSinceStartup: > nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: > Can't contact LDAP server > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 
0 > nsds5replicaLastInitEnd: 0 > > dn: > cn=masterAgreement1-ipa-2.mgmt.hss.int-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mappingtree,cn=config > > objectClass: top > objectClass: nsds5replicationagreement > cn: masterAgreement1-ipa-2.mgmt.hss.int-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: ipa-2.mgmt.hss.int > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager > cloneAgreement1-ipa-2.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: masterAgreement1-ipa-2.mgmt.hss.int-pki-tomcat > nsDS5ReplicaCredentials: {DES}Y99NDXt09Mdkm7jwqdEd7w== > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20150619065221Z > nsds5replicaLastUpdateEnd: 20150619065223Z > nsds5replicaChangesSentSinceStartup:: MTY5MDoxMTQvMCAxNzUwOjE3LzAg > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental update succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 20150618101643Z > nsds5replicaLastInitEnd: 20150618101649Z > nsds5replicaLastInitStatus: 0 Total update succeeded > > 2. 
second ldapsearch output: ldapsearch -h -D "cn=Directory > Manager" -W -b "" > "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff- > ffffffff))" nscpentrywsi > > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: > (&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff)) > # requesting: nscpentrywsi > # > > # replica, dc\3Dhso, mapping tree, config > dn: cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config > nscpentrywsi: dn: cn=replica,cn=dc\3Dhso,cn=mapping tree,cn=config > nscpentrywsi: cn: replica > nscpentrywsi: nsDS5Flags: 1 > nscpentrywsi: objectClass: nsds5replica > nscpentrywsi: objectClass: top > nscpentrywsi: objectClass: extensibleobject > nscpentrywsi: nsDS5ReplicaType: 3 > nscpentrywsi: nsDS5ReplicaRoot: dc=hso > nscpentrywsi: nsds5ReplicaLegacyConsumer: off > nscpentrywsi: nsDS5ReplicaId: 35 > nscpentrywsi: nsDS5ReplicaBindDN: cn=replication manager,cn=config > nscpentrywsi: nsDS5ReplicaBindDN: > krbprincipalname=ldap/ipa-2.mgmt.biotronik-h > omemonitoring.int at HSO,cn=services,cn=accounts,dc=hso > nscpentrywsi: nsDS5ReplicaBindDN: > krbprincipalname=ldap/ipa-2.mgmt.hss.int at HSO > ,cn=services,cn=accounts,dc=hso > nscpentrywsi: nsDS5ReplicaBindDN: > krbprincipalname=ldap/ipa-1.mgmt.testsystem- > homemonitoring.int at HSO,cn=services,cn=accounts,dc=hso > nscpentrywsi: nsDS5ReplicaBindDN: > krbprincipalname=ldap/ipa-1.mgmt.datacenter- > homemonitoring.int at HSO,cn=services,cn=accounts,dc=hso > nscpentrywsi: nsDS5ReplicaBindDN: > krbprincipalname=ldap/ipa-1.mgmt.hss.int at HSO > ,cn=services,cn=accounts,dc=hso > nscpentrywsi: nsDS5ReplicaBindDN: > krbprincipalname=ldap/ipa-2.mgmt.testsystem- > homemonitoring.int at HSO,cn=services,cn=accounts,dc=hso > nscpentrywsi: nsDS5ReplicaBindDN: > krbprincipalname=ldap/ipa-2.mgmt.datacenter- > homemonitoring.int at HSO,cn=services,cn=accounts,dc=hso > nscpentrywsi: creatorsName: cn=directory manager > nscpentrywsi: modifiersName: cn=Multimaster Replication > 
Plugin,cn=plugins,cn=c > onfig > nscpentrywsi: createTimestamp: 20150409070712Z > nscpentrywsi: modifyTimestamp: 20150619065748Z > nscpentrywsi: nsState:: > IwAAAAAAAABsvYNVAAAAACYAAAAAAAAAYAAAAAAAAAAJAAAAAAAAAA > == > nscpentrywsi: nsDS5ReplicaName: 0abbf98b-de8711e4-8370f525-3004811f > nscpentrywsi: numSubordinates: 4 > nscpentrywsi: nsds50ruv: {replicageneration} 548eae68000000040000 > nscpentrywsi: nsds50ruv: {replica 35 > ldap://ipa-1.mgmt.biotronik-homemonitorin > g.int:389} 55262588000400230000 5583bdf2000900230000 > nscpentrywsi: nsds50ruv: {replica 45 > ldap://ipa-1.mgmt.testsystem-homemonitori > ng.int:389} 5582a30f0000002d0000 5582c7c40005002d0000 > nscpentrywsi: nsds50ruv: {replica 40 > ldap://ipa-1.mgmt.datacenter-homemonitori > ng.int:389} 5528dda5000000280000 55829521000000280000 > nscpentrywsi: nsds50ruv: {replica 38 ldap://ipa-1.mgmt.hss.int:389} > 5526775200 > 0100260000 55826bf8000300260000 > nscpentrywsi: nsds50ruv: {replica 44 ldap://ipa-2.mgmt.hss.int:389} > 55829aa300 > 00002c0000 5582a01e0001002c0000 > nscpentrywsi: nsds5agmtmaxcsn: > dc=hso;meToipa-1.mgmt.datacenter-homemonitoring > .int;ipa-1.mgmt.datacenter-homemonitoring.int;389;40;5582a3aa000d00230000 > > nscpentrywsi: nsds5agmtmaxcsn: > dc=hso;meToipa-1.mgmt.hss.int;ipa-1.mgmt.hss.in > t;389;38;5582a3aa000d00230000 > nscpentrywsi: nsds5agmtmaxcsn: > dc=hso;meToipa-2.mgmt.hss.int;ipa-2.mgmt.hss.in > t;389;44;5582a3aa000d00230000 > nscpentrywsi: nsds5agmtmaxcsn: > dc=hso;meToipa-1.mgmt.testsystem-homemonitoring > .int;ipa-1.mgmt.testsystem-homemonitoring.int;389;45;5582a3aa000d00230000 > > nscpentrywsi: nsruvReplicaLastModified: {replica 35 > ldap://ipa-1.mgmt.biotroni > k-homemonitoring.int:389} 5583bd6c > nscpentrywsi: nsruvReplicaLastModified: {replica 45 > ldap://ipa-1.mgmt.testsyst > em-homemonitoring.int:389} 5582c73d > nscpentrywsi: nsruvReplicaLastModified: {replica 40 > ldap://ipa-1.mgmt.datacent > er-homemonitoring.int:389} 55829499 > nscpentrywsi: nsruvReplicaLastModified: 
{replica 38 ldap://ipa-1.mgmt.hss.int:389} 00000000
> nscpentrywsi: nsruvReplicaLastModified: {replica 44 ldap://ipa-2.mgmt.hss.int:389} 55829f97
> nscpentrywsi: nsds5ReplicaChangeCount: 713037
> nscpentrywsi: nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

From christoph.kaminski at biotronik.com Fri Jun 19 10:32:40 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 19 Jun 2015 12:32:40 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: Re: WG: Re: Haunted servers?
In-Reply-To: <5583EA13.6060206@redhat.com>
References: <5583E21D.9060503@redhat.com> <5583EA13.6060206@redhat.com>
Message-ID:

> in the second search I don't see nsds50ruv attributes for dead
> entries, so the database ruv seems to be ok.

these are dead:

nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.biotronik-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.testsystem-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.datacenter-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso

> the first search is for the replication agreements and they keep
> info about the consumer ruv, used in replication session. you cannot
> modify these, but they are maintained in the dse.ldif, you could
> edit the dse.ldif when the server is stopped.

big thx, we try it and I let you know if it works!

From lkrispen at redhat.com Fri Jun 19 11:23:43 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 19 Jun 2015 13:23:43 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: Re: WG: Re: Haunted servers?
In-Reply-To:
References: <5583E21D.9060503@redhat.com> <5583EA13.6060206@redhat.com>
Message-ID: <5583FBBF.8030404@redhat.com>

Hi,

On 06/19/2015 12:32 PM, Christoph Kaminski wrote:
> > in the second search I don't see nsds50ruv attributes for dead
> > entries, so the database ruv seems to be ok.
>
> these are dead:
>
> nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.biotronik-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
> nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.testsystem-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso
> nscpentrywsi: nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-2.mgmt.datacenter-homemonitoring.int@HSO,cn=services,cn=accounts,dc=hso

but these are bind dns, ipa adds them when creating a new replica to be able to establish a gssapi replication, I don't know if and when they are removed, they are definitely not in the task of cleanallruv

> > the first search is for the replication agreements and they keep
> > info about the consumer ruv, used in replication session. you cannot
> > modify these, but they are maintained in the dse.ldif, you could
> > edit the dse.ldif when the server is stopped.
>
> big thx, we try it and I let you know if it works!

From christoph.kaminski at biotronik.com Fri Jun 19 11:48:46 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 19 Jun 2015 13:48:46 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: Re: Antwort: Re: WG: Re: Haunted servers?
In-Reply-To: <5583FBBF.8030404@redhat.com>
References: <5583E21D.9060503@redhat.com> <5583EA13.6060206@redhat.com> <5583FBBF.8030404@redhat.com>
Message-ID:

Ludwig Krispenz wrote on 19.06.2015 13:23:43:
> > > the first search is for the replication agreements and they keep
> > info about the consumer ruv, used in replication session.
you cannot > > modify these, but they are maintained in the dse.ldif, you could > > edit the dse.ldif when the server is stopped. > > big thx, we try it and I let you know if it works! > one thing what I still dont understand: nsds50ruv: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 552568780000063b0000 5526284d0000063b0000 nsds50ruv: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 552625f20000069a0000 55683c260000069a0000 nsds50ruv: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 55256ba40000069f0000 555b58ce0000069f0000 nsds50ruv: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 55256008000005d20000 5525686e000205d20000 nsds50ruv: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 54eca6ed000005730000 55255ff9000105730000 nsds50ruv: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 5523c7f1000005d70000 55250ae2000005d70000 nsds50ruv: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 54d350ab0000050f0000 552512a80001050f0000 nsds50ruv: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 54bd18cd000004ab0000 551cd0b3000404ab0000 nsds50ruv: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389 } 548eaeb8000000610000 551a8854000500610000 nsds50ruv: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 548eaeb9000100600000 5523b8fd000000600000 nsds50ruv: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389 } 5492f60f0000005b0000 5509812d0006005b0000 nsds50ruv: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 5493f9fe000004470000 551cd519000404470000 nsds50ruv: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 54ecb4d30000056e0000 552510e6000d056e0000 nsds50ruv: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 552512b4000005690000 55254886000405690000 nsds50ruv: {replica 1795 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 55262cc3000007030000 552663f3000007030000 nsds50ruv: {replica 1790 
ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 552669f2000006fe0000 552bb124000306fe0000 nsds50ruv: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 552677b8000006f90000 555e1690000406f90000 nsds50ruv: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 5527a56f000006f40000 5528f6a1000006f40000 nsds50ruv: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 5528ddd8000006ef0000 5528ddd9000106ef0000 nsds50ruv: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 554093bb000806ea0000 555c9bcf000406ea0000 nsds50ruv: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 5540aba6000506e50000 5540aba8000506e50000 nsruvReplicaLastModified: {replica 1595 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1690 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1695 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1490 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1395 ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1495 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1295 ldap://ipa-2.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1195 ldap://ipa-2.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 97 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 96 ldap://ipa-1.mgmt.biotronik-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 91 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1095 ldap://ipa-1.mgmt.hss.int:389} 00000000 nsruvReplicaLastModified: {replica 1390 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1385 ldap://ipa-2.mgmt.testsystem-homemonitoring.int:389} 00000000 nsruvReplicaLastModified: {replica 1795 
ldap://ipa-2.mgmt.datacenter-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1790 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1785 ldap://ipa-1.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 1780 ldap://ipa-2.mgmt.hss.int:389} 00000000
nsruvReplicaLastModified: {replica 1775 ldap://ipa-1.mgmt.datacenter-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1770 ldap://ipa-1.mgmt.testsystem-homemonitoring.int:389} 00000000
nsruvReplicaLastModified: {replica 1765 ldap://ipa-2.mgmt.hss.int:389} 00000000

what are these entries?

I mean here are dead entries too, some I can identify with name (all ipa-2 except ipa-2.mgmt.hss.int) but some not... How can I know what I should delete and what not? Don't see the right rids here

Greetz

From lkrispen at redhat.com Fri Jun 19 12:19:32 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 19 Jun 2015 14:19:32 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: Re: Antwort: Re: WG: Re: Haunted servers?
In-Reply-To:
References: <5583E21D.9060503@redhat.com> <5583EA13.6060206@redhat.com> <5583FBBF.8030404@redhat.com>
Message-ID: <558408D4.8020406@redhat.com>

from an earlier post it looks like they are from the o=ipaca backend, did you clean the ruvs there ?

to know which are the correct current rids for this backend you could do on each active server a search for

... -b "cn=config" "(&(objectclass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" nsDS5ReplicaId

then you could search

ldapsearch -h -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"

to see what you have in the ruv and eventually clean them

On 06/19/2015 01:48 PM, Christoph Kaminski wrote:
> one thing what I still dont understand:
>
> [...]
>
> what are these entries?
>
> I mean here are dead entries too, some I can identify with name (all
> ipa-2 except ipa-2.mgmt.hss.int) but some not... How can I know what
> I should delete and what not? Don't see the right rids here
>
> Greetz
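As an added example (not code from FreeIPA, 389-ds or anyone in this thread), this Python script does the comparison Ludwig describes: it collects nsDS5ReplicaId from the cn=config replica entries of the live servers, parses the nsds50ruv values of the tombstone or agreement entry, decodes each CSN (8 hex digits of Unix time, 4 of sequence number, 4 of the issuing replica ID, 4 of sub-sequence) and lists the RUV elements whose replica ID no live server owns. The sample LDIF is constructed and modelled on the o=ipaca agreement output quoted in this thread; the hostnames rep1/rep2/rep3 and the cn=config entries are assumptions.

```python
import re
from datetime import datetime, timezone

# One nsds50ruv element: "{replica <rid> <url>} [<mincsn> [<maxcsn>]]".
# "{replicageneration} ..." carries no rid and is deliberately not matched.
RUV_ELEMENT = re.compile(
    r"^\{replica (?P<rid>\d+) (?P<url>ldap://[^}\s]+)\}"
    r"(?:\s+(?P<mincsn>[0-9a-fA-F]{20}))?(?:\s+(?P<maxcsn>[0-9a-fA-F]{20}))?\s*$"
)

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def decode_csn(csn):
    """Split a 20-hex-digit CSN: 8 digits Unix time, 4 sequence, 4 replica ID, 4 sub-sequence."""
    if len(csn) != 20:
        raise ValueError("CSN must be 20 hex digits: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),  # the replica that issued the change
        "subseq": int(csn[16:20], 16),
    }

def parse_ruv(ldif_text):
    """One dict per nsds50ruv element, in listing order.

    Accepts plain "nsds50ruv: ..." lines and the "nscpentrywsi: nsds50ruv: ..."
    form returned when nscpentrywsi is requested on the tombstone entry.
    """
    elements = []
    for line in unfold_ldif(ldif_text):
        pos = line.lower().find("nsds50ruv:")
        if pos < 0:
            continue
        m = RUV_ELEMENT.match(line[pos + len("nsds50ruv:"):].strip())
        if not m:
            continue
        elem = {"rid": int(m.group("rid")), "url": m.group("url"),
                "mincsn": None, "maxcsn": None, "csn_rid_ok": True}
        for key in ("mincsn", "maxcsn"):
            if m.group(key):
                elem[key] = decode_csn(m.group(key))
                # Every CSN embeds its issuing rid; a mismatch points at a damaged RUV.
                if elem[key]["rid"] != elem["rid"]:
                    elem["csn_rid_ok"] = False
        elements.append(elem)
    return elements

def active_replica_ids(replica_entries):
    """Collect nsDS5ReplicaId from the cn=config replica entry of each live server."""
    rids = set()
    for text in replica_entries:
        for line in unfold_ldif(text):
            attr, sep, value = line.partition(":")
            if sep and attr.strip().lower() == "nsds5replicaid":
                rids.add(int(value.strip()))
    return rids

def stale_elements(elements, active_rids):
    """Elements whose rid no live server owns: the candidates for cleanallruv."""
    return [e for e in elements if e["rid"] not in active_rids]

# Constructed sample, modelled on the o=ipaca agreement output quoted in this
# thread: rep2 (replica 97) was removed with ipa-replica-manage but its RUV
# element is still listed. Long values are LDIF-folded as ldapsearch prints them.
SAMPLE_RUV_LDIF = """\
dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config
nsDS5ReplicaRoot: o=ipaca
nsds50ruv: {replicageneration} 5527f74b000000600000
nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b
 0000 5582c7e40004005b0000
nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060
 0000 5582cd19000000600000
nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061
 0000 556f462b000400610000
"""

# Constructed results of the cn=config search on the two live servers (rep1, rep3).
SAMPLE_REPLICA_ENTRIES = [
    "dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config\nnsDS5ReplicaId: 96\n",
    "dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config\nnsDS5ReplicaId: 91\n",
]

if __name__ == "__main__":
    active = active_replica_ids(SAMPLE_REPLICA_ENTRIES)
    for e in parse_ruv(SAMPLE_RUV_LDIF):
        last = e["maxcsn"]["time"].isoformat() if e["maxcsn"] else "n/a"
        print("replica %4d %-16s last change %s  %s" % (
            e["rid"], e["url"], last, "active" if e["rid"] in active else "STALE"))
```

The max CSN's timestamp tells you when the stale replica last issued a change, which is the quickest sanity check before cleaning its rid.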
From abokovoy at redhat.com Fri Jun 19 12:40:01 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 19 Jun 2015 08:40:01 -0400 (EDT)
Subject: [Freeipa-users] ipa schema-compat, DIT view and replication
In-Reply-To: <1815684832.134478.1434706632484.JavaMail.zimbra@chemaxon.com>
References: <1815684832.134478.1434706632484.JavaMail.zimbra@chemaxon.com>
Message-ID: <37154838.5531534.1434717601474.JavaMail.zimbra@redhat.com>

----- Original Message -----
> Hello,
>
> we migrated to centos7.1 and ipa server 4.1.0.
> DIT view using schema compat plugin is working on one instance -
> celebrations.
>
> We are using a 4 way cluster of ipa servers.
> The schema-compat-container does not get replicated.
> Is there a way - apart making the change on the replica - to make it work?

schema-compat is not replicated because it is not a real data container.
Rather, it is a virtual view of some other data in the directory.

--
/ Alexander Bokovoy

From simo at redhat.com Fri Jun 19 12:50:28 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 19 Jun 2015 08:50:28 -0400
Subject: [Freeipa-users] ipa schema-compat, DIT view and replication
In-Reply-To: <37154838.5531534.1434717601474.JavaMail.zimbra@redhat.com>
References: <1815684832.134478.1434706632484.JavaMail.zimbra@chemaxon.com> <37154838.5531534.1434717601474.JavaMail.zimbra@redhat.com>
Message-ID: <1434718228.2716.82.camel@willson.usersys.redhat.com>

On Fri, 2015-06-19 at 08:40 -0400, Alexander Bokovoy wrote:
> > The schema-compat-container does not get replicated.
> > Is there a way - apart making the change on the replica - to make it work?
> schema-compat is not replicated because it is not a real data container.
> Rather, it is a virtual view of some other data in the directory.

What this means is that you need to explicitly turn on schema compat on each server you want to use to serve it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From aebruno2 at buffalo.edu Fri Jun 19 18:22:40 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Fri, 19 Jun 2015 14:22:40 -0400
Subject: [Freeipa-users] ipa replica failure
Message-ID: <20150619182240.GA8365@dead.ccr.buffalo.edu>

Hello,

First time troubleshooting an ipa server failure and looking for some guidance on how best to proceed.

First some background on our setup:

Servers are running freeipa v4.1.0 on CentOS 7.1.1503:
- ipa-server-4.1.0-18.el7.centos.3.x86_64
- 389-ds-base-1.3.3.1-16.el7_1.x86_64

3 ipa-servers, 1 first master (rep1) and 2 (rep2, rep3) replicates. The replicates were setup to be ca's (i.e. ipa-replica-install --setup-ca...)

We have ~3000 user accounts (~1000 active the rest disabled). We have ~700 hosts enrolled (all installed using ipa-client-install and running sssd). Host clients are a mix of centos 7 and centos 6.5.

We recently discovered one of our replica servers (rep2) was not responding. A quick check of the dirsrv logs /var/log/dirsrv/slapd-XXXX/errors (sanitized):

PR_Accept() failed, Netscape Portable Runtime error (Process open FD table is full.)
...
The server was rebooted and after coming back up had these errors in the logs:

389-Directory/1.3.3.1 B2015.118.1941 replica2:636 (/etc/dirsrv/slapd-XXXX)
[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery
[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to trickle, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery)
[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery
[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery)
[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery
[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery)
[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery
[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery)
[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery
[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery)
[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery
[16/Jun/2015:10:12:33 -0400] - checkpoint_threadmain: log archive failed - BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery (-30973)
....
[16/Jun/2015:16:24:04 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
[16/Jun/2015:16:24:04 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
...
[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=XXX. Check if DB RUV needs to be updated
[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 55770068000300030000
[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f4632001400040000
[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f4631004d00050000
[16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 111 (Connection refused)
[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-rep2 (rep1:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f46290005005b0000
[16/Jun/2015:16:24:15 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/rep2] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[16/Jun/2015:16:24:15 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 111 (Connection refused)
[16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[16/Jun/2015:16:24:15 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xxx--no CoS Templates found, which should be added before the CoS Definition.
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301438 (rc: 32)
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301439 (rc: 32)
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301440 (rc: 32)
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301441 (rc: 32)
....
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301443 (rc: 32)
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301444 (rc: 32)
[16/Jun/2015:16:24:15 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/Jun/2015:16:24:15 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[16/Jun/2015:16:24:15 -0400] - Listening on /var/run/slapd-CCR-BUFFALO-EDU.socket for LDAPI requests
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301445 (rc: 32)
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301446 (rc: 32)
[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301447 (rc: 32)
...
[16/Jun/2015:16:24:24 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 336362 (rc: 32)
[16/Jun/2015:16:24:24 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[16/Jun/2015:16:24:24 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-rep2-pki-tomcat" (rep1:389): Replication bind with SIMPLE auth resumed
[16/Jun/2015:16:24:25 -0400] NSMMReplicationPlugin - agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth resumed
[16/Jun/2015:16:27:28 -0400] - Operation error fetching Null DN (0ce19ce4-146611e5-8135a170-bd40e05c), error -30993.
[16/Jun/2015:16:27:28 -0400] - dn2entry_ext: Failed to get id for changenumber=336746,cn=changelog from entryrdn index (-30993)
[16/Jun/2015:16:27:28 -0400] - Operation error fetching changenumber=336746,cn=changelog (null), error -30993.
[16/Jun/2015:16:27:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 336746, dn = changenumber=336746,cn=changelog: Operations error.
[16/Jun/2015:16:27:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
..
[16/Jun/2015:16:27:36 -0400] - Operation error fetching changenumber=336762,cn=changelog (null), error -30993.
[16/Jun/2015:16:27:36 -0400] DSRetroclPlugin - replog: an error occured while adding change number 336762, dn = changenumber=336762,cn=changelog: Operations error.
[16/Jun/2015:16:27:36 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
[16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
[17/Jun/2015:13:41:23 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 3025 max work q stack size 5
[17/Jun/2015:13:41:23 -0400] - slapd shutting down - waiting for 30 threads to terminate

Assuming we had a corrupted database we first attempted to remove the replicate by logging into the first master and running:

# ipa-replica-manage del rep2

This process hung indefinitely. So we proceeded to shut down all ipa services on rep2 (systemctl stop ipa), then re-ran the command on the first master:

# ipa-replica-manage -v --force del rep2

This appeared to work ok and rep2 appears to have been deleted:

# ipa-replica-manage list
rep3: master
rep1: master

However, when querying ldap nsDS5ReplicationAgreement we still see rep2 with a replica 97 id for the ipaca:

# ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL
dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: masterAgreement1-rep3-pki-tomcat
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: rep3
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaTransportInfo: TLS
description: masterAgreement1-rep3-pki-tomcat
..
nsds50ruv: {replicageneration} 5527f74b000000600000
nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b0000 5582c7e40004005b0000
nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060 0000 5582cd19000000600000
nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061 0000 556f462b000400610000
nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 00000000
nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 00000000
nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 00000000
nsds5replicaLastUpdateStart: 20150619173149Z
nsds5replicaLastUpdateEnd: 20150619173149Z
nsds5replicaChangesSentSinceStartup:: OTY6MTI0LzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

Questions:

0. Is it likely that after running out of file descriptors the dirsrv slapd database on rep2 was corrupted?

1. Do we have to run ipa-replica-manage del rep2 on *each* of the remaining replica servers (rep1 and rep3)? Or should it just be run on the first master? Do we need to run ipa-csreplica-manage del as well?

2. Why does the rep2 server still appear when querying the nsDS5ReplicationAgreement in ldap? Is this benign or will this pose problems when we go to add rep2 back in?

3. What steps/commands can we take to verify rep2 was successfully removed and replication is behaving normally?

We had tuned our servers according to the rhel Performance Tuning Guide:

# cat /proc/sys/fs/file-max
6534908

# cat /etc/security/limits.d/40-freeipa.conf
* soft nofile 8192
* hard nofile 8192

# cat /etc/sysctl.d/40-freeipa.conf
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_keepalive_time = 300

# cat /etc/sysconfig/dirsrv.systemd
[Service]
LimitNOFILE=8192

We're now considering increasing the nofile to something larger to prevent running out of file descriptors. Any guidance on what number to set this to?

Many thanks in advance for any help.
--Andrew

From David.Fitzgerald at millersville.edu Fri Jun 19 18:23:46 2015
From: David.Fitzgerald at millersville.edu (David Fitzgerald)
Date: Fri, 19 Jun 2015 18:23:46 +0000
Subject: [Freeipa-users] question on Active Directory and FreeIPA
Message-ID: <958EF916EB06874283F9B8F820726DD3BA0E946E@FSMB1.muad.local>

Hello,

Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do.

Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it to manage about 200 users and 90 Scientific Linux workstations, and everything works great. Unfortunately I have been told that I must now use the University's Active Directory to authenticate all of my users.

I have read the documentation on FreeIPA / AD integration and am not sure if that will meet my requirements. All my Linux users' home directories are auto mounted on login from a CentOS 7 NFS server with their bash profiles etc. run off that mount. From what I have read it seems to me that FreeIPA / AD integration is more focused on getting Windows users to be able to log into a Linux machine with access to their Windows folders and profiles (oddjob creating a local home directory on the Linux box, etc.). I don't want this. All I need is to simply authenticate the user using AD (BTW their IPA usernames and AD usernames are the same other than the domain) then use the info from FreeIPA as I do now. I don't need any folders mounted from the Windows servers.

Have I completely mis-read the documentation and I can do this by integrating FreeIPA and AD? Is there an easy way to do this? I am not a Windows AD expert by any means.

Thanks for your help!

Dave
++++++++++++++++++++++++++++++
David Fitzgerald
Department of Earth Science
Millersville University
Millersville, PA 17551
Phone: 717-871-7436
E-Mail: david.fitzgerald at millersville.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From nathan at nathanpeters.com Fri Jun 19 18:44:33 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 19 Jun 2015 11:44:33 -0700
Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
Message-ID: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com>

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name. For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:

invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

From rmeggins at redhat.com Fri Jun 19 18:57:38 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 19 Jun 2015 12:57:38 -0600
Subject: [Freeipa-users] ipa replica failure
In-Reply-To: <20150619182240.GA8365@dead.ccr.buffalo.edu>
References: <20150619182240.GA8365@dead.ccr.buffalo.edu>
Message-ID: <55846622.2080401@redhat.com>

On 06/19/2015 12:22 PM, Andrew E. Bruno wrote:
> Hello,
>
> First time trouble shooting an ipa server failure and looking for some
> guidance on how best to proceed.
> > First some background on our setup: > > Servers are running freeipa v4.1.0 on CentOS 7.1.1503: > > - ipa-server-4.1.0-18.el7.centos.3.x86_64 > - 389-ds-base-1.3.3.1-16.el7_1.x86_64 > > 3 ipa-servers, 1 first master (rep1) and 2 (rep2, rep3) replicates. The > replicates were setup to be ca's (i.e. ipa-replica-install --setup-ca...) > > We have ~3000 user accounts (~1000 active the rest disabled). We have > ~700 hosts enrolled (all installed using ipa-client-install and running > sssd). Hosts clients are a mix of centos 7 and centos 6.5. > > > We recently discovered one of our replica servers (rep2) was not > responding. A quick check of the dirsrv logs > /var/log/dirsrv/slapd-XXXX/errors (sanitized): > > PR_Accept() failed, Netscape Portable Runtime error (Process open > FD table is full.) > ... > > The server was rebooted and after coming back up had these errors in the logs: > > 389-Directory/1.3.3.1 B2015.118.1941 > replica2:636 (/etc/dirsrv/slapd-XXXX) > > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to trickle, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > 
[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - checkpoint_threadmain: log archive failed - BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery (-30973) > .... > [16/Jun/2015:16:24:04 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up > [16/Jun/2015:16:24:04 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. > ... > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=XXX. Check if DB RUV needs to be updated > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 55770068000300030000 > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f4632001400040000 > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f4631004d00050000 > [16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 111 (Connection refused) > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-rep2 (rep1:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) () > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. 
Check if DB RUV needs to be updated > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f46290005005b0000 > [16/Jun/2015:16:24:15 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/rep2] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) > [16/Jun/2015:16:24:15 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 111 (Connection refused) > [16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () > [16/Jun/2015:16:24:15 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xxx--no CoS Templates found, which should be added before the CoS Definition. > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301438 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301439 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301440 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301441 (rc: 32) > .... > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301443 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301444 (rc: 32) > [16/Jun/2015:16:24:15 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests > [16/Jun/2015:16:24:15 -0400] - Listening on All Interfaces port 636 for LDAPS requests > [16/Jun/2015:16:24:15 -0400] - Listening on /var/run/slapd-CCR-BUFFALO-EDU.socket for LDAPI requests > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301445 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301446 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301447 (rc: 32) > ... > [16/Jun/2015:16:24:24 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 336362 (rc: 32) > [16/Jun/2015:16:24:24 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) > [16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > [16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) > [16/Jun/2015:16:24:24 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-rep2-pki-tomcat" (rep1:389): Replication bind with SIMPLE auth resumed > [16/Jun/2015:16:24:25 -0400] NSMMReplicationPlugin - agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth resumed > [16/Jun/2015:16:27:28 -0400] - Operation error fetching Null DN (0ce19ce4-146611e5-8135a170-bd40e05c), error -30993. > [16/Jun/2015:16:27:28 -0400] - dn2entry_ext: Failed to get id for changenumber=336746,cn=changelog from entryrdn index (-30993) > [16/Jun/2015:16:27:28 -0400] - Operation error fetching changenumber=336746,cn=changelog (null), error -30993. 
> [16/Jun/2015:16:27:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 336746, dn = changenumber=336746,cn=changelog: Operations error. > [16/Jun/2015:16:27:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > .. > [16/Jun/2015:16:27:36 -0400] - Operation error fetching changenumber=336762,cn=changelog (null), error -30993. > [16/Jun/2015:16:27:36 -0400] DSRetroclPlugin - replog: an error occured while adding change number 336762, dn = changenumber=336762,cn=changelog: Operations error. > [16/Jun/2015:16:27:36 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > [16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 > [16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 > [17/Jun/2015:13:41:23 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 3025 max work q stack size 5 > [17/Jun/2015:13:41:23 -0400] - slapd shutting down - waiting for 30 threads to terminate > > > Assuming we had a corrupted database we first attempted to remove the replicate > by logging into the first master and running: > > # ipa-replica-manage del rep2 > > This process hung indefinitely. So we proceeded to shutdown all ipa services on > rep2 (systemctl stop ipa).. 
then re-ran the command on the first master: > > # ipa-replica-manage -v --force del rep2 > > This appeared to work ok and rep2 appears to have been deleted: > > # ipa-replica-manage list > rep3: master > rep1: master > > However, when querying ldap nsDS5ReplicationAgreement we still see rep2 with a > replica 97 id for the ipca: > > # ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL > > dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config > objectClass: top > objectClass: nsds5replicationagreement > cn: masterAgreement1-rep3-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: rep3 > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: masterAgreement1-rep3-pki-tomcat > .. > nsds50ruv: {replicageneration} 5527f74b000000600000 > nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b > 0000 5582c7e40004005b0000 > nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060 > 0000 5582cd19000000600000 > nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061 > 0000 556f462b000400610000 > nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 0 > 0000000 > nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 0 > 0000000 > nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 0 > 0000000 > nsds5replicaLastUpdateStart: 20150619173149Z > nsds5replicaLastUpdateEnd: 20150619173149Z > nsds5replicaChangesSentSinceStartup:: OTY6MTI0LzAg > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > > Questions: > > 0. Is it likely that after running out of file descriptors the dirsrv > slapd database on rep2 was corrupted? 
That would appear to be the case based on correlation of events, although I've never seen that happen, and it is not supposed to happen.

>
> 1. Do we have to run ipa-replica-manage del rep2 on *each* of the
> remaining replica servers (rep1 and rep3)? Or should it just be run on
> the first master?

I believe it should only be run on the first master, but it hung, so something is not right, and I'm not sure how to remedy the situation.

> Do we need to run ipa-csreplicate-manage del as well?
>
> 2. Why does the rep2 server still appear when querying the
> nsDS5ReplicationAgreement in ldap? Is this benign or will this pose problems
> when we go to add rep2 back in?

You should remove it.

>
> 3. What steps/commands can we take to verify rep2 was successfully removed and
> replication is behaving normally?
>
> We had tuned our servers according to the rhel Performance Tuning
> Guide:
>
> # cat /proc/sys/fs/file-max
> 6534908
>
> # cat /etc/security/limits.d/40-freeipa.conf
> * soft nofile 8192
> * hard nofile 8192
>
> # cat /etc/sysctl.d/40-freeipa.conf
> net.ipv4.ip_local_port_range = 1024 65000
> net.ipv4.tcp_keepalive_time = 300
>
> # cat /etc/sysconfig/dirsrv.systemd
> [Service]
> LimitNOFILE=8192
>
> We're now considering increasing the nofile to something larger to
> prevent running out of file descriptors. Any guidance on what number to
> set this to?

8192 is extremely high. The fact that you ran out of file descriptors at 8192 seems like a bug/fd leak somewhere. I suppose you could, as a very temporary workaround, set the fd limit higher, but that is no guarantee that you won't run out again.

Please file at least 1 ticket e.g. "database corrupted when server ran out of file descriptors", with as much information about that particular problem as you can provide.

>
> Many thanks in advance for any help.
>
> --Andrew
>

From jhrozek at redhat.com Fri Jun 19 19:15:07 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 19 Jun 2015 21:15:07 +0200
Subject: [Freeipa-users] question on Active Directory and FreeIPA
In-Reply-To: <958EF916EB06874283F9B8F820726DD3BA0E946E@FSMB1.muad.local>
References: <958EF916EB06874283F9B8F820726DD3BA0E946E@FSMB1.muad.local>
Message-ID: <20150619191507.GE3006@hendrix>

On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote:
> Hello,
>
> Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do.
> Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using
> it to manage about 200 users and 90 Scientific Linux workstations, and
> everything works great. Unfortunately I have been told that I must now
> use the University's Active Directory to authenticate all of my users.
> I have read the documentation on FreeIPA / AD integration and am not sure if
> that will meet my requirements. All my Linux users' home directories are
> auto mounted on login from a CentOS 7 NFS server with their bash profiles
> etc. run off that mount. From what I have read it seems to me that
> FreeIPA / AD integration is more focused on getting Windows users to be
> able to log into a Linux machine with access to their Windows folders and
> profiles (oddjob creating a local home directory on the Linux box, etc.)
> I don't want this. All I need is to simply authenticate the user using AD
> (BTW their IPA usernames and AD usernames are the same other than the
> domain) then use the info from FreeIPA as I do now. I don't need any
> folders mounted from the Windows servers.
> Have I completely mis-read the documentation and I can do this by integrating FreeIPA and AD? Is there an easy way to do this? I am not a Windows AD expert by any means.
I'm not sure I completely answer your question, but in case of IPA-AD trust, the AD users always authenticate against AD, even in case of password authentication on an IPA box. The passwords are not synchronized in any way.

So I guess having the user accounts in AD, but keeping the automount info, sudo rules etc would satisfy your requirements?

With the recent 'views' feature, you can set POSIX attributes for IPA users without touching the AD LDAP schema, even per-host.

From rcritten at redhat.com Fri Jun 19 19:18:50 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Jun 2015 15:18:50 -0400
Subject: [Freeipa-users] ipa replica failure
In-Reply-To: <55846622.2080401@redhat.com>
References: <20150619182240.GA8365@dead.ccr.buffalo.edu> <55846622.2080401@redhat.com>
Message-ID: <55846B1A.90605@redhat.com>

Rich Megginson wrote:
> On 06/19/2015 12:22 PM, Andrew E. Bruno wrote:
>> Hello,
>>
>> First time trouble shooting an ipa server failure and looking for some
>> guidance on how best to proceed.
>>
>> First some background on our setup:
>>
>> Servers are running freeipa v4.1.0 on CentOS 7.1.1503:
>>
>> - ipa-server-4.1.0-18.el7.centos.3.x86_64
>> - 389-ds-base-1.3.3.1-16.el7_1.x86_64
>>
>> 3 ipa-servers, 1 first master (rep1) and 2 (rep2, rep3) replicates. The
>> replicates were setup to be ca's (i.e. ipa-replica-install --setup-ca...)
>>
>> We have ~3000 user accounts (~1000 active the rest disabled). We have
>> ~700 hosts enrolled (all installed using ipa-client-install and running
>> sssd). Hosts clients are a mix of centos 7 and centos 6.5.
>>
>>
>> We recently discovered one of our replica servers (rep2) was not
>> responding. A quick check of the dirsrv logs
>> /var/log/dirsrv/slapd-XXXX/errors (sanitized):
>>
>> PR_Accept() failed, Netscape Portable Runtime error (Process open
>> FD table is full.)
>> ...
>> >> The server was rebooted and after coming back up had these errors in >> the logs: >> >> 389-Directory/1.3.3.1 B2015.118.1941 >> replica2:636 (/etc/dirsrv/slapd-XXXX) >> >> [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region >> error detected; run recovery >> [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to trickle, >> err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) >> [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region >> error detected; run recovery >> [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock >> detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal >> error, run database recovery) >> [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region >> error detected; run recovery >> [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock >> detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal >> error, run database recovery) >> [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region >> error detected; run recovery >> [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint >> database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run >> database recovery) >> [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region >> error detected; run recovery >> [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint >> database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run >> database recovery) >> [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region >> error detected; run recovery >> [16/Jun/2015:10:12:33 -0400] - checkpoint_threadmain: log archive >> failed - BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery >> (-30973) >> .... >> [16/Jun/2015:16:24:04 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 >> starting up >> [16/Jun/2015:16:24:04 -0400] - Detected Disorderly Shutdown last time >> Directory Server was running, recovering database. >> ... 
>> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - >> replica_check_for_data_reload: Warning: disordely shutdown for replica >> dc=XXX. Check if DB RUV needs to be updated >> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of >> database RUV (from CL RUV) -> 55770068000300030000 >> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of >> database RUV (from CL RUV) -> 556f4632001400040000 >> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of >> database RUV (from CL RUV) -> 556f4631004d00050000 >> [16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not send >> startTLS request: error -1 (Can't contact LDAP server) errno 111 >> (Connection refused) >> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - >> agmt="cn=cloneAgreement1-rep2 (rep1:389): Replication bind with SIMPLE >> auth failed: LDAP error -1 (Can't contact LDAP server) () >> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - >> replica_check_for_data_reload: Warning: disordely shutdown for replica >> o=ipaca. 
Check if DB RUV needs to be updated >> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of >> database RUV (from CL RUV) -> 556f46290005005b0000 >> [16/Jun/2015:16:24:15 -0400] set_krb5_creds - Could not get initial >> credentials for principal [ldap/rep2] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for >> requested realm) >> [16/Jun/2015:16:24:15 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -1 (Can't contact LDAP server) ((null)) errno 111 (Connection refused) >> [16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -1 (Can't contact LDAP server) >> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - >> agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth >> failed: LDAP error -1 (Can't contact LDAP server) () >> [16/Jun/2015:16:24:15 -0400] - Skipping CoS Definition cn=Password >> Policy,cn=accounts,dc=xxx--no CoS Templates found, which should be >> added before the CoS Definition. >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301438 (rc: 32) >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301439 (rc: 32) >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301440 (rc: 32) >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301441 (rc: 32) >> .... >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301443 (rc: 32) >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301444 (rc: 32) >> [16/Jun/2015:16:24:15 -0400] - slapd started. 
Listening on All >> Interfaces port 389 for LDAP requests >> [16/Jun/2015:16:24:15 -0400] - Listening on All Interfaces port 636 >> for LDAPS requests >> [16/Jun/2015:16:24:15 -0400] - Listening on >> /var/run/slapd-CCR-BUFFALO-EDU.socket for LDAPI requests >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301445 (rc: 32) >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301446 (rc: 32) >> [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 301447 (rc: 32) >> ... >> [16/Jun/2015:16:24:24 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 336362 (rc: 32) >> [16/Jun/2015:16:24:24 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint >> is not connected) >> [16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -1 (Can't contact LDAP server) >> [16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not send >> startTLS request: error -1 (Can't contact LDAP server) errno 107 >> (Transport endpoint is not connected) >> [16/Jun/2015:16:24:24 -0400] NSMMReplicationPlugin - >> agmt="cn=cloneAgreement1-rep2-pki-tomcat" (rep1:389): Replication bind >> with SIMPLE auth resumed >> [16/Jun/2015:16:24:25 -0400] NSMMReplicationPlugin - >> agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth resumed >> [16/Jun/2015:16:27:28 -0400] - Operation error fetching Null DN >> (0ce19ce4-146611e5-8135a170-bd40e05c), error -30993. 
>> [16/Jun/2015:16:27:28 -0400] - dn2entry_ext: Failed to get id for >> changenumber=336746,cn=changelog from entryrdn index (-30993) >> [16/Jun/2015:16:27:28 -0400] - Operation error fetching >> changenumber=336746,cn=changelog (null), error -30993. >> [16/Jun/2015:16:27:28 -0400] DSRetroclPlugin - replog: an error >> occured while adding change number 336746, dn = >> changenumber=336746,cn=changelog: Operations error. >> [16/Jun/2015:16:27:28 -0400] retrocl-plugin - retrocl_postob: >> operation failure [1] >> .. >> [16/Jun/2015:16:27:36 -0400] - Operation error fetching >> changenumber=336762,cn=changelog (null), error -30993. >> [16/Jun/2015:16:27:36 -0400] DSRetroclPlugin - replog: an error >> occured while adding change number 336762, dn = >> changenumber=336762,cn=changelog: Operations error. >> [16/Jun/2015:16:27:36 -0400] retrocl-plugin - retrocl_postob: >> operation failure [1] >> [16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, >> err=0 BDB0062 Successful return: 0 >> [16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, >> err=0 BDB0062 Successful return: 0 >> [17/Jun/2015:13:41:23 -0400] - slapd shutting down - signaling >> operation threads - op stack size 0 max work q size 3025 max work q >> stack size 5 >> [17/Jun/2015:13:41:23 -0400] - slapd shutting down - waiting for 30 >> threads to terminate >> >> >> Assuming we had a corrupted database we first attempted to remove the >> replicate >> by logging into the first master and running: >> >> # ipa-replica-manage del rep2 >> >> This process hung indefinitely. So we proceeded to shutdown all ipa >> services on >> rep2 (systemctl stop ipa).. 
then re-ran the command on the first master: >> >> # ipa-replica-manage -v --force del rep2 >> >> This appeared to work ok and rep2 appears to have been deleted: >> >> # ipa-replica-manage list >> rep3: master >> rep1: master >> >> However, when querying ldap nsDS5ReplicationAgreement we still see >> rep2 with a >> replica 97 id for the ipca: >> >> # ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" >> objectClass=nsDS5ReplicationAgreement -LL >> >> dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping >> tree,cn=config >> objectClass: top >> objectClass: nsds5replicationagreement >> cn: masterAgreement1-rep3-pki-tomcat >> nsDS5ReplicaRoot: o=ipaca >> nsDS5ReplicaHost: rep3 >> nsDS5ReplicaPort: 389 >> nsDS5ReplicaBindDN: cn=Replication Manager >> cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config >> nsDS5ReplicaBindMethod: Simple >> nsDS5ReplicaTransportInfo: TLS >> description: masterAgreement1-rep3-pki-tomcat >> .. >> nsds50ruv: {replicageneration} 5527f74b000000600000 >> nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b >> 0000 5582c7e40004005b0000 >> nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060 >> 0000 5582cd19000000600000 >> nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061 >> 0000 556f462b000400610000 >> nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 0 >> 0000000 >> nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 0 >> 0000000 >> nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 0 >> 0000000 >> nsds5replicaLastUpdateStart: 20150619173149Z >> nsds5replicaLastUpdateEnd: 20150619173149Z >> nsds5replicaChangesSentSinceStartup:: OTY6MTI0LzAg >> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: >> Incremental upd >> ate succeeded >> nsds5replicaUpdateInProgress: FALSE >> nsds5replicaLastInitStart: 0 >> nsds5replicaLastInitEnd: 0 >> >> >> Questions: >> >> 0. Is it likely that after running out of file descriptors the dirsrv >> slapd database on rep2 was corrupted? 
>
> That would appear to be the case based on correlation of events,
> although I've never seen that happen, and it is not supposed to happen.
>
>>
>> 1. Do we have to run ipa-replica-manage del rep2 on *each* of the
>> remaining replica servers (rep1 and rep3)? Or should it just be run on
>> the first master?
>
> I believe it should only be run on the first master, but it hung, so
> something is not right, and I'm not sure how to remedy the situation.

How long did it hang, and where?

>> Do we need to run ipa-csreplicate-manage del as well?
>>
>> 2. Why does the rep2 server still appear when querying the
>> nsDS5ReplicationAgreement in ldap? Is this benign or will this pose
>> problems
>> when we go to add rep2 back in?
>
> You should remove it.

And ipa-csreplica-manage is the tool to do it.

>>
>> 3. What steps/commands can we take to verify rep2 was successfully
>> removed and
>> replication is behaving normally?

The ldapsearch you performed already will confirm that the CA agreement has been removed.

>>
>> We had tuned our servers according to the rhel Performance Tuning
>> Guide:
>>
>> # cat /proc/sys/fs/file-max
>> 6534908
>>
>> # cat /etc/security/limits.d/40-freeipa.conf
>> * soft nofile 8192
>> * hard nofile 8192
>>
>> # cat /etc/sysctl.d/40-freeipa.conf
>> net.ipv4.ip_local_port_range = 1024 65000
>> net.ipv4.tcp_keepalive_time = 300
>>
>> # cat /etc/sysconfig/dirsrv.systemd
>> [Service]
>> LimitNOFILE=8192
>>
>> We're now considering increasing the nofile to something larger to
>> prevent running out of file descriptors. Any guidance on what number to
>> set this to?
>
> 8192 is extremely high. The fact that you ran out of file descriptors
> at 8192 seems like a bug/fd leak somewhere. I suppose you could, as a
> very temporary workaround, set the fd limit higher, but that is no
> guarantee that you won't run out again.
>
> Please file at least 1 ticket e.g.
"database corrupted when server ran > out of file descriptors", with as much information about that particular > problem as you can provide. > >> >> Many thanks in advance for any help. >> >> --Andrew >> > From simo at redhat.com Fri Jun 19 19:30:38 2015 From: simo at redhat.com (Simo Sorce) Date: Fri, 19 Jun 2015 15:30:38 -0400 Subject: [Freeipa-users] question on Active Directory and FreeIPA In-Reply-To: <20150619191507.GE3006@hendrix> References: <958EF916EB06874283F9B8F820726DD3BA0E946E@FSMB1.muad.local> <20150619191507.GE3006@hendrix> Message-ID: <1434742238.2716.112.camel@willson.usersys.redhat.com> On Fri, 2015-06-19 at 21:15 +0200, Jakub Hrozek wrote: > On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote: > > Hello, > > > > Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do. > > Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using > > it to manage about 200 users and 90 Scientific Linux workstations, and > > everything works great. Unfortunately I have been told that I must now > > use the University's Active Directory to authenticate all of my users. > > I have read the documentation on FreeIPA / AD integration and am not sure if > > that will meet my requirements. All my Linux users' home directories are > > auto mounted on login from a CentOS 7 NFS server with their bash profiles > > etc. run off that mount. From what I have read it seems to me that > > FreeIPA / AD integration is more focused on getting Windows users to be > > able to log into a Linux machine with access to their Windows folders and > > profiles (oddjob creating a local home directory on the Linux box, etc.) > > I don't want this. All I need is to simply authenticate the user using AD > > (BTW their IPA usernames and AD usernames are the same other than the > > domain) then use the info from FreeIPA as I do now. I don't need any > > folders mounted from the Windows servers. 
> > Have I completely misread the documentation and I can do this by integrating FreeIPA and AD? Is there an easy way to do this? I am not a Windows AD expert by any means. > > I'm not sure I completely answer your question, but in case of IPA-AD > trust, the AD users always authenticate against AD, even in case of > password authentication on an IPA box. The passwords are not > synchronized in any way. > > So I guess having the user accounts in AD, but keeping the automount > info, sudo rules etc would satisfy your requirements? > > With the recent 'views' feature, you can set POSIX attributes for IPA > users without touching the AD LDAP schema, even per-host. Just for clarity: note that use of these features will require an upgrade of your server to the latest Centos 7.2 (when it will be released). Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Jun 19 19:38:16 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Jun 2015 15:38:16 -0400 Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege In-Reply-To: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> Message-ID: <55846FA8.8090508@redhat.com> nathan at nathanpeters.com wrote: > FreeIPA server 4.1.3 on CentOS 7 > > I am trying to create a set of privileges or roles that will allow me to > create a user who has read-only access to as much of the FreeIPA web UI as > possible. Basically my manager wants the type of view into FreeIPA that > they have in AD using the 'AD Users and Computers' program). > > I note that there are quite a few read permissions in the permissions list. > I tried creating a new privilege called Read Only Administrator and > giving them all the permissions that have read only in the name. 
> > For some reason I can add all other system and full access permissions but > when I try to add a read only permission I get the following error: > invalid 'permission': cannot add permission "System: Read HBAC Rules" with > bindtype "all" to a privilege > > This applies not just the HBAC rule, but anything that has Read in the name. > > How do I create a read only user without getting this error message? You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access. rob From aebruno2 at buffalo.edu Fri Jun 19 19:57:38 2015 From: aebruno2 at buffalo.edu (Andrew E. Bruno) Date: Fri, 19 Jun 2015 15:57:38 -0400 Subject: [Freeipa-users] ipa replica failure In-Reply-To: <55846B1A.90605@redhat.com> References: <20150619182240.GA8365@dead.ccr.buffalo.edu> <55846622.2080401@redhat.com> <55846B1A.90605@redhat.com> Message-ID: <20150619195738.GB8858@dead.ccr.buffalo.edu> On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote: > Rich Megginson wrote: > >On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: > >> > >>Questions: > >> > >>0. Is it likely that after running out of file descriptors the dirsrv > >>slapd database on rep2 was corrupted? > > > >That would appear to be the case based on correlation of events, > >although I've never seen that happen, and it is not supposed to happen. > > > >> > >>1. Do we have to run ipa-replica-manage del rep2 on *each* of the > >>remaining replica servers (rep1 and rep3)? Or should it just be run on > >>the first master? > > > >I believe it should only be run on the first master, but it hung, so > >something is not right, and I'm not sure how to remedy the situation. > > How long did it hang, and where? This command was run on rep1 (first master): [rep1]$ ipa-replica-manage del rep2 This command hung.. (~10 minutes..) until I Ctrl-C. 
After noticing ldap queries were hanging on rep2 we ran this on rep2: [rep2]$ systemctl stop ipa (shut down all ipa services on rep2) Then back on rep1 (first master) [rep1]$ ipa-replica-manage -v --force del rep2 Which appeared to work ok. > > >>Do we need to run ipa-csreplica-manage del as well? > >> > >>2. Why does the rep2 server still appear when querying the > >>nsDS5ReplicationAgreement in ldap? Is this benign or will this pose > >>problems > >>when we go to add rep2 back in? > > > >You should remove it. > > And ipa-csreplica-manage is the tool to do it. When I run this on rep1 (first master): [rep1]$ ipa-csreplica-manage list Directory Manager password: rep3: master rep1: master [rep1]$ ipa-csreplica-manage del rep2 Directory Manager password: 'rep1' has no replication agreement for 'rep2' But seems to still be there: [rep1]$ ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replicationagreement cn: masterAgreement1-rep3-pki-tomcat nsDS5ReplicaRoot: o=ipaca nsDS5ReplicaHost: rep3 nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config nsDS5ReplicaBindMethod: Simple nsDS5ReplicaTransportInfo: TLS description: masterAgreement1-rep3-pki-tomcat nsds50ruv: {replicageneration} 5527f74b000000600000 nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b 0000 5582c7e40004005b0000 nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060 0000 5582cd19000000600000 nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061 0000 556f462b000400610000 nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 0 0000000 nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 0 0000000 nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 0 0000000 nsds5replicaLastUpdateStart: 20150619193149Z nsds5replicaLastUpdateEnd: 20150619193149Z 
nsds5replicaChangesSentSinceStartup:: OTY6MTMyLzAg nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd ate succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 0 nsds5replicaLastInitEnd: 0 However, when I run the ldapsearch on rep3 it's not there (the cn=ipaca,cn=mapping tree,cn=config is not listed): [rep3]$ ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL dn: cn=meTorep1,cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2C dc\3Dedu,cn=mapping tree,cn=config cn: meTorep1 objectClass: nsds5replicationagreement objectClass: top nsDS5ReplicaTransportInfo: LDAP description: me to rep1 nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu nsDS5ReplicaHost: rep1 > > >> > >>3. What steps/commands can we take to verify rep2 was successfully > >>removed and > >>replication is behaving normally? > > The ldapsearch you performed already will confirm that the CA agreement has > been removed. Still showing up.. Any thoughts? At this point we want to ensure both remaining masters are functional and operating normally. Any other commands you recommend running to check? > > > >8192 is extremely high. The fact that you ran out of file descriptors > >at 8192 seems like a bug/fd leak somewhere. I suppose you could, as a > >very temporary workaround, set the fd limit higher, but that is no > >guarantee that you won't run out again. > > > >Please file at least 1 ticket e.g. "database corrupted when server ran > >out of file descriptors", with as much information about that particular > >problem as you can provide. > > Will do. Thanks very much for all the help! 
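Andrew's question 3 (how to verify that rep2 is really gone) is where a small script helps: `ipa-replica-manage list` and `ipa-csreplica-manage list` only report hosts with live agreements, while the nsds50ruv attribute of each agreement keeps one element per replica ID the suffix has ever seen, which is why replica 97 (rep2) still shows up under o=ipaca on rep1. The following is an added example, not code from the thread or from FreeIPA. It parses the `ldapsearch ... -LL` output quoted above (SAMPLE_LDIF is a constructed copy of it, with the main-suffix DN changed to dc=example,dc=com), unfolds the continuation lines that split the CSNs, decodes the base64 `::` value, and lists RUV elements whose host is no longer a master, together with the time of that replica's last change decoded from its max CSN (8 hex chars of epoch time, 4 of sequence, 4 of replica ID, 4 of subsequence):

```python
"""Flag stale replica IDs in the RUV of 389-ds replication agreements.

Added example; not code from the thread or from FreeIPA. SAMPLE_LDIF is a
constructed copy of the ldapsearch -LL output quoted above (rep1/rep3 alive,
rep2 = replica 97 gone) plus a main-suffix agreement that is already clean."""
import base64
import re
from datetime import datetime, timezone

SAMPLE_LDIF = """\
dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: masterAgreement1-rep3-pki-tomcat
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: rep3
nsds50ruv: {replicageneration} 5527f74b000000600000
nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b
 0000 5582c7e40004005b0000
nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060
 0000 5582cd19000000600000
nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061
 0000 556f462b000400610000
nsds5replicaChangesSentSinceStartup:: OTY6MTMyLzAg

dn: cn=meTorep1,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meTorep1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: rep1
nsds50ruv: {replicageneration} 5527f74b000000600000
nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060
 0000 5582cd19000000600000
"""

# {replica <rid> <url>} <min csn> <max csn>; the {replicageneration} element does not match
RUV_RE = re.compile(r"\{replica (\d+) (ldaps?://([^:/}]+)[^}]*)\}\s*([0-9a-f]{20})?\s*([0-9a-f]{20})?")


def parse_ldif(text):
    """Entries as dicts (lower-cased attribute -> [values]); unfolds RFC 2849
    continuation lines (leading space) and decodes base64 `attr:: value`."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # drop only the fold marker
        else:
            unfolded.append(line)
    entries, entry = [], {}
    for line in unfolded:
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def parse_csn(csn):
    """Split a CSN: 8 hex chars of time, 4 of seq, 4 of replica id, 4 of subseq."""
    return {"time": datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc),
            "seq": int(csn[8:12], 16), "rid": int(csn[12:16], 16),
            "subseq": int(csn[16:20], 16)}


def ruv_elements(entry):
    """Yield (rid, host, min_csn, max_csn) per replica element of nsds50ruv."""
    for value in entry.get("nsds50ruv", []):
        m = RUV_RE.match(value)
        if m:
            rid, _url, host, min_csn, max_csn = m.groups()
            yield int(rid), host.lower(), min_csn, max_csn


def stale_ruv_elements(entries, current_masters):
    """RUV elements whose host is not in current_masters (the names printed by
    ipa-replica-manage list / ipa-csreplica-manage list). Hosts are compared
    by first label so `rep2` also matches `rep2.example.com`."""
    masters = {m.lower().split(".")[0] for m in current_masters}
    stale = []
    for e in entries:
        if "nsds5replicationagreement" not in [o.lower() for o in e.get("objectclass", [])]:
            continue
        for rid, host, _min_csn, max_csn in ruv_elements(e):
            if host.split(".")[0] in masters:
                continue
            last = parse_csn(max_csn) if max_csn else None
            stale.append({"suffix": e["nsds5replicaroot"][0], "agreement": e["cn"][0],
                          "rid": rid, "host": host,
                          "last_change": last["time"] if last else None,
                          # the rid embedded in the max CSN should equal the element's rid
                          "csn_rid_ok": (last["rid"] == rid) if last else None})
    return stale


if __name__ == "__main__":
    for s in stale_ruv_elements(parse_ldif(SAMPLE_LDIF), ["rep1", "rep3"]):
        print("%(suffix)s: replica %(rid)d (%(host)s) still in RUV of %(agreement)s, "
              "last change %(last_change)s" % s)
```

On a real server, feed the ldapsearch output to parse_ldif and pass the host names from both list commands; run it on every remaining master, since each one carries its own copy of the RUV. Deleting the agreement does not clear the element: that takes the CLEANALLRUV task, which `ipa-replica-manage clean-ruv <rid>` drives for the main suffix and which can be created directly for o=ipaca as an extensibleObject entry under cn=cleanallruv,cn=tasks,cn=config with replica-base-dn: o=ipaca and replica-id set to the stale ID. Do that before re-installing rep2, so the new server does not inherit a vector pointing at a replica ID that no longer exists.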
--Andrew From David.Fitzgerald at millersville.edu Fri Jun 19 20:15:37 2015 From: David.Fitzgerald at millersville.edu (David Fitzgerald) Date: Fri, 19 Jun 2015 20:15:37 +0000 Subject: [Freeipa-users] question on Active Directory and FreeIPA In-Reply-To: <20150619191507.GE3006@hendrix> References: <958EF916EB06874283F9B8F820726DD3BA0E946E@FSMB1.muad.local> <20150619191507.GE3006@hendrix> Message-ID: <958EF916EB06874283F9B8F820726DD3BA0E9888@FSMB1.muad.local> -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek Sent: Friday, June 19, 2015 3:15 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote: > Hello, > > Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do. > Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it > to manage about 200 users and 90 Scientific Linux workstations, and > everything works great. Unfortunately I have been told that I must > now use the University's Active Directory to authenticate all of my users. > I have read the documentation on FreeIPA / AD integration and am not > sure if that will meet my requirements. All my Linux users' home > directories are auto mounted on login from a CentOS 7 NFS server with their bash profiles > etc. run off that mount. From what I have read it seems to me that > FreeIPA / AD integration is more focused on getting Windows users to > be able to log into a Linux machine with access to their Windows > folders and profiles (oddjob creating a local home directory on the > Linux box, etc.) I don't want this. All I need is to simply > authenticate the user using AD (BTW their IPA usernames and AD > usernames are the same other than the > domain) then use the info from FreeIPA as I do now. 
I don't need any > folders mounted from the Windows servers. > Have I completely misread the documentation and I can do this by integrating FreeIPA and AD? Is there an easy way to do this? I am not a Windows AD expert by any means. I'm not sure I completely answer your question, but in case of IPA-AD trust, the AD users always authenticate against AD, even in case of password authentication on an IPA box. The passwords are not synchronized in any way. So I guess having the user accounts in AD, but keeping the automount info, sudo rules etc would satisfy your requirements? With the recent 'views' feature, you can set POSIX attributes for IPA users without touching the AD LDAP schema, even per-host. This is exactly what I need. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From janellenicole80 at gmail.com Fri Jun 19 21:20:55 2015 From: janellenicole80 at gmail.com (Janelle) Date: Fri, 19 Jun 2015 14:20:55 -0700 Subject: [Freeipa-users] Installing replica w/o CA? Message-ID: <558487B7.1040406@gmail.com> Maybe this is an obvious question - but I am missing the simple answer. If you create a master and want to create 3 replicas -- creating the first replica works just fine, but I want the 2nd replica chained off the first, and NOT the master. But unless you install a CA on that first replica, you get an error. 1. install master 2. ipa-replica-prepare -- rep001 -- copy file to rep001 3. ipa-replica-install on rep001 4. ipa-replica-prepare rep002 --- does not work saying you can only create replica from "master"? ~J From rcritten at redhat.com Fri Jun 19 21:42:18 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Jun 2015 17:42:18 -0400 Subject: [Freeipa-users] Installing replica w/o CA? 
In-Reply-To: <558487B7.1040406@gmail.com> References: <558487B7.1040406@gmail.com> Message-ID: <55848CBA.3040004@redhat.com> Janelle wrote: > Maybe this is an obvious question - but I am missing the simple answer. > If you create a master and want to create 3 replicas -- creating the > first replica works just fine, but I want the 2nd replica chained off > the first, and NOT the master. But unless you install a CA on that first > replica, you get an error. > > 1. install master > 2. ipa-replica-prepare -- rep001 -- copy file to rep001 > 3. ipa-replica-install on rep001 > 4. ipa-replica-prepare rep002 --- does not work saying you can only > create replica from "master"? Seems like poor language in the error message. The issue would come if you tried to stand up a CA on the new replica during install: it would have no CA to talk to. I think otherwise a master without a CA would be able to provide everything else necessary for the prepare file. You can use ipa-replica-manage connect/disconnect to tweak your replication topology. So create the replicas from a master that has a CA then add/delete connections as needed. 4.2 is going to introduce a new way to manage topology: http://www.freeipa.org/page/V4/Manage_replication_topology rob From simo at redhat.com Fri Jun 19 21:44:25 2015 From: simo at redhat.com (Simo Sorce) Date: Fri, 19 Jun 2015 17:44:25 -0400 Subject: [Freeipa-users] Installing replica w/o CA? In-Reply-To: <558487B7.1040406@gmail.com> References: <558487B7.1040406@gmail.com> Message-ID: <1434750265.2716.126.camel@willson.usersys.redhat.com> On Fri, 2015-06-19 at 14:20 -0700, Janelle wrote: > Maybe this is an obvious question - but I am missing the simple answer. > If you create a master and want to create 3 replicas -- creating the > first replica works just fine, but I want the 2nd replica chained off > the first, and NOT the master. But unless you install a CA on that first > replica, you get an error. > > 1. install master > 2. 
ipa-replica-prepare -- rep001 -- copy file to rep001 > 3. ipa-replica-install on rep001 > 4. ipa-replica-prepare rep002 --- does not work saying you can only > create replica from "master"? For now you can create replica files only on servers that have the CA, we may lift this restriction in future once we complete the replica promotion feature. Keep in mind that you can change replication topology after the install, so you do not have to keep the 3rd replica agreements with the first after you create agreements that connect the third to the second. Simo. -- Simo Sorce * Red Hat, Inc * New York From nathan at nathanpeters.com Fri Jun 19 22:09:40 2015 From: nathan at nathanpeters.com (nathan at nathanpeters.com) Date: Fri, 19 Jun 2015 15:09:40 -0700 Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege In-Reply-To: <55846FA8.8090508@redhat.com> References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> <55846FA8.8090508@redhat.com> Message-ID: <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> > nathan at nathanpeters.com wrote: >> FreeIPA server 4.1.3 on CentOS 7 >> >> I am trying to create a set of privileges or roles that will allow me to >> create a user who has read-only access to as much of the FreeIPA web UI >> as >> possible. Basically my manager want the type of view into FreeIPA that >> they have in AD using the 'AD Users and Computers program). >> >> I note that there are quite a few read permission in the permissions >> list. >> I tried creating a new privilege called Read Only Administrator and >> giving them all the permission that have read only in the name. 
>> >> For some reason I can add all other system and full access permissions >> but >> when I try to add a read only permission I get the following error : >> invalid 'permission': cannot add permission "System: Read HBAC Rules" >> with >> bindtype "all" to a privilege >> >> This applies not just the HBAC rule, but anything that has Read in the >> name. >> >> How do I create a read only user without getting this error message? > > You can't add a rule with bindtype all because this bindtype already > allows all authenticated users the rights granted by the rule, in this > case read access. > > rob > > That doesn't sound right. When I login to FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules. Also, If I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense. I can post screenshots if that helps. 
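The error Nathan quotes is the server refusing a privilege member that would change nothing: a permission's bind rule type (the attribute `ipa permission-show --all --raw` prints as ipapermbindruletype) decides who the ACI applies to before privileges, roles and groups are consulted. The model below is an added example, not code from the thread or from FreeIPA; it shows why an authenticated user in no group already holds "System: Read HBAC Rules" (bindtype all) while "System: Modify HBAC Rule" (bindtype permission) is only reachable through a privilege and a role. The privilege name "HBAC Administrator", the role "Security Specialist" and the group "hbac-admins" are assumptions made up for the example:

```python
"""How FreeIPA permission bind types decide who holds a right.

Added example for the "bindtype all" error above; it is a model, not code
from the thread or from FreeIPA. Privilege, role and group names are
assumptions made up for the example."""

# Bind rule type per permission (ipapermbindruletype): "all" applies to every
# authenticated bind, "anonymous" to any bind at all, "permission" only to
# members of a role that holds a privilege containing the permission.
PERMISSIONS = {
    "System: Read HBAC Rules": "all",
    "System: Modify HBAC Rule": "permission",
    "System: Add HBAC Rule": "permission",
}


def add_permission_to_privilege(privileges, privilege, permission, permissions=PERMISSIONS):
    """Mirror the server-side check behind the error quoted in the thread:
    only bindtype "permission" entries are meaningful privilege members."""
    bindtype = permissions[permission]
    if bindtype != "permission":
        raise ValueError(
            "invalid 'permission': cannot add permission \"%s\" with bindtype \"%s\" to a privilege"
            % (permission, bindtype))
    privileges.setdefault(privilege, set()).add(permission)


def effective_permissions(user, groups, authenticated, privileges, roles, permissions=PERMISSIONS):
    """Permissions a bind holds. roles maps role -> (privileges, member users/groups)."""
    held = {name for name, bindtype in permissions.items()
            if bindtype == "anonymous" or (bindtype == "all" and authenticated)}
    if authenticated:
        for role_privileges, members in roles.values():
            if user in members or set(groups) & members:
                for privilege in role_privileges:
                    held |= privileges.get(privilege, set())
    return held


def demo():
    """Assumed setup: role "Security Specialist" holds privilege
    "HBAC Administrator"; group hbac-admins is a member of the role."""
    privileges = {}
    roles = {"Security Specialist": ({"HBAC Administrator"}, {"hbac-admins"})}
    add_permission_to_privilege(privileges, "HBAC Administrator", "System: Modify HBAC Rule")
    rejected = None
    try:  # the step that fails in the thread
        add_permission_to_privilege(privileges, "Read Only Administrator", "System: Read HBAC Rules")
    except ValueError as exc:
        rejected = str(exc)
    return {
        "rejected": rejected,
        # authenticated user in no group: can already read HBAC rules, cannot modify
        "someuser": effective_permissions("someuser", set(), True, privileges, roles),
        # anonymous bind: nothing, because no permission here has bindtype "anonymous"
        "anonymous": effective_permissions(None, set(), False, privileges, roles),
        "hbac_admin": effective_permissions("alice", {"hbac-admins"}, True, privileges, roles),
    }


if __name__ == "__main__":
    for who, held in demo().items():
        print(who, "->", held)
```

The model explains the error; the server is the ground truth. To confirm on a real deployment, kinit as a user who is in no group and run an ldapsearch under cn=hbac,<your suffix>: the rules come back readable even though the web UI hides the HBAC menu, because the UI decides what to show from role membership, not from the ACIs.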
From rcritten at redhat.com Fri Jun 19 22:38:25 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Jun 2015 18:38:25 -0400 Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege In-Reply-To: <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> <55846FA8.8090508@redhat.com> <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> Message-ID: <558499E1.6080408@redhat.com> nathan at nathanpeters.com wrote: >> nathan at nathanpeters.com wrote: >>> FreeIPA server 4.1.3 on CentOS 7 >>> >>> I am trying to create a set of privileges or roles that will allow me to >>> create a user who has read-only access to as much of the FreeIPA web UI >>> as >>> possible. Basically my manager want the type of view into FreeIPA that >>> they have in AD using the 'AD Users and Computers program). >>> >>> I note that there are quite a few read permission in the permissions >>> list. >>> I tried creating a new privilege called Read Only Administrator and >>> giving them all the permission that have read only in the name. >>> >>> For some reason I can add all other system and full access permissions >>> but >>> when I try to add a read only permission I get the following error : >>> invalid 'permission': cannot add permission "System: Read HBAC Rules" >>> with >>> bindtype "all" to a privilege >>> >>> This applies not just the HBAC rule, but anything that has Read in the >>> name. >>> >>> How do I create a read only user without getting this error message? >> >> You can't add a rule with bindtype all because this bindtype already >> allows all authenticated users the rights granted by the rule, in this >> case read access. >> >> rob >> >> > > That doesn't sound right. 
When I login to FreeIPA web ui with a user who > is not part of any group, the only thing he can do is browse other users > and update his own password and SSH key. He does not get the HBAC menu > and definitely cannot browse HBAC rules. The UI handles those permissions differently.
$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com
> > Also, If I do this step backward and go directly to the RBAC -> > Permissions menu and choose a permission and edit it, I can add it to a > privilege, but if I go to the privilege and try to add the permission it > fails. This makes zero sense. > > I can post screenshots if that helps. > This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075 Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users. 
rob From nathan at nathanpeters.com Sat Jun 20 00:09:46 2015 From: nathan at nathanpeters.com (Nathan Peters) Date: Fri, 19 Jun 2015 17:09:46 -0700 Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege In-Reply-To: <558499E1.6080408@redhat.com> References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> <55846FA8.8090508@redhat.com> <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> <558499E1.6080408@redhat.com> Message-ID: -----Original Message----- From: Rob Crittenden Sent: Friday, June 19, 2015 3:38 PM To: nathan at nathanpeters.com Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege nathan at nathanpeters.com wrote: >> nathan at nathanpeters.com wrote: >>> FreeIPA server 4.1.3 on CentOS 7 >>> >>> I am trying to create a set of privileges or roles that will allow me to >>> create a user who has read-only access to as much of the FreeIPA web UI >>> as >>> possible. Basically my manager want the type of view into FreeIPA that >>> they have in AD using the 'AD Users and Computers program). >>> >>> I note that there are quite a few read permission in the permissions >>> list. >>> I tried creating a new privilege called Read Only Administrator and >>> giving them all the permission that have read only in the name. >>> >>> For some reason I can add all other system and full access permissions >>> but >>> when I try to add a read only permission I get the following error : >>> invalid 'permission': cannot add permission "System: Read HBAC Rules" >>> with >>> bindtype "all" to a privilege >>> >>> This applies not just the HBAC rule, but anything that has Read in the >>> name. >>> >>> How do I create a read only user without getting this error message? 
>> >> You can't add a rule with bindtype all because this bindtype already >> allows all authenticated users the rights granted by the rule, in this >> case read access. >> >> rob >> >> > > That doesn't sound right. When I login to FreeIPA web ui with a user who > is not part of any group, the only thing he can do is browse other users > and update his own password and SSH key. He does not get the HBAC menu > and definitely cannot browse HBAC rules. The UI handles those permissions differently.
$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com
> > Also, If I do this step backward and go directly to the RBAC -> > Permissions menu and choose a permission and edit it, I can add it to a > privilege, but if I go to the privilege and try to add the permission it > fails. This makes zero sense. > > I can post screenshots if that helps. > This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075 Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users. rob What do you mean by it is a no-op? Here is what I did that worked: 1) Create privilege called "Read only privilege" 2) Go to each permission individually that has the word "Read" in it and add them to the "read only privilege" privilege one at a time. There were about 65 of them. This is fine because we are not applying this to users, only applying the permissions to the privilege. 3) Next, go back to the read-only privilege and add some group that contains users. 4) Login to the webui as a user that is in the group that was added to the privilege and now you can see all menu options just like an admin, but everything is read only and any attempt to make changes results in a message that you don't have permission to make that change. 
This is currently working exactly as I expect it to once I set it up the long way. Result: Member can now browse the entire web ui and see everything, hosts, users, rbac rules, hbac rules, groups etc but in read only mode as expected. From janellenicole80 at gmail.com Sat Jun 20 04:08:15 2015 From: janellenicole80 at gmail.com (Janelle) Date: Fri, 19 Jun 2015 21:08:15 -0700 Subject: [Freeipa-users] ipa replica failure In-Reply-To: <20150619182240.GA8365@dead.ccr.buffalo.edu> References: <20150619182240.GA8365@dead.ccr.buffalo.edu> Message-ID: <5584E72F.40906@gmail.com> On 6/19/15 11:22 AM, Andrew E. Bruno wrote: > Hello, > > First time troubleshooting an ipa server failure and looking for some > guidance on how best to proceed. > > First some background on our setup: > > Servers are running freeipa v4.1.0 on CentOS 7.1.1503: > > - ipa-server-4.1.0-18.el7.centos.3.x86_64 > - 389-ds-base-1.3.3.1-16.el7_1.x86_64 > > 3 ipa-servers, 1 first master (rep1) and 2 (rep2, rep3) replicas. The > replicas were set up to be CAs (i.e. ipa-replica-install --setup-ca...) > > We have ~3000 user accounts (~1000 active the rest disabled). We have > ~700 hosts enrolled (all installed using ipa-client-install and running > sssd). Host clients are a mix of centos 7 and centos 6.5. > > > We recently discovered one of our replica servers (rep2) was not > responding. A quick check of the dirsrv logs > /var/log/dirsrv/slapd-XXXX/errors (sanitized): > > PR_Accept() failed, Netscape Portable Runtime error (Process open > FD table is full.) > ... 
> > The server was rebooted and after coming back up had these errors in the logs: > > 389-Directory/1.3.3.1 B2015.118.1941 > replica2:636 (/etc/dirsrv/slapd-XXXX) > > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to trickle, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > [16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > [16/Jun/2015:10:12:33 -0400] - checkpoint_threadmain: log archive failed - BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery (-30973) > .... > [16/Jun/2015:16:24:04 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up > [16/Jun/2015:16:24:04 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. > ... 
> [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=XXX. Check if DB RUV needs to be updated > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 55770068000300030000 > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f4632001400040000 > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f4631004d00050000 > [16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 111 (Connection refused) > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-rep2 (rep1:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) () > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. 
Check if DB RUV needs to be updated > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f46290005005b0000 > [16/Jun/2015:16:24:15 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/rep2] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) > [16/Jun/2015:16:24:15 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 111 (Connection refused) > [16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > [16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () > [16/Jun/2015:16:24:15 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xxx--no CoS Templates found, which should be added before the CoS Definition. > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301438 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301439 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301440 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301441 (rc: 32) > .... > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301443 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301444 (rc: 32) > [16/Jun/2015:16:24:15 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests > [16/Jun/2015:16:24:15 -0400] - Listening on All Interfaces port 636 for LDAPS requests > [16/Jun/2015:16:24:15 -0400] - Listening on /var/run/slapd-CCR-BUFFALO-EDU.socket for LDAPI requests > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301445 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301446 (rc: 32) > [16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301447 (rc: 32) > ... > [16/Jun/2015:16:24:24 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 336362 (rc: 32) > [16/Jun/2015:16:24:24 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) > [16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > [16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) > [16/Jun/2015:16:24:24 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-rep2-pki-tomcat" (rep1:389): Replication bind with SIMPLE auth resumed > [16/Jun/2015:16:24:25 -0400] NSMMReplicationPlugin - agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth resumed > [16/Jun/2015:16:27:28 -0400] - Operation error fetching Null DN (0ce19ce4-146611e5-8135a170-bd40e05c), error -30993. > [16/Jun/2015:16:27:28 -0400] - dn2entry_ext: Failed to get id for changenumber=336746,cn=changelog from entryrdn index (-30993) > [16/Jun/2015:16:27:28 -0400] - Operation error fetching changenumber=336746,cn=changelog (null), error -30993. 
> [16/Jun/2015:16:27:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 336746, dn = changenumber=336746,cn=changelog: Operations error. > [16/Jun/2015:16:27:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > .. > [16/Jun/2015:16:27:36 -0400] - Operation error fetching changenumber=336762,cn=changelog (null), error -30993. > [16/Jun/2015:16:27:36 -0400] DSRetroclPlugin - replog: an error occured while adding change number 336762, dn = changenumber=336762,cn=changelog: Operations error. > [16/Jun/2015:16:27:36 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > [16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 > [16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 > [17/Jun/2015:13:41:23 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 3025 max work q stack size 5 > [17/Jun/2015:13:41:23 -0400] - slapd shutting down - waiting for 30 threads to terminate > > > Assuming we had a corrupted database we first attempted to remove the replicate > by logging into the first master and running: > > # ipa-replica-manage del rep2 > > This process hung indefinitely. So we proceeded to shutdown all ipa services on > rep2 (systemctl stop ipa).. 
then re-ran the command on the first master: > > # ipa-replica-manage -v --force del rep2 > > This appeared to work ok and rep2 appears to have been deleted: > > # ipa-replica-manage list > rep3: master > rep1: master > > However, when querying ldap nsDS5ReplicationAgreement we still see rep2 with a > replica 97 id for the ipca: > > # ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL > > dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config > objectClass: top > objectClass: nsds5replicationagreement > cn: masterAgreement1-rep3-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: rep3 > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: masterAgreement1-rep3-pki-tomcat > .. > nsds50ruv: {replicageneration} 5527f74b000000600000 > nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b > 0000 5582c7e40004005b0000 > nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060 > 0000 5582cd19000000600000 > nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061 > 0000 556f462b000400610000 > nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 0 > 0000000 > nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 0 > 0000000 > nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 0 > 0000000 > nsds5replicaLastUpdateStart: 20150619173149Z > nsds5replicaLastUpdateEnd: 20150619173149Z > nsds5replicaChangesSentSinceStartup:: OTY6MTI0LzAg > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > > Questions: > > 0. Is it likely that after running out of file descriptors the dirsrv > slapd database on rep2 was corrupted? 
I have increased FDs to 32768, although I have a somewhat larger environment and the bulk of logins occur via LDAP, so that uses up more FDs. From looking at your numbers, I don't think 16K would be unreasonable. Remember to set /etc/sysconfig/dirsrv.systemd as well as the ldapmodify settings and finally /etc/security/limits.conf

> 
> 1. Do we have to run ipa-replica-manage del rep2 on *each* of the
> remaining replica servers (rep1 and rep3)? Or should it just be run on
> the first master? Do we need to run ipa-csreplicate-manage del as well?

You mentioned it was a CA -- ipa-csreplica-manage and run the same "delete" options to remove it.

> 
> 2. Why does the rep2 server still appear when querying the
> nsDS5ReplicationAgreement in ldap? Is this benign or will this pose problems
> when we go to add rep2 back in?

See above

> 3. What steps/commands can we take to verify rep2 was successfully removed and
> replication is behaving normally?

After above - it should be gone

> 
> We had tuned our servers according to the rhel Performance Tuning
> Guide:
> 
> # cat /proc/sys/fs/file-max
> 6534908
> 
> # cat /etc/security/limits.d/40-freeipa.conf
> * soft nofile 8192
> * hard nofile 8192
> 
> # cat /etc/sysctl.d/40-freeipa.conf
> net.ipv4.ip_local_port_range = 1024 65000
> net.ipv4.tcp_keepalive_time = 300
> 
> # cat /etc/sysconfig/dirsrv.systemd
> [Service]
> LimitNOFILE=8192

Do it. Also, have you run an lsof of the PID of ns-slapd to see what the connections are? This is a very simple thing to increase.

You mention all your logins are via ipa-client-install, which implies Kerberos. However, I wonder if this is the case. Check the lsof output, but I would also consider running logconv.pl against your access logs in /var/log/dirsrv/slapd-INSTANCE to really see what is going on behind the scenes.

~J

From aebruno2 at buffalo.edu Sat Jun 20 04:53:40 2015
From: aebruno2 at buffalo.edu (Andrew E.
Bruno) Date: Sat, 20 Jun 2015 00:53:40 -0400 Subject: [Freeipa-users] ipa replica failure In-Reply-To: <5584E72F.40906@gmail.com> References: <20150619182240.GA8365@dead.ccr.buffalo.edu> <5584E72F.40906@gmail.com> Message-ID: <20150620045340.GA12000@dead.ccr.buffalo.edu> On Fri, Jun 19, 2015 at 09:08:15PM -0700, Janelle wrote: > On 6/19/15 11:22 AM, Andrew E. Bruno wrote: > >Hello, > > > >First time trouble shooting an ipa server failure and looking for some > >guidance on how best to proceed. > > > >First some background on our setup: > > > >Servers are running freeipa v4.1.0 on CentOS 7.1.1503: > > > >- ipa-server-4.1.0-18.el7.centos.3.x86_64 > >- 389-ds-base-1.3.3.1-16.el7_1.x86_64 > > > >3 ipa-servers, 1 first master (rep1) and 2 (rep2, rep3) replicates. The > >replicates were setup to be ca's (i.e. ipa-replica-install --setup-ca...) > > > >We have ~3000 user accounts (~1000 active the rest disabled). We have > >~700 hosts enrolled (all installed using ipa-client-install and running > >sssd). Hosts clients are a mix of centos 7 and centos 6.5. > > > > > >We recently discovered one of our replica servers (rep2) was not > >responding. A quick check of the dirsrv logs > >/var/log/dirsrv/slapd-XXXX/errors (sanitized): > > > > PR_Accept() failed, Netscape Portable Runtime error (Process open > > FD table is full.) > > ... 
> > > >The server was rebooted and after coming back up had these errors in the logs: > > > > 389-Directory/1.3.3.1 B2015.118.1941 > > replica2:636 (/etc/dirsrv/slapd-XXXX) > > > >[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > >[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to trickle, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > >[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > >[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > >[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > >[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > >[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > >[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > >[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > >[16/Jun/2015:10:12:33 -0400] - Serious Error---Failed to checkpoint database, err=-30973 (BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery) > >[16/Jun/2015:10:12:33 -0400] - libdb: BDB0060 PANIC: fatal region error detected; run recovery > >[16/Jun/2015:10:12:33 -0400] - checkpoint_threadmain: log archive failed - BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery (-30973) > >.... > >[16/Jun/2015:16:24:04 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up > >[16/Jun/2015:16:24:04 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. > >... 
> >[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=XXX. Check if DB RUV needs to be updated > >[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 55770068000300030000 > >[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f4632001400040000 > >[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f4631004d00050000 > >[16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 111 (Connection refused) > >[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-rep2 (rep1:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) () > >[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. 
Check if DB RUV needs to be updated > >[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 556f46290005005b0000 > >[16/Jun/2015:16:24:15 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/rep2] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) > >[16/Jun/2015:16:24:15 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 111 (Connection refused) > >[16/Jun/2015:16:24:15 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > >[16/Jun/2015:16:24:15 -0400] NSMMReplicationPlugin - agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () > >[16/Jun/2015:16:24:15 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xxx--no CoS Templates found, which should be added before the CoS Definition. > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301438 (rc: 32) > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301439 (rc: 32) > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301440 (rc: 32) > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301441 (rc: 32) > >.... > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301443 (rc: 32) > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301444 (rc: 32) > >[16/Jun/2015:16:24:15 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests > >[16/Jun/2015:16:24:15 -0400] - Listening on All Interfaces port 636 for LDAPS requests > >[16/Jun/2015:16:24:15 -0400] - Listening on /var/run/slapd-CCR-BUFFALO-EDU.socket for LDAPI requests > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301445 (rc: 32) > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301446 (rc: 32) > >[16/Jun/2015:16:24:15 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 301447 (rc: 32) > >... > >[16/Jun/2015:16:24:24 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 336362 (rc: 32) > >[16/Jun/2015:16:24:24 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) > >[16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > >[16/Jun/2015:16:24:24 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) > >[16/Jun/2015:16:24:24 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-rep2-pki-tomcat" (rep1:389): Replication bind with SIMPLE auth resumed > >[16/Jun/2015:16:24:25 -0400] NSMMReplicationPlugin - agmt="cn=meTorep1" (rep1:389): Replication bind with GSSAPI auth resumed > >[16/Jun/2015:16:27:28 -0400] - Operation error fetching Null DN (0ce19ce4-146611e5-8135a170-bd40e05c), error -30993. > >[16/Jun/2015:16:27:28 -0400] - dn2entry_ext: Failed to get id for changenumber=336746,cn=changelog from entryrdn index (-30993) > >[16/Jun/2015:16:27:28 -0400] - Operation error fetching changenumber=336746,cn=changelog (null), error -30993. 
> >[16/Jun/2015:16:27:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 336746, dn = changenumber=336746,cn=changelog: Operations error. > >[16/Jun/2015:16:27:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > >.. > >[16/Jun/2015:16:27:36 -0400] - Operation error fetching changenumber=336762,cn=changelog (null), error -30993. > >[16/Jun/2015:16:27:36 -0400] DSRetroclPlugin - replog: an error occured while adding change number 336762, dn = changenumber=336762,cn=changelog: Operations error. > >[16/Jun/2015:16:27:36 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > >[16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 > >[16/Jun/2015:16:27:36 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 > >[17/Jun/2015:13:41:23 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 3025 max work q stack size 5 > >[17/Jun/2015:13:41:23 -0400] - slapd shutting down - waiting for 30 threads to terminate > > > > > >Assuming we had a corrupted database we first attempted to remove the replicate > >by logging into the first master and running: > > > > # ipa-replica-manage del rep2 > > > >This process hung indefinitely. So we proceeded to shutdown all ipa services on > >rep2 (systemctl stop ipa).. 
then re-ran the command on the first master: > > > > # ipa-replica-manage -v --force del rep2 > > > >This appeared to work ok and rep2 appears to have been deleted: > > > > # ipa-replica-manage list > > rep3: master > > rep1: master > > > >However, when querying ldap nsDS5ReplicationAgreement we still see rep2 with a > >replica 97 id for the ipca: > > > ># ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL > > > >dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config > >objectClass: top > >objectClass: nsds5replicationagreement > >cn: masterAgreement1-rep3-pki-tomcat > >nsDS5ReplicaRoot: o=ipaca > >nsDS5ReplicaHost: rep3 > >nsDS5ReplicaPort: 389 > >nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config > >nsDS5ReplicaBindMethod: Simple > >nsDS5ReplicaTransportInfo: TLS > >description: masterAgreement1-rep3-pki-tomcat > >.. > >nsds50ruv: {replicageneration} 5527f74b000000600000 > >nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b > > 0000 5582c7e40004005b0000 > >nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060 > > 0000 5582cd19000000600000 > >nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061 > > 0000 556f462b000400610000 > >nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 0 > > 0000000 > >nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 0 > > 0000000 > >nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 0 > > 0000000 > >nsds5replicaLastUpdateStart: 20150619173149Z > >nsds5replicaLastUpdateEnd: 20150619173149Z > >nsds5replicaChangesSentSinceStartup:: OTY6MTI0LzAg > >nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd > > ate succeeded > >nsds5replicaUpdateInProgress: FALSE > >nsds5replicaLastInitStart: 0 > >nsds5replicaLastInitEnd: 0 > > > > > >Questions: > > > >0. Is it likely that after running out of file descriptors the dirsrv > >slapd database on rep2 was corrupted? 
> I have increased FDs to 32768, although I have a somewhat larger environment
> and the bulk of logins occur via LDAP, so that uses up more FDs. From
> looking at your numbers, I don't think 16K would be unreasonable. Remember
> to set /etc/sysconfig/dirsrv.systemd as well as the ldapmodify settings and
> finally /etc/security/limits.conf

Excellent, thanks for the tip. In regards to the ldapmodify settings, is it safe to run "systemctl restart dirsrv@DOMAIN" or should "systemctl restart ipa" be run, i.e. can you restart dirsrv without restarting other ipa services? Also, curious if you updated nsslapd-reservedescriptors as well?

> >
> >1. Do we have to run ipa-replica-manage del rep2 on *each* of the
> >remaining replica servers (rep1 and rep3)? Or should it just be run on
> >the first master? Do we need to run ipa-csreplicate-manage del as well?
> You mentioned it was a CA --
> ipa-csreplica-manage and run the same "delete" options to remove it.

I ran ipa-csreplica-manage del but got an error:

  'rep1' has no replication agreement for 'rep2'

It almost seems like the ipaca replica agreement between rep3 and rep2 is orphaned. It still exists in ldap but ipa-csreplica-manage list commands don't show it? And I can't seem to delete it using the ipa-replica commands. I'm anticipating issues when trying to add my failed replica back in without resolving this.

> >
> >2. Why does the rep2 server still appear when querying the
> >nsDS5ReplicationAgreement in ldap? Is this benign or will this pose problems
> >when we go to add rep2 back in?
> See above
> >3. What steps/commands can we take to verify rep2 was successfully removed and
> >replication is behaving normally?
> After above - it should be gone

No luck.. ipa-csreplica-manage list shows only 2 masters (rep3 and rep1). But ldapsearch still shows references to the deleted replica rep2.
> >
> >We had tuned our servers according to the rhel Performance Tuning
> >Guide:
> >
> > # cat /proc/sys/fs/file-max
> > 6534908
> >
> > # cat /etc/security/limits.d/40-freeipa.conf
> > * soft nofile 8192
> > * hard nofile 8192
> >
> > # cat /etc/sysctl.d/40-freeipa.conf
> > net.ipv4.ip_local_port_range = 1024 65000
> > net.ipv4.tcp_keepalive_time = 300
> >
> > # cat /etc/sysconfig/dirsrv.systemd
> > [Service]
> > LimitNOFILE=8192
> 
> Do it. Also, have you run an lsof of the PID of ns-slapd to see what the
> connections are?

$ lsof -a -p 2868 | wc -l
586

$ cat /proc/sys/fs/file-nr
3232	0	6534908

$ ls -alh /proc/2868/fd | wc -l
466

$ ldapsearch "cn=monitor" "(objectclass=*)"
currentconnections: 339
totalconnections: 51585
currentconnectionsatmaxthreads: 0
maxthreadsperconnhits: 485
dtablesize: 8192
readwaiters: 0
opsinitiated: 2309677
opscompleted: 2309676
entriessent: 1526462
bytessent: 24606941647
currenttime: 20150620044615Z
starttime: 20150618141112Z
nbackends: 3

> This is a very simple thing to increase.
> 
> You mention all your logins are via ipa-client-install, which implies
> Kerberos. However, I wonder if this is the case. Check the lsof output, but
> I would also consider running logconv.pl against your access logs in
> /var/log/dirsrv/slapd-INSTANCE to really see what is going on behind the
> scenes.

Thanks again for the tip.. I'll check out logconv.pl

> 
> ~J
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> 
> 

From prashant at apigee.com Sat Jun 20 12:09:37 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Sat, 20 Jun 2015 17:39:37 +0530
Subject: [Freeipa-users] Changing the SSL certificate for the WebUI
In-Reply-To: <5582C8C2.8040605@redhat.com>
References: <5582C8C2.8040605@redhat.com>
Message-ID: 

I tried the steps documented on a test VM.
Looks like I ended up in the situation described here https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html. I have one more question. Is there a way to disable HTTPS completely on the WebUI. I can add HTTPS on a load balancer in front of the UI to handle SSL. On 18 June 2015 at 19:03, Rob Crittenden wrote: > Prashant Bapat wrote: > >> Hi All, >> >> There is a way to change the certificate for the web UI. >> >> I went with a standard install with a self signed CA etc. Now I want to >> install a cert from a commercial CA. I don't mind using the IPA CA certs >> for the 389 DS, just want to change the cert for the UI. >> >> Any pointers on how to do this ? >> > > http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Sat Jun 20 20:17:28 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Sat, 20 Jun 2015 16:17:28 -0400 Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege In-Reply-To: References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> <55846FA8.8090508@redhat.com> <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> <558499E1.6080408@redhat.com> Message-ID: <5585CA58.7020409@redhat.com> Nathan Peters wrote: > > > -----Original Message----- From: Rob Crittenden > Sent: Friday, June 19, 2015 3:38 PM > To: nathan at nathanpeters.com > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission > "System: Read HBAC Rules" with bindtype "all" to a privilege > > nathan at nathanpeters.com wrote: >>> nathan at nathanpeters.com wrote: >>>> FreeIPA server 4.1.3 on CentOS 7 >>>> >>>> I am trying to create a set of privileges or roles that will allow >>>> me to >>>> create a user who has read-only access to as much of the FreeIPA web UI >>>> as >>>> possible. 
Basically my manager want the type of view into FreeIPA that >>>> they have in AD using the 'AD Users and Computers program). >>>> >>>> I note that there are quite a few read permission in the permissions >>>> list. >>>> I tried creating a new privilege called Read Only Administrator and >>>> giving them all the permission that have read only in the name. >>>> >>>> For some reason I can add all other system and full access permissions >>>> but >>>> when I try to add a read only permission I get the following error : >>>> invalid 'permission': cannot add permission "System: Read HBAC Rules" >>>> with >>>> bindtype "all" to a privilege >>>> >>>> This applies not just the HBAC rule, but anything that has Read in the >>>> name. >>>> >>>> How do I create a read only user without getting this error message? >>> >>> You can't add a rule with bindtype all because this bindtype already >>> allows all authenticated users the rights granted by the rule, in this >>> case read access. >>> >>> rob >>> >>> >> >> That doesn't sound right. When I login to FreeIPA web ui with a user who >> is not part of any group, the only thing he can do is browse other users >> and update his own password and SSH key. He does not get the HBAC menu >> and definitely cannot browse HBAC rules. > > The UI handles those permissions differently. > > $ kinit someuser > $ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com > >> >> Also, If I do this step backward and go directly to the RBAC -> >> Permissions menu and choose a permission and edit it, I can add it to a >> privilege, but if I go to the privilege and try to add the permission it >> fails. This makes zero sense. >> >> I can post screenshots if that helps. >> > > This is a bug. There is a function not available on the command line, > permission_add_member, which incorrectly allows this. 
I opened > https://fedorahosted.org/freeipa/ticket/5075 > > Regardless of whether it is added or not, it is a no-op because the > whole idea of permissions is to grant access via groups and there is no > group in this permission. It allows all authenticated users. > > rob > > What do you mean by it is a no-op? > > Here is what I did that worked: > > 1)Create privilege called "Read only privilege" > > 2)Go to each permission individually that has the world "Read" in it and > add them to the "read only privilege" privilege one at a time. There > was about 65 of them. This is fine because we are not apply this to > users, only apply the permissions to the privilege. > > 3)Next, go back to the read-only privilege and add some group that > contains users. > > 4)Login to the webui as a user that is in the group that was added to > the privilege and now you can see all menu options just like an admin, > but everything is read only and any attempt to make changes results in a > message that you don't have permission to make that change. This is > currently working exactly as I expect it to once I set it up the long way. > > Result : Member can now browse the entire web ui and see everything, > hosts, users, rbac rules, hbac rules, groups etc but in read only mode > as expected. I'm talking only about the issue where a permission with a bindrule of all cannot be added to a privilege. The fact that it can be added in the UI is a bug. It is the data in LDAP we really care about and a permission with a bindrule of all grants all authenticated users read access to that data, regardless of what you might or might not see in the UI. I'm not entirely sure how Petr does that though I always thought it was through LDAP effective rights which in effect should grant all users HBAC read access, so perhaps he determines it based on other things as well. 
rob

From rcritten at redhat.com Sat Jun 20 20:21:55 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 20 Jun 2015 16:21:55 -0400
Subject: [Freeipa-users] Changing the SSL certificate for the WebUI
In-Reply-To: 
References: <5582C8C2.8040605@redhat.com>
Message-ID: <5585CB63.4010706@redhat.com>

Prashant Bapat wrote:
> I tried the steps documented on a test VM. Looks like I ended up in the
> situation described here
> https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html.

Please be careful when pointing back at old threads. This issue was about expired certs. I suspect you found it because of a similar error message, but the underlying cause is completely unrelated.

You probably just need to add in the CA cert that issued the server certificate. I'd have thought that ipa-server-certinstall would enforce that but perhaps not.

> I have one more question. Is there a way to disable HTTPS completely on
> the WebUI. I can add HTTPS on a load balancer in front of the UI to
> handle SSL.

It would be a rather terrible idea. You'd still have a lot of in-the-clear messaging between the IPA web server and the load balancer. I wouldn't recommend that; there are real replay issues possible. You should re-encrypt, so terminate SSL at the load balancer and then open a new SSL session to IPA.

rob

> 
> 
> 
> On 18 June 2015 at 19:03, Rob Crittenden > wrote:
> 
>     Prashant Bapat wrote:
> 
>         Hi All,
> 
>         There is a way to change the certificate for the web UI.
> 
>         I went with a standard install with a self signed CA etc. Now I
>         want to
>         install a cert from a commercial CA. I don't mind using the IPA
>         CA certs
>         for the 389 DS, just want to change the cert for the UI.
> 
>         Any pointers on how to do this ?
> > > http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP > > From janellenicole80 at gmail.com Sat Jun 20 21:03:02 2015 From: janellenicole80 at gmail.com (Janelle) Date: Sat, 20 Jun 2015 14:03:02 -0700 Subject: [Freeipa-users] blank user screen? (web UI) Message-ID: <5585D506.5080109@gmail.com> Just wondering if others have run into the user login to the web-UI and with the exception of the top part of the screen and menu, all the user details go blank. This makes it hard for a user to "click on add ssh key" since they can't see it. Have reproduced this dozens of times on all browsers. Very confusing. There must be an answer or known fix? ~Janelle From prashant at apigee.com Sun Jun 21 04:25:10 2015 From: prashant at apigee.com (Prashant Bapat) Date: Sun, 21 Jun 2015 09:55:10 +0530 Subject: [Freeipa-users] Changing the SSL certificate for the WebUI In-Reply-To: <5585CB63.4010706@redhat.com> References: <5582C8C2.8040605@redhat.com> <5585CB63.4010706@redhat.com> Message-ID: Hi Rob, Thanks for the reply. The ipa-server-certinstall did require that I have the cert and the CA cert in PEM file and the key in another PEM file. And the command went thru successfully. But afterwards the HTTP service stopped working. Only way I could get it to start again was to set NSSEnforceValidCerts off in /etc/httpd/conf.d/nss.conf. Below is the error message from the logs. [Sun Jun 21 09:46:09.188241 2015] [:info] [pid 3803] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. [Sun Jun 21 09:46:09.444378 2015] [:info] [pid 3803] Init: Seeding PRNG with 144 bytes of entropy [Sun Jun 21 09:46:09.444395 2015] [:info] [pid 3803] Init: Initializing (virtual) servers for SSL [Sun Jun 21 09:46:09.454700 2015] [:error] [pid 3803] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation. [Sun Jun 21 09:46:09.454757 2015] [:error] [pid 3803] Unable to verify certificate 'Signing-Cert'. 
Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

On the turning off SSL, I did try what you are suggesting. A load balancer with the commercial CA and HTTPS from LB to the server behind it, and it worked! Only problem is, I will have to have one load balancer for each of the servers. This is because I used naming like ipa.example.com and ipa2.example.com etc for the IPA servers. These are all replicas and their name has to match what's on the LB.

Thanks again!
--Prashant

On 21 June 2015 at 01:51, Rob Crittenden wrote:

> Prashant Bapat wrote:
>
>> I tried the steps documented on a test VM. Looks like I ended up in the
>> situation described here
>> https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html.
>>
>
> Please be careful when pointing back at old threads. This issue was about
> expired certs. I suspect you found it because of a similar error message,
> but the underlying cause is completely unrelated.
>
> You probably just need to add in the CA cert that issued the server
> certificate. I'd have thought that ipa-server-certinstall would enforce
> that but perhaps not.
>
> I have one more question. Is there a way to disable HTTPS completely on
>> the WebUI. I can add HTTPS on a load balancer in front of the UI to
>> handle SSL.
>>
>
> It would be a rather terrible idea. You'd still have a lot of in-the-clear
> messaging between the IPA web server and the load balancer. I wouldn't
> recommend that; there are real replay issues possible. You should
> re-encrypt, so terminate SSL at the load balancer and then open a new SSL
> session to IPA.
>
> rob
>
>
>>
>>
>> On 18 June 2015 at 19:03, Rob Crittenden >> > wrote:
>>
>>     Prashant Bapat wrote:
>>
>>         Hi All,
>>
>>         There is a way to change the certificate for the web UI.
>>
>>         I went with a standard install with a self signed CA etc. Now I
>>         want to
>>         install a cert from a commercial CA.
I don't mind using the IPA >> CA certs >> for the 389 DS, just want to change the cert for the UI. >> >> Any pointers on how to do this ? >> >> >> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From prashant at apigee.com Sun Jun 21 06:21:09 2015 From: prashant at apigee.com (Prashant Bapat) Date: Sun, 21 Jun 2015 11:51:09 +0530 Subject: [Freeipa-users] blank user screen? (web UI) In-Reply-To: <5585D506.5080109@gmail.com> References: <5585D506.5080109@gmail.com> Message-ID: Can you share the steps to reproduce this and the error message? On 21 June 2015 at 02:33, Janelle wrote: > Just wondering if others have run into the user login to the web-UI and > with the exception of the top part of the screen and menu, all the user > details go blank. This makes it hard for a user to "click on add ssh key" > since they can't see it. > > Have reproduced this dozens of times on all browsers. Very confusing. > There must be an answer or known fix? > > ~Janelle > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From janellenicole80 at gmail.com Sun Jun 21 06:35:17 2015 From: janellenicole80 at gmail.com (Janelle) Date: Sat, 20 Jun 2015 23:35:17 -0700 Subject: [Freeipa-users] blank user screen? (web UI) In-Reply-To: References: <5585D506.5080109@gmail.com> Message-ID: <55865B25.5090607@gmail.com> Hi, Sure. Just login as a normal user to the WEB UI. screen is blank: Of course, if you click on Actions - you will see those and you can click on them, but you can't do anything else. This is a vanilla server install, nothing fancy. Oh and there is no error message at all. Any browser = same results. Tried clearing cache, history, web data.. Everything. 
Many of my users report the same thing. This is 7.1 with IPA 4.1.7.

Now the funny part - login as "admin" and everything works fine. But I certainly can't have everyone logging in as admin. :-)

~Janelle

On 6/20/15 11:21 PM, Prashant Bapat wrote:
> Can you share the steps to reproduce this and the error message?
>
> On 21 June 2015 at 02:33, Janelle wrote:
>> Just wondering if others have run into the user login to the web-UI and, with the exception of the top part of the screen and menu, all the user details go blank. This makes it hard for a user to "click on add ssh key" since they can't see it.
>>
>> Have reproduced this dozens of times on all browsers. Very confusing. There must be an answer or known fix?
>>
>> ~Janelle

From gjn at gjn.priv.at Sun Jun 21 12:47:33 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sun, 21 Jun 2015 14:47:33 +0200
Subject: [Freeipa-users] Kerberos principal add / create
Message-ID: <3683162.hBkUp0eKiM@techz>

Hello,

I had a long way to find out how to read the email addresses from IPA :-( Now the way is to read directly from the 389 server. sssd doesn't find more than one address. OK.
I found a readme that tells me to create a "special user":

# dovecota, sysaccounts, etc, 4gjn.prv
dn: uid=dovecota,cn=sysaccounts,cn=etc,dc=xxxx,dc=xxxx
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: dovecota
userPassword:: e1NTSEF9TWlKY0FWZkxTd3ZkS2dUZ0xyamV3bUJJbm9TLzRORTlwdU14c1E9PQ=

With this user I can now read passwd, uid, mail, ... but the question is: is it possible to add a Kerberos principal to this user with IPA?

thanks for an answer,
--
kind regards / best regards,
Günther J. Niederwimmer

From christoph.kaminski at biotronik.com Mon Jun 22 07:48:19 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Mon, 22 Jun 2015 09:48:19 +0200
Subject: [Freeipa-users] WG: Re: Haunted servers?
In-Reply-To: <558408D4.8020406@redhat.com>
References: <5583E21D.9060503@redhat.com> <5583EA13.6060206@redhat.com> <5583FBBF.8030404@redhat.com> <558408D4.8020406@redhat.com>
Message-ID:

> from an earlier post it looks like they are from the o=ipaca backend, did you clean the ruvs there?

we have only done a 'normal' cleanruv... How can I clean them there?

> to know which are the correct current rids for this backend you could do on each active server a search for
> ... -b "cn=config" "(&(objectclass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" nsDS5ReplicaId
>
> then you could search
>
> ldapsearch -h -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
>
> to see what you have in the ruv and eventually clean them
>
> On 06/19/2015 01:48 PM, Christoph Kaminski wrote:
>> Ludwig Krispenz wrote on 19.06.2015 13:23:43:
>>> the first search is for the replication agreements and they keep info about the consumer ruv, used in replication session. you cannot modify these, but they are maintained in the dse.ldif, you could edit the dse.ldif when the server is stopped.
>> big thx, we try it and I let you know if it works!
>>
>> Greetz

From lkrispen at redhat.com Mon Jun 22 08:19:57 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 22 Jun 2015 10:19:57 +0200
Subject: [Freeipa-users] WG: Re: Haunted servers?
In-Reply-To:
References: <5583E21D.9060503@redhat.com> <5583EA13.6060206@redhat.com> <5583FBBF.8030404@redhat.com> <558408D4.8020406@redhat.com>
Message-ID: <5587C52D.5000007@redhat.com>

Hi,

On 06/22/2015 09:48 AM, Christoph Kaminski wrote:
>> from an earlier post it looks like they are from the o=ipaca backend, did you clean the ruvs there?
>
> we have only done a 'normal' cleanruv... How can I clean them there?

either you try the cleanallruv:

# ldapmodify -D "cn=directory manager" -W -a
dn: cn=clean 8, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 8
cn: clean 8

you have to set the replica base dn.

or, if you want to go to the method of running cleanruv individually on all servers, you have to use the dn of the ipaca replica:

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV11

>> to know which are the correct current rids for this backend you could do on each active server a search for
>> ... -b "cn=config" "(&(objectclass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" nsDS5ReplicaId
>>
>> then you could search
>>
>> ldapsearch -h -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
>>
>> to see what you have in the ruv and eventually clean them
>>
>> On 06/19/2015 01:48 PM, Christoph Kaminski wrote:
>>> Ludwig Krispenz wrote on 19.06.2015 13:23:43:
>>>> the first search is for the replication agreements and they keep info about the consumer ruv, used in replication session.
>>>> you cannot modify these, but they are maintained in the dse.ldif, you could edit the dse.ldif when the server is stopped.
>>>
>>> big thx, we try it and I let you know if it works!
>>>
>>> Greetz

From tompos at martos.bme.hu Mon Jun 22 08:22:08 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Mon, 22 Jun 2015 10:22:08 +0200
Subject: [Freeipa-users] Antwort: clean-run doesn't work
In-Reply-To:
References: <5583DAB8.60002@martos.bme.hu>
Message-ID: <5587C5B0.80903@martos.bme.hu>

On 06/19/2015 11:12 AM, Christoph Kaminski wrote:
> for this problem you can see the thread "Haunted servers?" here on ml. There is a solution from me for this but it doesn't work 100% :/

I would rather rerun the replication.

> we have a Ticket @Red Hat for this problem, (https://access.redhat.com/support/cases/#/case/01429034 if you have rh support)
> But is really sad/silly how RH support works (read the whole ticket).

Unfortunately I don't have access there.

In fact we have a bigger issue here, but I don't know if it's related.

The whole story is the following:

I migrated (ipa migrate-ds) about 150 users between two ldap databases. The old one was v3.0 (centos 6.6), the new one is v4.1 (centos 7.1). After migrating users I switched off the old servers and replaced the centos 6.6 machines with centos 7.1. Then replica servers were installed. One replica had to be reinstalled once, because the replica process had hung up for some reason.
Now two servers (not the reinstalled one, but the original master and one other) crash quite frequently with sigsegv. It's like something is leaking.

I tuned the nsslapd-cachememsize value of the following config entries:

dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
dn: cn=config, cn=ldbm database, cn=plugins, cn=config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config

It helped a lot, but not enough.
I had seen this before years ago, when I started using ipa. It was on Fedora and the bleeding edge FreeIPA version. At that time I switched to CentOS because I trusted more in the well tested enterprise distribution.
But now it's not an option :)

Any suggestion?

Thanks,
tamas

From jhrozek at redhat.com Mon Jun 22 08:27:21 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 22 Jun 2015 10:27:21 +0200
Subject: [Freeipa-users] question on Active Directory and FreeIPA
In-Reply-To: <958EF916EB06874283F9B8F820726DD3BA0E9888@FSMB1.muad.local>
References: <958EF916EB06874283F9B8F820726DD3BA0E946E@FSMB1.muad.local> <20150619191507.GE3006@hendrix> <958EF916EB06874283F9B8F820726DD3BA0E9888@FSMB1.muad.local>
Message-ID: <20150622082721.GF3006@hendrix>

On Fri, Jun 19, 2015 at 08:15:37PM +0000, David Fitzgerald wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 19, 2015 3:15 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA
>
> On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote:
>> Hello,
>>
>> Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do.
>> Right now I am using FreeIPA 3.3.3 on a CentOS 7 server, and using it to manage about 200 users and 90 Scientific Linux workstations, and everything works great. Unfortunately I have been told that I must now use the University's Active Directory to authenticate all of my users.
>> I have read the documentation on FreeIPA / AD integration and am not sure if that will meet my requirements. All my Linux users' home directories are auto mounted on login from a CentOS 7 NFS server with their bash profiles etc. run off that mount.
>> From what I have read it seems to me that FreeIPA / AD integration is more focused on getting Windows users to be able to log into a Linux machine with access to their Windows folders and profiles (oddjob creating a local home directory on the Linux box, etc.). I don't want this. All I need is to simply authenticate the user using AD (BTW their IPA usernames and AD usernames are the same other than the domain) then use the info from FreeIPA as I do now. I don't need any folders mounted from the Windows servers.
>> Have I completely misread the documentation and I can do this by integrating FreeIPA and AD? Is there an easy way to do this? I am not a Windows AD expert by any means.
>
> I'm not sure I completely answer your question, but in case of IPA-AD trust, the AD users always authenticate against AD, even in case of password authentication on an IPA box. The passwords are not synchronized in any way.
>
> So I guess having the user accounts in AD, but keeping the automount info, sudo rules etc. would satisfy your requirements?
>
> With the recent 'views' feature, you can set POSIX attributes for IPA users without touching the AD LDAP schema, even per-host.
>
> This is exactly what I need.

If you are going to experiment with the views, then please note that unfortunately some bugs slipped into the 7.1 release. If you encounter problems, please try installing the latest packages for SSSD and IPA, and make sure SSSD is updated also on the server side.
Some SSSD bugs are not planned for patching until 7.2; in that case you might need to install upstream packages such as:
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

Some of the bugs are:
- https://bugzilla.redhat.com/show_bug.cgi?id=1217127
- https://bugzilla.redhat.com/show_bug.cgi?id=1214719
- https://bugzilla.redhat.com/show_bug.cgi?id=1214718
- https://bugzilla.redhat.com/show_bug.cgi?id=1214716
- https://bugzilla.redhat.com/show_bug.cgi?id=1214337

From christoph.kaminski at biotronik.com Mon Jun 22 08:31:10 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Mon, 22 Jun 2015 10:31:10 +0200
Subject: [Freeipa-users] Antwort: clean-run doesn't work
In-Reply-To: <5587C5B0.80903@martos.bme.hu>
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu>
Message-ID:

> Unfortunately I don't have access there.
>
> In fact we have a bigger issue here, but I don't know if it's related.
>
> The whole story is the following:
>
> I migrated (ipa migrate-ds) about 150 users between two ldap databases. The old one was v3.0 (centos 6.6), the new one is v4.1 (centos 7.1). After migrating users I switched off the old servers and replaced the centos 6.6 machines with centos 7.1. Then replica servers were installed. One replica had to be reinstalled once, because the replica process had hung up for some reason.
> Now two servers (not the reinstalled one, but the original master and one other) crash quite frequently with sigsegv. It's like something is leaking.
>
> I tuned the nsslapd-cachememsize value of the following config entries:
>
> dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
> dn: cn=config, cn=ldbm database, cn=plugins, cn=config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>
> It helped a lot, but not enough.
>
> I had seen this before years ago, when I started using ipa. It was on Fedora and the bleeding edge FreeIPA version.
> At that time I switched to CentOS because I trusted more in the well tested enterprise distribution.
> But now it's not an option :)
>
> Any suggestion?

As I have mentioned above, see the "Haunted servers?" thread here on the list. There are solutions etc. for a similar problem. This is all I know about this problem. (The RH ticket has far less information and not really a solution for it (sad :/))

Greetz

From tbordaz at redhat.com Mon Jun 22 08:34:25 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 22 Jun 2015 10:34:25 +0200
Subject: [Freeipa-users] Antwort: clean-run doesn't work
In-Reply-To: <5587C5B0.80903@martos.bme.hu>
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu>
Message-ID: <5587C891.7000003@redhat.com>

On 06/22/2015 10:22 AM, Tamas Papp wrote:
> On 06/19/2015 11:12 AM, Christoph Kaminski wrote:
>> for this problem you can see the thread "Haunted servers?" here on ml. There is a solution from me for this but it doesn't work 100% :/
>
> I would rather rerun the replication.
>
>> we have a Ticket @Red Hat for this problem, (https://access.redhat.com/support/cases/#/case/01429034 if you have rh support)
>> But is really sad/silly how RH support works (read the whole ticket).
>
> Unfortunately I don't have access there.
>
> In fact we have a bigger issue here, but I don't know if it's related.
>
> The whole story is the following:
>
> I migrated (ipa migrate-ds) about 150 users between two ldap databases. The old one was v3.0 (centos 6.6), the new one is v4.1 (centos 7.1). After migrating users I switched off the old servers and replaced the centos 6.6 machines with centos 7.1. Then replica servers were installed. One replica had to be reinstalled once, because the replica process had hung up for some reason.
> Now two servers (not the reinstalled one, but the original master and one other) crash quite frequently with sigsegv. It's like something is leaking.
>
> I tuned the nsslapd-cachememsize value of the following config entries:
>
> dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
> dn: cn=config, cn=ldbm database, cn=plugins, cn=config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>
> It helped a lot, but not enough.

Hello Tamas,

You get some sigsegv and you may hit a real bug. Please try to capture a core (http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes), then you may attach a pstack of it.

thanks
thierry

> I had seen this before years ago, when I started using ipa. It was on Fedora and the bleeding edge FreeIPA version. At that time I switched to CentOS because I trusted more in the well tested enterprise distribution.
> But now it's not an option :)
>
> Any suggestion?
>
> Thanks,
> tamas

From tompos at martos.bme.hu Mon Jun 22 08:43:53 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Mon, 22 Jun 2015 10:43:53 +0200
Subject: [Freeipa-users] Antwort: clean-run doesn't work
In-Reply-To:
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu>
Message-ID: <5587CAC9.60500@martos.bme.hu>

On 06/22/2015 10:31 AM, Christoph Kaminski wrote:
>> Unfortunately I don't have access there.
>>
>> In fact we have a bigger issue here, but I don't know if it's related.
>>
>> The whole story is the following:
>>
>> I migrated (ipa migrate-ds) about 150 users between two ldap databases. The old one was v3.0 (centos 6.6), the new one is v4.1 (centos 7.1). After migrating users I switched off the old servers and replaced the centos 6.6 machines with centos 7.1. Then replica servers were installed. One replica had to be reinstalled once, because the replica process had hung up for some reason.
>> Now two servers (not the reinstalled one, but the original master and one other) crash quite frequently with sigsegv. It's like something is leaking.
>>
>> I tuned the nsslapd-cachememsize value of the following config entries:
>>
>> dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
>> dn: cn=config, cn=ldbm database, cn=plugins, cn=config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>
>> It helped a lot, but not enough.
>>
>> I had seen this before years ago, when I started using ipa. It was on Fedora and the bleeding edge FreeIPA version. At that time I switched to CentOS because I trusted more in the well tested enterprise distribution.
>> But now it's not an option :)
>>
>> Any suggestion?
>
> As I have mentioned above, see the "Haunted servers?" thread here on the list. There are solutions etc. for a similar problem. This is all I know about this problem.
> (The RH ticket has far less information and not really a solution for it (sad :/))

In my particular case I'm interested whether it can crash servers. Does it for you? I don't see it in that thread.

tamas

From christoph.kaminski at biotronik.com Mon Jun 22 08:49:55 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Mon, 22 Jun 2015 10:49:55 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
In-Reply-To: <5587CAC9.60500@martos.bme.hu>
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu>
Message-ID:

> In my particular case I'm interested whether it can crash servers. Does it for you? I don't see it in that thread.
>
> tamas

yes... we have had crashes really often on virtual machine installations. On bare metal we had a crash 2-3 times.

That was the reason for us to destroy all IPA VMs.
There seems to be an IO issue on VMs with IPA (rhev virtualisation here). You can see it extremely if you turn the debug level higher.

Greetz

From tompos at martos.bme.hu Mon Jun 22 08:51:56 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Mon, 22 Jun 2015 10:51:56 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
In-Reply-To:
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu>
Message-ID: <5587CCAC.2060605@martos.bme.hu>

On 06/22/2015 10:49 AM, Christoph Kaminski wrote:
>> In my particular case I'm interested whether it can crash servers. Does it for you? I don't see it in that thread.
>>
>> tamas
>
> yes... we have had crashes really often on virtual machine installations. On bare metal we had a crash 2-3 times.
>
> That was the reason for us to destroy all IPA VMs. There seems to be an IO issue on VMs with IPA (rhev virtualisation here). You can see it extremely if you turn the debug level higher.

Thanks!
tamas

From Alexander.Frolushkin at megafon.ru Mon Jun 22 09:36:49 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Mon, 22 Jun 2015 09:36:49 +0000
Subject: [Freeipa-users] question on Active Directory and FreeIPA
In-Reply-To: <20150622082721.GF3006@hendrix>
References: <958EF916EB06874283F9B8F820726DD3BA0E946E@FSMB1.muad.local> <20150619191507.GE3006@hendrix> <958EF916EB06874283F9B8F820726DD3BA0E9888@FSMB1.muad.local> <20150622082721.GF3006@hendrix>
Message-ID: <561e544a4aaf4720941ec2474b3005e6@sib-ums03.Megafon.ru>

Hello, Jakub!
Could you please tell what about the sssd package in RHEL 6, when can we expect the fixes in official updates? Especially with our sensitive fixes (parentheses in AD group names)?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Monday, June 22, 2015 2:27 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA

On Fri, Jun 19, 2015 at 08:15:37PM +0000, David Fitzgerald wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 19, 2015 3:15 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA
>
> On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote:
>> Hello,
>>
>> Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do.
>> Right now I am using FreeIPA 3.3.3 on a CentOS 7 server, and using it to manage about 200 users and 90 Scientific Linux workstations, and everything works great. Unfortunately I have been told that I must now use the University's Active Directory to authenticate all of my users.
>> I have read the documentation on FreeIPA / AD integration and am not sure if that will meet my requirements. All my Linux users' home directories are auto mounted on login from a CentOS 7 NFS server with their bash profiles etc. run off that mount. From what I have read it seems to me that FreeIPA / AD integration is more focused on getting Windows users to be able to log into a Linux machine with access to their Windows folders and profiles (oddjob creating a local home directory on the Linux box, etc.). I don't want this. All I need is to simply authenticate the user using AD (BTW their IPA usernames and AD usernames are the same other than the domain) then use the info from FreeIPA as I do now.
>> I don't need any folders mounted from the Windows servers.
>> Have I completely misread the documentation and I can do this by integrating FreeIPA and AD? Is there an easy way to do this? I am not a Windows AD expert by any means.
>
> I'm not sure I completely answer your question, but in case of IPA-AD trust, the AD users always authenticate against AD, even in case of password authentication on an IPA box. The passwords are not synchronized in any way.
>
> So I guess having the user accounts in AD, but keeping the automount info, sudo rules etc. would satisfy your requirements?
>
> With the recent 'views' feature, you can set POSIX attributes for IPA users without touching the AD LDAP schema, even per-host.
>
> This is exactly what I need.

If you are going to experiment with the views, then please note that unfortunately some bugs slipped into the 7.1 release. If you encounter problems, please try installing the latest packages for SSSD and IPA, and make sure SSSD is updated also on the server side. Some SSSD bugs are not planned for patching until 7.2; in that case you might need to install upstream packages such as:
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

Some of the bugs are:
- https://bugzilla.redhat.com/show_bug.cgi?id=1217127
- https://bugzilla.redhat.com/show_bug.cgi?id=1214719
- https://bugzilla.redhat.com/show_bug.cgi?id=1214718
- https://bugzilla.redhat.com/show_bug.cgi?id=1214716
- https://bugzilla.redhat.com/show_bug.cgi?id=1214337

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

From Alexander.Frolushkin at megafon.ru Mon Jun 22 09:42:07 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Mon, 22 Jun 2015 09:42:07 +0000
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
In-Reply-To:
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu>
Message-ID: <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru>

Hello everyone.
I can confirm this on VMWare; recently we had a similar issue when we enabled dirsrv debug on 4 of our 19 IPA servers :(

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christoph Kaminski
Sent: Monday, June 22, 2015 2:50 PM
To: Tamas Papp
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

> In my particular case I'm interested whether it can crash servers. Does it for you? I don't see it in that thread.
> tamas

yes... we have had crashes really often on virtual machine installations. On bare metal we had a crash 2-3 times.

That was the reason for us to destroy all IPA VMs. There seems to be an IO issue on VMs with IPA (rhev virtualisation here). You can see it extremely if you turn the debug level higher.

Greetz
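The RUV cleanup for the o=ipaca backend that Ludwig lays out in the "Haunted servers?" replies above (collect the live replica IDs from cn=config on every active server, list what the RUV tombstone still carries, then submit one cleanallruv task per stale ID) is the same job Tamas and Christoph are fighting in this clean-run thread. The script below is an added example, not code from the list or from FreeIPA/389-ds: it parses the two ldapsearch outputs (constructed samples; hostnames are placeholders) and emits the task LDIF in the form Ludwig gave for every replica ID that appears in the RUV but on no active server.

```python
import re
from typing import Dict, List, Set

# Constructed sample of the o=ipaca RUV tombstone, as printed by
#   ldapsearch ... -b "o=ipaca" \
#     "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
# Hostnames are placeholders; replica ids 8 and 11 belong to servers that are gone.
# Each {replica N url} element may carry zero, one or two CSNs (min and max).
RUV_SEARCH_OUTPUT = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 55830e5c000000040000
nsds50ruv: {replica 4 ldap://ipa1.example.test:389} 55830e6d000000040000 5587c52d000000040000
nsds50ruv: {replica 6 ldap://ipa2.example.test:389} 5583a1f0000000060000 5587c400000000060000
nsds50ruv: {replica 8 ldap://ipa-old.example.test:389} 5583f1a0000000080000 55840000000000080000
nsds50ruv: {replica 11 ldap://ipa-gone.example.test:389}
"""

# Constructed sample: one result per ACTIVE server of
#   ldapsearch ... -b "cn=config" \
#     "(&(objectclass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" nsDS5ReplicaId
ACTIVE_REPLICA_SEARCH_OUTPUTS = [
    "dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config\nnsDS5ReplicaId: 4\n",
    "dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config\nnsDS5ReplicaId: 6\n",
]

# {replicageneration} does not match: the pattern requires "replica <digits>".
RUV_ELEMENT = re.compile(r"^nsds50ruv:\s*\{replica (\d+) (ldap://[^}]+)\}\s*(.*)$", re.IGNORECASE)
REPLICA_ID = re.compile(r"^nsDS5ReplicaId:\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_ruv(ldif_text: str) -> Dict[int, str]:
    """Map replica id -> LDAP URL for every {replica N url} element in the RUV."""
    rids: Dict[int, str] = {}
    for line in ldif_text.splitlines():
        m = RUV_ELEMENT.match(line)
        if m:
            rids[int(m.group(1))] = m.group(2)
    return rids


def parse_active_rids(outputs: List[str]) -> Set[int]:
    """Union of the nsDS5ReplicaId values reported by the active servers."""
    active: Set[int] = set()
    for text in outputs:
        active.update(int(x) for x in REPLICA_ID.findall(text))
    return active


def stale_rids(ruv: Dict[int, str], active: Set[int]) -> List[int]:
    """Replica ids the RUV still references but no active server owns.

    A server that is merely offline (not decommissioned) also shows up here,
    so confirm each id against your inventory before submitting the task."""
    return sorted(set(ruv) - active)


def cleanallruv_ldif(rid: int, base_dn: str = "o=ipaca") -> str:
    """cleanallruv task entry for one rid, with replica-base-dn set to the ipaca backend."""
    return (
        f"dn: cn=clean {rid}, cn=cleanallruv, cn=tasks, cn=config\n"
        "objectclass: extensibleObject\n"
        f"replica-base-dn: {base_dn}\n"
        f"replica-id: {rid}\n"
        f"cn: clean {rid}\n"
    )


def cleanruv_modify_ldif(rid: int) -> str:
    """Per-server alternative: a CLEANRUV task on the ipaca replica entry (the '=' in the RDN is escaped)."""
    return (
        "dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
        "changetype: modify\n"
        "replace: nsds5task\n"
        f"nsds5task: CLEANRUV{rid}\n"
    )


def plan_cleanup(ruv_text: str, active_outputs: List[str]) -> Dict[int, str]:
    """rid -> cleanallruv LDIF for every stale replica id."""
    ruv = parse_ruv(ruv_text)
    active = parse_active_rids(active_outputs)
    return {rid: cleanallruv_ldif(rid) for rid in stale_rids(ruv, active)}


if __name__ == "__main__":
    for rid, ldif in plan_cleanup(RUV_SEARCH_OUTPUT, ACTIVE_REPLICA_SEARCH_OUTPUTS).items():
        print(f"# stale replica id {rid} ({parse_ruv(RUV_SEARCH_OUTPUT)[rid]})")
        print(ldif)
```

Feed the real outputs of the two searches in place of the constructed samples; the generated entries are what `ldapmodify -D "cn=directory manager" -W -a` expects on stdin.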
From tompos at martos.bme.hu Mon Jun 22 09:50:15 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Mon, 22 Jun 2015 11:50:15 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
In-Reply-To: <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru>
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu> <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru>
Message-ID: <5587DA57.9020307@martos.bme.hu>

Fascinating.

Can you Red Hat guys reproduce this in your test environment?

Thanks,
tamas

On 06/22/2015 11:42 AM, Alexander Frolushkin wrote:
> Hello everyone.
>
> I can confirm this on VMWare; recently we had a similar issue when we enabled dirsrv debug on 4 of our 19 IPA servers :(
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christoph Kaminski
> Sent: Monday, June 22, 2015 2:50 PM
> To: Tamas Papp
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
>
>> In my particular case I'm interested whether it can crash servers. Does it for you? I don't see it in that thread.
>>
>> tamas
>
> yes... we have had crashes really often on virtual machine installations. On bare metal we had a crash 2-3 times.
>
> That was the reason for us to destroy all IPA VMs. There seems to be an IO issue on VMs with IPA (rhev virtualisation here). You can see it extremely if you turn the debug level higher.
>
> Greetz
>
> ------------------------------------------------------------------------
From jhrozek at redhat.com Mon Jun 22 09:55:23 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 22 Jun 2015 11:55:23 +0200
Subject: [Freeipa-users] question on Active Directory and FreeIPA
In-Reply-To: <561e544a4aaf4720941ec2474b3005e6@sib-ums03.Megafon.ru>
References: <958EF916EB06874283F9B8F820726DD3BA0E946E@FSMB1.muad.local> <20150619191507.GE3006@hendrix> <958EF916EB06874283F9B8F820726DD3BA0E9888@FSMB1.muad.local> <20150622082721.GF3006@hendrix> <561e544a4aaf4720941ec2474b3005e6@sib-ums03.Megafon.ru>
Message-ID: <20150622095523.GN3006@hendrix>

On Mon, Jun 22, 2015 at 09:36:49AM +0000, Alexander Frolushkin wrote:
> Hello, Jakub!
> Could you please tell what about the sssd package in RHEL 6, when can we expect the fixes in official updates? Especially with our sensitive fixes (parentheses in AD group names)?
Hi, in RHEL-6, only the client side of the views will be supported, not the server. The client side is coming to 6.7 btw; as I said, there are still bugs wrt views on the server side. We can't backport them to RHEL-7.1.z until there is a customer request... hence so far they are planned for 7.2 From yamakasi.014 at gmail.com Mon Jun 22 10:10:15 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Mon, 22 Jun 2015 12:10:15 +0200 Subject: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1) Message-ID: Hi Guys, I found some good information about migrating from 3.3 to 4.x using replicas. It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as CentOS doesn't provide 3.3. Another question is that my hostnames are now like ipa-01 and ipa-02, where I make one replica ipa-01-1 and finally go from there. But what is the best way to set my hostnames back to ipa-01 from ipa-01-1 (and maybe ipa-02-1)? I hope for some good suggestions. Thanks! Matt From jhrozek at redhat.com Mon Jun 22 10:39:32 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Jun 2015 12:39:32 +0200 Subject: [Freeipa-users] Announcing SSSD 1.13 Alpha Message-ID: <20150622103931.GO3006@hendrix> === SSSD 1.13 Alpha === The SSSD team is proud to announce the release of version 1.13 Alpha of the System Security Services Daemon. As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora rawhide shortly. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * The Active Directory provider has changed the default value of the ad_gpo_access_control option from permissive to enforcing. As a consequence, the GPO access control now affects all clients that set access_provider to ad.
In order to restore the previous behaviour, set ad_gpo_access_control to permissive or use a different access_provider type. * Group Policy objects defined in a different AD domain than the one the computer object is defined in are now supported. * Support for separate prompts when using two-factor authentication was added * Credential caching and offline authentication are also available when using two-factor authentication * Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that will be released in the IPA 4.2 version * Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users and groups are now exposed as first-class objects. The users and groups can also be marked as cached and would subsequently show up in the Introspection output * The DBus interface is now also able to look up User objects by certificate. This is a first part of work that will eventually allow smart-card authentication in SSSD. * The LDAP cleanup task is now disabled by default, unless enumeration is enabled. Please refer to the ldap_purge_cache_timeout option in case your environment requires the cleanup task * The Python bindings are now built for both Python2 and Python3 * The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the ldap_opt_timeout option == Packaging Changes == * A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable to the user who runs the SSSD service.
* Several packaging changes are present in this release to support the Python3 bindings, notably new python-sss and python-sss-murmur subpackages are introduced in upstream RPM packaging * All python bindings now have a Python3 and a Python2 version in the upstream RPM packaging scheme * The OpenSSL development library (openssl-devel on RHEL/Fedora, libssl-dev on Debian/Ubuntu) is now required to support certificate operations * A new internal library libsss_cert.so is present in this release. == Documentation Changes == * The ad_gpo_access_control option default has changed from permissive to enforcing * The default value of ldap_purge_cache_timeout changed to 0, thus effectively disabling the cleanup task. * A new option cache_credentials_minimal_first_factor_length was added. This option sets constraints on the password length if One-Time passwords are used and credentials are to be cached. Please see the sssd.conf(5) man page for more details == Tickets Fixed == https://fedorahosted.org/sssd/ticket/897 sssd should pass -d to nsupdate when running with high log level https://fedorahosted.org/sssd/ticket/1501 Make the LDAP bind operation timeout configurable https://fedorahosted.org/sssd/ticket/2150 [RFE] Expose listing calls over D-BUS https://fedorahosted.org/sssd/ticket/2224 nsupdate stderr is not captured https://fedorahosted.org/sssd/ticket/2236 The cleanup task has no DEBUG statements https://fedorahosted.org/sssd/ticket/2326 SBUS: Flush the UID cache when we receive NameOwnerChanged https://fedorahosted.org/sssd/ticket/2338 [RFE] Implement object caching on the bus https://fedorahosted.org/sssd/ticket/2339 IFP: support multiple interfaces for object https://fedorahosted.org/sssd/ticket/2540 SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain https://fedorahosted.org/sssd/ticket/2569 In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless
use_fully_qualified_names is set https://fedorahosted.org/sssd/ticket/2574 SSSD should be able to build python2 and python3 bindings in a one build https://fedorahosted.org/sssd/ticket/2583 [RFE] Homedir is always overwritten with subdomain_homedir value in server mode https://fedorahosted.org/sssd/ticket/2593 Does sssd-ad use the most suitable attribute for group name? https://fedorahosted.org/sssd/ticket/2603 Make SSSD's HBAC validation more permissive if deny rules are not used https://fedorahosted.org/sssd/ticket/2609 [bug] sssd always appends default_domain_suffix when checking for host keys https://fedorahosted.org/sssd/ticket/2618 Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all https://fedorahosted.org/sssd/ticket/2620 id_provider=proxy with auth_provider=ldap does not work reliably https://fedorahosted.org/sssd/ticket/2625 Sudo responder does not respect filter_users and filter_groups https://fedorahosted.org/sssd/ticket/2627 Disable the cleanup task by default https://fedorahosted.org/sssd/ticket/2636 RFE: Fetch keytabs for one-way trusts in IPA subdomain code https://fedorahosted.org/sssd/ticket/2638 RFE: Change ad_id_ctx instantiation in the IPA subdomain code to support one-way trusts https://fedorahosted.org/sssd/ticket/2645 [RFE] Support GPOs from different domain controllers https://fedorahosted.org/sssd/ticket/2661 RFE: Change AD GPO default to enforcing https://fedorahosted.org/sssd/ticket/2666 sssd with ldap backend throws error domain log == Detailed Changelog == Jakub Hrozek (68): * MAN: Fix a typo * SYSDB: Reduce code duplication in sysdb_gpo.c * UTIL: Make two child_common.c functions static * TESTS: Cover child_common.c with unit tests * LDAP: Use child_io_destructor instead of child_cleanup in a custom desctructor * UTIL: Remove child_cleanup * UTIL: Unify the fd_nonblocking implementation * RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing * PAM: print the pam status as 
string, too * KRB5: More debugging for create_ccache() * SDAP: Make simple bind timeout configurable * SDAP: Make password change timeout configurable with ldap_opt_timeout * SDAP: Make StartTLS bind configurable with ldap_opt_timeout * SDAP: Decorate the sdap_op functions with DEBUG messages * IPA: Remove the ipa_hbac_treat_deny_as option * MAN: Clarify debug_level a bit * SSH: Ignore the default_domain_suffix * LDAP: Set sdap handle as explicitly connected in LDAP auth * tests: Revert strcmp condition * ncache: Fix sss_ncache_reset_permanent * ncache: Silence critical error from filter_users when default_domain_suffix is set * ncache: Add sss_ncache_reset_repopulate_permanent * responders: reset ncache after domains are discovered during startup * NSS: Reset negcache after checking domains * MAN: Clarify how are GPO mappings called in GPO editor * UTIL: Add a simple function to get the fd of debug_file * dyndns: Log nsupdate stderr with a high debug level * nsupdate: Append -d/-D to nsupdate with a high debug level * subdom: Remove unused function get_flat_name_from_subdomain_name * nss: Use negcache for getbysid requests * tests: Add NSS responder tests for bysid requests * LDAP: disable the cleanup task by default * TESTS: Use the right testcase * TESTS: Add test for get_next_domain * LDAP: Do not print verbose DEBUG messages from providers that don't set UUID * SYSDB: Store trust direction for subdomains * UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private * TESTS: Add a test for sysdb_subdomains.c * SYSDB: Add realm to sysdb_master_domain_add_info * SYSDB: Add a forest root attribute to sss_domain_info * IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers * IPA: Check master domain record before subdomain records * IPA: Fold ipa_subdom_enumerates into ipa_subdom_store * IPA: Also update master domain when initializing subdom handler * IPA: Move server-mode functions to a separate module * IPA: Split two functions to new module 
ipa_subdomains_utils.c * IPA: Include ipaNTTrustDirection in the attribute set for trusted domains * IPA: Read forest name for trusted forest roots as well * IPA: Make constructing an IPA server mode context async * TESTS: Split off keytab creation into a common module * TESTS: Add a common mock_be_ctx function * TESTS: Add a common function to set up sdap_id_ctx * TESTS: Move krb5_try_kdcip to nested group test * TESTS: Add unit test for the subdomain_server.c module * IPA: Fetch keytab for 1way trusts * AD: Rename ad_set_ad_id_options to ad_set_sdap_options * AD: Rename ad_create_default_options to ad_create_2way_trust_options * AD: Split off ad_create_default_options * IPA/AD: Set up AD domain in ad_create_2way_trust_options * IPA: Do not set AD_KRB5_REALM twice * AD: Add ad_create_1way_trust_options * IPA: Utility function for setting up one-way trust context * LDAP: Do not set keytab through environment variable * LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour * CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss * BUILD: Store keytabs in /var/lib/sss/keytabs * Updating the translations for the 1.13 Alpha release * Updating the version.m4 file for the 1.13 Beta release John Dickerson (1): * MAN: Amend the description of ignore_group_members Lukas Slebodnik (59): * MAN: Remove indentation in element programlistening * Fix warning: for loop has empty body * Bump version to track 1.13 development * SPEC: Use libnl3 for epel6 * MAKE: Don't include autoconf generated file to tarball * TESTS: Mock return value of sdap_get_generic_recv * test_nested_groups: Additional unit tests * Fix warning: equality comparison with extraneous parentheses * LDAP: Conditional jump depends on uninitialised value * BUILD: Remove unused libraries for pysss.so * BUILD: Remove unused variables * BUILD: Remove detection of type Py_ssize_t * UTIL: Remove python wrapper sss_python_set_new * UTIL: Remove python wrapper sss_python_set_add * UTIL: Remove python wrapper sss_python_set_check 
* UTIL: Remove compatibility macro PyModule_AddIntMacro * UTIL: Remove python wrapper sss_python_unicode_from_string * BUILD: Use python-config for detection *FLAGS * SPEC: Use new convention for python packages * SPEC: Move python bindings to separate packages * BUILD: Add possibility to build python{2,3} bindings * TESTS: Run python tests with all supported python versions * SPEC: Replace python_ macros with python2_ * SPEC: Build python3 bindings on available platforms * BUILD: Uninstall also symbolic links to python bindings * Remove unused argument from be_nsupdate_create_fwd_msg * IPA: Remove unused argument from ipa_id_get_group_uuids * Remove useless assignment to function parameter * PAC: Fix memory leak * responder_cache: Fix warning may be used uninitialized * debug-tests: Fix test with new line in debug message * BUILD: Add missing header file to tarball * pam_client: fix casting to const pointer * test_expire: Use right assertion macro for standard functions * test_ldap_auth: Use right assertion for integer comparison * test_resolv_fake: Fix alignment warning * PAC: Remove unused function * KRB5: Unify prototype and definition * util-tests: Initialize boolean variable to default value * SPEC: Drop workaround for old libtool * SPEC: Drop workarounds for old rpmbuild * SPEC: Remove unused option * SPEC: Few cosmetic changes * simple_access-tests: Simplify assertion * sysdb-tests: Add missing assertions * sysdb-tests: test return value before output arguments * ad_opts: Use different default attribute for group name * BUILD: Write hints about optional python bindings * sss_client: Fix mixed enums * LDAP: Remove dead assignment * sss_client: Fix warning "_" redefined * SSSDConfigTest: Use unique temporary directory * util-tests: Add validation of internal error messages * SDAP: Check return value before using output arguments * SDAP: Log failure from sysdb_handle_original_uuid * test_ipa_subdomains_server: Run clean-up after success * IFP: Fix warnings 
with enabled optimisation * SDAP: Remove user from cache for missing user in LDAP * test_ipa_subdom_server: Add missing assert Michal Zidek (2): * Use FQDN if default domain was set * MAN: default_domain_suffix with use_fully_qualified_names. Nikolai Kondrashov (3): * BUILD: Add AM_PYTHON2_MODULE macro * Add integration tests * BUILD: Fix variable substitution in cwrap.m4 Pavel Březina (53): * tests: refactor create_dom_test_ctx() * tests: add create_multidom_test_ctx() * tests: add test_multidom_suite_cleanup() * tests: remove code duplication in single domain cleanup * responders: new interface for cache request * responders: enable views in cache request * IFP: use new cache interface * server-tests: use strtouint32 instead strtol * sbus: add new iface via sbus_conn_register_iface() * sbus: move iface and object path code to separate file * sbus: use 'path/*' to represent a D-Bus fallback * sbus: support multiple interfaces on single path * sbus: add object path to sbus request * sbus: add sbus_opath_hash_lookup_supported() * sbus: support org.freedesktop.DBus.Introspectable * sbus: support org.freedesktop.DBus.Properties * sbus: unify naming of handler data variable * sbus: move common opath functions from ifp to sbus code * sbus: add sbus_opath_get_object_name() * ifp: fix potential memory leak in check_and_get_component_from_path() * sbus: use hard coded getters instead of generated * sbus: remove unused 'reply as' functions * IFP: move interface definitions from ifpsrv.c into separate file * IFP: unify generated interfaces names * sbus codegen: do not prefix getters with iface name * IFP: simplify object path constant names * sbus: add constant to represent subtree * be_refresh: get rid of callback pointers * sysdb: use sysdb_user/group_dn * cache_req tests: rename test_user to test_user_by_name * cache_req tests: define user name constant * cache_req: preparations for different input type * cache_req: add support for user by uid * cache_req: add support for
group by name * cache_req: remove default branch from switches * cache_req: add support for group by id * cmocka: include mock_parse_inp in header file * cache_req: parse input name if needed * cache_req: return ERR_INTERNAL if more than one entry is found * sbus: provide custom error names * sbus: add sbus_opath_decompose[_exact] * sbus: add a{sas} get invoker * IFP: add org.freedesktop.sssd.infopipe.Users * IFP: add org.freedesktop.sssd.infopipe.Users.User * IFP: add org.freedesktop.sssd.infopipe.Groups * IFP: add org.freedesktop.sssd.infopipe.Groups.Group * IFP: deprecate GetUserAttr * IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object] * SBUS: Use default GetAll invoker if none is set * SBUS: Add support for in introspection * IFP: Export nodes * sbus: add support for incoming signals * sbus: listen to NameOwnerChanged Pavel Reichl (17): * add missing '\n' in debug messages * PROXY: add missing space in debug message * BUILD: fix chmake not to generate warning * SDAP: log expired accounts at lower severity level * KRB5: add debug hint * TESTS: test expiration * ldap: refactor check_pwexpire_kerberos to use util func * ldap: refactor nds_check_expired to use util func * Fix a few typos in comments * sbus: sbus_opath_hash_add_iface free tmp talloc ctx * krb5: remove field run_as_user * localauth plugin: fix coverity warning * dyndns: remove dupl declaration of ipa_dyndns_update * dyndns: don't pass zone directive to nsupdate * dyndns: ipa_dyndns.h missed declaration of used data * krb: remove duplicit decl.
of write_krb5info_file * IPA: Don't override homedir with subdomain_homedir Stephen Gallagher (4): * LDAP: Support returning referral information * AD GPO: Support processing referrals * AD GPO: Change default to "enforcing" * Add Vagrant configuration for SSSD Sumit Bose (22): * Add leak check and command line option to test_authtok * utils: add sss_authtok_[gs]et_2fa * pam: handle 2FA authentication token in the responder * Add pre-auth request * krb5-child: add preauth and split 2fa token support * IPA: create preauth indicator file at startup * pam_sss: add pre-auth and 2fa support * Add cache_credentials_minimal_first_factor_length config option * sysdb: add sysdb_cache_password_ex() * krb5: save hash of the first authentication factor to the cache * krb5: try delayed online authentication only for single factor auth * 2FA offline auth * pam_sss: move message encoding into separate file * PAM: add PAM responder unit test * adding ldap_user_auth_type where missing * LDAP: add ldap_user_certificate option * certs: add PEM/DER conversion utilities * sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert() * LDAP/IPA: add user lookup by certificate * ncache: add calls for certificate based searches * utils: add get_last_x_chars() * IFP: add FindByCertificate method for User objects From pvoborni at redhat.com Mon Jun 22 12:15:49 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 22 Jun 2015 14:15:49 +0200 Subject: [Freeipa-users] blank user screen? (web UI) In-Reply-To: <55865B25.5090607@gmail.com> References: <5585D506.5080109@gmail.com> <55865B25.5090607@gmail.com> Message-ID: <5587FC75.5080907@redhat.com> On 06/21/2015 08:35 AM, Janelle wrote: > Hi, > > Sure. Just login as a normal user to the WEB UI. screen is blank: > > Of course, if you click on Actions - you will see those and you can click on > them, but you can't do anything else. This is a vanilla server install, nothing > fancy. Oh and there is no error message at all.
Any browser = same results. > > Tried clearing cache, history, web data.. Everything. Many of my users report > the same thing. This is 7.1 with IPA 4.1.7 > > Now the funny part - login as "admin" and everything works fine. But I certainly > can't have everyone logging in as admin. :-) > > ~Janelle Do you see any error in the browser console? Does this happen also to a user which doesn't have any RBAC role assigned (either directly or indirectly)? > > > > On 6/20/15 11:21 PM, Prashant Bapat wrote: >> Can you share the steps to reproduce this and the error message? >> >> On 21 June 2015 at 02:33, Janelle > > wrote: >> >> Just wondering if others have run into the user login to the web-UI and >> with the exception of the top part of the screen and menu, all the user >> details go blank. This makes it hard for a user to "click on add ssh key" >> since they can't see it. >> >> Have reproduced this dozens of times on all browsers. Very confusing. >> There must be an answer or known fix? >> >> ~Janelle >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> >> > > > -- Petr Vobornik From tbordaz at redhat.com Mon Jun 22 12:20:56 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 22 Jun 2015 14:20:56 +0200 Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work In-Reply-To: <5587DA57.9020307@martos.bme.hu> References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu> <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru> <5587DA57.9020307@martos.bme.hu> Message-ID: <5587FDA8.8010900@redhat.com> On 06/22/2015 11:50 AM, Tamas Papp wrote: > Fascinating. > > Can you Red Hat guys reproduce this in your test environment? Most of my tests are on RHEV with RHEL 7.1, I have not seen a crash of DS.
About the test case: you installed a server+replicas (version?), then turned on errorlog-level (do you remember what level)? That would slow down the DS instance and fill the errors log. Then you hit a crash extremely frequently. Do you remember what kind of load: search/mod/add/del? thanks thierry > > Thanks, > tamas > > On 06/22/2015 11:42 AM, Alexander Frolushkin wrote: >> >> Hello everyone. >> >> I can confirm this on VMWare; recently we had a similar issue when we >> enabled dirsrv debug on 4 of our 19 IPA servers. >> >> WBR, >> >> Alexander Frolushkin >> >> Cell +79232508764 >> >> Work +79232507764 >> >> *From:*freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Christoph >> Kaminski >> *Sent:* Monday, June 22, 2015 2:50 PM >> *To:* Tamas Papp >> *Cc:* freeipa-users at redhat.com >> *Subject:* [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work >> >> > >> > In my particular case I'm interested, whether it can crash servers. >> > Does it for you? I don't see it in that thread. >> > >> > tamas >> >> yes... we have had crashes really often on virtual machine >> installations. On bare metal we had 2-3 crashes. >> >> That was the reason for us to destroy all IPA VMs. There seems to be >> an IO issue on VMs with IPA (RHEV virtualisation here). You can see >> it extremely clearly if you turn the debug level higher. >> >> Greetz >> >> >> ------------------------------------------------------------------------ >> >> The information contained in this communication is intended solely >> for the use of the individual or entity to whom it is addressed and >> others authorized to receive it. It may contain confidential or >> legally privileged information. The contents may not be disclosed or >> used by anyone other than the addressee. If you are not the intended >> recipient(s), any use, disclosure, copying, distribution or any >> action taken or omitted to be taken in reliance on it is prohibited >> and may be unlawful. If you have received this communication in error >> please notify us immediately by responding to this email and then >> delete the e-mail and all attachments and any copies thereof. > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael at stroeder.com Mon Jun 22 12:03:59 2015 From: michael at stroeder.com (Michael Ströder) Date: Mon, 22 Jun 2015 14:03:59 +0200 Subject: [Freeipa-users] [SSSD-users] Announcing SSSD 1.13 Alpha In-Reply-To: <20150622103931.GO3006@hendrix> References: <20150622103931.GO3006@hendrix> Message-ID: <5587F9AF.6090508@stroeder.com> HI! I'd be glad if this RFE could make it into 1.13.x: https://fedorahosted.org/sssd/ticket/2411 Ciao, Michael. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4272 bytes Desc: S/MIME Cryptographic Signature URL: From nikola at krzalic.com Sat Jun 20 18:35:24 2015 From: nikola at krzalic.com (Nikola Kržalić) Date: Sat, 20 Jun 2015 20:35:24 +0200 Subject: [Freeipa-users] FreeIPA groups not shown on client In-Reply-To: References: Message-ID: Just in case somebody is still struggling with this... On ubuntu 14.04 I had to set the enumerate option to true in sssd.conf to make this work.
On Fri, May 22, 2015 at 6:28 PM, Christoph Kaminski wrote: > freeipa-users-bounces at redhat.com wrote on 22.05.2015 09:37:04: > >> From: Nikola Kržalić >> To: freeipa-users at redhat.com >> Date: 22.05.2015 15:05 >> Subject: [Freeipa-users] FreeIPA groups not shown on client >> Sent by: freeipa-users-bounces at redhat.com >> >> I have an ubuntu system running IPA client. I am able to log in via ssh >> using IPA users, but I do not get any group memberships or sudo rules. >> Same configuration works on a different system (running CentOS). >> >> sssd domain log output shows that the groups are retrieved from server >> successfully: >> >> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] >> (0x1000): Added group [admins] for user [nkrzalic] >> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] >> (0x1000): Added group [ipausers] for user [nkrzalic] >> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] >> (0x1000): Added group [editors] for user [nkrzalic] >> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] >> (0x1000): Added group [trust admins] for user [nkrzalic] >> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] >> (0x1000): Added group [devops_team] for user [nkrzalic] >> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] >> (0x1000): Added group [dev_team] for user [nkrzalic] >> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] >> (0x1000): Added group [sys_team] for user [nkrzalic] >> >> However, these groups are not shown on the user upon login: >> >> nkrzalic at ircsrv1:~$ id >> uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic) >> >> I tried cleaning the sssd cache but that didn't help.
>> >> sssd conf is as follows: >> >> [sssd] >> services = nss, pam, ssh, sudo >> config_file_version = 2 >> >> nsswitch.conf seems to be correct as well: >> >> # /etc/nsswitch.conf >> >> passwd: compat sss >> group: compat sss >> shadow: compat >> >> hosts: files dns >> networks: files >> >> protocols: db files >> services: db files >> ethers: db files >> rpc: db files >> >> netgroup: nis sss >> sudoers: files sss >> >> Interestingly after I do "getent group devops_team" this group shows up: >> >> nkrzalic at ircsrv1:~$ id >> uid=281200051(nkrzalic) gid=281200051(nkrzalic) >> groups=281200051(nkrzalic),281200001(devops_team) >> nkrzalic at ircsrv1:~$ >> >> >> Any ideas? >> >> > > try to kill the cache with: > (stop sssd) rm -rf /var/lib/sss/db/* (start sssd) > > we have had the same problems often here and only really killing the cache has > fixed it (sss_cache -A hasn't helped) > > Greetz > Christoph Kaminski > > -- S poštovanjem / Regards, Nikola Kržalić. From tompos at martos.bme.hu Mon Jun 22 12:39:21 2015 From: tompos at martos.bme.hu (Tamas Papp) Date: Mon, 22 Jun 2015 14:39:21 +0200 Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work In-Reply-To: <5587FDA8.8010900@redhat.com> References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu> <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru> <5587DA57.9020307@martos.bme.hu> <5587FDA8.8010900@redhat.com> Message-ID: <558801F9.6040708@martos.bme.hu> On 06/22/2015 02:20 PM, thierry bordaz wrote: > On 06/22/2015 11:50 AM, Tamas Papp wrote: >> Fascinating. >> >> Can you Red Hat guys reproduce this in your test environment? > > Most of my tests are on RHEV with RHEL 7.1, I have not seen a crash of DS. > About the test case, you installed a server+replicas (version ?), then > turned on errorlog-level (do you remember what level). All are CentOS 7.1 (IPA 4.1). I didn't touch errorlog-level. > That would slow down the DS instance and fill the errors log.
> Then you hit a crash extremely frequently. Do you remember what kind > of load: search/mod/add/del? We currently see about 1 crash / day. add/del/mod: basically 0 search: We're investigating; on some servers we probably didn't enable nscd for caching. In that case they probably received quite high load..... otherwise it also should be extremely low. We don't use kerberos, do not join clients, just the ldap feature..... Thanks, tamas -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Jun 22 12:40:05 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Jun 2015 08:40:05 -0400 Subject: [Freeipa-users] Changing the SSL certificate for the WebUI In-Reply-To: References: <5582C8C2.8040605@redhat.com> <5585CB63.4010706@redhat.com> Message-ID: <55880225.1000504@redhat.com> Prashant Bapat wrote: > Hi Rob, > > Thanks for the reply. > > The ipa-server-certinstall did require that I have the cert and the CA > cert in one PEM file and the key in another PEM file. And the command went > through successfully. > > But afterwards the HTTP service stopped working. The only way I could get it > to start again was to set NSSEnforceValidCerts off in > /etc/httpd/conf.d/nss.conf. > > Below is the error message from the logs. > > [Sun Jun 21 09:46:09.188241 2015] [:info] [pid 3803] Initializing SSL > Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. > [Sun Jun 21 09:46:09.444378 2015] [:info] [pid 3803] Init: Seeding PRNG > with 144 bytes of entropy > [Sun Jun 21 09:46:09.444395 2015] [:info] [pid 3803] Init: Initializing > (virtual) servers for SSL > [Sun Jun 21 09:46:09.454700 2015] [:error] [pid 3803] SSL Library Error: > -8102 Certificate key usage inadequate for attempted operation. > [Sun Jun 21 09:46:09.454757 2015] [:error] [pid 3803] Unable to verify > certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf > so the server can start until the problem can be resolved.
The error is that you are trying to use a certificate for SSL that doesn't have the usage flags to allow being used as a server. The nickname Signing-Cert suggests this is an object-signing cert. I'd suggest using certutil to look at the NSS database in /etc/httpd/alias to see what certs are installed and reconfigure mod_nss to use the correct nickname. > On turning off SSL, I did try what you are suggesting. A load > balancer with the commercial CA and HTTPS from the LB to the server behind > it, and it worked! The only problem is, I will have to have one load > balancer for each of the servers. This is because I used naming like > ipa.example.com and ipa2.example.com > etc for the IPA servers. These are all > replicas and their name has to match what's on the LB. Why not get a 3rd party cert with multiple SANs, one for each IPA master? rob From dpal at redhat.com Mon Jun 22 12:42:42 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 22 Jun 2015 08:42:42 -0400 Subject: [Freeipa-users] [SSSD-users] Announcing SSSD 1.13 Alpha In-Reply-To: <5587F9AF.6090508@stroeder.com> References: <20150622103931.GO3006@hendrix> <5587F9AF.6090508@stroeder.com> Message-ID: <558802C2.6040606@redhat.com> On 06/22/2015 08:03 AM, Michael Ströder wrote: > HI! > > I'd be glad if this RFE could make it into 1.13.x: > > https://fedorahosted.org/sssd/ticket/2411 > > Ciao, Michael. > > > > It was and is not planned for 1.13. It is targeting 1.14 but patches are always welcome. -- Thank you, Dmitri Pal Director of Engineering for IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed...
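The key-usage failure Rob diagnoses above can be caught before ipa-server-certinstall ever touches /etc/httpd/alias. The following is an added example written for this page, not code from the thread or from FreeIPA: it reads a PEM certificate's extendedKeyUsage and keyUsage with the openssl CLI (1.1.1 or later is assumed, for -ext and -addext) and rejects anything that could not act as a TLS server, and it carries a certutil helper (nss-tools assumed) for seeing what mod_nss actually has under a nickname. The two self-signed certificates it generates are constructed test input; the file names and the nickname Signing-Cert are illustrative.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeIPA. Checks a PEM cert for
# the usages NSS/mod_nss demand of a TLS server certificate before it is handed
# to ipa-server-certinstall; a cert without them (an object-signing cert, say)
# yields "SSL Library Error: -8102 Certificate key usage inadequate".
# Assumes the openssl CLI >= 1.1.1; all file names are illustrative.

# tls_server_usable PEMFILE: succeed only if the cert may serve TLS.
# NSS treats a missing extension as unrestricted, so only present
# extensions are checked.
tls_server_usable() {
    ext=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage,keyUsage 2>/dev/null) || return 1
    # An EKU, if present, must include serverAuth.
    if printf '%s\n' "$ext" | grep -q 'Extended Key Usage'; then
        printf '%s\n' "$ext" | grep -q 'TLS Web Server Authentication' || return 1
    fi
    # A keyUsage, if present, must allow signing the handshake or key exchange.
    if printf '%s\n' "$ext" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$ext" | grep -Eq 'Digital Signature|Key Encipherment' || return 1
    fi
    return 0
}

# make_demo_cert OUT CN EKU: constructed self-signed test input, not a real
# site certificate. The key lands in OUT.key.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "extendedKeyUsage=$3" -addext 'keyUsage=digitalSignature' \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# show_nss_usage DBDIR NICKNAME: what mod_nss sees. Needs certutil (nss-tools);
# e.g. show_nss_usage /etc/httpd/alias Signing-Cert
show_nss_usage() {
    certutil -L -d "$1"                               # nicknames and trust flags
    certutil -L -d "$1" -n "$2" | grep -A4 'Key Usage' # usages of one cert
}

# Stand-alone demo: a serverAuth cert passes, a codeSigning one is rejected.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_cert "$d/server.pem" ipa.example.com serverAuth
    make_demo_cert "$d/signing.pem" Signing-Cert codeSigning
    for f in "$d/server.pem" "$d/signing.pem"; do
        if tls_server_usable "$f"; then echo "$f: usable for a TLS server"
        else echo "$f: NOT usable for a TLS server"; fi
    done
    rm -rf "$d"
fi
```

Run it as `sh certcheck.sh demo` to see both outcomes, or source it and call `tls_server_usable /path/to/cert.pem` on the file you are about to install. If the cert fails, fixing the nickname in nss.conf will not help; the certificate itself has to be reissued with serverAuth.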
From tbordaz at redhat.com Mon Jun 22 12:49:49 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 22 Jun 2015 14:49:49 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
In-Reply-To: <558801F9.6040708@martos.bme.hu>
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu> <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru> <5587DA57.9020307@martos.bme.hu> <5587FDA8.8010900@redhat.com> <558801F9.6040708@martos.bme.hu>
Message-ID: <5588046D.8040807@redhat.com>

On 06/22/2015 02:39 PM, Tamas Papp wrote:
>
>
> On 06/22/2015 02:20 PM, thierry bordaz wrote:
>> On 06/22/2015 11:50 AM, Tamas Papp wrote:
>>> Fascinating.
>>>
>>> Can you Red Hat guys reproduce this in your test environment?
>>
>> Most of my tests are on RHEV with RHEL 7.1, I have not seen a crash
>> of DS.
>> About the test case, you installed a server+replicas (version ?),
>> then turn on errorlog-level (do you remember what level).
>
> All are CentOS 7.1 (IPA 4.1).
> I didn't touch errorlog-level.

Hi Tamas,

Thanks for this info... I will try to reproduce.

Christoph, I think you mentioned "You can see it extremely if you turn the debug level higher.". What is the debug level, is it DS debug level ? What level did you select ?

thanks
thierry

>
>> That would slow down the DS instance and fill errors log.
>> Then you hit extremely frequently a crash. Do you remember what kind
>> of the load search/mod/add/del ?
>
> We currently see about 1 crash / day.
> add/del/mod: basically 0
> search: We're investigating, on some servers we probably didn't
> enable nscd for caching. In that case they probably received quite
> high load..... otherwise it also should be extremely low.
>
>
> We don't use kerberos, do not join clients, just the ldap feature.....
>
>
>
> Thanks,
> tamas
>
From jhrozek at redhat.com Mon Jun 22 13:18:43 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 22 Jun 2015 15:18:43 +0200
Subject: [Freeipa-users] FreeIPA groups not shown on client
In-Reply-To:
References:
Message-ID: <20150622131843.GQ3006@hendrix>

On Sat, Jun 20, 2015 at 08:35:24PM +0200, Nikola Kr?ali? wrote:
> Just in case somebody is still struggling with this... On ubuntu 14.04
> I had to set enumerate option to true in sssd.conf to make this work.

While I'm glad it fixes your setup for you, enabling enumeration is really a suboptimal solution. Enumeration doesn't support overrides (aka views), doesn't support trust users and is generally slow.

I would suggest continuing to debug your setup instead. Here is an upstream guide that might help you:
https://fedorahosted.org/sssd/wiki/Troubleshooting

From rcritten at redhat.com Mon Jun 22 13:54:46 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Jun 2015 09:54:46 -0400
Subject: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To:
References:
Message-ID: <558813A6.6010409@redhat.com>

Matt . wrote:
> Hi Guys,
>
> I found some good information about migrating from 3.3 to 4.x using replicas.
>
> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
> CentOS doesn't provide 3.3.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

> Some other question is that my hostnames are now like ipa-01 and
> ipa-02 where I make one replica ipa-01-1 and finally go from there.
>
> But what is the best way to set my hostnames back to ipa-01 from
> ipa-01-1 (and maybe ipa-02-1) ?
>
> I hope for some good suggestions.

You can't change a hostname in IPA. You'd need to create ipa-01-1 and ipa-02-1, confirm that they are working ok, delete ipa-01 and ipa-02, then re-create those as new replicas, connect them, then delete the -1 versions.
It is a lot of trouble to go through to preserve a hostname.

Things to consider:
- maintaining a CA throughout
- consider DNA ranges
- ensure that RUVs are properly cleaned up

rob

From hf+redhat.com at scunc.net Mon Jun 22 13:59:12 2015
From: hf+redhat.com at scunc.net (Hendrik Frenzel)
Date: Mon, 22 Jun 2015 15:59:12 +0200
Subject: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To:
References:
Message-ID: <098f97b60aeccf4d115bf6f0aea625e3@scunc.net>

On 22.06.2015 12:10, Matt . wrote:
> Hi Guys,

Hi Matt,

> I found some good information about migrating from 3.3 to 4.x using
> replicas.
>
> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
> CentOS doesn't provide 3.3.

Could you please share a URL or something?

Currently I'm here:

* ipa-6 - CentOS 6.6:
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-ca-9.0.3-38.el6_6.noarch

* ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind, bind-dyndb-ldap):
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
pki-ca-10.1.2-7.el7.noarch

-1. Update schema
ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root at ipa-6:
ipa-6# python copy-schema-to-ca.py

0. clean up old/stale replication agreements
ipa-replica-manage del --force ipa-6.example.com
ipa-csreplica-manage del --force ipa-6.example.com

1. prepare replication on ipa-6 for ipa-7
ipa-replica-prepare ipa-7.example.com

2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
- +

3. slow down the network a bit (don't know how effective it is, as we already got 1GBit, but without it, a timing bug in 389-ds-base is triggered - see https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540

4. install replication (without CA for the moment)
ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders

Up to now, everything works, but we need the CA too:

5. install ca
ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg

But this won't work and I don't have a clue how to fix/proceed from here.

# ipa-7: /var/log/ipareplica-ca-install.log
ipa : DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
ipa : DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed

# ipa-7: /var/log/pki/pki-tomcat/ca/system
0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain.
Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value # ipa-7: /var/log/pki/pki-tomcat/ca/debug [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443 [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443 [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1 # ipa-6: /var/log/httpd/access_log 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115 # ipa-6: /var/log/pki-ca/debug [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = /ca/agent/ca/updateDomainXML [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='name' value='CA ipa-7.example.com 8443' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='eeclientauthsport' value='443' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='httpport' value='80' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sport' value='443' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='dm' value='true' [22/Jun/2015:15:12:59][TP-Processor5]: 
CMSServlet::service() param name='adminsport' value='443' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='list' value='CAList' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='clone' value='true' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='type' value='CA' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='agentsport' value='443' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sessionID' value='-4812857165985662682' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='host' value='ipa-7.example.com' [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML start to service. [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing... [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process: authentication starts [22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2 [22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL certificate [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.COM [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving client certificate [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client certificate [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn() [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2 [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3 [22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client certificate found [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn() [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true 
[22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2 [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3 [22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.COM] authentication failure [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22 15:12:59 CEST 2015 id=caUpdateDomainXML time=11 # ipa-6: /var/log/pki-ca/system 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent with certificate Serial 0x272 Subject DN CN=CA Subsystem,O=EXAMPLE.COM. Error: User not found 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet caUpdateDomainXML: Failed to authorize: Invalid Credential.. It would be great if someone could give a hint where to look and what user can't authenticate and why. @Matt: For renaming the IdM server, see https://access.redhat.com/solutions/174733 it could possibly help. b/r H. From rcritten at redhat.com Mon Jun 22 14:02:59 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Jun 2015 10:02:59 -0400 Subject: [Freeipa-users] ipa replica failure In-Reply-To: <20150619195738.GB8858@dead.ccr.buffalo.edu> References: <20150619182240.GA8365@dead.ccr.buffalo.edu> <55846622.2080401@redhat.com> <55846B1A.90605@redhat.com> <20150619195738.GB8858@dead.ccr.buffalo.edu> Message-ID: <55881593.7070601@redhat.com> Andrew E. Bruno wrote: > On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote: >> Rich Megginson wrote: >>> On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: >>>> >>>> Questions: >>>> >>>> 0. Is it likely that after running out of file descriptors the dirsrv >>>> slapd database on rep2 was corrupted? 
>>> >>> That would appear to be the case based on correlation of events, >>> although I've never seen that happen, and it is not supposed to happen. >>> >>>> >>>> 1. Do we have to run ipa-replica-manage del rep2 on *each* of the >>>> remaining replica servers (rep1 and rep3)? Or should it just be run on >>>> the first master? >>> >>> I believe it should only be run on the first master, but it hung, so >>> something is not right, and I'm not sure how to remedy the situation. >> >> How long did it hang, and where? > > This command was run on rep1 (first master): > > [rep1]$ ipa-replica-manage del rep2 > > This command hung.. (~10 minutes..) until I Ctr-C. After noticing ldap > queries were hanging on rep2 we ran this on rep2: > > [rep2]$ systemctl stop ipa > (shutdown all ipa services on rep2) > > Then back on rep1 (first master) > > [rep1]$ ipa-replica-manage -v --force del rep2 > > Which appeared to work ok. > >> >>>> Do we need to run ipa-csreplicate-manage del as well? >>>> >>>> 2. Why does the rep2 server still appear when querying the >>>> nsDS5ReplicationAgreement in ldap? Is this benign or will this pose >>>> problems >>>> when we go to add rep2 back in? >>> >>> You should remove it. >> >> And ipa-csreplica-manage is the tool to do it. 
> > When I run this on rep1 (first master): > > [rep1]$ ipa-csreplica-manage list > Directory Manager password: > > rep3: master > rep1: master > > > [rep1]$ ipa-csreplica-manage del rep2 > Directory Manager password: > > 'rep1' has no replication agreement for 'rep2' > > But seems to still be there: > > [rep1]$ ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL > > dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config > objectClass: top > objectClass: nsds5replicationagreement > cn: masterAgreement1-rep3-pki-tomcat > nsDS5ReplicaRoot: o=ipaca > nsDS5ReplicaHost: rep3 > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config > nsDS5ReplicaBindMethod: Simple > nsDS5ReplicaTransportInfo: TLS > description: masterAgreement1-rep3-pki-tomcat > nsds50ruv: {replicageneration} 5527f74b000000600000 > nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b > 0000 5582c7e40004005b0000 > nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060 > 0000 5582cd19000000600000 > nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061 > 0000 556f462b000400610000 > nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 0 > 0000000 > nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 0 > 0000000 > nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 0 > 0000000 > nsds5replicaLastUpdateStart: 20150619193149Z > nsds5replicaLastUpdateEnd: 20150619193149Z > nsds5replicaChangesSentSinceStartup:: OTY6MTMyLzAg > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd > ate succeeded > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > > However, when I run the ldapsearch on rep3 it's not there (the > cn=ipaca,cn=mapping tree,cn=config is not listed): > > [rep3]$ ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL > > dn: 
> cn=meTorep1,cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2C dc\3Dedu,cn=mapping tree,cn=config
> cn: meTorep1
> objectClass: nsds5replicationagreement
> objectClass: top
> nsDS5ReplicaTransportInfo: LDAP
> description: me to rep1
> nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
> nsDS5ReplicaHost: rep1
>
>
>>
>>>>
>>>> 3. What steps/commands can we take to verify rep2 was successfully
>>>> removed and
>>>> replication is behaving normally?
>>
>> The ldapsearch you performed already will confirm that the CA agreement has
>> been removed.
>
> Still showing up.. Any thoughts?
>
> At this point we want to ensure both remaining masters are functional and
> operating normally. Any other commands you recommend running to check?

You aren't seeing a replication agreement. You're seeing the Replication Update Vector (RUV).

See http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html

You need to do something like:

# ldapmodify -D "cn=directory manager" -W -a
dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 97
cn: clean 97

rob

From janellenicole80 at gmail.com Mon Jun 22 14:15:57 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 22 Jun 2015 07:15:57 -0700
Subject: [Freeipa-users] blank user screen? (web UI)
In-Reply-To: <5587FC75.5080907@redhat.com>
References: <5585D506.5080109@gmail.com> <55865B25.5090607@gmail.com> <5587FC75.5080907@redhat.com>
Message-ID: <5588189D.5040300@gmail.com>

On 6/22/15 5:15 AM, Petr Vobornik wrote:
> On 06/21/2015 08:35 AM, Janelle wrote:
>> Hi,
>>
>> Sure. Just login as a normal user to the WEB UI. screen is blank:
>>
>> Of course, if you click on Actions - you will see those and you can
>> click on
>> them, but you can't do anything else. This is a vanilla server
>> install, nothing
>> fancy. Oh and there is no error message at all. Any browser = same
>> results.
>>
>> Tried clearing cache, history, web data.. Everything.
>> Many of my
>> users report
>> the same thing. This is 7.1 with IPA 4.1.7
>>
>> Now the funny part - login as "admin" and everything works fine. But
>> I certainly
>> can't have everyone logging in as admin. :-)
>>
>> ~Janelle
>
> Do you see any error in browser console?
>
> Does this happen also to a user which doesn't have any RBAC role
> assigned (either directly or indirectly)?

AHA -- perhaps a clue:

[Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
[Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
[Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)

~J

From janellenicole80 at gmail.com Mon Jun 22 14:29:25 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 22 Jun 2015 07:29:25 -0700
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <5581DFDB.1090600@redhat.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com> <558173E2.9020306@gmail.com> <5581746B.4080604@redhat.com> <55817E38.6040402@gmail.com> <5581DFDB.1090600@redhat.com>
Message-ID: <55881BC5.6090607@gmail.com>

On 6/17/15 2:00 PM, Rob Crittenden wrote:
> Janelle wrote:
>> On 6/17/15 6:21 AM, Rob Crittenden wrote:
>>> Janelle wrote:
>>>> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>>>>> Janelle wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Had a server - named ipa001.example.com -- it was a replica. It
>>>>>> died. It
>>>>>> was re-installed. However, prior to the re-install it was saying the
>>>>>> wonderful:
>>>>>>
>>>>>> TLS error -8172:Peer's certificate issuer has been marked as not
>>>>>> trusted
>>>>>> by the user.
>>>>>>
>>>>>> It was rebuilt - new OS and doing a brand new ipa-server-install
>>>>>> (NOT a
>>>>>> replica or trying to join it back in to the existing ring of
>>>>>> servers)
>>>>>> and at the end of the ipa-server-install - it gives:
>>>>>>
>>>>>> Done.
>>>>>> Restarting the directory server >>>>>> Restarting the KDC >>>>>> Restarting the certificate server >>>>>> Restarting the web server >>>>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h' >>>>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y' >>>>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs' >>>>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned >>>>>> non-zero >>>>>> exit status 1 >>>>>> Configuration of client side components failed! >>>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' >>>>>> '--on-master' '--unattended' '--domain' 'example.com' '--server' >>>>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname' >>>>>> 'ipa001.example.com'' returned non-zero exit status 1 >>>>>> >>>>>> and checking /var/log/ipaclient-install.log - the exact same TLS >>>>>> error???? >>>>>> >>>>>> But this is a brand new system, with brand new OS and the install >>>>>> was >>>>>> ipa-server-install to install a clean server. >>>>>> >>>>>> I don't understand how this is happening. There is no "peer" to >>>>>> be not >>>>>> trusted? >>>>> >>>>> What version of IPA and distro? (I don't think that probably has >>>>> anything to do with it, just curious in case it does eventually >>>>> matter). >>>>> >>>>> What does /etc/openldap/ldap.conf look like? Normally it should have >>>>> TLS_CACERT /etc/ipa/ca.crt >>>>> >>>>> Any chance you can share the server and client install logs? >>>>> >>>>> rob >>>> 4.1.4 = IPA >>>> CentOS 7.1 >>>> >>>> Oooh... Found something: /etc/openldap/ldap.conf: >>>> >>>> TLS_CACERTDIR /etc/openldap/certs >>>> >>>> Going to investigate. >>>> ~J >>>> >>> >>> That should be fine assuming there aren't any certs in there (and on a >>> brand new system I'd think you'd have empty NSS databases). >>> >>> rob >> So this gets interesting now... >> >> Say you have 6 IPA servers, named ipa001-ipa006.example.com -- all >> working fine. >> Something happens to 002. It dies. 
>> You "ipa-replica-manage del --clean
>> --force ipa002" to get rid of it.
>>
>> A period of time, say a month, goes by. You have lost a couple of other
>> replicas for whatever reason, say 3 and 6. You decide you want to
>> rebuild. You start with 002 - leaving the others up and running because
>> you have users working. You firewall off 002 while you rebuild it.
>>
>> You reinstall OS, reinstall FreeIPA. But no matter what, when you start
>> to configure IPA it comes up with the error of being untrusted. Now, you
>> try the same thing on 003 and 006. SAME problem.
>>
>> For fun - you shutdown 005 and uninstall freeipa --unattended and then
>> try to re-install it. Guess what - no issues.
>>
>> Is this somehow related to:
>> Same domain and realm names floating around the net - so is it querying
>> for a name somehow and one of the "still running" servers is saying -
>> "NO NO NO -- that CERT is revoked!!!" - even though it never tries to
>> connect to that server.
>>
>> Or am I just thinking far too outside the box? And this is exactly what
>> has happened. Rebuilding one of the servers that was never REMOVED is
>> working just fine.
>
> You just jumped to a completely different scenario: from a fresh
> standalone install to a replica install. We should probably pick one
> and solve it.
>
> I think the leap you're making is that the issue is that it notices
> some previous cert. A revoked service cert wouldn't have any effect as
> those service certs aren't in use.
>
> It very well could be finding the "wrong" realm based on DNS SRV
> records. The logs should show you what the client discovered. Things
> happen in multiple steps so perhaps there is a disconnect where the
> right server is used in some, but not all, cases.
>
> rob
>
ALL the problems were all related. Even after building brand new servers, the problem persisted and then started cropping up with client installs.

The solution traced to bad NSS packages.
A simple "yum downgrade nss nss-sysinit nss-tools" solved it.. Something is up with the 3.18 version and downgrading to 3.16 seems to have resolved. Should have known it would all be related to an upgrade. Sometimes a slightly older version is best.

~Janelle

From rcritten at redhat.com Mon Jun 22 14:37:14 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Jun 2015 10:37:14 -0400
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <55881BC5.6090607@gmail.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com> <558173E2.9020306@gmail.com> <5581746B.4080604@redhat.com> <55817E38.6040402@gmail.com> <5581DFDB.1090600@redhat.com> <55881BC5.6090607@gmail.com>
Message-ID: <55881D9A.3050709@redhat.com>

Janelle wrote:
> On 6/17/15 2:00 PM, Rob Crittenden wrote:
>> Janelle wrote:
>>> On 6/17/15 6:21 AM, Rob Crittenden wrote:
>>>> Janelle wrote:
>>>>> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>>>>>> Janelle wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Had a server - named ipa001.example.com -- it was a replica. It
>>>>>>> died. It
>>>>>>> was re-installed. However, prior to the re-install it was saying the
>>>>>>> wonderful:
>>>>>>>
>>>>>>> TLS error -8172:Peer's certificate issuer has been marked as not
>>>>>>> trusted
>>>>>>> by the user.
>>>>>>>
>>>>>>> It was rebuilt - new OS and doing a brand new ipa-server-install
>>>>>>> (NOT a
>>>>>>> replica or trying to join it back in to the existing ring of
>>>>>>> servers)
>>>>>>> and at the end of the ipa-server-install - it gives:
>>>>>>>
>>>>>>> Done.
>>>>>>> Restarting the directory server >>>>>>> Restarting the KDC >>>>>>> Restarting the certificate server >>>>>>> Restarting the web server >>>>>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h' >>>>>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y' >>>>>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs' >>>>>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned >>>>>>> non-zero >>>>>>> exit status 1 >>>>>>> Configuration of client side components failed! >>>>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' >>>>>>> '--on-master' '--unattended' '--domain' 'example.com' '--server' >>>>>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname' >>>>>>> 'ipa001.example.com'' returned non-zero exit status 1 >>>>>>> >>>>>>> and checking /var/log/ipaclient-install.log - the exact same TLS >>>>>>> error???? >>>>>>> >>>>>>> But this is a brand new system, with brand new OS and the install >>>>>>> was >>>>>>> ipa-server-install to install a clean server. >>>>>>> >>>>>>> I don't understand how this is happening. There is no "peer" to >>>>>>> be not >>>>>>> trusted? >>>>>> >>>>>> What version of IPA and distro? (I don't think that probably has >>>>>> anything to do with it, just curious in case it does eventually >>>>>> matter). >>>>>> >>>>>> What does /etc/openldap/ldap.conf look like? Normally it should have >>>>>> TLS_CACERT /etc/ipa/ca.crt >>>>>> >>>>>> Any chance you can share the server and client install logs? >>>>>> >>>>>> rob >>>>> 4.1.4 = IPA >>>>> CentOS 7.1 >>>>> >>>>> Oooh... Found something: /etc/openldap/ldap.conf: >>>>> >>>>> TLS_CACERTDIR /etc/openldap/certs >>>>> >>>>> Going to investigate. >>>>> ~J >>>>> >>>> >>>> That should be fine assuming there aren't any certs in there (and on a >>>> brand new system I'd think you'd have empty NSS databases). >>>> >>>> rob >>> So this gets interesting now... 
>>> >>> Say you have 6 IPA servers, named ipa001-ipa006.example.com -- all >>> working fine. >>> Something happens to 002. It dies. You "ipa-replica-manage del --clean >>> --force ipa002" to get rid of it. >>> >>> A period of time, say a month, goes by. You have lost a couple of other >>> replicas for whatever reason, say 3 and 6. You decide you want to >>> rebuild. You start with 002 - leaving the others up and running because >>> you have users working. You firewall off 002 why you rebuild it. >>> >>> You reinstall OS, reinstall FreeIPA. But no matter what, when you start >>> to configure IPA it comes up with the error of being untrusted. Now, you >>> try the same thing on 003 and 006. SAME problem. >>> >>> For fun - you shutdown 005 and uninstall freeipa --unattended and then >>> try to re-install it. Guess what - no issues. >>> >>> Is this somehow related to: >>> Same domain and realm names floating around the net - so is it querying >>> for a name somehow and one of the "still running" servers is saying - >>> "NO NO NO -- that CERT is revoked!!!" - even though it never tries to >>> connect to that server. >>> >>> Or am I just thinking far too outside the box? And this is exactly what >>> has happened. Rebuilding one of the servers that was never REMOVED is >>> working just fine. >> >> You just jumped to a completely different scenario: from a fresh >> standalone install to a replica install. We should probably pick one >> and solve it. >> >> I think the leap you're making is that the issue is that it notices >> some previous cert. A revoked service cert wouldn't have any effect as >> those service certs aren't in use. >> >> It very well could be finding the "wrong" realm based on DNS SRV >> records. The logs should show you what the client discovered. Things >> happen in multiple steps so perhaps there is a disconnect where the >> right server is used in some, but not all, cases. >> >> rob >> > ALL the problems were all related. 
> Even after building brand new
> servers, the problem persisted and then started cropping up with client
> installs.
>
> The solution traced to bad NSS packages. A simple "yum downgrade nss
> nss-sysinit nss-tools" solved it.. Something is up with the 3.18 version
> and downgrading to 3.16 seems to have resolved. Should have known it
> would all be related to an upgrade. Sometimes a slightly older version
> is best.
>
> ~Janelle

Can you open a bugzilla about this?

rob

From pvoborni at redhat.com Mon Jun 22 14:37:13 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 22 Jun 2015 16:37:13 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.2.0 Alpha 1
Message-ID: <55881D99.2060002@redhat.com>

The FreeIPA team is proud to announce FreeIPA v4.2.0 Alpha 1 release!

It can be downloaded from . The builds for Fedora 22 and Fedora Rawhide are available in the official COPR repository .

This announcement with additional ticket and design page links is available at .

== Highlights in 4.2 ==

=== Enhancements ===

* Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA servers to have a consistent state for all certificate creation requests. The certificate submission requests are authorized by the new CA ACL rules
* User life-cycle management - add inactive stage users using UI or LDAP interface and have them moved to active users by a single command. Deleted users can now also be moved - 'preserved' - to a special tree and re-activated when the user returns, preserving their UID/GID
* Support for Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even the FreeIPA server does not know the secrets!
* Replication topology is now managed by the Directory Server 'Topology plugin' which allows modifications to the topology via the standard FreeIPA UI.
The plugin is enabled for new 4.2 based deployments and for upgraded deployments that raised the Domain Level to 1
* Datepicker is now used for datetime fields in the Web UI
* Upgrade process was overhauled. There is now a single upgrade tool (`ipa-server-upgrade`) providing a simplified interface for upgrading the FreeIPA server. See details in separate subsection.
* Service constrained delegation rules can now be added by UI and CLI
* FreeIPA Web Server no longer uses the deprecated `mod_auth_kerb` but switched to the modern `mod_auth_gssapi`
* Add support for Domain Levels
* `migrate-ds` command can now search the migrated users and groups with different scope
* DNSSEC integration was improved and FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow deployment recommendations for DNS.

=== Changes to upgrade ===

The server still upgrades automatically during RPM update. However, `ipactl start` now verifies that the server was really upgraded before starting FreeIPA to prevent running upgraded bits on old data when `ipa-server-upgrade` was not run during RPM update (for example during [https://fedoraproject.org/wiki/FedUp FedUp] Fedora upgrade).

Update files (files in `/usr/share/ipa/updates/`) format was changed. Namely:
* Updates are not merged, update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used in the added attributes
* Update can now use base64 values
* Update plugins are now not run automatically, but when referenced from update files (`plugin: `)

== Known Issues ==

=== Installation ===

* missing dependency on `python-setuptools`, run `dnf install python-setuptools` before installing FreeIPA rpms.
=== Topology management ===

* `ipa-replica-manage del` doesn't check for disconnection of topology
* replica reinitialization after `ipa topologysegment-reinitialize` could be executed multiple times
* topology segment direction and 'enable' can still be modified. It will not be allowed in the final version.

=== Certificates ===

* Certificate profiles are not correctly upgraded and therefore certificate signing requests fail
* Web UI does not support multiple certificates

== Upgrading ==

Upgrade instructions are available on the Upgrade page.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

== Detailed Changelog since 4.1 ==

=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (10) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it

=== David Kupka (25) ===
* Respect UID and GID soft static allocation.
* Stop dirsrv last in ipactl stop.
* Remove unneeded internal methods. Move code to public methods.
* Remove service file even if it isn't link.
* Produce better error in group-add command.
* Fix --{user,group}-ignore-attribute in migration plugin.
* ipa-restore: Check if directory is provided + better errors.
* Fix error message for nonexistent members and add tests.
* Use singular in help metavars + update man pages.
* Always add /etc/hosts record when DNS is being configured.
* Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
* Abort backup restoration on not matching host.
* idviews: Allow setting ssh public key on ipauseroverride-add
* Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
* Restore default.conf and use it to build API.
* Always reload StateFile before getting or modifying the stored values.
* Remove unused part of ipa.conf.
* Use mod_auth_gssapi instead of mod_auth_kerb.
* Bump ipa.conf version to 17.
* Lint: Skip checking of functions stolen by python-nose.
* Make lint work on Fedora 22.
* Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.
* Do not store state if CA is enabled
* Move CA installation code into single module.
* Use 389-ds centralized scripts.

=== Drew Erny (1) ===
* Migration now accepts scope as argument

=== Endi Sukma Dewata (5) ===
* Fixed KRA backend.
* Modififed NSSConnection not to shutdown existing database.
* Added vault plugin.
* Added vault-archive and vault-retrieve commands.
* Fixed KRA installation problem.
=== Francesco Marella (1) ===
* Refactor selinuxenabled check

=== Fraser Tweedale (18) ===
* Support multiple host and service certificates
* Fix certificate management with service-mod
* Install CA with LDAP profiles backend
* Add schema for certificate profiles
* ipa-pki-proxy: provide access to profiles REST API
* Add ACL to allow CA agent to modify profiles
* Add certprofile plugin
* Enable LDAP-based profiles in CA on upgrade
* Import included profiles during install or upgrade
* Add generic split_any_principal method
* Add profile_id parameter to 'request_certificate'
* Add usercertificate attribute to user plugin
* Update cert-request to support user certs and profiles
* Fix certificate subject base
* Import profiles earlier during install
* ipa-pki-proxy: allow certificate and password authentication
* Add CA ACL plugin
* Enforce CA ACLs in cert-request command

=== Gabe Alford (16) ===
* Remove trivial path constants from modules
* ipa-server-install Directory Manager help incorrect
* ipa-managed-entries requires password with bad password
* Update default NTP configuration
* Remove usage of app_PYTHON in ipaserver Makefiles
* Remove dependency on subscription-manager
* Typos in ipa-rmkeytab options help and man page
* permission-add does not prompt for ipapermright in interactive mode
* ipa-replica-prepare should document ipv6 options
* ipatests: Add tests for valid and invalid ipa-advise
* ipa-replica-prepare can only be created on the first master
* Add message for skipping NTP configuration during client install
* Remove unneeded ip-address option in ipa-adtrust-install
* Unsaved changes dialog internally inconsistent
* Allow ipa help command to run when ipa-client-install is not configured
* Do not print traceback when pipe is broken

=== Jan Cholasta (93) ===
* Do not crash in CAInstance.__init__ when default argument values are used
* Fix certmonger configuration in installer code
* Do not check if port 8443 is available in step 2 of external CA install
* Handle profile changes in dogtag-ipa-ca-renew-agent
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
* Fix possible NULL dereference in ipa-kdb
* Fix memory leaks in ipa-extdom-extop
* Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
* Fix memory leak in ipa-pwd-extop
* Fix memory leaks in ipa-join
* Fix various bugs in ipap11helper
* Fix CA certificate backup and restore
* Fix wrong expiration date on renewed IPA CA certificates
* Restore file extended attributes and SELinux context in ipa-restore
* Use correct service name in cainstance.backup_config
* Stop tracking certificates before restoring them in ipa-restore
* Remove redefinition of LOG from ipa-otp-lasttoken
* Unload P11_Helper object's library when it is finalized in ipap11helper
* Fix Kerberos error handling in ipa-sam
* Fix unchecked return value in ipa-kdb
* Fix unchecked return values in ipa-winsync
* Fix unchecked return value in ipa-join
* Fix unchecked return value in krb5 common utils
* Fix memory leak in GetKeytabControl asn1 code
* Add TLS 1.2 to the protocol list in mod_nss config
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
* Improve validation of --instance and --backend options in ipa-restore
* Check subject name encoding in ipa-cacert-manage renew
* Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
* Fix ipa-restore on systems without IPA installed
* Remove RUV from LDIF files before using them in ipa-restore
* Fix CA certificate renewal syslog alert
* Do not crash on unknown services in installutils.stopped_service
* Restart dogtag when its server certificate is renewed
* Make certificate renewal process synchronized
* Fix validation of ipa-restore options
* Do not assume certmonger is running in httpinstance
* Put LDIF files to their original location in ipa-restore
* Revert "Make all ipatokenTOTP attributes mandatory"
* Create correct log directories during full restore in ipa-restore
* Do not crash when replica is unreachable in ipa-restore
* Bump 389-ds-base and pki-ca dependencies for POODLE fixes
* ipalib: Allow multiple API instances
* ipalib: Move plugin package setup to ipalib-specific API subclass
* advise: Add separate API object for ipa-advise
* ldap2: Use self API instance instead of ipalib.api
* replica-install: Use different API instance for the remote server
* certstore: Make certificate retrieval more robust
* client-install: Do not crash on invalid CA certificate in LDAP
* client: Fix ca_is_enabled calls
* upload_cacrt: Fix empty cACertificate in cn=CAcert
* ldap: Drop python-ldap tuple compatibility
* ldap: Remove unused IPAdmin methods
* ldap: Add connection management to LDAPClient
* ldap: Use LDAPClient connection management in IPAdmin
* ldap: Use LDAPClient connection management in ldap2
* ldap: Add bind and unbind methods to LDAPClient
* ldap: Use LDAPClient bind and unbind methods in IPAdmin
* ldap: Use LDAPClient bind and unbind methods in ldap2
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
* cainstance: Use LDAPClient instead of IPASimpleLDAPObject
* makeaci: Use LDAPClient instead of IPASimpleLDAPObject
* ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry
* ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient
* ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient
* ldap: Remove IPASimpleLDAPObject
* Fix stop_tracking_certificates call in ipa-restore
* baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry
* client-install: Fix kinits with non-default Kerberos config file
* install: Make a package out of ipaserver.install.server
* install: Move ipa-server-install code into a module
* install: Move ipa-replica-install code into a module
* install: Move ipa-server-upgrade code into a module
* install: Fix missing variable initialization in replica install
* install: Fix CA-less server install
* install: Fix external CA server install
* install: Move private_ccache from ipaserver to ipapython
* install: Introduce installer framework ipapython.install
* install: Migrate ipa-server-install to the install framework
* install: Handle Knob cli_name and cli_aliases values consistently
* install: Add support for positional arguments in CLI tools
* install: Allow setting usage in CLI tools
* install: Migrate ipa-replica-install to the install framework
* vault: Move vaults to cn=vaults,cn=kra
* install: Initialize API early in server and replica install
* vault: Fix ipa-kra-install
* install: Fix logging setup in server and replica install
* User life cycle: provide preserved user virtual attribute
* install: Fix ipa-replica-install not installing RA cert
* User life cycle: change user-del flags to be CLI-specific

=== Jan Pazdziora (1) ===
* No explicit zone specification.

=== Lenka Ryznarova (1) ===
* Test Objectclass of postdetach group

=== Ludwig Krispenz (9) ===
* ds plugin - manage replication topology in the shared tree
* install part - manage topology in shared tree
* replica install fails with domain level 1
* accept missing binddn group
* plugin uses 1 as minimum domain level to become active no calculation based on plugin version
* crash when removing a replica
* check for existing and self referential segments
* make sure the agremment rdn match the rdn used in the segment
* v2-reject modifications of endpoints and connectivity of a segment

=== Lukáš Slebodník (2) ===
* SPEC: Explicitly requires python-sssdconfig
* SPEC: Require python2 version of sssd bindings

=== Martin Babinsky (36) ===
* Use 'remove-ds.pl' to remove DS instance
* Moved dbus-python dependence to freeipa-python package
* ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
* always get PAC for client principal if AS_REQ is true
* ipa-kdb: more robust handling of principal addition/editing
* OTP: failed search for the user of last token emits an error message
* ipa-pwd-extop: added an informational comment about intentional fallthrough
* ipa-uuid: emit a message when unexpected mod type is encountered
* OTP: emit a log message when LDAP entry for config record is not found
* ipa-client-install: put eol character after the last line of altered config file(s)
* migrate-ds: exit with error message if no users/groups to migrate are found
* Changing the token owner changes also the manager
* ipa-dns-install: use STARTTLS to connect to DS
* ipa-dns-install: use LDAPI to connect to DS
* migrate-ds: print out failed attempts when no users/groups are migrated
* show the exception message thrown by dogtag._parse_ca_status during install
* do not log BINDs to non-existent users as errors
* fix improper handling of boolean option in
* proper client host setup/teardown in forced client reenrollment integration test suite
* do not install CA on replica during integration test if setup_ca=False
* ipautil: new functions kinit_keytab and kinit_password
* ipa-client-install: try to get host TGT several times before giving up
* Adopted kinit_keytab and kinit_password for kerberos auth
* use separate ccache filename for each IPA DNSSEC daemon
* point the users to PKI-related logs when CA configuration fails
* suppress errors arising from deleting non-existent files during client uninstall
* prevent duplicate IDs when setting up multiple replicas against single master
* ipa-server-install: deprecate manual setting of master KDC password
* update 'api.env.ca_host' if a different hostname is used during server install
* provide dedicated ccache file for httpd
* move IPA-related http runtime directories to common subdirectory
* explicitly destroy httpd service ccache file during httpinstance removal
* do not check for directory manager password during KRA uninstall
* merge KRA installation machinery to a single module
* KRA: get the right dogtag version during server uninstall
* add DS index for userCertificate attribute

=== Martin Bašti (114) ===
* Dogtag 10.2 to spec.file
* Fix dns zonemgr validation regression
* Add bind-dyndb-ldap working dir to IPA specfile
* Fix CI tests: install_adtrust
* Fix upgrade: do not use invalid ldap connection
* Fix: DNS installer adds invalid zonemgr email
* Fix: DNS policy upgrade raises asertion error
* Fix upgrade referint plugin
* Upgrade: fix trusts objectclass violationi
* Fix named working directory permissions
* Fix: zonemgr must be unicode value
* Fix warning message should not contain CLI commands
* Show warning instead of error if CA did not start
* Raise right exception if domain name is not valid
* Fix pk11helper module compiler warnings
* Fix: read_ip_addresses should return ipaddr object
* Fix detection of encoding in zonemgr option
* Fix zonemgr option encoding detection
* Throw zonemgr error message before installation proceeds
* Upgrade fix: masking named should be executed only once
* Using wget to get status of CA
* Show SSHFP record containing space in fingerprint
* Fix don't check certificate during getting CA status
* Fix: Upgrade forwardzones zones after adding newer replica
* Fix zone find during forwardzone upgrade
* Fix traceback if zonemgr error contains unicode
* DNS tests: separate current forward zone tests
* New test cases for Forward_zones
* Detect and warn about invalid DNS forward zone configuration
* DNS tests: warning if forward zone is inactive
* Add debug messages into client autodetection
* DNSSEC catch ldap exceptions in ipa-dnskeysyncd
* DNSSEC: fix root zone dns name conversion
* Always return absolute idnsname in dnszone commands
* Use dyndns_update instead of deprecated sssd option
* Fix reference counting in pkcs11 extension
* Prevent install scripts fail silently if timeout exceeded
* Fix warning message on client side
* Fix restoring services status during uninstall
* Fix do not enable service before storing status
* Uninstall configured services only
* Fix saving named restore status
* Migrate uniquess plugins configuration to new style
* Fix uniqueness plugins
* DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
* Fix memory leaks in ipap11helper
* Remove unused method from ipap11pkcs helper module
* Remove unused disable-betxn.ldif file
* DNS fix: do not traceback if unsupported records are in LDAP
* DNS fix: do not show part options for unsupported records
* DNS: remove NSEC3PARAM from records
* Fix dead code in ipap11helper module
* Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
* Server Upgrade: do not sort updates by DN
* Server Upgrade: Upgrade one file per time
* Server Upgrade: Set modified to false, before each update
* Server Upgrade: Update entries in order specified in file
* Server Upgrade: order update files by default
* Server Upgrade: respect --test option in plugins
* Server Upgrade: remove --test option
* Server Upgrade: Fix comments
* DNSSEC: Do not log into files
* Fix ldap2 shared connection
* Server Upgrade: use only LDAPI connection
* Server Upgrade: remove unused code in upgrade
* Server Upgrade: Apply plugin updates immediately
* Server Upgrade: specify order of plugins in update files
* Server Upgrade: plugins should use ldapupdater API instance
* Server Upgrade: Handle connection better in updates_from_dict
* Server Upgrade: use ldap2 connection in fix_replica_agreements
* Server Upgrade: restart DS using ipaplatfom service
* Server Upgrade: only root can run updates
* DNSSEC CI tests
* ipa client: make --ntp-server option multivalued
* ipa client: use NTP servers detected from SRV
* ipa client: use NTP servers specified by user
* Server Upgrade: ipa-server-upgrade command
* Server Upgrade: Verify version and platform
* Server Upgrade: use ipa-server-upgrade in RPM upgrade
* Server Upgrade: fix a comment in ldapupdater
* move realm_to_serverid to installutils module
* Server Upgrade: use LDIF parser to modify DSE.ldif
* Server Upgrade: enable DS global lock during upgrade
* Server Upgrade: remove CSV from upgrade files
* Server Upgrade: Allow base64 encoded values
* Server Upgrade: fix memberUid index
* Dont use the proxy to check CA status
* Server Upgrade: Do not start DS if it was stopped before upgrade
* Server Upgrade: raise RuntimeError instead exit()
* Server Upgrade: do not allow to run upgradeinstace alone
* Server Upgrade: handle errors better
* Server Upgrade: ipa-ldap-updater will not do overall upgrade
* Server Upgrade: Fix uniqueness plugins
* DNSSEC: FIX Do not re-create kasp.db if already exists
* DNSSEC: update OpenDNSSEC KASP configuration
* DNS install: extract DNS installer into one module
* Pylint: fix false positive warning for domain
* Uid uniqueness: fix: exclude compat tree from uniqueness
* Server Upgrade: wait until DS is ready
* Server Upgrade: Fix: execute schema update
* Server Upgrade: Move code from ipa-upgradeconfig to separate module
* Fix: use DS socket check only for upgrade
* Server Upgrade: fix remove statement
* Installers fix: remove temporal ccache
* ULC: fix: upgrade for stage Stage User Admins failed
* Fix: regression in host and service plugin
* DNSSEC: Improve global forwarders validation
* DNSSEC: validate forward zone forwarders
* Revert 389-DS BuildRequires version to 1.3.3.9
* DNSSEC: fix traceback during shutdown phase
* Server Upgrade: disconnect ldap2 connection before DS restart
* DNS: add UnknownRecord to schema
* ipa-ca-install fix: reconnect ldap2 after DS restart
* Server Upgrade: create default config for NIS Server plugin

=== Martin Košek (11) ===
* Fix ImportError in ipa-ca-install
* Bump SSSD Requires to 1.12.3
* Fix IPA_BACKUP_DIR path name
* Allow PassSync user to locate and update NT users
* Allow Replication Administrators manipulate Winsync Agreements
* Replication Administrators cannot remove replication agreements
* Add anonymous read ACI for DUA profile
* Print PublicError traceback when in debug mode
* group-detach does not add correct objectclasses
* Remove references to GPL v2.0 license
* Fix typo in ipa-server-upgrade man page

=== Milan Kubik (1) ===
* ipatests: port of p11helper test from github

=== Milan Kubík (1) ===
* Abstract the HostTracker class from host plugin test

=== Nathan Kinder (2) ===
* Timeout when performing time sync during client install
* Skip time sync during client install when using --no-ntp

=== Nathaniel McCallum (15) ===
* Ensure that a password exists after OTP validation
* Improve otptoken help messages
* Ensure users exist when assigning tokens to them
* Enable QR code display by default in otptoken-add
* Catch USBError during YubiKey location
* Preliminary refactoring of libotp files
* Move authentication configuration cache into libotp
* Enable last token deletion when password auth type is configured
* Make token auth and sync windows configurable
* Create an OTP help topic
* Prefer TCP connections to UDP in krb5 clients
* Expose the disabled User Auth Type
* Update python-yubico dependency version
* Fix a signedness bug in OTP code
* Fix OTP token URI generation

=== Petr Viktorin (35) ===
* ipa-restore: Don't crash if AD trust is not installed
* ipaplatform: Use the dirsrv service, not target
* Do not restore SELinux settings that were not backed up
* Add additional backup & restore checks
* tests: Use PEP8-compliant setup/teardown method names
* tests: Add configuration for pytest
* ipatests.util.ClassChecker: Raise AttributeError in get_subcls
* test_automount_plugin: Fix test ordering
* Use setup_class/teardown_class in Declarative tests
* dogtag plugin: Don't use doctest syntax for non-doctest examples
* test_webui: Don't use __init__ for test classes
* test_ipapython: Use functions instead of classes in test generators
* Configure pytest to run doctests
* Declarative tests: Move cleanup to setup_class/teardown_class
* Declarative tests: Switch to pytest
* Integration tests: Port the ordering plugin to pytest
* Switch make-test to pytest
* Add local pytest plugin for --with-xunit and --logging-level
* Switch ipa-run-tests to pytest
* Switch integration testing config to a fixture
* Integration tests: Port the BeakerLib plugin and log collection to pytest
* test_integration: Adjust tests for pytest
* copy_schema_to_ca: Fallback to old import location for ipaplatform.services
* Ignore ipap11helper/setup.py in doctests
* test_integration: Use python-pytest-multihost
* test_integration: Use collect_log from the host, not the testing class
* test_integration: Parametrize test instead of using a generator
* ipatests: Use pytest-beakerlib
* ipatests: Use pytest-sourceorder
* Run pylint on tests
* test_host_plugin: Convert tests to imperative style
* test_host_plugin: Split tests into independent classes
* test_host_plugin: Use HostTracker fixtures
* rename_managed: Remove use of EditableDN
* Remove Editable DN and DN component classes

=== Petr Voborník (88) ===
* build: increase java stack size for all arches
* ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
* unittests: baserid for ipa-ad-trust-posix idranges
* ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
* idrange: include raw range type in output
* webui: prohibit setting rid base with ipa-trust-ad-posix type
* webui: fix potential XSS vulnerabilities
* restore: clear httpd ccache after restore
* webui: use domain name instead of domain SID in idrange adder dialog
* webui: normalize idview tab labels
* webui: add radius fields to user page
* fix indentation in ipa-restore page
* add --hosts and --hostgroup options to allow/retrieve keytab methods
* webui: fix service unprovisioning
* webui: increase duration of notification messages
* revert removal of cn attribute from idnsRecord
* migrate-ds: fix compat plugin check
* rpcclient: use json_encode_binary for verbose output
* Fix TOTP Synchronization Window label
* ipatests: add missing ssh object classes to idoverrideuser
* webui: service: add ipakrbrequirespreauth checkbox
* webui: unable to select single value in CB by enter key
* webui: use no_members option in entity select search
* performance: faster DN implementation
* speed up convert_attribute_members
* speed up indirect member processing
* webui: add pwpolicy link to group details page if group has associated pwpolicy
* webui-ci: do not open 2 browser windows
* Update BUILD.txt
* allow to call ldap2.destroy_connection multiple times
* use Connectible.disconnect() instead of .destroy_connection()
* jQuery.ordered_map: faster creation
* jQuery.ordered_map: remove map attribute
* migrate-ds: optimize adding users to default group
* migrate-ds: skip default group option
* migrate-ds: remove unused def_group_gid context property
* migrate-ds: optimize gid checks by utilizing dictionary nature of set
* migrate-ds: log migrated group members only on debug level
* cli: differentiate Flag a Bool when autofill is set
* webui-ci: fix type error in host_tasks inicializations
* webui: update patternfly to v1.1.4
* webui: rename IPA.user_* to IPA.user.*
* webui: declare search command options in search facet
* webui: register construction spec based on existing spec
* webui: entity facets in facet registry
* webui: entity menu items navigate to main entity facet
* webui: prefer entity fallback in menu item select
* webui: navigation: do not remember selected childs of menu item
* webui: navigation: unique names on entity facet menu items
* webui: metadata validator min and max value overrides
* webui: custom facet groups in a facet
* webui: facet groups widget
* webui: allow to replace facet tabs with sidebar
* webui: allow to hide facet tabs or sidebar
* webui: facet policies for all facets
* webui: stageuser plugin
* webui: extend user deleter dialog with --permanent and --preserve options
* webui: update stageuser/user pages based on action in diffrent user search page
* webui: stageusers, display page elements based on user state
* webui: prefer search facet's deleter dialog
* webui: fix empty table border in Firefox
* webui: option to not create user private group
* webui: add boostrap-datepicker files
* webui: datetime widget with datepicker
* git ignore ipaplatform/__init__.py
* server-find and server-show commands
* topology: ipa management commands
* webui: IPA.command_dialog - a new dialog base class
* webui: use command_dialog as a base class for password dialog
* webui: make usage of --all in details facet optional
* webui: topology plugin
* webui: configurable refresh command
* webui: don't log in back after logout
* topology: allow only one node to be specified in topologysegment-refresh
* topology: hide topologysuffix-add del mod commands
* move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX
* add entries required by topology plugin on update
* webui: make topology suffices UI readonly
* rename topologysegment_refresh to topologysegment_reinitialize
* disallow mod of topology segment nodes
* topology: restrict direction changes
* topology: fix swapped topologysegment-reinitialize behavior
* regenerate ACI.txt after stage user permission rename
* ipa-replica-manage: Do not allow topology altering commands from DL 1
* server: add "del" command
* ipa-replica-manage: adjust del to work with managed topology
* webui: adjust user deleter dialog to new api
* Become IPA 4.2.0 Alpha 1

=== Petr Špaček (15) ===
* Fix zone name to directory name conversion in BINDMgr.
* Fix minimal version of BIND for Fedora 20 and 21
* Fix default value type for wait_for_dns option
* p11helper: standardize indentation and other visual aspects of the code
* p11helper: use sizeof() instead of magic constants
* p11helper: clarify error message
* Clarify messages related to adding DNS forwarders
* Grammar fix in 'Estimated time' messages printed by installer
* Clarify host name output in ipa-client-install
* Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
* DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.
* Bump run-time requires to SoftHSM 2.0.0rc1.
* Improve error messages about reverse address resolution in ipa-replica-prepare
* Clarify recommendation about --ip-address option in ipa-replica-prepapre
* Clarify error messages in ipa-replica-prepare: add_dns_records()

=== Rob Crittenden (3) ===
* Search using proper scope when connecting CA instances
* Use NSS protocol range API to set available TLS protocols
* Add plugin to manage service constraint delegations

=== Simo Sorce (13) ===
* Add UTC date to GIT snapshot version generation
* Fix filtering of enctypes in server code.
* Add asn1c generated code for keytab controls
* Use asn1c helpers to encode/decode the getkeytab control
* Stop saving the master key in a stash file
* Avoid calling ldap functions without a context
* Remove the removal of the ccache
* Handle DAL ABI change in MIT 1.13
* Add a clear OpenSSL exception.
* Stop including the DES algorythm from openssl.
* Detect default encsalts kadmin password change
* Add compatibility function for older libkrb5
* Fix s4u2proxy README and add warning

=== Sumit Bose (11) ===
* ipa-range-check: do not treat missing objects as error
* Add configure check for cwrap libraries
* extdom: handle ERANGE return code for getXXYYY_r() calls
* extdom: make nss buffer configurable
* extdom: return LDAP_NO_SUCH_OBJECT to the client
* extdom: fix memory leak
* extdom: add err_msg member to request context
* extdom: add add_err_msg() with test
* extdom: add selected error messages
* extdom: migrate check-based test to cmocka
* extdom: fix wrong realloc size

=== Thierry Bordaz (16) ===
* User Life Cycle: create containers and scoping DS plugins
* User Life Cycle: DNA scopes full SUFFIX
* Deadlock in schema compat plugin (between automember_update_membership task and dse update)
* User Life Cycle: Exclude subtree for ipaUniqueID generation
* User life cycle: stageuser-add verb
* User life cycle: allows MODRDN from ldap2
* User life cycle: new stageuser commands del/mod/find/show
* User life cycle: new stageuser commands activate
* User life cycle: new stageuser commands activate (provisioning)
* User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user
* User life cycle: user-find support finding delete users
* User life cycle: support of user-undel
* User life cycle: DNA DS plugin should exclude provisioning DIT
* User life cycle: Stage user Administrators permission/priviledge
* User life cycle: Add 'Stage User Provisioning' permission/priviledge
* Stage User: Fix permissions naming and split them where apropriate.
* Limit deadlocks between DS plugin DNA and slapi-nis

=== Thorsten Scherf (4) ===
* pwpolicy-add: Added better error handling
* Add help string on how to configure multiple DNS forwards for various cli tools
* Removed recommendation from ipa-adtrust-install
* Changed in-tree development setup instructions

=== Tomáš Babej (24) ===
* Bump 4.2 development version to 4.1.99
* specfile: Add BuildRequires for pki-base 10.2.1-0
* Re-initialize NSS database after otptoken plugin tests
* certs: Fix incorrect flag handling in load_cacert
* hosts: Display assigned ID view by default in host-find and show commands
* ipatests: Increase required version for pytest-multihost plugin
* idviews: Complain if host is already assigned the ID View in idview-apply
* idviews: Ignore host or hostgroup options set to None
* ipatests: Invoke class install methods properly with respect to pytest-multihost
* ipatests: Set the correct number of required clients for IntegrationTest
* ipatests: Refactor and fix docstrings in integration pytest plugin
* baseldap: Handle missing parent objects properly in *-find commands
* spec: Add BuildRequires for python-pytest plugins
* ipatests: Make descriptions sorted according to the order of the tests
* ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView
* ipatests: Fix old command references in the ID views tests
* ipatests: Fix incorrect assumptions in idviews tests
* ipapython: Fix incorrect python shebangs
* ipatests: Add coverage for adding and removing sshpubkeys in ID overrides
* ipalib: Make sure correct attribute name is referenced for fax
* idviews: Use case-insensitive detection of Default Trust View
* Revert "Server Upgrade: respect --test option in plugins"
* replica-manage: Properly delete nested entries
* Add Domain Level feature

-- 
Petr Vobornik

From lkrispen at redhat.com Mon Jun 22 14:52:48 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 22 Jun 2015 16:52:48 +0200
Subject: [Freeipa-users] WG: Re: Haunted servers?
In-Reply-To: 
References: 
Message-ID: <55882140.6040607@redhat.com>

Hi,

I have one scenario where I can show the comeback of the "ghost" rids, but it requires a server where the rids have been successfully cleaned and it is killed or crashes.
In that case, if the "ghost" rids have not yet been trimmed from the changelog they can be recreated from information in the changelog. They can then also propagate to other servers.

Could something similar have happened in your environment?

Ludwig

On 06/12/2015 07:38 AM, Christoph Kaminski wrote:
> I've been too early pleased :/ After ipactl restart of our first master (where we re-initialize from) the 'ghost' rids are there again...
>
> I think there is something like a fs backup for dirsrv (changelog?) but where?
>
> > we had the same problem (and some more) and yesterday we have successfully cleaned the ghost rid's
> >
> > our fix:
> >
> > 1. stop all cleanallruv Tasks, if it works with ipa-replica-manage abort-clean-ruv. It hasn't worked here. We have done it manually on ALL replicas with:
> >    a) replica stop
> >    b) delete all nsds5ReplicaClean from /etc/dirsrv/slapd-HSO/dse.ldif
> >    c) replica start
> >
> > 2. prepare on EACH ipa a cleanruv ldif file with ALL ghost rids inside (really ALL from all ipa replicas, we have had some rids only on some replicas...)
> > Example:
> >
> > dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> > changetype: modify
> > replace: nsds5task
> > nsds5task:CLEANRUV11
> >
> > dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> > changetype: modify
> > replace: nsds5task
> > nsds5task:CLEANRUV22
> >
> > dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
> > changetype: modify
> > replace: nsds5task
> > nsds5task:CLEANRUV37
> > ...
> >
> > 3. do a "ldapmodify -h 127.0.0.1 -D "cn=Directory Manager" -W -x -f $your-cleanruv-file.ldif" on all replicas AT THE SAME TIME :) we used terminator for it (https://launchpad.net/terminator). You can open multiple shell windows inside one window and send the same commands to all at the same time...
> >
> > 4. we have done a re-initialize of each IPA from our first master
> >
> > 5. restart of all replicas
> >
> > we are not sure about points 3 and 4. Maybe they are not necessary, but we have done it.
> >
> > If something fails look at defect LDAP entries in the whole ldap, we have had some entries with 'nsunique-$HASH' after the 'normal' name. We have deleted them.
> >
> > Kind regards
> > Christoph Kaminski

From pvoborni at redhat.com Mon Jun 22 16:25:47 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 22 Jun 2015 18:25:47 +0200
Subject: [Freeipa-users] blank user screen? (web UI)
In-Reply-To: <5588189D.5040300@gmail.com>
References: <5585D506.5080109@gmail.com> <55865B25.5090607@gmail.com> <5587FC75.5080907@redhat.com> <5588189D.5040300@gmail.com>
Message-ID: <5588370B.2030209@redhat.com>

On 06/22/2015 04:15 PM, Janelle wrote:
> On 6/22/15 5:15 AM, Petr Vobornik wrote:
>> On 06/21/2015 08:35 AM, Janelle wrote:
>>> Hi,
>>>
>>> Sure. Just login as a normal user to the WEB UI. screen is blank:
>>>
>>> Of course, if you click on Actions - you will see those and you can click on them, but you can't do anything else. This is a vanilla server install, nothing fancy. Oh and there is no error message at all. Any browser = same results.
>>>
>>> Tried clearing cache, history, web data.. Everything. Many of my users report the same thing. This is 7.1 with IPA 4.1.7
>>>
>>> Now the funny part - login as "admin" and everything works fine. But I certainly can't have everyone logging in as admin. :-)
>>>
>>> ~Janelle
>>
>> Do you see any error in browser console?
>>
>> Does this happen also to a user which doesn't have any RBAC role assigned (either directly or indirectly)?
> AHA -- perhaps a clue:
>
> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>
> ~J

These errors are expected. The first two happen when the user is not yet authenticated. The third line is just about a file for jquery debugging which is not shipped with ipa.

Could you inspect the other json requests? Mainly the 3 which are executed on navigating to the user details page (or after clicking on the "refresh" button on the page). Does the first result of the first request (of the three) contain user data as in

I'm unable to reproduce the issue with ipa-server-4.1.0-18.el7_1.3.x86_64.

Do these users have some special permissions/roles/rights?
--
Petr Vobornik

From janellenicole80 at gmail.com Mon Jun 22 16:39:36 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 22 Jun 2015 09:39:36 -0700
Subject: [Freeipa-users] blank user screen? (web UI)
In-Reply-To: <5588370B.2030209@redhat.com>
References: <5585D506.5080109@gmail.com> <55865B25.5090607@gmail.com> <5587FC75.5080907@redhat.com> <5588189D.5040300@gmail.com> <5588370B.2030209@redhat.com>
Message-ID: <55883A48.2070104@gmail.com>

On 6/22/15 9:25 AM, Petr Vobornik wrote:
> On 06/22/2015 04:15 PM, Janelle wrote:
>> On 6/22/15 5:15 AM, Petr Vobornik wrote:
>>> On 06/21/2015 08:35 AM, Janelle wrote:
>>>> Hi,
>>>>
>>>> Sure. Just login as a normal user to the WEB UI. screen is blank:
>>>>
>>>> Of course, if you click on Actions - you will see those and you can click on them, but you can't do anything else. This is a vanilla server install, nothing fancy. Oh and there is no error message at all. Any browser = same results.
>>>>
>>>> Tried clearing cache, history, web data.. Everything. Many of my users report the same thing. This is 7.1 with IPA 4.1.7
>>>>
>>>> Now the funny part - login as "admin" and everything works fine. But I certainly can't have everyone logging in as admin. :-)
>>>>
>>>> ~Janelle
>>>
>>> Do you see any error in browser console?
>>>
>>> Does this happen also to a user which doesn't have any RBAC role assigned (either directly or indirectly)?
>> AHA -- perhaps a clue:
>>
>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>
>> ~J
>
> These errors are expected. The first two happen when the user is not yet authenticated. The third line is just about a file for jquery debugging which is not shipped with ipa.
>
> Could you inspect the other json requests? Mainly the 3 which are executed on navigating to the user details page (or after clicking on the "refresh" button on the page). Does the first result of the first request (of the three) contain user data as in
>
>
> I'm unable to reproduce the issue with ipa-server-4.1.0-18.el7_1.3.x86_64.
>
> Do these users have some special permissions/roles/rights?

The user I did the same from is a User Administrator, however, all the other users are NOT. And if you watch closely, all the details do flash the screen, but then disappear. Refresh does nothing. The one thing - it works flawlessly for the "admin" account.

versions (I believe in the newest -- perhaps a bad idea)

freeipa-client-4.1.4-1.el7.centos.x86_64
freeipa-server-4.1.4-1.el7.centos.x86_64
freeipa-python-4.1.4-1.el7.centos.x86_64

on a user screen after login - :

[Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
[Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
[Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
[Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
[Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
[Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
[Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)

~Janelle

From aebruno2 at buffalo.edu Mon Jun 22 16:45:27 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Mon, 22 Jun 2015 12:45:27 -0400
Subject: [Freeipa-users] ipa replica failure
In-Reply-To: <55881593.7070601@redhat.com>
References: <20150619182240.GA8365@dead.ccr.buffalo.edu> <55846622.2080401@redhat.com> <55846B1A.90605@redhat.com> <20150619195738.GB8858@dead.ccr.buffalo.edu> <55881593.7070601@redhat.com>
Message-ID: <20150622164527.GD18728@dead.ccr.buffalo.edu>

On Mon, Jun 22, 2015 at 10:02:59AM -0400, Rob Crittenden wrote:
> Andrew E. Bruno wrote:
> >On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote:
> >>Rich Megginson wrote:
> >>>On 06/19/2015 12:22 PM, Andrew E. Bruno wrote:
> >>>>
> >>>>Questions:
> >>>>
> >>>>0. Is it likely that after running out of file descriptors the dirsrv slapd database on rep2 was corrupted?
> >>>
> >>>That would appear to be the case based on correlation of events, although I've never seen that happen, and it is not supposed to happen.
> >>>
> >>>>
> >>>>1. Do we have to run ipa-replica-manage del rep2 on *each* of the remaining replica servers (rep1 and rep3)? Or should it just be run on the first master?
> >>>
> >>>I believe it should only be run on the first master, but it hung, so something is not right, and I'm not sure how to remedy the situation.
> >>
> >>How long did it hang, and where?
> >
> >This command was run on rep1 (first master):
> >
> >[rep1]$ ipa-replica-manage del rep2
> >
> >This command hung.. (~10 minutes..) until I Ctrl-C. After noticing ldap queries were hanging on rep2 we ran this on rep2:
> >
> >[rep2]$ systemctl stop ipa
> >(shutdown all ipa services on rep2)
> >
> >Then back on rep1 (first master)
> >
> >[rep1]$ ipa-replica-manage -v --force del rep2
> >
> >Which appeared to work ok.
> >
> >>
> >>>>Do we need to run ipa-csreplica-manage del as well?
> >>>>
> >>>>2. Why does the rep2 server still appear when querying the nsDS5ReplicationAgreement in ldap? Is this benign or will this pose problems when we go to add rep2 back in?
> >>>
> >>>You should remove it.
> >>
> >>And ipa-csreplica-manage is the tool to do it.
> >
> >When I run this on rep1 (first master):
> >
> >[rep1]$ ipa-csreplica-manage list
> >Directory Manager password:
> >
> >rep3: master
> >rep1: master
> >
> >
> >[rep1]$ ipa-csreplica-manage del rep2
> >Directory Manager password:
> >
> >'rep1' has no replication agreement for 'rep2'
> >
> >But seems to still be there:
> >
> >[rep1]$ ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL
> >
> >dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config
> >objectClass: top
> >objectClass: nsds5replicationagreement
> >cn: masterAgreement1-rep3-pki-tomcat
> >nsDS5ReplicaRoot: o=ipaca
> >nsDS5ReplicaHost: rep3
> >nsDS5ReplicaPort: 389
> >nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config
> >nsDS5ReplicaBindMethod: Simple
> >nsDS5ReplicaTransportInfo: TLS
> >description: masterAgreement1-rep3-pki-tomcat
> >nsds50ruv: {replicageneration} 5527f74b000000600000
> >nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b0000 5582c7e40004005b0000
> >nsds50ruv: {replica 96 ldap://rep1:389} 5527f754000000600000 5582cd19000000600000
> >nsds50ruv: {replica 97 ldap://rep2:389} 5527f760000000610000 556f462b000400610000
> >nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 00000000
> >nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 00000000
> >nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 00000000
> >nsds5replicaLastUpdateStart: 20150619193149Z
> >nsds5replicaLastUpdateEnd: 20150619193149Z
> >nsds5replicaChangesSentSinceStartup:: OTY6MTMyLzAg
> >nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
> >nsds5replicaUpdateInProgress: FALSE
> >nsds5replicaLastInitStart: 0
> >nsds5replicaLastInitEnd: 0
> >
> >
> >However, when I run the ldapsearch on rep3 it's not there (the cn=ipaca,cn=mapping tree,cn=config is not listed):
> >
> >[rep3]$ ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL
> >
> >dn: cn=meTorep1,cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> >cn: meTorep1
> >objectClass: nsds5replicationagreement
> >objectClass: top
> >nsDS5ReplicaTransportInfo: LDAP
> >description: me to rep1
> >nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
> >nsDS5ReplicaHost: rep1
> >
> >
> >>
> >>>>
> >>>>3. What steps/commands can we take to verify rep2 was successfully removed and replication is behaving normally?
> >>
> >>The ldapsearch you performed already will confirm that the CA agreement has been removed.
> >
> >Still showing up.. Any thoughts?
> >
> >At this point we want to ensure both remaining masters are functional and operating normally. Any other commands you recommend running to check?
>
> You aren't seeing a replication agreement. You're seeing the Replication Update Vector (RUV).
>
> See http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html
>
> You need to do something like:
>
> # ldapmodify -D "cn=directory manager" -W -a
> dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
> objectclass: extensibleObject
> replica-base-dn: o=ipaca
> replica-id: 97
> cn: clean 97
>

Great, thanks for the clarification.

Curious what's the difference between running the ldapmodify above and ipa-replica-manage clean-ruv?

--Andrew

From rcritten at redhat.com Mon Jun 22 16:49:01 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Jun 2015 12:49:01 -0400
Subject: [Freeipa-users] ipa replica failure
In-Reply-To: <20150622164527.GD18728@dead.ccr.buffalo.edu>
References: <20150619182240.GA8365@dead.ccr.buffalo.edu> <55846622.2080401@redhat.com> <55846B1A.90605@redhat.com> <20150619195738.GB8858@dead.ccr.buffalo.edu> <55881593.7070601@redhat.com> <20150622164527.GD18728@dead.ccr.buffalo.edu>
Message-ID: <55883C7D.7070605@redhat.com>

Andrew E. Bruno wrote:
> On Mon, Jun 22, 2015 at 10:02:59AM -0400, Rob Crittenden wrote:
>> Andrew E.
Bruno wrote: >>> On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote: >>>> Rich Megginson wrote: >>>>> On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: >>>>>> >>>>>> Questions: >>>>>> >>>>>> 0. Is it likely that after running out of file descriptors the dirsrv >>>>>> slapd database on rep2 was corrupted? >>>>> >>>>> That would appear to be the case based on correlation of events, >>>>> although I've never seen that happen, and it is not supposed to happen. >>>>> >>>>>> >>>>>> 1. Do we have to run ipa-replica-manage del rep2 on *each* of the >>>>>> remaining replica servers (rep1 and rep3)? Or should it just be run on >>>>>> the first master? >>>>> >>>>> I believe it should only be run on the first master, but it hung, so >>>>> something is not right, and I'm not sure how to remedy the situation. >>>> >>>> How long did it hang, and where? >>> >>> This command was run on rep1 (first master): >>> >>> [rep1]$ ipa-replica-manage del rep2 >>> >>> This command hung.. (~10 minutes..) until I Ctr-C. After noticing ldap >>> queries were hanging on rep2 we ran this on rep2: >>> >>> [rep2]$ systemctl stop ipa >>> (shutdown all ipa services on rep2) >>> >>> Then back on rep1 (first master) >>> >>> [rep1]$ ipa-replica-manage -v --force del rep2 >>> >>> Which appeared to work ok. >>> >>>> >>>>>> Do we need to run ipa-csreplicate-manage del as well? >>>>>> >>>>>> 2. Why does the rep2 server still appear when querying the >>>>>> nsDS5ReplicationAgreement in ldap? Is this benign or will this pose >>>>>> problems >>>>>> when we go to add rep2 back in? >>>>> >>>>> You should remove it. >>>> >>>> And ipa-csreplica-manage is the tool to do it. 
>>> >>> When I run this on rep1 (first master): >>> >>> [rep1]$ ipa-csreplica-manage list >>> Directory Manager password: >>> >>> rep3: master >>> rep1: master >>> >>> >>> [rep1]$ ipa-csreplica-manage del rep2 >>> Directory Manager password: >>> >>> 'rep1' has no replication agreement for 'rep2' >>> >>> But seems to still be there: >>> >>> [rep1]$ ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL >>> >>> dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=ipaca,cn=mapping tree,cn=config >>> objectClass: top >>> objectClass: nsds5replicationagreement >>> cn: masterAgreement1-rep3-pki-tomcat >>> nsDS5ReplicaRoot: o=ipaca >>> nsDS5ReplicaHost: rep3 >>> nsDS5ReplicaPort: 389 >>> nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-rep3-pki-tomcat,ou=csusers,cn=config >>> nsDS5ReplicaBindMethod: Simple >>> nsDS5ReplicaTransportInfo: TLS >>> description: masterAgreement1-rep3-pki-tomcat >>> nsds50ruv: {replicageneration} 5527f74b000000600000 >>> nsds50ruv: {replica 91 ldap://rep3:389} 5537c7ba0000005b >>> 0000 5582c7e40004005b0000 >>> nsds50ruv: {replica 96 ldap://rep1:389} 5527f75400000060 >>> 0000 5582cd19000000600000 >>> nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061 >>> 0000 556f462b000400610000 >>> nsruvReplicaLastModified: {replica 91 ldap://rep3:389} 0 >>> 0000000 >>> nsruvReplicaLastModified: {replica 96 ldap://rep1:389} 0 >>> 0000000 >>> nsruvReplicaLastModified: {replica 97 ldap://rep2:389} 0 >>> 0000000 >>> nsds5replicaLastUpdateStart: 20150619193149Z >>> nsds5replicaLastUpdateEnd: 20150619193149Z >>> nsds5replicaChangesSentSinceStartup:: OTY6MTMyLzAg >>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd >>> ate succeeded >>> nsds5replicaUpdateInProgress: FALSE >>> nsds5replicaLastInitStart: 0 >>> nsds5replicaLastInitEnd: 0 >>> >>> >>> However, when I run the ldapsearch on rep3 it's not there (the >>> cn=ipaca,cn=mapping tree,cn=config is not listed): >>> >>> [rep3]$ 
>>> ldapsearch -Y GSSAPI -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement -LL
>>>
>>> dn: cn=meTorep1,cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
>>> cn: meTorep1
>>> objectClass: nsds5replicationagreement
>>> objectClass: top
>>> nsDS5ReplicaTransportInfo: LDAP
>>> description: me to rep1
>>> nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
>>> nsDS5ReplicaHost: rep1
>>>
>>>
>>>>
>>>>>>
>>>>>> 3. What steps/commands can we take to verify rep2 was successfully removed and replication is behaving normally?
>>>>
>>>> The ldapsearch you performed already will confirm that the CA agreement has been removed.
>>>
>>> Still showing up.. Any thoughts?
>>>
>>> At this point we want to ensure both remaining masters are functional and operating normally. Any other commands you recommend running to check?
>>
>> You aren't seeing a replication agreement. You're seeing the Replication Update Vector (RUV).
>>
>> See http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html
>>
>> You need to do something like:
>>
>> # ldapmodify -D "cn=directory manager" -W -a
>> dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
>> objectclass: extensibleObject
>> replica-base-dn: o=ipaca
>> replica-id: 97
>> cn: clean 97
>>
>
> Great, thanks for the clarification.
>
> Curious what's the difference between running the ldapmodify above and ipa-replica-manage clean-ruv?
>

Nothing, for the IPA data. This is a remnant from a CA replication agreement and it was an oversight not to add similar RUV management options to the ipa-csreplica-manage tool.

rob

From pvoborni at redhat.com Mon Jun 22 17:11:17 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 22 Jun 2015 19:11:17 +0200
Subject: [Freeipa-users] blank user screen?
(web UI) In-Reply-To: <55883A48.2070104@gmail.com> References: <5585D506.5080109@gmail.com> <55865B25.5090607@gmail.com> <5587FC75.5080907@redhat.com> <5588189D.5040300@gmail.com> <5588370B.2030209@redhat.com> <55883A48.2070104@gmail.com> Message-ID: <558841B5.3020605@redhat.com> On 06/22/2015 06:39 PM, Janelle wrote: > On 6/22/15 9:25 AM, Petr Vobornik wrote: >> On 06/22/2015 04:15 PM, Janelle wrote: >>> On 6/22/15 5:15 AM, Petr Vobornik wrote: >>>> On 06/21/2015 08:35 AM, Janelle wrote: >>>>> Hi, >>>>> >>>>> Sure. Just login as a normal user to the WEB UI. screen is blank: >>>>> >>>>> Of course, if you click on Actions - you will see those and you can >>>>> click on >>>>> them, but you can't do anything else. This is a vanilla server >>>>> install, nothing >>>>> fancy. Oh and there is no error message at all. Any browser = same >>>>> results. >>>>> >>>>> Tried clearing cache, history, web data.. Everything. Many of my >>>>> users report >>>>> the same thing. This is 7.1 with IPA 4.1.7 >>>>> >>>>> Now the funny part - login as "admin" and everything works fine. But >>>>> I certainly >>>>> can't have everyone logging in as admin. :-) >>>>> >>>>> ~Janelle >>>> >>>> Do you see any error in browser console? >>>> >>>> Does this happen also to a user which doesn't have any RBAC role >>>> assigned(either directly or indrectly)? >>> AHA -- perhaps a clue: >>> >>> [Error] Failed to load resource: the server responded with a status of >>> 401 (Unauthorized) (json, line 0) >>> [Error] Failed to load resource: the server responded with a status of >>> 401 (Unauthorized) (login_kerberos, line 0) >>> [Error] Failed to load resource: the server responded with a status of >>> 404 (Not Found) (jquery-2.0.3.min.map, line 0) >>> >>> ~J >> >> These errors are expected. First two happens when user is not yet >> authenticated. Third line is just about file for jquery debugging >> which is not shipped with ipa. >> >> Could you inspect other json request? 
>> Mainly the 3 which are executed on navigating to the user details page (or after clicking on the "refresh" button on the page). Does the first result of the first request (of the three) contain user data as in
>>
>>
>> I'm unable to reproduce the issue with ipa-server-4.1.0-18.el7_1.3.x86_64.
>>
>> Do these users have some special permissions/roles/rights?
> The user I did the same from is a User Administrator, however, all the other users are NOT. And if you watch closely, all the details do flash the screen, but then disappear. Refresh does nothing. The one thing - it works flawlessly for the "admin" account.
>
> versions (I believe in the newest -- perhaps a bad idea)
>
> freeipa-client-4.1.4-1.el7.centos.x86_64
> freeipa-server-4.1.4-1.el7.centos.x86_64
> freeipa-python-4.1.4-1.el7.centos.x86_64
>
>
> on a user screen after login - :
>
> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>
> ~Janelle

If I understand it correctly, you get a bunch of 401 Unauthorized errors after successful auth? This should not happen.

I have seen something similar when clients were a couple of minutes in the future relative to the ipa server (assuming forms based auth is used, otherwise it would fail on obtaining the TGT) because the session expires immediately if clients are more than 20 mins ahead. Or when the krb ticket TTL was less than 5 minutes.

Are there any "200 Success" requests to "ipa/session/json" or ipa/session/login_password in the network tab as shown on the image: https://pvoborni.fedorapeople.org/images/user_response_data.png after successful login?
--
Petr Vobornik

From nathan at nathanpeters.com Mon Jun 22 19:43:23 2015
From: nathan at nathanpeters.com (Nathan Peters)
Date: Mon, 22 Jun 2015 12:43:23 -0700
Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
In-Reply-To: <5585CA58.7020409@redhat.com>
References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> <55846FA8.8090508@redhat.com> <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> <558499E1.6080408@redhat.com> <5585CA58.7020409@redhat.com>
Message-ID: <869AA3DC8CC741AEB83897FD6BDBEC46@Azul>

-----Original Message-----
From: Rob Crittenden
Sent: Saturday, June 20, 2015 1:17 PM
To: Nathan Peters
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

Nathan Peters wrote:
>
>
> -----Original Message----- From: Rob Crittenden
> Sent: Friday, June 19, 2015 3:38 PM
> To: nathan at nathanpeters.com
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>
> nathan at nathanpeters.com wrote:
>>> nathan at nathanpeters.com wrote:
>>>> FreeIPA server 4.1.3 on CentOS 7
>>>>
>>>> I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA
>>>> web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.
>>>>
>>>> I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.
>>>>
>>>> For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error :
>>>> invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>>>>
>>>> This applies not just to the HBAC rule, but anything that has Read in the name.
>>>>
>>>> How do I create a read only user without getting this error message?
>>>
>>> You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.
>>>
>>> rob
>>>
>>>
>>
>> That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.
>
> The UI handles those permissions differently.
>
> $ kinit someuser
> $ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com
>
>>
>> Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.
>>
>> I can post screenshots if that helps.
>>
>
> This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075
>
> Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users.
>
> rob
>
> What do you mean by it is a no-op?
>
> Here is what I did that worked:
>
> 1) Create a privilege called "Read only privilege"
>
> 2) Go to each permission individually that has the word "Read" in it and add them to the "read only privilege" privilege one at a time. There were about 65 of them. This is fine because we are not applying this to users, only applying the permissions to the privilege.
>
> 3) Next, go back to the read-only privilege and add some group that contains users.
>
> 4) Login to the webui as a user that is in the group that was added to the privilege and now you can see all menu options just like an admin, but everything is read only and any attempt to make changes results in a message that you don't have permission to make that change. This is currently working exactly as I expect it to once I set it up the long way.
>
> Result : Member can now browse the entire web ui and see everything, hosts, users, rbac rules, hbac rules, groups etc but in read only mode as expected.
>
>I'm talking only about the issue where a permission with a bindrule of all cannot be added to a privilege. The fact that it can be added in the UI is a bug.
>
>It is the data in LDAP we really care about and a permission with a bindrule of all grants all authenticated users read access to that data, regardless of what you might or might not see in the UI.
>
>I'm not entirely sure how Petr does that though I always thought it was through LDAP effective rights which in effect should grant all users HBAC read access, so perhaps he determines it based on other things as well.
>
>rob

So what is the correct way to grant full read-only permissions in the web UI? The audience for this viewing is managers and they are non-technical and have no desire to login to an SSH shell and try to view the data they need using the cli.

They have seen me working in the web UI and really like how easy it is to browse the interface.

Is there any proper way to do this? Is it possible at all without invoking that bug that I invoked to make it happen?

From rcritten at redhat.com Mon Jun 22 20:09:45 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Jun 2015 16:09:45 -0400
Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
In-Reply-To: <869AA3DC8CC741AEB83897FD6BDBEC46@Azul>
References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> <55846FA8.8090508@redhat.com> <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> <558499E1.6080408@redhat.com> <5585CA58.7020409@redhat.com> <869AA3DC8CC741AEB83897FD6BDBEC46@Azul>
Message-ID: <55886B89.1090508@redhat.com>

Nathan Peters wrote:
>
>
> -----Original Message----- From: Rob Crittenden
> Sent: Saturday, June 20, 2015 1:17 PM
> To: Nathan Peters
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>
> Nathan Peters wrote:
>>
>>
>> -----Original Message----- From: Rob Crittenden
>> Sent: Friday, June 19, 2015 3:38 PM
>> To: nathan at nathanpeters.com
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>>
>> nathan at nathanpeters.com wrote:
>>>> nathan at nathanpeters.com wrote:
>>>>> FreeIPA server 4.1.3 on CentOS 7
>>>>>
>>>>> I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible.
Basically my manager want the type of view into FreeIPA >>>>> that >>>>> they have in AD using the 'AD Users and Computers program). >>>>> >>>>> I note that there are quite a few read permission in the permissions >>>>> list. >>>>> I tried creating a new privilege called Read Only Administrator and >>>>> giving them all the permission that have read only in the name. >>>>> >>>>> For some reason I can add all other system and full access permissions >>>>> but >>>>> when I try to add a read only permission I get the following error : >>>>> invalid 'permission': cannot add permission "System: Read HBAC Rules" >>>>> with >>>>> bindtype "all" to a privilege >>>>> >>>>> This applies not just the HBAC rule, but anything that has Read in the >>>>> name. >>>>> >>>>> How do I create a read only user without getting this error message? >>>> >>>> You can't add a rule with bindtype all because this bindtype already >>>> allows all authenticated users the rights granted by the rule, in this >>>> case read access. >>>> >>>> rob >>>> >>>> >>> >>> That doesn't sound right. When I login to FreeIPA web ui with a user >>> who >>> is not part of any group, the only thing he can do is browse other users >>> and update his own password and SSH key. He does not get the HBAC menu >>> and definitely cannot browse HBAC rules. >> >> The UI handles those permissions differently. >> >> $ kinit someuser >> $ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com >> >>> >>> Also, If I do this step backward and go directly to the RBAC -> >>> Permissions menu and choose a permission and edit it, I can add it to a >>> privilege, but if I go to the privilege and try to add the permission it >>> fails. This makes zero sense. >>> >>> I can post screenshots if that helps. >>> >> >> This is a bug. There is a function not available on the command line, >> permission_add_member, which incorrectly allows this. 
I opened >> https://fedorahosted.org/freeipa/ticket/5075 >> >> Regardless of whether it is added or not, it is a no-op because the >> whole idea of permissions is to grant access via groups and there is no >> group in this permission. It allows all authenticated users. >> >> rob >> >> What do you mean by it is a no-op? >> >> Here is what I did that worked: >> >> 1)Create privilege called "Read only privilege" >> >> 2)Go to each permission individually that has the world "Read" in it and >> add them to the "read only privilege" privilege one at a time. There >> was about 65 of them. This is fine because we are not apply this to >> users, only apply the permissions to the privilege. >> >> 3)Next, go back to the read-only privilege and add some group that >> contains users. >> >> 4)Login to the webui as a user that is in the group that was added to >> the privilege and now you can see all menu options just like an admin, >> but everything is read only and any attempt to make changes results in a >> message that you don't have permission to make that change. This is >> currently working exactly as I expect it to once I set it up the long >> way. >> >> Result : Member can now browse the entire web ui and see everything, >> hosts, users, rbac rules, hbac rules, groups etc but in read only mode >> as expected. >> >> I'm talking only about the issue where a permission with a bindrule of >> all cannot be added to a privilege. The fact that it can be added in >> the UI is a bug. >> >> It is the data in LDAP we really care about and a permission with a >> bindrule of all grants all authenticated users read access to that >> data, regardless of what you might or might not see in the UI. >> >> I'm not entirely sure how Petr does that though I always thought it >> was through LDAP effective rights which in effect should grant all >> users HBAC read access, so perhaps he determines it based on other >> things as well. 
>> >> rob
>
> So what is the correct way to grant full read-only permissions in the web UI? The audience for this viewing is managers and they are non technical and have no desire to login to an SSH shell and try to view the data they need using the cli.
>
> They have seen me working in the web UI and really like how easy it is to browse the interface.
>
> Is there any proper way to do this? Is it possible at all without invoking that bug that I invoked to make it happen?

That's a question for Petr. I don't know how the UI determines which tabs to make visible. I thought it was based on the effective rights but perhaps it is more complex than that.

rob

From yamakasi.014 at gmail.com Mon Jun 22 20:57:26 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 22 Jun 2015 22:57:26 +0200
Subject: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To: <098f97b60aeccf4d115bf6f0aea625e3@scunc.net>
References: <098f97b60aeccf4d115bf6f0aea625e3@scunc.net>
Message-ID:

OK, I'm on the go here but I have some issues.

When I install the replica server I get this error on the new replica:

ipa : CRITICAL CA DS schema check failed. Make sure the PKI service on the remote master is operational.

When I restart IPA on the old master I get this:

PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[ OK ]

So the error on the replica is not that strange, but how to fix this on the master?

Matt

2015-06-22 15:59 GMT+02:00 Hendrik Frenzel :
> On 22.06.2015 12:10, Matt . wrote:
>>
>> Hi Guys,
>
> Hi Matt,
>
>> I found some good information about migrating from 3.3 to 4.x using replicas.
>>
>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as CentOS doesn't provide 3.3.
>
> Could you please share an URL or something?
>
> Currently I'm here:
>
> * ipa-6 - CentOS 6.6:
> ipa-admintools-3.0.0-42.el6.centos.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-3.0.0-42.el6.centos.x86_64
> ipa-server-3.0.0-42.el6.centos.x86_64
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> sssd-ipa-1.11.6-30.el6_6.4.x86_64
> pki-ca-9.0.3-38.el6_6.noarch
>
> * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind, bind-dyndb-ldap):
> ipa-admintools-4.1.0-18.el7.centos.3.x86_64
> ipa-client-4.1.0-18.el7.centos.3.x86_64
> ipa-python-4.1.0-18.el7.centos.3.x86_64
> ipa-server-4.1.0-18.el7.centos.3.x86_64
> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> pki-ca-10.1.2-7.el7.noarch
>
> -1. Update schema
> ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root at ipa-6:
> ipa-6# python copy-schema-to-ca.py
>
> 0. clean up old/stale replication agreements
> ipa-replica-manage del --force ipa-6.example.com
> ipa-csreplica-manage del --force ipa-6.example.com
>
> 1. prepare replication on ipa-6 for ipa-7
> ipa-replica-prepare ipa-7.example.com
>
> 2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
> - "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
> + "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>
> 3. slow down the network a bit
> (don't know how effective it is, as we already got 1GBit, but without it, a timing bug in 389-ds-base is triggered - see
> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html) > tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms > burst 1540 > > 4. install replication (without CA for the moment) > ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg > --setup-dns --mkhomedir --no-forwarders > > Up to now, everything works, but we need the CA too: > > 5. install ca > ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg > > But this won't work and I don't have a clue how to fix/proceed from here. > > # ipa-7: /var/log/ipareplica-ca-install.log > ipa : DEBUG stderr=pkispawn : WARNING ....... unable to > validate security domain user/password through REST interface. Interface not > available > pkispawn : ERROR ....... Exception from Java Configuration Servlet: > Error while updating security domain: java.io.IOException: 2 > > ipa : CRITICAL failed to configure ca instance Command > ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero > exit status 1 > ipa : DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 382, in start_creation > run_step(full_msg, method) > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 372, in run_step > method() > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > line 673, in __spawn_instance > raise RuntimeError('Configuration of CA failed') > RuntimeError: Configuration of CA failed > > # ipa-7: /var/log/pki/pki-tomcat/ca/system > 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build > CA chain. 
Error java.security.cert.CertificateException: Certificate is not > a PKCS #11 certificate > 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz > instance DirAclAuthz initialization failed and skipped, error=Property > internaldb.ldapconn.port missing value > > # ipa-7: /var/log/pki/pki-tomcat/ca/debug > [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master > [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase > updateDomainXML start hostname=ipa-6.example.com port=443 > [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed > to update security domain using admin port 443: > org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White > [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now > trying agent port with client auth > [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase > updateDomainXML start hostname=ipa-6.example.com port=443 > [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() > nickname=subsystemCert cert-pki-ca > [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase > updateDomainXML: status=1 > > # ipa-6: /var/log/httpd/access_log > 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST > /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309 > 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST > /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115 > > # ipa-6: /var/log/pki-ca/debug > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = > /ca/agent/ca/updateDomainXML > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='name' value='CA ipa-7.example.com 8443' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='eeclientauthsport' value='443' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='httpport' value='80' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='sport' value='443' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() 
param > name='dm' value='true' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='adminsport' value='443' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='list' value='CAList' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='clone' value='true' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='type' value='CA' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='agentsport' value='443' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='sessionID' value='-4812857165985662682' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param > name='host' value='ipa-7.example.com' > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML start > to service. > [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing... > [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process: > authentication starts > [22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2 > [22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL > certificate > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA > Subsystem,O=EXAMPLE.COM > [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started > [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving client > certificate > [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client > certificate > [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn() > [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true > [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true > [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2 > [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3 > [22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client certificate > found > 
[22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn() > [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true > [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true > [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2 > [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3 > [22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() > message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA > Subsystem,O=EXAMPLE.COM] authentication failure > [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22 > 15:12:59 CEST 2015 id=caUpdateDomainXML time=11 > > # ipa-6: /var/log/pki-ca/system > 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot > authenticate agent with certificate Serial 0x272 Subject DN CN=CA > Subsystem,O=EXAMPLE.COM. Error: User not found > 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet > caUpdateDomainXML: Failed to authorize: Invalid Credential.. > > It would be great if someone could give a hint where to look and what user > can't authenticate and why. > > @Matt: For renaming the IdM server, see > https://access.redhat.com/solutions/174733 it could possibly help. > > b/r > H. 
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From Alexander.Frolushkin at megafon.ru Tue Jun 23 04:01:39 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Tue, 23 Jun 2015 04:01:39 +0000
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
In-Reply-To: <5587FDA8.8010900@redhat.com>
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu> <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru> <5587DA57.9020307@martos.bme.hu> <5587FDA8.8010900@redhat.com>
Message-ID:

Hello.
We have 19 RHEL 7.1 IPA (ipa-server-4.1.0-18.el7_1.3.x86_64) servers.
Debug level was changed this way on 4 of them:

dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level:24576
-
replace: nsslapd-accesslog-level
nsslapd-accesslog-level:256
EOF

After this, IO was increased significantly.
Two of the servers hung after some time, a lot of dups appeared on most IPA servers in the domain.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Monday, June 22, 2015 6:21 PM
To: Tamas Papp
Cc: Alexander Frolushkin (SIB); 'Christoph Kaminski'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

On 06/22/2015 11:50 AM, Tamas Papp wrote:
Fascinating.
Can you Red Hat guys reproduce this in your test environment?

Most of my tests are on RHEV with RHEL 7.1, I have not seen a crash of DS.
About the test case, you installed a server+replicas (version ?), then turned on errorlog-level (do you remember what level). That would slow down the DS instance and fill the errors log. Then you hit a crash extremely frequently. Do you remember what kind of load: search/mod/add/del?
thanks
thierry

Thanks,
tamas

On 06/22/2015 11:42 AM, Alexander Frolushkin wrote:
Hello everyone.
I can confirm this on VMWare, recently we had a similar issue when we enabled dirsrv debug on 4 of our 19 IPA servers :(

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christoph Kaminski
Sent: Monday, June 22, 2015 2:50 PM
To: Tamas Papp
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

>
> In my particular case I'm interested, whether it can crash servers.
> Does it for you? I don't see it in that thread.
>
> tamas

yes... we have had crashes really often on virtual machine installations. On bare metal we had 2-3x a crash.
That was the reason for us to destroy all IPA VM's. There seems to be an IO issue on VM's with IPA (rhev virtualisation here). You can see it extremely if you turn the debug level higher.

Greetz
From craig.redhat at shakenautomotive.com.au Tue Jun 23 07:24:32 2015
From: craig.redhat at shakenautomotive.com.au (craig.redhat at shakenautomotive.com.au)
Date: Tue, 23 Jun 2015 17:24:32 +1000
Subject: [Freeipa-users] Very Odd Fedora 21 Auth Issue (Server: IPA 4.1.0)
Message-ID: <20150623072432.GA12693@shakenautomotive.com.au>

Hi,
This is one odd issue?!

Red Hat Enterprise Linux 7.1

#Server Side
Red Hat Enterprise Linux Server release 7.1 (Maipo)
ipa-server-4.1.0-18.el7_1.3.x86_64

#Client side
Fedora release 21 (Twenty One)
* freeipa-client-4.1.4-1.fc21.x86_64
* sssd-client-1.12.4-3.fc21.x86_64

Issue:
User cannot login to their PC

Error: /var/log/secure
Jun 23 17:08:48 johnpc sshd[3591]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john
Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john
Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): received for user john: 7 (Authentication failure)

However:
1. Kerberos works;
kinit john
john at johnpc /etc/pam.d> klist
Ticket cache: KEYRING:persistent:365:365
Default principal: john at EXAMPLE.EXAMPLEAUS.COM.AU

Valid starting Expires Service principal
23/06/15 16:49:30 24/06/15 16:49:28 krbtgt/EXAMPLE.EXAMPLEAUS.COM.AU at EXAMPLE.EXAMPLEAUS.COM.AU

2. LDAP works;
john at johnpc ~> getent passwd john
john:x:365:132::/home/john:/bin/bash

3. ssh to IPA server works with a password (so not relying on the Kerberos ticket);
john at erio ~> ssh john at sysvm-ipa1
john at sysvm-ipa1's password:
Last login: Tue Jun 23 16:50:02 2015 from johnpc.example.exampleaus.com.au

Any advice would be greatly appreciated.
Regards, Craig From sbose at redhat.com Tue Jun 23 07:34:00 2015 From: sbose at redhat.com (Sumit Bose) Date: Tue, 23 Jun 2015 09:34:00 +0200 Subject: [Freeipa-users] Very Odd Fedora 21 Auth Issue (Server: IPA 4.1.0) In-Reply-To: <20150623072432.GA12693@shakenautomotive.com.au> References: <20150623072432.GA12693@shakenautomotive.com.au> Message-ID: <20150623073400.GB12661@p.redhat.com> On Tue, Jun 23, 2015 at 05:24:32PM +1000, craig.redhat at shakenautomotive.com.au wrote: > Hi, > This is one odd issue?! > > Red Hat Enterprise Linux 7.1 > > #Server Side > Red Hat Enterprise Linux Server release 7.1 (Maipo) > ipa-server-4.1.0-18.el7_1.3.x86_64 > > #Client side > Fedora release 21 (Twenty One) > * freeipa-client-4.1.4-1.fc21.x86_64 > * sssd-client-1.12.4-3.fc21.x86_64 > > > Issue: > User cannot login to their PC > > Error: /var/log/secure > Jun 23 17:08:48 johnpc sshd[3591]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john > Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john > Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): received for user > john: 7 (Authentication failure) > > However: > 1. Kerberous works; > kinit john > john at johnpc /etc/pam.d> klist > Ticket cache: KEYRING:persistent:365:365 > Default principal: john at EXAMPLE.EXAMPLEAUS.COM.AU > > Valid starting Expires Service principal > 23/06/15 16:49:30 24/06/15 16:49:28 > krbtgt/EXAMPLE.EXAMPLEAUS.COM.AU at EXAMPLE.EXAMPLEAUS.COM.AU > > 2. LDAP works; > john at johnpc ~> getent passwd john > john:x:365:132::/home/john:/bin/bash > > 3. ssh to IPA server works with a password (so not relying on the kerberous > ticket); > john at erio ~> ssh john at sysvm-ipa1 > john at sysvm-ipa1's password: > Last login: Tue Jun 23 16:50:02 2015 from johnpc.example.exampleaus.com.au > > > Any advice would be greatly appreciated? 
I think we need sssd logs here, please see https://fedorahosted.org/sssd/wiki/Troubleshooting for details. We need at least logs for the PAM responder ([pam] section in sssd.conf) and the backend ([domain/...] section in sssd.conf).

bye,
Sumit

>
> Regards,
>
> Craig
>

From pvoborni at redhat.com Tue Jun 23 07:52:46 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 23 Jun 2015 09:52:46 +0200
Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
In-Reply-To: <55886B89.1090508@redhat.com>
References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> <55846FA8.8090508@redhat.com> <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> <558499E1.6080408@redhat.com> <5585CA58.7020409@redhat.com> <869AA3DC8CC741AEB83897FD6BDBEC46@Azul> <55886B89.1090508@redhat.com>
Message-ID: <5589104E.2000306@redhat.com>

On 06/22/2015 10:09 PM, Rob Crittenden wrote:
> Nathan Peters wrote:
>>
>>
>> -----Original Message----- From: Rob Crittenden
>> Sent: Saturday, June 20, 2015 1:17 PM
>> To: Nathan Peters
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>>
>> Nathan Peters wrote:
>>>
>>>
>>> -----Original Message----- From: Rob Crittenden
>>> Sent: Friday, June 19, 2015 3:38 PM
>>> To: nathan at nathanpeters.com
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>>>
>>> nathan at nathanpeters.com wrote:
>>>>> nathan at nathanpeters.com wrote:
>>>>>> FreeIPA server 4.1.3 on CentOS 7
>>>>>>
>>>>>> I am trying to create a set of privileges or roles
that will allow >>>>>> me to >>>>>> create a user who has read-only access to as much of the FreeIPA >>>>>> web UI >>>>>> as >>>>>> possible. Basically my manager want the type of view into FreeIPA >>>>>> that >>>>>> they have in AD using the 'AD Users and Computers program). >>>>>> >>>>>> I note that there are quite a few read permission in the permissions >>>>>> list. >>>>>> I tried creating a new privilege called Read Only Administrator >>>>>> and >>>>>> giving them all the permission that have read only in the name. >>>>>> >>>>>> For some reason I can add all other system and full access >>>>>> permissions >>>>>> but >>>>>> when I try to add a read only permission I get the following error : >>>>>> invalid 'permission': cannot add permission "System: Read HBAC Rules" >>>>>> with >>>>>> bindtype "all" to a privilege >>>>>> >>>>>> This applies not just the HBAC rule, but anything that has Read in >>>>>> the >>>>>> name. >>>>>> >>>>>> How do I create a read only user without getting this error message? >>>>> >>>>> You can't add a rule with bindtype all because this bindtype already >>>>> allows all authenticated users the rights granted by the rule, in this >>>>> case read access. >>>>> >>>>> rob >>>>> >>>>> >>>> >>>> That doesn't sound right. When I login to FreeIPA web ui with a user >>>> who >>>> is not part of any group, the only thing he can do is browse other >>>> users >>>> and update his own password and SSH key. He does not get the HBAC menu >>>> and definitely cannot browse HBAC rules. >>> >>> The UI handles those permissions differently. >>> >>> $ kinit someuser >>> $ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com >>> >>>> >>>> Also, If I do this step backward and go directly to the RBAC -> >>>> Permissions menu and choose a permission and edit it, I can add it to a >>>> privilege, but if I go to the privilege and try to add the >>>> permission it >>>> fails. This makes zero sense. >>>> >>>> I can post screenshots if that helps. 
>>>> >>> >>> This is a bug. There is a function not available on the command line, >>> permission_add_member, which incorrectly allows this. I opened >>> https://fedorahosted.org/freeipa/ticket/5075 >>> >>> Regardless of whether it is added or not, it is a no-op because the >>> whole idea of permissions is to grant access via groups and there is no >>> group in this permission. It allows all authenticated users. >>> >>> rob >>> >>> What do you mean by it is a no-op? >>> >>> Here is what I did that worked: >>> >>> 1)Create privilege called "Read only privilege" >>> >>> 2)Go to each permission individually that has the world "Read" in it and >>> add them to the "read only privilege" privilege one at a time. There >>> was about 65 of them. This is fine because we are not apply this to >>> users, only apply the permissions to the privilege. >>> >>> 3)Next, go back to the read-only privilege and add some group that >>> contains users. >>> >>> 4)Login to the webui as a user that is in the group that was added to >>> the privilege and now you can see all menu options just like an admin, >>> but everything is read only and any attempt to make changes results in a >>> message that you don't have permission to make that change. This is >>> currently working exactly as I expect it to once I set it up the long >>> way. >>> >>> Result : Member can now browse the entire web ui and see everything, >>> hosts, users, rbac rules, hbac rules, groups etc but in read only mode >>> as expected. >>> >>> I'm talking only about the issue where a permission with a bindrule of >>> all cannot be added to a privilege. The fact that it can be added in >>> the UI is a bug. >>> >>> It is the data in LDAP we really care about and a permission with a >>> bindrule of all grants all authenticated users read access to that >>> data, regardless of what you might or might not see in the UI. 
>>>
>>> I'm not entirely sure how Petr does that though I always thought it was through LDAP effective rights which in effect should grant all users HBAC read access, so perhaps he determines it based on other things as well.
>>>
>>> rob
>>
>> So what is the correct way to grant full read-only permissions in the web UI? The audience for this viewing is managers and they are non technical and have no desire to login to an SSH shell and try to view the data they need using the cli.
>>
>> They have seen me working in the web UI and really like how easy it is to browse the interface.
>>
>> Is there any proper way to do this? Is it possible at all without invoking that bug that I invoked to make it happen?
>
> That's a question for Petr. I don't know how the UI determines which tabs to make visible. I thought it was based on the effective rights but perhaps it is more complex than that.
>
> rob

It's as described in #4. Web UI displays all tabs if a user is assigned to at least one RBAC role either directly or indirectly through a user group. Effective rights are used only for attributes (attributeslevelrights). Object level rights are not provided to Web UI yet.

In other words:
1. create empty RBAC role
2. assign there all users who should read stuff.

Exception is DNS (and maybe some other entries). DNS is not readable by everybody by default.
--
Petr Vobornik

From tbordaz at redhat.com Tue Jun 23 08:50:53 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 23 Jun 2015 10:50:53 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
In-Reply-To:
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu> <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru> <5587DA57.9020307@martos.bme.hu> <5587FDA8.8010900@redhat.com>
Message-ID: <55891DED.2030402@redhat.com>

Hi Alexander,

This is mainly replication logging.
Having many instances will increase the amount of logging especially if you have updates.
To create duplicates you are doing ADDs in parallel of the same dn on different servers. Do you know what creates this ADD load? Can you see MODs/DELs?

thanks
thierry

On 06/23/2015 06:01 AM, Alexander Frolushkin wrote:
>
> Hello.
>
> We have 19 RHEL 7.1 IPA (ipa-server-4.1.0-18.el7_1.3.x86_64) servers.
>
> Debug level was changed this way on 4 of them:
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level:24576
> -
> replace: nsslapd-accesslog-level
> nsslapd-accesslog-level:256
> EOF
>
> After this, IO was increased significantly.
>
> Two of the servers hung after some time, a lot of dups appeared on most IPA servers in the domain.
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Monday, June 22, 2015 6:21 PM
> To: Tamas Papp
> Cc: Alexander Frolushkin (SIB); 'Christoph Kaminski'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
>
> On 06/22/2015 11:50 AM, Tamas Papp wrote:
>
> Fascinating.
>
> Can you Red Hat guys reproduce this in your test environment?
>
> Most of my tests are on RHEV with RHEL 7.1, I have not seen a crash of DS.
> About the test case, you installed a server+replicas (version ?), then turned on errorlog-level (do you remember what level).
> That would slow down the DS instance and fill the errors log.
> Then you hit a crash extremely frequently. Do you remember what kind of load: search/mod/add/del?
>
> thanks
> thierry
>
> Thanks,
> tamas
>
> On 06/22/2015 11:42 AM, Alexander Frolushkin wrote:
>
> Hello everyone.
>
> I can confirm this on VMWare, recently we had a similar issue when we enabled dirsrv debug on 4 of our 19 IPA servers :(
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christoph Kaminski
> Sent: Monday, June 22, 2015 2:50 PM
> To: Tamas Papp
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
>
> > > In my particular case I'm interested, whether it can crash servers.
> > Does it for you? I don't see it in that thread.
> > > tamas
>
> yes... we have had crashes really often on virtual machine installations. On bare metal we had 2-3x a crash.
>
> That was the reason for us to destroy all IPA VM's. There seems to be an IO issue on VM's with IPA (rhev virtualisation here). You can see it extremely if you turn the debug level higher.
>
> Greetz
If you are > not the intended recipient(s), any use, disclosure, copying, > distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. If you have > received this communication in error please notify us immediately > by responding to this email and then delete the e-mail and all > attachments and any copies thereof. > > (c)20mf50 > > > > > > ------------------------------------------------------------------------ > > ?????????? ? ???? ????????? ????????????? ????????????? ??? ?????????? > ???, ??????? ??? ??????????. ? ????????? ????? ??????????? > ???????????????? ??????????, ??????? ?? ????? ???? ???????? ??? > ???????????? ???-????, ????? ?????????. ???? ?? ?? ??????? ????? > ?????????, ?? ?????????????, ?????????????, ??????????? ??? > ??????????????? ?????????? ????????? ??? ??? ????? ????????? ? > ?????????. ???? ?? ???????? ??? ????????? ????????, ??????????, > ??????????????? ???????? ??????????? ?? ???? ? ??????? ?? ???? > ?????????? ???? ????????? ? ????? ????????? ??? ????? ? ??????????. > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. It may contain confidential or legally > privileged information. The contents may not be disclosed or used by > anyone other than the addressee. If you are not the intended > recipient(s), any use, disclosure, copying, distribution or any action > taken or omitted to be taken in reliance on it is prohibited and may > be unlawful. If you have received this communication in error please > notify us immediately by responding to this email and then delete the > e-mail and all attachments and any copies thereof. > > (c)20mf50 -------------- next part -------------- An HTML attachment was scrubbed... 
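To see what the log level quoted above actually turns on, here is an added example (not code from the thread or from 389-ds) that decodes the nsslapd-errorlog-level / nsslapd-accesslog-level bitmasks from such an LDIF modify, reports which non-default debug bits are set, and emits the LDIF that restores the defaults. The bit table is assumed from the 389 Directory Server documentation and is deliberately partial; the sample LDIF is constructed from the modify Alexander posted.

```python
"""Decode 389-ds log-level bitmasks and flag non-default debug logging.

Added example, not code from the thread. The bit names below are assumed from
the 389 Directory Server documentation (partial list: only bits I am sure of);
bits outside the table are reported as unknown rather than guessed.
"""
import re
from typing import Dict, List

# nsslapd-errorlog-level bits (additive). 16384 is the default level.
ERRORLOG_BITS = {
    1: "trace function calls",
    2: "debug packet handling",
    4: "heavy trace output",
    8: "connection management",
    16: "packets sent/received",
    32: "search filter processing",
    64: "config file processing",
    128: "access control list processing",
    2048: "entry parsing debugging",
    4096: "housekeeping thread debugging",
    8192: "replication debugging",
    16384: "default (critical errors, always logged)",
    32768: "database cache debugging",
    65536: "server plug-in debugging",
    262144: "access control summary",
}
ERRORLOG_DEFAULT = 16384

# nsslapd-accesslog-level bits. 256 is the default level.
ACCESSLOG_BITS = {
    4: "internal access operations",
    256: "default (connections, operations, results)",
    512: "entry access and referrals",
    131072: "microsecond operation timing",
}
ACCESSLOG_DEFAULT = 256


def decode_bits(level: int, table: Dict[int, str]) -> List[str]:
    """Names of all bits set in `level`, in ascending bit order; unknown bits are labelled."""
    names = [table[bit] for bit in sorted(table) if level & bit]
    leftover = level & ~sum(table)  # keys are distinct powers of two, so sum() is the mask
    if leftover:
        names.append(f"unknown bits 0x{leftover:x}")
    return names


def parse_loglevel_ldif(ldif: str) -> Dict[str, int]:
    """Pull nsslapd-*log-level values out of an LDIF modify (with or without a space after ':')."""
    pattern = r"^(nsslapd-(?:error|access)log-level):\s*(\d+)\s*$"
    return {attr: int(val) for attr, val in re.findall(pattern, ldif, re.M)}


def elevated_logging(levels: Dict[str, int]) -> Dict[str, List[str]]:
    """Report, per log, the debug bits set beyond the default level (empty dict = nothing elevated)."""
    report: Dict[str, List[str]] = {}
    extra = levels.get("nsslapd-errorlog-level", ERRORLOG_DEFAULT) & ~ERRORLOG_DEFAULT
    if extra:
        report["nsslapd-errorlog-level"] = decode_bits(extra, ERRORLOG_BITS)
    extra = levels.get("nsslapd-accesslog-level", ACCESSLOG_DEFAULT) & ~ACCESSLOG_DEFAULT
    if extra:
        report["nsslapd-accesslog-level"] = decode_bits(extra, ACCESSLOG_BITS)
    return report


def reset_ldif() -> str:
    """LDIF modify that puts both log levels back to their defaults."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"replace: nsslapd-errorlog-level\nnsslapd-errorlog-level: {ERRORLOG_DEFAULT}\n"
        "-\n"
        f"replace: nsslapd-accesslog-level\nnsslapd-accesslog-level: {ACCESSLOG_DEFAULT}\n"
    )


# Constructed sample: the modify from the thread (note the missing space after ':').
SAMPLE_LDIF = """dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level:24576
-
replace: nsslapd-accesslog-level
nsslapd-accesslog-level:256
"""

if __name__ == "__main__":
    levels = parse_loglevel_ldif(SAMPLE_LDIF)
    for attr, names in elevated_logging(levels).items():
        print(f"{attr}: {', '.join(names)}")   # 24576 = replication debugging + default
    print(reset_ldif())
```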
From Alexander.Frolushkin at megafon.ru Tue Jun 23 08:59:49 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Tue, 23 Jun 2015 08:59:49 +0000
Subject: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work
In-Reply-To: <55891DED.2030402@redhat.com>
References: <5583DAB8.60002@martos.bme.hu> <5587C5B0.80903@martos.bme.hu> <5587CAC9.60500@martos.bme.hu> <4b36a452b7a24dc9b0d7ab4a80dc899f@sib-ums03.Megafon.ru> <5587DA57.9020307@martos.bme.hu> <5587FDA8.8010900@redhat.com> <55891DED.2030402@redhat.com>
Message-ID: <8434c1596656401f9815e0ae8d31d629@sib-ums05.Megafon.ru>

Unfortunately I can't really say what exactly it was - all of these dups are already gone after re-initializing almost every IPA replica.
But it definitely was related to heavy load due to debug mode.
The system itself was working as usual - a lot of servers enrolled in this domain served user logins and so on, nothing special.
Heavily loaded IPA servers, while they were in debug mode, failed to authenticate users, so sssd on clients had to use secondary servers.
Our IPA/IdM system is currently in a limited production state, so we cannot repeat these conditions to test what exactly happened.
I'm sorry for being useless now to explore the problem :(

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Tuesday, June 23, 2015 2:51 PM
To: Alexander Frolushkin (SIB)
Cc: Tamas Papp; 'Christoph Kaminski'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

Hi Alexander,

This is mainly replication logging.
Having many instances will increase the amount of logging, especially if you have updates.
To create duplicates you are doing ADDs in parallel of the same DN on different servers.
Do you know what creates this ADD load? Can you see MODs/DELs?

thanks
thierry
From tompos at martos.bme.hu Tue Jun 23 13:41:42 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Tue, 23 Jun 2015 15:41:42 +0200
Subject: [Freeipa-users] search filter with non-existent attribute
Message-ID: <55896216.9070601@martos.bme.hu>

hi,

This works:

$ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn "(|(mail=admin*)(uid=admin))" uid
dn: uid=admin,cn=users,cn=accounts,dc=cxn
uid: admin

This does not:

$ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn "(|(aaa=admin*)(uid=admin))" uid
$

If there is a search filter with a non-existent attribute there is no result.
Is that intentional? In CentOS 6.6 it worked just fine.

10x
tamas

From pspacek at redhat.com Tue Jun 23 15:01:12 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 23 Jun 2015 17:01:12 +0200
Subject: [Freeipa-users] search filter with non-existent attribute
In-Reply-To: <55896216.9070601@martos.bme.hu>
References: <55896216.9070601@martos.bme.hu>
Message-ID: <558974B8.6000305@redhat.com>

On 23.6.2015 15:41, Tamas Papp wrote:
> hi,
>
> This works:
>
> $ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn "(|(mail=admin*)(uid=admin))" uid
> dn: uid=admin,cn=users,cn=accounts,dc=cxn
> uid: admin
>
> This does not:
>
> $ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn "(|(aaa=admin*)(uid=admin))" uid
> $
>
> If there is a search filter with a non-existent attribute there is no result.
> Is that intentional? In CentOS 6.6 it worked just fine.

As far as I can tell this happens when the search is attempting to evaluate the filter and access to that attribute is denied by ACI. In newer versions of FreeIPA everything is closed by default and access is allowed only to a certain subset of attributes.

What version of FreeIPA do you have?
What version of 389-ds-base package do you have?

$ rpm -q 389-ds-base freeipa-server ipa-server

--
Petr^2 Spacek

From pspacek at redhat.com Tue Jun 23 15:08:40 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 23 Jun 2015 17:08:40 +0200
Subject: [Freeipa-users] Announcing bind-dyndb-ldap version 8.0
Message-ID: <55897678.1000608@redhat.com>

The FreeIPA team is proud to announce bind-dyndb-ldap version 8.0.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 23+ (rawhide).

This version is also available from the FreeIPA 4.2 COPR repo:
https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/

Latest news:

8.0
====

[1] Unknown record types can be stored in LDAP using generic syntax (RFC 3597).
    LDAP schema was extended for this purpose with the UnknownRecord attribute.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/157

[2] PTR record synchronization was improved.
    - New PTR records now inherit the TTL value from the respective A/AAAA records.
    - SERVFAIL error is no longer returned to clients if an A/AAAA record update succeeded but PTR record synchronization failed because of misconfiguration. Such errors are only logged.
    - PTR record synchronization was reworked to reduce the probability of race condition occurrences.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/155

[3] LDAP rename (MODRDN) for DNS records is now supported.
    Renaming of whole DNS zones is not supported and will lead to errors.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/123

[4] Data changed in LDAP while the connection to the server was down are now refreshed properly.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/128

[5] Crashes caused by object class and DN format mismatch were fixed.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/148

[6] Compatibility with BIND 9.9.4 was improved.

[7] Documentation and schema were fixed and improved.
    The doc/schema.ldif file is now properly formatted as LDIF and contains instructions for OpenLDAP and 389 DS.

7.0
====

[1] Support for BIND 9.10 was added.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/139

== Upgrading ==

A server can be upgraded by installing the updated RPM. BIND has to be restarted manually after the RPM installation.

Downgrading back to any 7.x version is supported if the user is not relying on support for unknown attribute types or the LDAP MODRDN operation.

== Feedback ==

Please provide comments, report bugs and send any other feedback via the freeipa-users mailing list:
http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr^2 Spacek

From wia at iglass.net Tue Jun 23 17:44:53 2015
From: wia at iglass.net (Marc Wiatrowski)
Date: Tue, 23 Jun 2015 13:44:53 -0400
Subject: [Freeipa-users] ruv issue?
Message-ID:

So I have 3 servers, spider01a, spider01b, and spider01o

[root at spider01a]$ ipa-replica-manage list-ruv
Directory Manager password:

spider01a.iglass.net:389: 12
spider01o.iglass.net:389: 13
spider01b.iglass.net:389: 7
spider01a.iglass.net:389: 5

[root at spider01b]$ ipa-replica-manage list-ruv
Directory Manager password:

spider01b.iglass.net:389: 7
spider01a.iglass.net:389: 12
spider01a.iglass.net:389: 5
spider01o.iglass.net:389: 13

[root at spider01o]$ ipa-replica-manage list-ruv
Directory Manager password:

spider01o.iglass.net:389: 13
spider01a.iglass.net:389: 12
spider01b.iglass.net:389: 7
spider01a.iglass.net:389: 5

I'm not seeing any issues, but there is only one spider01a (which was replaced at some point). Is the duplicate spider01a a problem? Is this a case for using clean-ruv? If so, is there a way to tell which one to run it on?

thanks,
Marc

From mareynol at redhat.com Tue Jun 23 18:22:07 2015
From: mareynol at redhat.com (Mark Reynolds)
Date: Tue, 23 Jun 2015 14:22:07 -0400
Subject: [Freeipa-users] ruv issue?
In-Reply-To:
References:
Message-ID: <5589A3CF.5020707@redhat.com>

On 06/23/2015 01:44 PM, Marc Wiatrowski wrote:
> So I have 3 servers, spider01a, spider01b, and spider01o
>
> [root at spider01a]$ ipa-replica-manage list-ruv
> Directory Manager password:
>
> spider01a.iglass.net:389 : 12
> spider01o.iglass.net:389 : 13
> spider01b.iglass.net:389 : 7
> spider01a.iglass.net:389 : 5
>
> [root at spider01b]$ ipa-replica-manage list-ruv
> Directory Manager password:
>
> spider01b.iglass.net:389 : 7
> spider01a.iglass.net:389 : 12
> spider01a.iglass.net:389 : 5
> spider01o.iglass.net:389 : 13
>
> [root at spider01o]$ ipa-replica-manage list-ruv
> Directory Manager password:
>
> spider01o.iglass.net:389 : 13
> spider01a.iglass.net:389 : 12
> spider01b.iglass.net:389 : 7
> spider01a.iglass.net:389 : 5
>
> I'm not seeing any issues, but there is only one spider01a (which was
> replaced at some point). Is the duplicate spider01a a problem? Is this a
> case for using clean-ruv?

Yes it is. You need to know which replica id (5 or 12) is the old/invalid rid. You can look at /etc/dirsrv/slapd-INSTANCE/dse.ldif on spider01a, and look for nsDS5ReplicaId. The value you find is your current rid, so you can clean the other one.

However it is possible that both 5 and 12 are valid. Each backend can have its own replication config - so once again look for all the nsDS5ReplicaId attributes to verify if it's being used or not.

Mark

> If so, is there a way to tell which one to run it on?
>
> thanks,
> Marc
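Mark's check, as an added example that is not part of the thread: parse the list-ruv output, collect every nsDS5ReplicaId from the host's dse.ldif (one per replicated backend), and report only the RIDs that no backend uses as clean-ruv candidates. The list-ruv sample is Marc's output; the dse.ldif fragments are constructed and hypothetical, including the second-backend case where both RIDs turn out to be valid.

```python
"""Find stale replica IDs in a FreeIPA RUV before running clean-ruv.

Added example, not code from the thread or from FreeIPA. It applies Mark's
check: RIDs that `ipa-replica-manage list-ruv` reports for a host are compared
against the nsDS5ReplicaId values in that host's dse.ldif, remembering that
each replicated backend has its own replica entry and therefore its own RID.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Matches "host:port: rid" and "host:port : rid" (both spellings appear in the thread).
RUV_LINE = re.compile(r"^(?P<host>[\w.-]+):(?P<port>\d+)\s*:\s*(?P<rid>\d+)$")


def parse_list_ruv(output: str) -> Dict[str, Set[int]]:
    """Map each host in list-ruv output to the set of RIDs the RUV holds for it."""
    ruv: Dict[str, Set[int]] = defaultdict(set)
    for line in output.splitlines():
        m = RUV_LINE.match(line.strip())
        if m:
            ruv[m.group("host")].add(int(m.group("rid")))
    return dict(ruv)


def live_replica_ids(dse_ldif: str) -> Set[int]:
    """Every nsDS5ReplicaId in a dse.ldif: one per replicated backend, all of them in use."""
    return {int(v) for v in re.findall(r"^nsDS5ReplicaId:\s*(\d+)\s*$", dse_ldif, re.M | re.I)}


def stale_rids(ruvs: List[Dict[str, Set[int]]],
               live: Dict[str, Set[int]]) -> Tuple[Dict[str, Set[int]], Set[str]]:
    """Return (stale, unverified).

    stale: host -> RIDs present in some server's RUV for that host but in none of
           the host's replica entries (the clean-ruv candidates).
    unverified: hosts seen in a RUV for which no dse.ldif was supplied.
    """
    seen: Dict[str, Set[int]] = defaultdict(set)
    for ruv in ruvs:
        for host, rids in ruv.items():
            seen[host] |= rids
    stale: Dict[str, Set[int]] = {}
    unverified: Set[str] = set()
    for host, rids in seen.items():
        if host not in live:
            unverified.add(host)
            continue
        unused = rids - live[host]
        if unused:
            stale[host] = unused
    return stale, unverified


def report(ruv_outputs: List[str], dse_by_host: Dict[str, str]) -> Tuple[Dict[str, Set[int]], Set[str]]:
    """Parse one list-ruv output per server plus the dse.ldif of each host to be checked."""
    ruvs = [parse_list_ruv(o) for o in ruv_outputs]
    live = {host: live_replica_ids(ldif) for host, ldif in dse_by_host.items()}
    return stale_rids(ruvs, live)


# Constructed sample: Marc's list-ruv output from spider01a (every server showed the same entries).
RUV_SPIDER01A = """\
Directory Manager password:

spider01a.iglass.net:389: 12
spider01o.iglass.net:389: 13
spider01b.iglass.net:389: 7
spider01a.iglass.net:389: 5
"""

# Constructed, hypothetical dse.ldif fragment for spider01a with a single replicated backend.
DSE_SPIDER01A = """\
dn: cn=replica,cn=dc\\3Diglass\\2Cdc\\3Dnet,cn=mapping tree,cn=config
objectClass: nsDS5Replica
nsDS5ReplicaRoot: dc=iglass,dc=net
nsDS5ReplicaId: 12
"""

# Same host with a second replicated backend (constructed): now RID 5 is in use too,
# so nothing may be cleaned. This is the case Mark warns about.
DSE_TWO_BACKENDS = DSE_SPIDER01A + """
dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
objectClass: nsDS5Replica
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaId: 5
"""

if __name__ == "__main__":
    stale, unverified = report([RUV_SPIDER01A], {"spider01a.iglass.net": DSE_SPIDER01A})
    for host, rids in stale.items():
        print(f"{host}: clean-ruv candidates {sorted(rids)}")   # spider01a: [5]
    print("no dse.ldif checked for:", sorted(unverified))
```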
From dpal at redhat.com Tue Jun 23 18:51:57 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 23 Jun 2015 14:51:57 -0400
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <20150617135623.GF24163@redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de> <20150617083557.GO3616@p.redhat.com> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de> <20150617122000.GC24163@redhat.com> <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de> <20150617135623.GF24163@redhat.com>
Message-ID: <5589AACD.8080907@redhat.com>

On 06/17/2015 09:56 AM, Alexander Bokovoy wrote:
> On Wed, 17 Jun 2015, Henry Hofmann wrote:
>> Ok, how can I configure the map of source attributes (mail or any
>> other) to compat tree?
> Go back in archives in this list and read discussions about "Single mail
> deployment in an FreeIPA-WindowsAD scenario". TLDR; not possible in the
> compat tree as of right now.
>
Do we have a ticket for this?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
From abokovoy at redhat.com Tue Jun 23 19:02:46 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 23 Jun 2015 22:02:46 +0300
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <5589AACD.8080907@redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de> <20150617083557.GO3616@p.redhat.com> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de> <20150617122000.GC24163@redhat.com> <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de> <20150617135623.GF24163@redhat.com> <5589AACD.8080907@redhat.com>
Message-ID: <20150623190246.GB3774@redhat.com>

On Tue, 23 Jun 2015, Dmitri Pal wrote:
>On 06/17/2015 09:56 AM, Alexander Bokovoy wrote:
>>On Wed, 17 Jun 2015, Henry Hofmann wrote:
>>>Ok, how can I configure the map of source attributes (mail or any
>>>other) to compat tree?
>>Go back in archives in this list and read discussions about "Single mail
>>deployment in an FreeIPA-WindowsAD scenario". TLDR; not possible in the
>>compat tree as of right now.
>>
>Do we have a ticket for this?
No, and I don't think it will be possible. slapi-nis is a read-only view; it needs to get these attributes from somewhere. Storing values for specialized schema in ID overrides is probably going to be too much -- how are these source attributes to be managed? In the case of 'single mail' it would need to be Kolab applications which would need to update such attributes; how would Kolab do that? Enabling slapi-nis to be writeable is going to break a lot and in general would not be possible.

--
/ Alexander Bokovoy

From janellenicole80 at gmail.com Tue Jun 23 19:33:17 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 23 Jun 2015 12:33:17 -0700
Subject: [Freeipa-users] Crazy Cert problem?
In-Reply-To: <55881D9A.3050709@redhat.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com> <558173E2.9020306@gmail.com> <5581746B.4080604@redhat.com> <55817E38.6040402@gmail.com> <5581DFDB.1090600@redhat.com> <55881BC5.6090607@gmail.com> <55881D9A.3050709@redhat.com>
Message-ID: <5589B47D.1090600@gmail.com>

On 6/22/15 7:37 AM, Rob Crittenden wrote:
> Janelle wrote:
>> On 6/17/15 2:00 PM, Rob Crittenden wrote:
>>> Janelle wrote:
>>>> On 6/17/15 6:21 AM, Rob Crittenden wrote:
>>>>> Janelle wrote:
>>>>>> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>>>>>>> Janelle wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Had a server - named ipa001.example.com -- it was a replica. It died. It
>>>>>>>> was re-installed. However, prior to the re-install it was saying the
>>>>>>>> wonderful:
>>>>>>>>
>>>>>>>> TLS error -8172:Peer's certificate issuer has been marked as not trusted
>>>>>>>> by the user.
>>>>>>>>
>>>>>>>> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
>>>>>>>> replica or trying to join it back in to the existing ring of servers)
>>>>>>>> and at the end of the ipa-server-install - it gives:
>>>>>>>>
>>>>>>>> Done.
>>>>>>>> Restarting the directory server
>>>>>>>> Restarting the KDC
>>>>>>>> Restarting the certificate server
>>>>>>>> Restarting the web server
>>>>>>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>>>>>>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>>>>>>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>>>>>>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>>>>>>>> exit status 1
>>>>>>>> Configuration of client side components failed!
>>>>>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>>>>>>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>>>>>>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>>>>>>>> 'ipa001.example.com'' returned non-zero exit status 1
>>>>>>>>
>>>>>>>> and checking /var/log/ipaclient-install.log - the exact same TLS
>>>>>>>> error????
>>>>>>>>
>>>>>>>> But this is a brand new system, with brand new OS and the install was
>>>>>>>> ipa-server-install to install a clean server.
>>>>>>>>
>>>>>>>> I don't understand how this is happening. There is no "peer" to be not
>>>>>>>> trusted?
>>>>>>>
>>>>>>> What version of IPA and distro? (I don't think that probably has
>>>>>>> anything to do with it, just curious in case it does eventually
>>>>>>> matter).
>>>>>>>
>>>>>>> What does /etc/openldap/ldap.conf look like? Normally it should have
>>>>>>> TLS_CACERT /etc/ipa/ca.crt
>>>>>>>
>>>>>>> Any chance you can share the server and client install logs?
>>>>>>>
>>>>>>> rob
>>>>>> 4.1.4 = IPA
>>>>>> CentOS 7.1
>>>>>>
>>>>>> Oooh... Found something: /etc/openldap/ldap.conf:
>>>>>>
>>>>>> TLS_CACERTDIR /etc/openldap/certs
>>>>>>
>>>>>> Going to investigate.
>>>>>> ~J
>>>>>>
>>>>>
>>>>> That should be fine assuming there aren't any certs in there (and on a
>>>>> brand new system I'd think you'd have empty NSS databases).
>>>>>
>>>>> rob
>>>> So this gets interesting now...
>>>>
>>>> Say you have 6 IPA servers, named ipa001-ipa006.example.com -- all
>>>> working fine.
>>>> Something happens to 002. It dies. You "ipa-replica-manage del --clean
>>>> --force ipa002" to get rid of it.
>>>>
>>>> A period of time, say a month, goes by. You have lost a couple of other
>>>> replicas for whatever reason, say 3 and 6. You decide you want to
>>>> rebuild. You start with 002 - leaving the others up and running because
>>>> you have users working. You firewall off 002 while you rebuild it.
>>>>
>>>> You reinstall OS, reinstall FreeIPA. But no matter what, when you start
>>>> to configure IPA it comes up with the error of being untrusted. Now, you
>>>> try the same thing on 003 and 006. SAME problem.
>>>>
>>>> For fun - you shutdown 005 and uninstall freeipa --unattended and then
>>>> try to re-install it. Guess what - no issues.
>>>>
>>>> Is this somehow related to:
>>>> Same domain and realm names floating around the net - so is it querying
>>>> for a name somehow and one of the "still running" servers is saying -
>>>> "NO NO NO -- that CERT is revoked!!!" - even though it never tries to
>>>> connect to that server.
>>>>
>>>> Or am I just thinking far too outside the box? And this is exactly what
>>>> has happened. Rebuilding one of the servers that was never REMOVED is
>>>> working just fine.
>>>
>>> You just jumped to a completely different scenario: from a fresh
>>> standalone install to a replica install. We should probably pick one
>>> and solve it.
>>>
>>> I think the leap you're making is that the issue is that it notices
>>> some previous cert. A revoked service cert wouldn't have any effect as
>>> those service certs aren't in use.
>>>
>>> It very well could be finding the "wrong" realm based on DNS SRV
>>> records. The logs should show you what the client discovered. Things
>>> happen in multiple steps so perhaps there is a disconnect where the
>>> right server is used in some, but not all, cases.
>>>
>>> rob
>>>
>> ALL the problems were all related. Even after building brand new
>> servers, the problem persisted and then started cropping up with client
>> installs.
>>
>> The solution traced to bad NSS packages. A simple "yum downgrade nss
>> nss-sysinit nss-tools" solved it. Something is up with the 3.18 version
>> and downgrading to 3.16 seems to have resolved it. Should have known it
>> would all be related to an upgrade. Sometimes a slightly older version
>> is best.
>>
>> ~Janelle
>
> Can you open a bugzilla about this?
>
> rob

This looks like the fix - besides downgrading:
https://bugzilla.mozilla.org/show_bug.cgi?id=1132941

From Steven.Jones at vuw.ac.nz Tue Jun 23 20:35:26 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 23 Jun 2015 20:35:26 +0000
Subject: [Freeipa-users] Integrating samba 4 to AD for authentication with an IPA enabled client.
In-Reply-To: <5589B47D.1090600@gmail.com>
References: <55809268.5090608@gmail.com> <558172A8.7000908@redhat.com> <558173E2.9020306@gmail.com> <5581746B.4080604@redhat.com> <55817E38.6040402@gmail.com> <5581DFDB.1090600@redhat.com> <55881BC5.6090607@gmail.com> <55881D9A.3050709@redhat.com>,<5589B47D.1090600@gmail.com>
Message-ID:

Hi,

Is this possible? I am trying to find some docs to do this but they point at sssd and/or kerberos. But looking at RHEL7.1 / samba 4 it looks to me that with an IPA enabled client the sssd, kerberos and ldap files/configuration are committed to IPA's use, so they cannot be altered?

regards

Steven

From yamakasi.014 at gmail.com Tue Jun 23 22:15:48 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Wed, 24 Jun 2015 00:15:48 +0200
Subject: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To:
References: <098f97b60aeccf4d115bf6f0aea625e3@scunc.net>
Message-ID:

Anyone some suggestions about this? I'm thinking about adding from my second 3.x master, where I first need to split that cluster to make that happen.

2015-06-22 22:57 GMT+02:00 Matt . :
> OK,
>
> I'm on the go here but I have some issue.
>
> When I install the replica server I get this error on the new replica:
>
> ipa : CRITICAL CA DS schema check failed. Make sure the PKI
> service on the remote master is operational.
>
> When I restart IPA on the old master I get this:
>
> PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
> the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
> [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
> matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
> [ OK ]
>
> So the error on the replica is not that strange, but how to fix this
> on the master?
>
> Matt
>
> 2015-06-22 15:59 GMT+02:00 Hendrik Frenzel :
>> On 22.06.2015 12:10, Matt . wrote:
>>>
>>> Hi Guys,
>>
>> Hi Matt,
>>
>>> I found some good information about migrating from 3.3 to 4.x using
>>> replicas.
>>>
>>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
>>> CentOS doesn't provide 3.3.
>>
>> Could you please share a URL or something?
>>
>> Currently I'm here:
>>
>> * ipa-6 - CentOS 6.6:
>> ipa-admintools-3.0.0-42.el6.centos.x86_64
>> ipa-client-3.0.0-42.el6.centos.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-python-3.0.0-42.el6.centos.x86_64
>> ipa-server-3.0.0-42.el6.centos.x86_64
>> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>> sssd-ipa-1.11.6-30.el6_6.4.x86_64
>> pki-ca-9.0.3-38.el6_6.noarch
>>
>> * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind, bind-dyndb-ldap):
>> ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>> ipa-client-4.1.0-18.el7.centos.3.x86_64
>> ipa-python-4.1.0-18.el7.centos.3.x86_64
>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>> pki-ca-10.1.2-7.el7.noarch
>>
>> -1. Update schema
>> ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root at ipa-6:
>> ipa-6# python copy-schema-to-ca.py
>>
>> 0. clean up old/stale replication agreements
>> ipa-replica-manage del --force ipa-6.example.com
>> ipa-csreplica-manage del --force ipa-6.example.com
>>
>> 1. prepare replication on ipa-6 for ipa-7
>> ipa-replica-prepare ipa-7.example.com
>>
>> 2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
>> /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (s.
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>> - <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>> + <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>>
>> 3. slow down the network a bit
>> (don't know how effective it is, as we already got 1GBit, but without
>> it, a timing bug in 389-ds-base is triggered - s.
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>> tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540
>>
>> 4. install replication (without CA for the moment)
>> ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders
>>
>> Up to now, everything works, but we need the CA too:
>>
>> 5. install ca
>> ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg
>>
>> But this won't work and I don't have a clue how to fix/proceed from here.
>>
>> # ipa-7: /var/log/ipareplica-ca-install.log
>> ipa : DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>>
>> ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
>> ipa : DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
>>     raise RuntimeError('Configuration of CA failed')
>> RuntimeError: Configuration of CA failed
>>
>> # ipa-7: /var/log/pki/pki-tomcat/ca/system
>> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>
>> # ipa-7: /var/log/pki/pki-tomcat/ca/debug
>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master
>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>> [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>>
>> # ipa-6: /var/log/httpd/access_log
>> 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309
>> 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
>>
>> # ipa-6: /var/log/pki-ca/debug
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='name' value='CA ipa-7.example.com 8443'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='eeclientauthsport' value='443'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='httpport' value='80'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sport' value='443'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='dm' value='true'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='adminsport' value='443'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='list' value='CAList'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='clone' value='true'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='type' value='CA'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='agentsport' value='443'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sessionID' value='-4812857165985662682'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='host' value='ipa-7.example.com'
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML start to service.
>> [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing...
>> [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process: authentication starts
>> [22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2
>> [22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL certificate
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.COM
>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started
>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving client certificate
>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client certificate
>> [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
>> [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
>> [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
>> [22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client certificate found
>> [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
>> [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
>> [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
>> [22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.COM] authentication failure
>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22 15:12:59 CEST 2015 id=caUpdateDomainXML time=11
>>
>> # ipa-6: /var/log/pki-ca/system
>> 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent with certificate Serial 0x272 Subject DN CN=CA
Subsystem,O=EXAMPLE.COM. Error: User not found >> 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet >> caUpdateDomainXML: Failed to authorize: Invalid Credential.. >> >> It would be great if someone could give a hint where to look and what user >> can't authenticate and why. >> >> @Matt: For renaming the IdM server, see >> https://access.redhat.com/solutions/174733 it could possibly help. >> >> b/r >> H. >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project From prasun.gera at gmail.com Wed Jun 24 05:46:14 2015 From: prasun.gera at gmail.com (Prasun Gera) Date: Tue, 23 Jun 2015 22:46:14 -0700 Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts Message-ID: Version: idm 4.x on rhel 7.1 Yet again, I've discovered a problem with residual state left behind by ipa client install and uninstall scripts. I was having some trouble with autofs+sssd leading to users not being mapped correctly (got nobody users for everything). So I tried theipa-client-automount --uninstall, followed by ipa-client-install --uninstall, and then did a fresh install of the client. The original autofs issue aside, I started getting hangs in sudo. After spending a better part of the day, the culprit was this line in nsswitch.conf: sudoers: files sss sss It turns out that the extra sss left behind is sufficient to make any sudo command hang. Easy to reproduce too. Regarding the original autofs problem, I don't have a conclusive explanation yet, but explicitly adding nfsvers=3 seems to map users correctly. It's always scary to use these install and uninstall scripts. They always tend to leave bits and pieces behind. Isn't there a cleaner way to achieve this ? -------------- next part -------------- An HTML attachment was scrubbed... 
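A triage helper for the pki-ca debug and system logs quoted in the CA replica message above, added here as an example; it is not FreeIPA or Dogtag code, and the function names are my own. It picks up the signed-audit AUTH_FAIL record, ties it to the servlet URI seen on the same worker thread, and enriches it from the system-log line that carries the certificate serial and the CA's reason, so the question "what user can't authenticate and why" is answered directly from the logs: the client certificate was presented and read, and the failure is the CA's lookup of a user entry for that subject. The sample lines are the ones from the thread, re-joined where the mail client had wrapped them.

```python
"""Triage Dogtag (pki-ca) client-certificate authentication failures.

Added example, not FreeIPA or Dogtag code. It correlates the signed-audit
AUTH_FAIL line in /var/log/pki-ca/debug with the servlet URI seen on the
same worker thread and with the "Cannot authenticate agent" line in
/var/log/pki-ca/system, so that the failing credential, the certificate
serial and the CA's reason ("User not found") are reported together.
"""
import re
from typing import Dict, List, Optional

# debug log: "[22/Jun/2015:15:12:59][TP-Processor5]: <message>"
DEBUG_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
# servlet entry on that thread, e.g. "CMSServlet:service() uri = /ca/agent/ca/updateDomainXML"
URI_RE = re.compile(r"CMSServlet:service\(\) uri = (?P<uri>\S+)")
# signed-audit event: a run of [Key=Value] fields; values never contain ']'
AUDIT_RE = re.compile(r"SignedAuditEventFactory: create\(\) message=(?P<fields>(?:\[[^\]]*\])+)")
FIELD_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")
# system log: "5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent ..."
AGENT_FAIL_RE = re.compile(
    r"^\d+\.(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] \[\d+\] \[\d+\] "
    r"Cannot authenticate agent with certificate Serial (?P<serial>0x[0-9A-Fa-f]+) "
    r"Subject DN (?P<dn>.+?)\. Error: (?P<error>.+?)\.?$"
)


def parse_audit_fields(fields: str) -> Dict[str, str]:
    """Turn "[AuditEvent=AUTH_FAIL][Outcome=Failure]..." into a dict."""
    return dict(FIELD_RE.findall(fields))


def triage(debug_lines: List[str], system_lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per failed authentication found in the debug log."""
    last_uri: Dict[str, str] = {}  # worker thread -> most recent servlet URI
    findings: List[Dict[str, Optional[str]]] = []
    for line in debug_lines:
        m = DEBUG_LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        uri = URI_RE.search(msg)
        if uri:
            last_uri[thread] = uri.group("uri")
            continue
        audit = AUDIT_RE.search(msg)
        if not audit:
            continue
        fields = parse_audit_fields(audit.group("fields"))
        if fields.get("Outcome") != "Failure":
            continue
        findings.append({
            "timestamp": m.group("ts"),
            "thread": thread,
            "uri": last_uri.get(thread),
            "event": fields.get("AuditEvent"),
            "auth_mgr": fields.get("AuthMgr"),
            "attempted_cred": fields.get("AttemptedCred"),
            "serial": None,
            "error": None,
        })
    # Enrich from the system log: same thread, same second, same subject DN.
    for line in system_lines:
        s = AGENT_FAIL_RE.match(line)
        if not s:
            continue
        ts = s.group("ts").split(" ")[0]  # drop the "MESZ" zone suffix
        for f in findings:
            if (f["thread"] == s.group("thread") and f["timestamp"] == ts
                    and f["attempted_cred"] == s.group("dn")):
                f["serial"] = s.group("serial")
                f["error"] = s.group("error")
    return findings


# Sample input: the lines quoted in the thread, re-joined into one record per line.
DEBUG_SAMPLE = """\
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='host' value='ipa-7.example.com'
[22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.COM
[22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client certificate found
[22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.COM] authentication failure
"""
SYSTEM_SAMPLE = """\
5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent with certificate Serial 0x272 Subject DN CN=CA Subsystem,O=EXAMPLE.COM. Error: User not found
5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet caUpdateDomainXML: Failed to authorize: Invalid Credential..
"""

if __name__ == "__main__":
    for f in triage(DEBUG_SAMPLE.splitlines(), SYSTEM_SAMPLE.splitlines()):
        print(f"{f['timestamp']} {f['uri']}: {f['event']} via {f['auth_mgr']} "
              f"for '{f['attempted_cred']}' (serial {f['serial']}): {f['error']}")
```

Run against the two quoted logs it prints a single line naming the agent servlet, the auth manager, the subject DN of the presented certificate, its serial and "User not found", which is the record to start from when checking which user entry on the old CA is supposed to carry that certificate.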
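For the nsswitch.conf finding in Prasun's message above, an added check of my own (not part of ipa-client-install or sudo): it parses an nsswitch.conf, reports every database that lists a source twice, and rewrites only those lines, keeping any bracketed [STATUS=action] block attached to the source it follows. The sample file is constructed after the thread; the function names are mine.

```python
"""Detect and repair duplicated sources in /etc/nsswitch.conf.

Added example (not FreeIPA or sudo code). The thread above shows that a
leftover "sudoers: files sss sss" line is enough to hang sudo; this script
finds such duplicates in any database line and removes the repeats while
leaving correctly formed lines byte-for-byte untouched.
"""
import re
from typing import Dict, List

# A source token ("files", "sss", "dns") or a bracketed action block such as
# "[NOTFOUND=return]" or "[NOTFOUND=return UNAVAIL=continue]".
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database to its list of tokens, ignoring comments and blanks."""
    databases: Dict[str, List[str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            continue
        db, _, rest = stripped.partition(":")
        databases[db.strip()] = TOKEN_RE.findall(rest)
    return databases


def duplicate_sources(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} for every source listed more than once."""
    result: Dict[str, List[str]] = {}
    for db, tokens in parse_nsswitch(text).items():
        seen, dups = set(), []
        for tok in tokens:
            if tok.startswith("["):
                continue  # action blocks are not sources
            if tok in seen and tok not in dups:
                dups.append(tok)
            seen.add(tok)
        if dups:
            result[db] = dups
    return result


def dedupe_sources(text: str) -> str:
    """Rewrite only the lines that repeat a source; keep the first occurrence.

    An action block that followed a dropped repeat is dropped with it, because
    it modified the lookup result of that (now removed) source.
    """
    out: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            out.append(line)
            continue
        db, _, rest = stripped.partition(":")
        tokens = TOKEN_RE.findall(rest)
        seen, kept, keep_action = set(), [], False
        for tok in tokens:
            if tok.startswith("["):
                if keep_action:
                    kept.append(tok)
                continue
            if tok in seen:
                keep_action = False
                continue
            seen.add(tok)
            kept.append(tok)
            keep_action = True
        out.append(line if kept == tokens else f"{db.strip()}: {' '.join(kept)}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed after the thread: the state the reinstall left behind.
NSSWITCH_SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns [NOTFOUND=return] myhostname
sudoers:    files sss sss
netgroup:   files sss
"""

if __name__ == "__main__":
    for db, dups in duplicate_sources(NSSWITCH_SAMPLE).items():
        print(f"{db}: repeated source(s) {', '.join(dups)}")
    print(dedupe_sources(NSSWITCH_SAMPLE), end="")
```

The check is cheap enough to run after every client install or uninstall, which is where the thread says the stray entry came from; a non-empty result from duplicate_sources is the signal, and the rewrite touches nothing else in the file.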
From jhrozek at redhat.com Wed Jun 24 07:49:20 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 24 Jun 2015 09:49:20 +0200
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To:
References:
Message-ID: <20150624074920.GF11174@hendrix.redhat.com>

On Tue, Jun 23, 2015 at 10:46:14PM -0700, Prasun Gera wrote:
> After spending a better part of the day, the culprit was this line in
> nsswitch.conf:
>
> sudoers: files sss sss

Known ipa-client-install bug, fixed.

>
> It turns out that the extra sss left behind is sufficient to make any sudo
> command hang. Easy to reproduce too.

Known sudo bug, fixed in upstream and making its way into downstreams:
https://bugzilla.redhat.com/show_bug.cgi?id=1133657
https://bugzilla.redhat.com/show_bug.cgi?id=1147498

From christoph.kaminski at biotronik.com Wed Jun 24 08:02:39 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Wed, 24 Jun 2015 10:02:39 +0200
Subject: [Freeipa-users] Antwort: Re: thousands DSRetroclPlugin messages
In-Reply-To: <5540FE12.7060302@fahrendorf.de>
References: <553CA688.9040009@fahrendorf.de> <553DE905.3080108@redhat.com> <5540D9DA.9040507@fahrendorf.de> <5540DFE7.9030208@redhat.com> <5540FE12.7060302@fahrendorf.de>
Message-ID:

freeipa-users-bounces at redhat.com wrote on 29.04.2015 17:51:46:

> On 29.04.2015 at 15:43, Ludwig Krispenz wrote:
> >
> > On 04/29/2015 03:17 PM, Martin (Lists) wrote:
> >> On 27.04.2015 at 09:45, Ludwig Krispenz wrote:
> >>> On 04/26/2015 10:49 AM, Martin (Lists) wrote:
> >>>> Hello
> >>>>
> >>>> after a reboot I get almost thousand of the following messages:
> >>>>
> >>>> DSRetroclPlugin - delete_changerecord: could not delete change record
> >>>> 128755 (rc: 32)
> >>> this message comes from changelog trimming and means that an entry,
> >>> which should be purged does not exist (any more).
> >>> the retrocl maintains a first/lastchange and trimming starts at
> >>> firstchange. if for some reason (race ?) there is an attempt to try to
> >>> delete the same entry a second time this message should be logged.
> >>> since the changenumbers in the error message increases, I think
> >>> changelog trimming moves forward. you could do searches on
> >>> "cn=changelog" to verify that trimming works.
> >> changelog is part of the ldbm database plugin and contains several
> >> informations I don't understand (or understand partially). What kind of
> >> information should I look for?
> > the changelog keeps track of the changes applied to the database, a
> > typical entry looks like:
> > dn: changenumber=4,cn=changelog
> > objectClass: top
> > objectClass: changelogentry
> > changeNumber: 4
> > targetDn: cn=tuser,ou=people,dc=example,dc=com
> > changeTime: 20140411093444Z
> > changeType: delete
>
> OK, I looked in the wrong directory. Now I have found many changelog
> entries, starting with number 152926 and ending with 155512 (ldapsearch
> states 2588 numEntries). Should that be that much?
>
> The oldest is about two days and a half old and it does not change
> within the last few minutes.
>
> >
> > each entry gets a DN made up from the changenumber, so your entries will
> > be named:
> > ....
> > dn: changenumber=61,cn=changelog
> > dn: changenumber=62,cn=changelog
> > dn: changenumber=63,cn=changelog
> > dn: changenumber=64,cn=changelog
> > ....
> > changenumbers start and are always incremented, changelog trimming
> > removes old entries (depending on config).
> >
> > so if you do a search like:
> > ldapsearch .................. -b "cn=changelog"
> > the changenumber of the first entry returned should always increase,
> > indicating that trimming works.
>
> As it seems my trimming is broken, at least partially. Is there
> something I can adjust?
>
> >
> > you said "thousands" of messages, how frequent are they really ?
>
> On every reboot I got these messages. I do not get them during normal
> operation.
>
> Something odd I observed after the last two reboots: ns-slapd runs my
> hard disk for several minutes (about 15 minutes) after the reboot. This
> is the time it takes to log all these change record messages.
>
> Kindly
> Martin
>
> --

We have the same issue here on some servers... Any solutions for it?

Greetz

From prasun.gera at gmail.com Wed Jun 24 08:24:37 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Wed, 24 Jun 2015 01:24:37 -0700
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To: <20150624074920.GF11174@hendrix.redhat.com>
References: <20150624074920.GF11174@hendrix.redhat.com>
Message-ID:

Thanks. It's good to know that it is fixed upstream. For discussion though, are any enhancements planned for dealing with installation/removal of ipa?

On Wed, Jun 24, 2015 at 12:49 AM, Jakub Hrozek wrote:
> On Tue, Jun 23, 2015 at 10:46:14PM -0700, Prasun Gera wrote:
> > After spending a better part of the day, the culprit was this line in
> > nsswitch.conf:
> >
> > sudoers: files sss sss
>
> Known ipa-client-install bug, fixed.
>
> >
> > It turns out that the extra sss left behind is sufficient to make any sudo
> > command hang. Easy to reproduce too.
>
> Known sudo bug, fixed in upstream and making its way into downstreams:
> https://bugzilla.redhat.com/show_bug.cgi?id=1133657
> https://bugzilla.redhat.com/show_bug.cgi?id=1147498
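To make Ludwig's suggestion in the changelog thread above concrete (search cn=changelog and watch whether the first changenumber returned keeps increasing), here is an added example of my own; it is not 389-ds or FreeIPA code. It reads the LDIF that an ldapsearch under cn=changelog prints together with lines from the errors log, reports the retained changenumber range, and splits the failed delete_changerecord numbers into those already below the first retained entry (consistent with a record being trimmed a second time, as Ludwig describes) and those still inside the retained range. The LDIF entries and log lines are constructed samples, not the posters' data; the function names are mine.

```python
"""Check 389-ds retro changelog trimming against delete_changerecord errors.

Added example, not 389-ds or FreeIPA code. Input is the LDIF output of an
ldapsearch under cn=changelog plus lines from the errors log; output is the
retained changenumber range and a classification of the failed deletes.
"""
import re
from typing import Dict, List, Tuple

# attribute line of a changelog entry: "changeNumber: 152926"
CHANGENUMBER_RE = re.compile(r"^changenumber:\s*(\d+)\s*$", re.IGNORECASE)
# errors log: "... DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32)"
TRIM_ERR_RE = re.compile(r"delete_changerecord: could not delete change record (\d+) \(rc: (\d+)\)")
LDAP_NO_SUCH_OBJECT = "32"  # the rc in the quoted messages


def changelog_range(ldif_text: str) -> Tuple[int, int, int]:
    """Return (first, last, count) of the changeNumber values in the search output."""
    matches = (CHANGENUMBER_RE.match(line) for line in ldif_text.splitlines())
    numbers = sorted(int(m.group(1)) for m in matches if m)
    if not numbers:
        raise ValueError("no changeNumber attributes in the search output")
    return numbers[0], numbers[-1], len(numbers)


def failed_deletes(errors_text: str) -> List[int]:
    """Changenumbers whose trimming delete failed with LDAP noSuchObject (rc 32)."""
    return [int(m.group(1)) for m in TRIM_ERR_RE.finditer(errors_text)
            if m.group(2) == LDAP_NO_SUCH_OBJECT]


def report(ldif_text: str, errors_text: str) -> Dict[str, object]:
    first, last, count = changelog_range(ldif_text)
    failed = failed_deletes(errors_text)
    return {
        "first": first, "last": last, "count": count,
        # below the first retained entry: the record was already purged
        "already_purged": [n for n in failed if n < first],
        # at or above it: the entry is still there but its delete failed, worth a look
        "still_present": [n for n in failed if n >= first],
    }


def trimming_progressing(first_before: int, first_after: int) -> bool:
    """Ludwig's test: the first changenumber returned must increase between two searches."""
    return first_after > first_before


# Constructed samples (not the posters' data): three retained entries and
# three trimming errors, two older than the first retained entry and one inside the range.
CHANGELOG_SEARCH = """\
dn: changenumber=152926,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 152926
targetDn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changeTime: 20150622080000Z
changeType: modify

dn: changenumber=152927,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 152927
targetDn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
changeTime: 20150622080005Z
changeType: add

dn: changenumber=152928,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 152928
targetDn: cn=tuser,ou=people,dc=example,dc=com
changeTime: 20150622080010Z
changeType: delete
"""
ERRORS_LOG = """\
[24/Jun/2015:09:58:01 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32)
[24/Jun/2015:09:58:01 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 128756 (rc: 32)
[24/Jun/2015:09:58:02 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 152927 (rc: 32)
"""

if __name__ == "__main__":
    r = report(CHANGELOG_SEARCH, ERRORS_LOG)
    print(f"retained changelog: {r['first']}..{r['last']} ({r['count']} entries)")
    print(f"failed deletes already below first entry: {r['already_purged']}")
    print(f"failed deletes inside retained range (investigate): {r['still_present']}")
```

Feed it two searches taken a few minutes apart and trimming_progressing tells you whether trimming is moving; a burst of "already_purged" numbers after a restart matches the harmless double-trim that Ludwig describes, while anything in "still_present" is a record the server claims to hold yet could not delete.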
From jhrozek at redhat.com Wed Jun 24 08:31:22 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 24 Jun 2015 10:31:22 +0200
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To:
References: <20150624074920.GF11174@hendrix.redhat.com>
Message-ID: <20150624083122.GG11174@hendrix.redhat.com>

On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote:
> Thanks. It's good to know that it is fixed upstream. For discussion though,
> are any enhancements planned for dealing with installation/removal of ipa?

Not sure, but please file bugs as you see them.

From tbordaz at redhat.com Wed Jun 24 09:38:27 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 24 Jun 2015 11:38:27 +0200
Subject: [Freeipa-users] Antwort: Re: thousands DSRetroclPlugin messages
In-Reply-To:
References: <553CA688.9040009@fahrendorf.de> <553DE905.3080108@redhat.com> <5540D9DA.9040507@fahrendorf.de> <5540DFE7.9030208@redhat.com> <5540FE12.7060302@fahrendorf.de>
Message-ID: <558A7A93.4000705@redhat.com>

On 06/24/2015 10:02 AM, Christoph Kaminski wrote:
> freeipa-users-bounces at redhat.com wrote on 29.04.2015 17:51:46:
>
> > On 29.04.2015 at 15:43, Ludwig Krispenz wrote:
> > >
> > > On 04/29/2015 03:17 PM, Martin (Lists) wrote:
> > >> On 27.04.2015 at 09:45, Ludwig Krispenz wrote:
> > >>> On 04/26/2015 10:49 AM, Martin (Lists) wrote:
> > >>>> Hello
> > >>>>
> > >>>> after a reboot I get almost thousand of the following messages:
> > >>>>
> > >>>> DSRetroclPlugin - delete_changerecord: could not delete change record
> > >>>> 128755 (rc: 32)
> > >>> this message comes from changelog trimming and means that an entry,
> > >>> which should be purged does not exist (any more).
> > >>> the retrocl maintains a first/lastchange and trimming starts at
> > >>> firstchange. if for some reason (race ?) there is an attempt to try to
> > >>> delete the same entry a second time this message should be logged.
> > >>> since the changenumbers in the error message increases, I think
> > >>> changelog trimming moves forward. you could do searches on
> > >>> "cn=changelog" to verify that trimming works.
> > >> changelog is part of the ldbm database plugin and contains several
> > >> informations I don't understand (or understand partially). What kind of
> > >> information should I look for?
> > > the changelog keeps track of the changes applied to the database, a
> > > typical entry looks like:
> > > dn: changenumber=4,cn=changelog
> > > objectClass: top
> > > objectClass: changelogentry
> > > changeNumber: 4
> > > targetDn: cn=tuser,ou=people,dc=example,dc=com
> > > changeTime: 20140411093444Z
> > > changeType: delete
> >
> > OK, I looked in the wrong directory. Now I have found many changelog
> > entries, starting with number 152926 and ending with 155512 (ldapsearch
> > states 2588 numEntries). Should that be that much?
> >
> > The oldest is about two days and a half old and it does not change
> > within the last few minutes.
> >
> > >
> > > each entry gets a DN made up from the changenumber, so your entries will
> > > be named:
> > > ....
> > > dn: changenumber=61,cn=changelog
> > > dn: changenumber=62,cn=changelog
> > > dn: changenumber=63,cn=changelog
> > > dn: changenumber=64,cn=changelog
> > > ....
> > > changenumbers start and are always incremented, changelog trimming
> > > removes old entries (depending on config).
> > >
> > > so if you do a search like:
> > > ldapsearch .................. -b "cn=changelog"
> > > the changenumber of the first entry returned should always increase,
> > > indicating that trimming works.
> >
> > As it seems my trimming is broken, at least partially. Is there
> > something I can adjust?
> >
> > >
> > > you said "thousands" of messages, how frequent are they really ?
> >
> > On every reboot I got these messages. I do not get them during normal
> > operation.
> >
> > Something odd I observed after the last two reboots: ns-slapd runs my
> > hard disk for several minutes (about 15 minutes) after the reboot. This
> > is the time it takes to log all these change record messages.
> >
> > Kindly
> > Martin
> >
> > --
>
> We have the same issue here on some servers... Any solutions for it?

Hi Christoph,

If you do a search on 'cn=changelog' what is the number of the first returned entry?
Also what is the first number logged in the error log 'delete_changerecord: could not delete change record xxx'.
Did you see those messages after a server restart?

thanks
thierry

>
> Greetz
>

From giorgio at di.unimi.it Wed Jun 24 15:11:07 2015
From: giorgio at di.unimi.it (Giorgio Biacchi)
Date: Wed, 24 Jun 2015 17:11:07 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
Message-ID: <558AC88B.7010104@di.unimi.it>

Hi everybody,
I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and logon on a linux host joined to IPA server using AD credentials (username at mydomain.local). But active directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot logon with credentials using alternative UPN (example: john.doe at otherdomain.com).

How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?

Thanks in advance

--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

From sbose at redhat.com Wed Jun 24 16:45:26 2015
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 24 Jun 2015 18:45:26 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <558AC88B.7010104@di.unimi.it>
References: <558AC88B.7010104@di.unimi.it>
Message-ID: <20150624164526.GJ12661@p.redhat.com>

On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> Hi everybody,
> I established a bidirectional trust between an IPA server (version 4.1.0 on
> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> Everything is working fine, and I'm able to authenticate and logon on a linux
> host joined to IPA server using AD credentials (username at mydomain.local).
> But active directory is configured with two more UPN suffixes (otherdomain.com
> and sub.otherdomain.com), and I cannot logon with credentials using alternative
> UPN (example: john.doe at otherdomain.com).
>
> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> Manual configuration of krb5 and/or sssd?

Have you tried to login to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' before to invalidate all cached entries so that the logs will contain all needed calls to AD.

Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.

bye,
Sumit

>
> Thanks in advance
>
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

From quest.monger at gmail.com Thu Jun 25 01:21:15 2015
From: quest.monger at gmail.com (quest monger)
Date: Wed, 24 Jun 2015 21:21:15 -0400
Subject: [Freeipa-users] Storing LDAP credentials in clear text.
Message-ID:

I have an IPA server running on CentOS server. I have multiple Solaris boxes that use this IPA server for SSH authentication. When configuring the Solaris hosts to be IPA clients, one of the things I had to do was to configure LDAP. This involved editing the /etc/ldap.conf file. It looks like this now -

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw
ssl start_tls
tls_cacertfile /var/ldap/cer8.db
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://example.com
sudoers_base ou=SUDOers,dc=example,dc=com
TLS_CERT /var/ldap/cer8.db

As you can see, the bind password is being stored in clear text. Is there a workaround for this? Has someone done this on a Solaris-11 platform?

Thanks.

From giorgio at di.unimi.it Thu Jun 25 10:22:16 2015
From: giorgio at di.unimi.it (Giorgio Biacchi)
Date: Thu, 25 Jun 2015 12:22:16 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <20150624164526.GJ12661@p.redhat.com>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com>
Message-ID: <558BD658.40301@di.unimi.it>

On 06/24/2015 06:45 PM, Sumit Bose wrote:
> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>> Hi everybody,
>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>> Everything is working fine, and I'm able to authenticate and logon on a linux
>> host joined to IPA server using AD credentials (username at mydomain.local).
>> But active directory is configured with two more UPN suffixes (otherdomain.com
>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
>> UPN (example: john.doe at otherdomain.com).
>>
>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>> Manual configuration of krb5 and/or sssd?
>
> Have you tried to login to an IPA client or the server? Please try with
> an IPA server first. If this does not work it would be nice if you can
> send the SSSD log files from the IPA server which are generated during
> the logon attempt. Please call 'sss_cache -E' before to invalidate all
> cached entries so that the logs will contain all needed calls to AD.
>
> Using UPN suffixes was added to the AD provider some time ago and the
> code is available in the IPA provider as well, but I guess no one has
> actually tried this before.
>
> bye,
> Sumit

First of all let me say that I feel like I'm missing some config somewhere.. Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1 at mydomain.local and an unsuccessful login for account2 at otherdomain.com done via ssh.

Bye and thanks for your help

>
>>
>> Thanks in advance
>>
>> --
>> gb
>>
>> PGP Key: http://pgp.mit.edu/
>> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

-------------- next part --------------
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group admins
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object admins
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group admins
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [admins]
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:ipa.mydomain.local:b002c2bc-18dd-11e5-b692-005056a45723))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:38:18 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Jun 25 11:38:27 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account1]
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account1))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local'
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc02.mydomain.local'
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc02.mydomain.local'
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400)
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local'
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [6171] finished successfully.
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435311673]
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/idc01.ipa.mydomain.local
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc02.mydomain.local' as 'working'
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'working'
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dc02.mydomain.local' as 'working'
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account1)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account1 at mydomain.local
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account1 at mydomain.local
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [account1 at mydomain.local].
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account1 at MYDOMAIN.LOCAL] to attributes of [account1 at mydomain.local].
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account1 at mydomain.local
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-3800))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectClass=ipaexternalgroup][dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ext_groups_done] (0x0400): [0] external groups found.
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found.
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=nobody]
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nobody)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=account1]
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account1))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account1)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account1 at mydomain.local
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account1 at mydomain.local
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [account1 at mydomain.local].
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account1 at MYDOMAIN.LOCAL] to attributes of [account1 at mydomain.local].
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account1 at mydomain.local
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-3800))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found.
(Thu Jun 25 11:41:14 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account1]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account1))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'gc_mydomain.local' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc02.mydomain.local' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc02.mydomain.local:3268' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400) (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc02.mydomain.local' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc02.mydomain.local' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [6173] finished successfully. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435311678] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/idc01.ipa.mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'dc02.mydomain.local' as 'working' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'working' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 3268 of duplicate server 'dc02.mydomain.local' as 'working' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account1)(objectclass=user)(objectSID=*))][dc=mydomain,dc=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account1 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account1 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [account1 at mydomain.local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account1 at MYDOMAIN.LOCAL] to attributes of [account1 at mydomain.local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account1 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=Giorgio Biacchi,OU=Gestori Aule,DC=mydomain,DC=local]. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-548 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1107 will be downloaded (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1608 will be downloaded (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1107)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=group)(name=*))][CN=Domain Users,CN=Users,DC=mydomain,DC=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4 at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member 
for group [test3 at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2 at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUser at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUser at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUser at mydomain.local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUser at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists) (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUser at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): 
Failed to save group [SophosUser at mydomain.local]: [File exists] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 1. Ignoring. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1608)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists) (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): 
Failed to save group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local]: [File exists] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4 at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member 
for group [test3 at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2 at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users at mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-3800))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found. (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Got request with the following data (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): domain: mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): user: account1 at mydomain.local (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): service: sshd (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): tty: ssh (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): ruser: (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): rhost: xxx.xxx.xxx (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): authtok type: 1 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): priv: 1 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): cli_pid: 6169 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): logon name: not set (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server idc01.ipa.mydomain.local: [172.21.251.9] TTL 7200 (Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://idc01.ipa.mydomain.local' (Thu Jun 25 11:41:18 2015) 
[sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [6174] finished successfully.
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'idc01.ipa.mydomain.local' as 'working'
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'idc01.ipa.mydomain.local' as 'working'
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'idc01.ipa.mydomain.local' as 'working'
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account1]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account1))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account1)(objectclass=user)(objectSID=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account1 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account1 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [account1 at mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account1 at MYDOMAIN.LOCAL] to attributes of [account1 at mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account1 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=Giorgio Biacchi,OU=Gestori Aule,DC=mydomain,DC=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-548
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1107 will be downloaded
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1608 will be downloaded
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1107)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUser at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUser at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUser at mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUser at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUser at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUser at mydomain.local]: [File exists]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1608)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local]: [File exists]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3 at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group Domain Users at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa at mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4 at mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3 at mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2 at mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test at mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users at mydomain.local
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users at mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-3800))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found.
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): domain: mydomain.local
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): user: account1 at mydomain.local
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): service: sshd
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): tty: ssh
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): ruser:
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): rhost: xxx.xxx.xxx
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): authtok type: 0
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): priv: 1
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): cli_pid: 6169
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): logon name: not set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_access_send] (0x0400): Performing access check for user [account1 at mydomain.local]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [account1 at mydomain.local]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=idc01.ipa.mydomain.local))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=idc01.ipa.mydomain.local,cn=computers,cn=accounts,dc=ipa,dc=mydomain,dc=local] using OpenLDAP deref
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=idc01.ipa.mydomain.local,cn=computers,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ipa,dc=mydomain,dc=local][2][(objectClass=ipaHBACService)]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ipa,dc=mydomain,dc=local][2][(objectClass=ipaHBACServiceGroup)]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ipa,dc=mydomain,dc=local][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=idc01.ipa.mydomain.local,cn=computers,cn=accounts,dc=ipa,dc=mydomain,dc=local)))]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=idc01.ipa.mydomain.local,cn=computers,cn=accounts,dc=ipa,dc=mydomain,dc=local)))][cn=hbac,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ipa,dc=mydomain,dc=local]
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Thu Jun 25 11:41:19 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=polkitd]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=polkitd)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [6175] finished successfully.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account1]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account1))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account1)(objectclass=user)(objectSID=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account1 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account1 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [account1 at mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account1 at MYDOMAIN.LOCAL] to attributes of [account1 at mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account1 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=Giorgio Biacchi,OU=Gestori Aule,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-548
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1107 will be downloaded
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1608 will be downloaded
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1107)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUser at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUser at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUser at mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUser at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUser at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUser at mydomain.local]: [File exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1608)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local]: [File exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3 at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group
Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-3800))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Got request with the following data (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): command: PAM_SETCRED (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): domain: mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): user: account1 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): service: sshd (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): tty: ssh (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): ruser: (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): rhost: xxx.xxx.xxx (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): authtok type: 0 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): priv: 1 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): cli_pid: 6169 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] 
[pam_print_data] (0x0100): logon name: not set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Sending result [0][mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1539403800] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uidNumber=1539403800)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_user_by_uid] (0x0400): No such entry (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_user_by_uid] (0x0400): No such entry (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account1] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account1))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account1)(objectclass=user)(objectSID=*))][dc=mydomain,dc=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account1 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account1 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [account1 at mydomain.local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account1 at MYDOMAIN.LOCAL] to attributes of [account1 at mydomain.local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account1 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=Giorgio Biacchi,OU=Gestori Aule,DC=mydomain,DC=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-548 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1107 will be downloaded (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1608 will be downloaded (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1107)(objectClass=group)(name=*))][dc=mydomain,dc=local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUser at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUser at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUser at mydomain.local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUser at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists) (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUser at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUser at mydomain.local]: [File exists] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1608)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists) (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local]: [File exists] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group 
Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-3800))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Got request with the following data (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): domain: mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): user: account1 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): service: sshd (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): tty: ssh (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): ruser: (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): rhost: xxx.xxx.xxx (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): authtok type: 0 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): priv: 1 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): cli_pid: 6169 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] 
[pam_print_data] (0x0100): logon name: not set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Sending result [0][mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account1] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account1))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account1)(objectclass=user)(objectSID=*))][dc=mydomain,dc=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account1 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account1 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [account1 at mydomain.local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account1 at MYDOMAIN.LOCAL] to attributes of [account1 at mydomain.local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account1 at mydomain.local (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=Giorgio Biacchi,OU=Gestori Aule,DC=mydomain,DC=local]. (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-548 (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1107 will be downloaded (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1608 will be downloaded (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1107)(objectClass=group)(name=*))][dc=mydomain,dc=local]. 
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUser@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUser@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUser@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUser@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUser@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUser@mydomain.local]: [File exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1608)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264@mydomain.local]: [File exists]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group Domain Users@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-3800))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): domain: mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): user: account1@mydomain.local
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): service: sshd
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): tty: ssh
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): ruser:
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): rhost: xxx.xxx.xxx
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): authtok type: 0
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): priv: 0
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): cli_pid: 6181
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): logon name: not set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Sending result [0][mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][idnumber=1539403800]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1539403800)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Thu Jun 25 11:41:21 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
-------------- next part --------------
(Thu Jun 25 11:38:18 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1647000000]
(Thu Jun 25 11:38:18 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1647000000@ipa.mydomain.local]
(Thu Jun 25 11:38:18 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [1647000000@ipa.mydomain.local]
(Thu Jun 25 11:38:18 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1647000000]
(Thu Jun 25 11:38:18 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadaee00:2:1647000000@ipa.mydomain.local]
(Thu Jun 25 11:38:18 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jun 25 11:40:46 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Thu Jun 25 11:40:46 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Thu Jun 25 11:41:10 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Thu Jun 25 11:41:10 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadaee00:1:account1@mydomain.local]
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [mydomain.local][4097][1][name=account1]
(Thu Jun 25 11:41:13 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadaee00:1:account1@mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadaee00:1:account1@mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [nobody].
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nobody' matched without domain, user is nobody
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [nobody] from []
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nobody@ipa.mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadaee00:3:nobody@ipa.mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4099][1][name=nobody]
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadaee00:3:nobody@ipa.mydomain.local]
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jun 25 11:41:14 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadaee00:3:nobody@ipa.mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:18 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [root].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [polkitd].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'polkitd' matched without domain, user is polkitd
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [polkitd] from []
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [polkitd@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadaee00:3:polkitd@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4099][1][name=polkitd]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadaee00:3:polkitd@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadaee00:3:polkitd@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [1539403800].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Requesting info for [1539403800@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadaee00:1:1539403800@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4097][1][idnumber=1539403800]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadaee00:1:1539403800@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0080): No matching domain found for [1539403800]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Requesting info for [1539403800@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0400): Returning info for uid [1539403800@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0080): No matching domain found for [1539403800]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadaee00:1:1539403800@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1 at mydomain.local' matched expression for domain 'mydomain.local', user is account1 (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1 at mydomain.local]. (Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1 at mydomain.local' matched expression for domain 'mydomain.local', user is account1 (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1 at mydomain.local]. 
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1 at mydomain.local' matched expression for domain 'mydomain.local', user is account1 (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1 at mydomain.local]. (Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1 at mydomain.local' matched expression for domain 'mydomain.local', user is account1 (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1 at mydomain.local] (Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1 at mydomain.local]. 
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): Initgroups for [account1@mydomain.local] completed
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [account1] from [mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1539403800].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1539403800@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadaee00:2:1539403800@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4098][1][idnumber=1539403800]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadaee00:2:1539403800@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1539403800]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1539403800@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [1539403800@mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1539403800]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadaee00:2:1539403800@ipa.mydomain.local]
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
-------------- next part --------------
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2@otherdomain.com)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:50 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2@otherdomain.com:U]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2@otherdomain.com)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 11:41:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
-------------- next part --------------
(Thu Jun 25 11:41:39 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@ipa.mydomain.local]
(Thu Jun 25 11:41:39 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2@otherdomain.com] found.
(Thu Jun 25 11:41:39 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2@otherdomain.com] to negative cache
(Thu Jun 25 11:41:39 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
(Thu Jun 25 11:41:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadaee00:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Thu Jun 25 11:41:41 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jun 25 11:41:44 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Thu Jun 25 11:41:44 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Thu Jun 25 11:41:45 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Thu Jun 25 11:41:45 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2@otherdomain.com] found.
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadaee00:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4097][1][name=account2@otherdomain.com:U]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadaee00:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2@otherdomain.com] found.
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2@otherdomain.com] to negative cache
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadaee00:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
(Thu Jun 25 11:41:55 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f36aadb0670:domains@ipa.mydomain.local]
(Thu Jun 25 11:42:01 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
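The two attachments above are the whole diagnosis in raw form: for account1@mydomain.local the nss responder logs "matched expression for domain 'mydomain.local'" and serves the entry from cache, while for account2@otherdomain.com there is no such match, the responder asks the backend for a subdomain called otherdomain.com, the IPA backend searches its own tree under cn=accounts,dc=ipa,dc=mydomain,dc=local for krbPrincipalName=account2@otherdomain.com, gets 0 results, and the name is written to the negative cache for ipa.mydomain.local. The following script is an added example for this thread, not code from SSSD, FreeIPA or the posters: it parses debug lines of the shape seen in these excerpts and prints that reading per looked-up name. The line format is inferred from the quoted entries and is an assumption, not SSSD's documented format; the sample logs are constructed from the quoted entries with the archive's "user at domain" obfuscation undone.

```python
"""Triage an SSSD debug-log excerpt: where each name lookup was routed and how it ended.
Added example for this thread, not SSSD or FreeIPA code.  The line format is inferred
from the quoted log entries (an assumption); the sample logs are constructed from them."""
import re
from collections import defaultdict

# (timestamp) [process] [function] (debug level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[[^ ]*)\] \[(?P<func>[^\]]+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
CMD_RE = re.compile(r"Running command \[\d+\] with (?:input|id) \[(?P<name>[^\]]+)\]")
ROUTED_RE = re.compile(r"name '(?P<name>[^']+)' matched expression for domain '(?P<dom>[^']+)'")
PROBE_RE = re.compile(r"Sending get domains request for \[[^\]]+\]\[(?P<hint>[^\]]+)\]")
NODOM_RE = re.compile(r"No matching domain found for \[(?P<name>[^\]]+)\]")
NEG_RE = re.compile(r"Adding \[NCE/[A-Z]+/(?P<dom>[^/]+)/(?P<name>[^\]]+)\] to negative cache")
LDAP_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]+)\]\.$")
RESULTS_RE = re.compile(r"Search for users, returned (?P<n>\d+) results")
PRINC_RE = re.compile(r"krbPrincipalName=([^)]+)")

def parse_line(line):
    """Split one debug line into ts/proc/func/level/msg; None for non-log text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def _new_summary():
    return {"domain": None, "subdomain_probe": None, "cache_hits": 0, "returned": 0,
            "no_domain": 0, "negative_cache": [], "ldap": []}

def triage(lines):
    """Return {requested name: summary} from mixed nss and backend log lines."""
    lookups = defaultdict(_new_summary)
    current = None   # name of the in-flight nss request
    pending = None   # last ldap_search_ext still waiting for its result count
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func in ("nss_cmd_getbynam", "nss_cmd_getbyid") and (m := CMD_RE.search(msg)):
            current = m.group("name")
        elif func == "sss_parse_name_for_domains" and (m := ROUTED_RE.search(msg)):
            lookups[m.group("name")]["domain"] = m.group("dom")   # a configured domain matched
        elif func == "sss_dp_get_domains_msg" and current and (m := PROBE_RE.search(msg)):
            lookups[current]["subdomain_probe"] = m.group("hint")  # backend asked for a subdomain
        elif func == "check_cache" and current and "valid" in msg:
            lookups[current]["cache_hits"] += 1
        elif "Returning info for" in msg and current:
            lookups[current]["returned"] += 1
        elif (m := NODOM_RE.search(msg)):
            lookups[m.group("name")]["no_domain"] += 1
        elif func == "sss_ncache_set_str" and (m := NEG_RE.search(msg)):
            lookups[m.group("name")]["negative_cache"].append(m.group("dom"))
        elif func == "sdap_get_generic_ext_step" and (m := LDAP_RE.search(msg)):
            pending = {"filter": m.group("filter"), "base": m.group("base"), "results": None}
        elif func == "sdap_search_user_process" and pending and (m := RESULTS_RE.search(msg)):
            pending["results"] = int(m.group("n"))
            pm = PRINC_RE.search(pending["filter"])  # attribute the search to its principal
            lookups[pm.group(1) if pm else "?"]["ldap"].append(pending)
            pending = None
    return dict(lookups)

def verdict(s):
    """One-line reading of a summary."""
    if s["domain"] and (s["cache_hits"] or s["returned"]):
        return "resolved in %s (from %s)" % (s["domain"], "cache" if s["cache_hits"] else "provider")
    if s["domain"] is None and s["no_domain"]:
        searched = ["%s -> %d results" % (x["base"], x["results"]) for x in s["ldap"]]
        return ("unroutable: no configured domain matched; subdomain probe for %s; "
                "backend searched %s; negative-cached in %s"
                % (s["subdomain_probe"], searched, s["negative_cache"]))
    return "unresolved"

# Constructed sample, assembled from entries quoted in the thread (archive's "at" undone).
SAMPLE_NSS_LOG = """\
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched expression for domain 'mydomain.local', user is account1
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jun 25 11:41:21 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account1@mydomain.local]
(Thu Jun 25 11:41:39 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2@otherdomain.com] to negative cache
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 11:41:50 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
"""
SAMPLE_BE_LOG = """\
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2@otherdomain.com)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 11:41:39 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
"""

def triage_samples():
    return triage(SAMPLE_NSS_LOG.splitlines() + SAMPLE_BE_LOG.splitlines())

if __name__ == "__main__":
    for name, summary in triage_samples().items():
        print("%-26s %s" % (name, verdict(summary)))
```

Run it against a real pair of files with something like triage(open("sssd_nss.log").read().splitlines() + open("sssd_ipa.mydomain.local.log").read().splitlines()). The thing to look for is the combination the script flags as "unroutable": no "matched expression for domain" line for the name, a get-domains probe carrying the unknown UPN suffix, and the backend searching the IPA domain's own cn=accounts tree rather than the trusted AD domain. A lookup that reaches AD and still fails would instead show a match to the trusted domain and an LDAP search against that domain's base, which is how you tell a routing problem from a plain missing account.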
From sbose at redhat.com Thu Jun 25 10:56:33 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 25 Jun 2015 12:56:33 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <558BD658.40301@di.unimi.it>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it>
Message-ID: <20150625105633.GN12661@p.redhat.com>

On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> > On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >> Hi everybody,
> >> I established a bidirectional trust between an IPA server (version 4.1.0 on
> >> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> >> Everything is working fine, and I'm able to authenticate and log on on a Linux
> >> host joined to the IPA server using AD credentials (username at mydomain.local).
> >> But Active Directory is configured with two more UPN suffixes (otherdomain.com
> >> and sub.otherdomain.com), and I cannot log on with credentials using an alternative
> >> UPN (example: john.doe at otherdomain.com).
> >>
> >> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> >> Manual configuration of krb5 and/or sssd?
> >
> > Have you tried to log in to an IPA client or the server? Please try with
> > an IPA server first. If this does not work it would be nice if you can
> > send the SSSD log files from the IPA server which are generated during
> > the logon attempt. Please call 'sss_cache -E' before, to invalidate all
> > cached entries so that the logs will contain all needed calls to AD.
> >
> > Support for UPN suffixes was added to the AD provider some time ago and the
> > code is available in the IPA provider as well, but I guess no one has
> > actually tried this before.
> >
> > bye,
> > Sumit
>
> First of all let me say that I feel like I'm missing some config somewhere..
> Changes tried in krb5.conf to support UPN suffixes didn't help.
> I can only access the server via ssh so I've attached the logs for a successful
> login for account1 at mydomain.local and an unsuccessful login for
> account2 at otherdomain.com done via ssh.
>
> Bye and thanks for your help
>

It looks like the request is not properly propagated to sub-domains (the
trusted AD domain) but only sent to the IPA domain.

Would it be possible for you to run a test build of SSSD which might fix
this? If yes, which version of SSSD are you currently using? Then I can
prepare a test build with the patch on top of this version.

bye,
Sumit

From giorgio at di.unimi.it Thu Jun 25 11:06:22 2015
From: giorgio at di.unimi.it (Giorgio Biacchi)
Date: Thu, 25 Jun 2015 13:06:22 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <20150625105633.GN12661@p.redhat.com>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com>
Message-ID: <558BE0AE.3020603@di.unimi.it>

On 06/25/2015 12:56 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>> Hi everybody,
>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>>>> Everything is working fine, and I'm able to authenticate and log on on a Linux
>>>> host joined to the IPA server using AD credentials (username at mydomain.local).
>>>> But Active Directory is configured with two more UPN suffixes (otherdomain.com
>>>> and sub.otherdomain.com), and I cannot log on with credentials using an alternative
>>>> UPN (example: john.doe at otherdomain.com).
>>>>
>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>> Manual configuration of krb5 and/or sssd?
>>>
>>> Have you tried to log in to an IPA client or the server? Please try with
>>> an IPA server first. If this does not work it would be nice if you can
>>> send the SSSD log files from the IPA server which are generated during
>>> the logon attempt. Please call 'sss_cache -E' before, to invalidate all
>>> cached entries so that the logs will contain all needed calls to AD.
>>>
>>> Support for UPN suffixes was added to the AD provider some time ago and the
>>> code is available in the IPA provider as well, but I guess no one has
>>> actually tried this before.
>>>
>>> bye,
>>> Sumit
>>
>> First of all let me say that I feel like I'm missing some config somewhere..
>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>> I can only access the server via ssh so I've attached the logs for a successful
>> login for account1 at mydomain.local and an unsuccessful login for
>> account2 at otherdomain.com done via ssh.
>>
>> Bye and thanks for your help
>>
>
> It looks like the request is not properly propagated to sub-domains (the
> trusted AD domain) but only sent to the IPA domain.
>
> Would it be possible for you to run a test build of SSSD which might fix
> this? If yes, which version of SSSD are you currently using? Then I can
> prepare a test build with the patch on top of this version.
>
> bye,
> Sumit
>

Hi,
I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
any test.

Here are the package versions for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64

Thanks again
--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

From dpal at redhat.com Thu Jun 25 11:16:05 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 25 Jun 2015 07:16:05 -0400
Subject: [Freeipa-users] Storing LDAP credentials in clear text.
Message-ID: <558BE2F5.7010006@redhat.com>

On 06/24/2015 09:21 PM, quest monger wrote:
> I have an IPA server running on a CentOS server. I have multiple Solaris
> boxes that use this IPA server for SSH authentication.
> When configuring the Solaris hosts to be IPA clients, one of the
> things I had to do was to configure LDAP. This involved editing the
> /etc/ldap.conf file. It looks like this now -
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
> bindpw
> ssl start_tls
> tls_cacertfile /var/ldap/cer8.db
> tls_checkpeer yes
> bind_timelimit 5
> timelimit 15
> uri ldap://example.com
> sudoers_base ou=SUDOers,dc=example,dc=com
> TLS_CERT /var/ldap/cer8.db
>
> As you can see, the bind password is being stored in clear text.
> Is there a workaround for this? Has someone done this on a Solaris-11
> platform?
>
> Thanks.
>

AFAIR Solaris should have (or at least used to have) some kind of obfuscation scheme, but it might be buried in some manuals. It might be a feature or switch of the ldapclient command.

HTH

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
From sbose at redhat.com Thu Jun 25 12:10:22 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 25 Jun 2015 14:10:22 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <558BE0AE.3020603@di.unimi.it>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it>
Message-ID: <20150625121022.GO12661@p.redhat.com>

On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >>>> Hi everybody,
> >>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
> >>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> >>>> Everything is working fine, and I'm able to authenticate and log on on a Linux
> >>>> host joined to the IPA server using AD credentials (username at mydomain.local).
> >>>> But Active Directory is configured with two more UPN suffixes (otherdomain.com
> >>>> and sub.otherdomain.com), and I cannot log on with credentials using an alternative
> >>>> UPN (example: john.doe at otherdomain.com).
> >>>>
> >>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> >>>> Manual configuration of krb5 and/or sssd?
> >>>
> >>> Have you tried to log in to an IPA client or the server? Please try with
> >>> an IPA server first. If this does not work it would be nice if you can
> >>> send the SSSD log files from the IPA server which are generated during
> >>> the logon attempt. Please call 'sss_cache -E' before, to invalidate all
> >>> cached entries so that the logs will contain all needed calls to AD.
> >>>
> >>> Support for UPN suffixes was added to the AD provider some time ago and the
> >>> code is available in the IPA provider as well, but I guess no one has
> >>> actually tried this before.
> >>>
> >>> bye,
> >>> Sumit
> >>
> >> First of all let me say that I feel like I'm missing some config somewhere..
> >> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >> I can only access the server via ssh so I've attached the logs for a successful
> >> login for account1 at mydomain.local and an unsuccessful login for
> >> account2 at otherdomain.com done via ssh.
> >>
> >> Bye and thanks for your help
> >>
> >
> > It looks like the request is not properly propagated to sub-domains (the
> > trusted AD domain) but only sent to the IPA domain.
> >
> > Would it be possible for you to run a test build of SSSD which might fix
> > this? If yes, which version of SSSD are you currently using? Then I can
> > prepare a test build with the patch on top of this version.
> >
> > bye,
> > Sumit
> >
>
> Hi,
> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
> any test.
>
> Here are the package versions for sssd:
>
> sssd-common-1.12.2-58.el7_1.6.x86_64
> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> sssd-1.12.2-58.el7_1.6.x86_64
> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> sssd-ad-1.12.2-58.el7_1.6.x86_64
> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> sssd-client-1.12.2-58.el7_1.6.x86_64

Please try the packages at
http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .

bye,
Sumit

>
> Thanks again
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

From harald.dunkel at aixigo.de Wed Jun 24 07:06:49 2015
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Wed, 24 Jun 2015 09:06:49 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
Message-ID: <558A5709.1000603@aixigo.de>

Hi folks,

I have a general problem with freeipa: It is *highly* complex
and depends upon too many systems working together correctly
(IMHO).

My concern is, if there is a problem, then the usual tools
following the Unix paradigm (do one thing and do it well)
don't help anymore. I can speak only for my own stomach, but
it turns upside down when I think about this.

Your thoughts on this?

Regards
Harri

From giorgio at di.unimi.it Thu Jun 25 14:29:37 2015
From: giorgio at di.unimi.it (Giorgio Biacchi)
Date: Thu, 25 Jun 2015 16:29:37 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <20150625121022.GO12661@p.redhat.com>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it> <20150625121022.GO12661@p.redhat.com>
Message-ID: <558C1051.8010205@di.unimi.it>

On 06/25/2015 02:10 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>> Hi everybody,
>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>>>>>> Everything is working fine, and I'm able to authenticate and log on on a Linux
>>>>>> host joined to the IPA server using AD credentials (username at mydomain.local).
>>>>>> But Active Directory is configured with two more UPN suffixes (otherdomain.com
>>>>>> and sub.otherdomain.com), and I cannot log on with credentials using an alternative
>>>>>> UPN (example: john.doe at otherdomain.com).
>>>>>>
>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>>>> Manual configuration of krb5 and/or sssd?
>>>>>
>>>>> Have you tried to log in to an IPA client or the server? Please try with
>>>>> an IPA server first. If this does not work it would be nice if you can
>>>>> send the SSSD log files from the IPA server which are generated during
>>>>> the logon attempt. Please call 'sss_cache -E' before, to invalidate all
>>>>> cached entries so that the logs will contain all needed calls to AD.
>>>>>
>>>>> Support for UPN suffixes was added to the AD provider some time ago and the
>>>>> code is available in the IPA provider as well, but I guess no one has
>>>>> actually tried this before.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>
>>>> First of all let me say that I feel like I'm missing some config somewhere..
>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>>>> I can only access the server via ssh so I've attached the logs for a successful
>>>> login for account1 at mydomain.local and an unsuccessful login for
>>>> account2 at otherdomain.com done via ssh.
>>>>
>>>> Bye and thanks for your help
>>>>
>>>
>>> It looks like the request is not properly propagated to sub-domains (the
>>> trusted AD domain) but only sent to the IPA domain.
>>>
>>> Would it be possible for you to run a test build of SSSD which might fix
>>> this? If yes, which version of SSSD are you currently using? Then I can
>>> prepare a test build with the patch on top of this version.
>>>
>>> bye,
>>> Sumit
>>>
>>
>> Hi,
>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
>> any test.
>>
>> Here are the package versions for sssd:
>>
>> sssd-common-1.12.2-58.el7_1.6.x86_64
>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>> sssd-1.12.2-58.el7_1.6.x86_64
>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>> sssd-client-1.12.2-58.el7_1.6.x86_64
>
> Please try the packages at
> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>
> bye,
> Sumit

Hi,
I've installed the new RPMs; now if I run on the server:

id account1 at mydomain.local
id account2 at otherdomain.com
id account2 at sub.otherdomain.com

all the users are found, but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.

Attached are the logs for an unsuccessful login for user account2 at otherdomain.com.

Bye
--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

-------------- next part --------------
(Thu Jun 25 16:18:54 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches. (Thu Jun 25 16:18:54 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache. (Thu Jun 25 16:18:58 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com].
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found. (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa075e40:1:account2 at otherdomain.com:U at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4097][1][name=account2 at otherdomain.com:U] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa075e40:1:account2 at otherdomain.com:U at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found. 
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2 at otherdomain.com] to negative cache (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa075e40:1:account2 at otherdomain.com:U at mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [mydomain.local][4097][1][name=account2 at otherdomain.com:U] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa075e40:1:account2 at otherdomain.com:U at mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fd3aa075e40:1:account2 at otherdomain.com:U at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2 at otherdomain.com@mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fd3aa075e40:1:account2 at otherdomain.com:U at mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [nobody]. 
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nobody' matched without domain, user is nobody (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [nobody] from [] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nobody at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa075e40:3:nobody at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4099][1][name=nobody] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa075e40:3:nobody at ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fd3aa075e40:3:nobody at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com]. (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache) (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2 at otherdomain.com], fail! 
(Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com]. (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache) (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2 at otherdomain.com], fail! (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com]. (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache) (Thu Jun 25 16:19:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2 at otherdomain.com], fail! 
(Thu Jun 25 16:19:02 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fd3aa0776b0:domains at ipa.mydomain.local] (Thu Jun 25 16:19:05 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected! -------------- next part -------------- (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2 at otherdomain.com:U] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2 at otherdomain.com)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results. 
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2 at otherdomain.com:U] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2 at otherdomain.com))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(userPrincipalName=account2 at otherdomain.com)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local]. 
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=nobody] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nobody)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=account2] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account2)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local]. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. 
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local].
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectClass=ipaexternalgroup][dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ext_groups_done] (0x0400): [0] external groups found.
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found.
(Thu Jun 25 16:18:58 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed.
Returned 0,0,Success
(Thu Jun 25 16:19:02 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 16:19:02 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 16:19:02 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 16:19:02 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 16:19:02 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 16:19:02 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]

From pspacek at redhat.com Thu Jun 25 14:40:14 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 25 Jun 2015 16:40:14 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558A5709.1000603@aixigo.de>
References: <558A5709.1000603@aixigo.de>
Message-ID: <558C12CE.5040400@redhat.com>

On 24.6.2015 09:06, Harald Dunkel wrote:
> Hi folks,
>
> I have a general problem with freeipa: It is *highly* complex
> and depends upon too many systems working together correctly
> (IMHO).
>
> My concern is, if there is a problem, then the usual tools
> following the Unix paradigm (do one thing and do it well)
> don't help anymore. I can speak only for my own stomach, but
> it turns upside down when I think about this.
>
> Your thoughts on this?

Yes, FreeIPA is complex. On the other hand, you will get the same complexity
when you try to integrate the same services yourself + you will get all the
maintenance cost as a bonus.
I can speak from my own sysadmin experience :-)

--
Petr^2 Spacek

From brian.topping at gmail.com Thu Jun 25 14:48:55 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Thu, 25 Jun 2015 07:48:55 -0700
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558C12CE.5040400@redhat.com>
References: <558A5709.1000603@aixigo.de> <558C12CE.5040400@redhat.com>
Message-ID:

+1. After maintaining these components separately for years, getting everything as a single package with tested integration between them from release-to-release is huge.

If you are worried about the complexity, take a look at any good Windows Server documentation set. It's thousands of pages. RH IPA doesn't have this advantage, but the fact that it's gaining traction without all that says a lot of good things to me.

Sent from my iPhone

> On Jun 25, 2015, at 07:40, Petr Spacek wrote:
>
>> On 24.6.2015 09:06, Harald Dunkel wrote:
>> Hi folks,
>>
>> I have a general problem with freeipa: It is *highly* complex
>> and depends upon too many systems working together correctly
>> (IMHO).
>>
>> My concern is, if there is a problem, then the usual tools
>> following the Unix paradigm (do one thing and do it well)
>> don't help anymore. I can speak only for my own stomach, but
>> it turns upside down when I think about this.
>>
>> Your thoughts on this?
>
> Yes, FreeIPA is complex. On the other hand, you will get the same complexity
> when you try to integrate the same services yourself + you will get all the
> maintenance cost as a bonus.
>
> I can speak from my own sysadmin experience :-)
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From CWhite at skytouchtechnology.com Thu Jun 25 15:33:02 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Thu, 25 Jun 2015 15:33:02 +0000
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558A5709.1000603@aixigo.de>
References: <558A5709.1000603@aixigo.de>
Message-ID:

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Harald Dunkel
Sent: Wednesday, June 24, 2015 12:07 AM
To: freeipa-users
Subject: [Freeipa-users] hesitate to deploy freeipa

Hi folks,

I have a general problem with freeipa: It is *highly* complex and
depends upon too many systems working together correctly (IMHO).

My concern is, if there is a problem, then the usual tools following
the Unix paradigm (do one thing and do it well) don't help anymore. I
can speak only for my own stomach, but it turns upside down when I
think about this.

Your thoughts on this?
----
Well, it's a good thing that you don't use XWindows.

You already have a humble opinion on something that you aren't using
yet? Seriously?

It's clearly not for you, thanks for playing.
Craig

From sbose at redhat.com Thu Jun 25 15:44:26 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 25 Jun 2015 17:44:26 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <558C1051.8010205@di.unimi.it>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it> <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it>
Message-ID: <20150625154426.GQ12661@p.redhat.com>

On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> >> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> >>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >>>>>> Hi everybody,
> >>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
> >>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> >>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux
> >>>>>> host joined to IPA server using AD credentials (username at mydomain.local).
> >>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
> >>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
> >>>>>> UPN (example: john.doe at otherdomain.com).
> >>>>>>
> >>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> >>>>>> Manual configuration of krb5 and/or sssd?
> >>>>>
> >>>>> Have you tried to login to an IPA client or the server? Please try with
> >>>>> an IPA server first. If this does not work it would be nice if you can
> >>>>> send the SSSD log files from the IPA server which are generated during
> >>>>> the logon attempt.
> >>>>> Please call 'sss_cache -E' beforehand to invalidate all
> >>>>> cached entries so that the logs will contain all needed calls to AD.
> >>>>>
> >>>>> Support for UPN suffixes was added to the AD provider some time ago and the
> >>>>> code is available in the IPA provider as well, but I guess no one has
> >>>>> actually tried this before.
> >>>>>
> >>>>> bye,
> >>>>> Sumit
> >>>>
> >>>> First of all let me say that I feel like I'm missing some config somewhere..
> >>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >>>> I can only access the server via ssh so I've attached the logs for a successful
> >>>> login for account1 at mydomain.local and an unsuccessful login for
> >>>> account2 at otherdomain.com done via ssh.
> >>>>
> >>>> Bye and thanks for your help
> >>>>
> >>>
> >>> It looks like the request is not properly propagated to sub-domains (the
> >>> trusted AD domain) but only sent to the IPA domain.
> >>>
> >>> Would it be possible for you to run a test build of SSSD which might fix
> >>> this? If yes, which version of SSSD are you currently using? Then I can
> >>> prepare a test build with the patch on top of this version.
> >>>
> >>> bye,
> >>> Sumit
> >>>
> >>
> >> Hi,
> >> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
> >> any test.
> >>
> >> Here are the package versions for sssd:
> >>
> >> sssd-common-1.12.2-58.el7_1.6.x86_64
> >> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> >> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> >> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> >> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> >> sssd-1.12.2-58.el7_1.6.x86_64
> >> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> >> sssd-ad-1.12.2-58.el7_1.6.x86_64
> >> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> >> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> >> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> >> sssd-client-1.12.2-58.el7_1.6.x86_64
> >
> > Please try the packages at
> > http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
> >
> > bye,
> > Sumit
>
> Hi,
> I've installed the new RPMs, now if I run on the server:
>
> id account1 at mydomain.local
> id account2 at otherdomain.com
> id account2 at sub.otherdomain.com
>
> all the users are found but I'm still unable to log in via ssh with the accounts
> @otherdomain.com and @sub.otherdomain.com.
>
> Attached are the logs for an unsuccessful login for user account2 at otherdomain.com.

Bother, I forgot to add the fix to the pam responder as well, please try
new packages from
http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .

bye,
Sumit

>
> Bye
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

From simo at redhat.com Thu Jun 25 15:47:25 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 25 Jun 2015 11:47:25 -0400
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To:
References: <558A5709.1000603@aixigo.de>
Message-ID: <1435247245.22563.63.camel@willson.usersys.redhat.com>

On Thu, 2015-06-25 at 15:33 +0000, Craig White wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Harald Dunkel
> Sent: Wednesday, June 24, 2015 12:07 AM
> To: freeipa-users
> Subject: [Freeipa-users] hesitate to deploy freeipa
>
> Hi folks,
>
> I have a general problem with freeipa: It is *highly* complex and
> depends upon too many systems working together correctly (IMHO).
>
> My concern is, if there is a problem, then the usual tools following
> the Unix paradigm (do one thing and do it well) don't help anymore. I
> can speak only for my own stomach, but it turns upside down when I
> think about this.
>
>
> Your thoughts on this?
> ----
> Well, it's a good thing that you don't use XWindows.
>
> You already have a humble opinion on something that you aren't using
> yet? Seriously?
>
> It's clearly not for you, thanks for playing.
>
> Craig
>

Craig,
it is a legitimate question to ask, there is no need to make snarky remarks.

Harald,
the reason I (and others) started this project many years ago is that trying to set up all components myself was boring and highly error prone, and you would always end up with a bag of parts that had a lot of mismatches, and some functionality was always missing or poor or incomplete, due to the imperfect integration.

Yes, the whole project is complex, but not because we like complexity, it is complex because the problem space is complex and we are bound to use existing protocols, which sometimes add in complexity, and we want to offer useful features to admins, so they can think about managing stuff and not about the plumbing all the time.

The best option is to study the individual components and how they are integrated, just like you (presumably) studied how a Unix/Linux OS is put together and operates. An OS is not simpler in any way, but you probably do not see the complexity as menacing anymore because you are familiar with how it works.

The same familiarity can be attained with FreeIPA, all the components are available, the configuration directives are mostly where you expect them to be, and all the glue code is in the FreeIPA repositories if you want to go deep into the minutiae, and understand the nuanced integration for some of the plumbing. It can be studied and understood.

I would say that time would be better invested in learning how FreeIPA works rather than trying to build your own and be the only one that knows (or forgets) how things were put together ad hoc.

Collaborating on a project means you are not alone and can share experiences, ask for help and in general get up to speed with various parts of the infrastructure as you need it, not being forced to know everything like a pro before even starting.

This is my humble opinion.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From giorgio at di.unimi.it Thu Jun 25 17:00:34 2015
From: giorgio at di.unimi.it (Giorgio Biacchi)
Date: Thu, 25 Jun 2015 19:00:34 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <20150625154426.GQ12661@p.redhat.com>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it> <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com>
Message-ID: <558C33B2.5020508@di.unimi.it>

On 06/25/2015 05:44 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>> Hi everybody,
>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux
>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local).
>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
>>>>>>>> UPN (example: john.doe at otherdomain.com).
>>>>>>>>
>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>>>>>> Manual configuration of krb5 and/or sssd?
>>>>>>>
>>>>>>> Have you tried to login to an IPA client or the server? Please try with
>>>>>>> an IPA server first.
>>>>>>> If this does not work it would be nice if you can
>>>>>>> send the SSSD log files from the IPA server which are generated during
>>>>>>> the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all
>>>>>>> cached entries so that the logs will contain all needed calls to AD.
>>>>>>>
>>>>>>> Support for UPN suffixes was added to the AD provider some time ago and the
>>>>>>> code is available in the IPA provider as well, but I guess no one has
>>>>>>> actually tried this before.
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>
>>>>>> First of all let me say that I feel like I'm missing some config somewhere..
>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>>>>>> I can only access the server via ssh so I've attached the logs for a successful
>>>>>> login for account1 at mydomain.local and an unsuccessful login for
>>>>>> account2 at otherdomain.com done via ssh.
>>>>>>
>>>>>> Bye and thanks for your help
>>>>>>
>>>>>
>>>>> It looks like the request is not properly propagated to sub-domains (the
>>>>> trusted AD domain) but only sent to the IPA domain.
>>>>>
>>>>> Would it be possible for you to run a test build of SSSD which might fix
>>>>> this? If yes, which version of SSSD are you currently using? Then I can
>>>>> prepare a test build with the patch on top of this version.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>
>>>> Hi,
>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
>>>> any test.
>>>>
>>>> Here are the package versions for sssd:
>>>>
>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>
>>> Please try the packages at
>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>
>>> bye,
>>> Sumit
>>
>> Hi,
>> I've installed the new RPMs, now if I run on the server:
>>
>> id account1 at mydomain.local
>> id account2 at otherdomain.com
>> id account2 at sub.otherdomain.com
>>
>> all the users are found but I'm still unable to log in via ssh with the accounts
>> @otherdomain.com and @sub.otherdomain.com.
>>
>> Attached are the logs for an unsuccessful login for user account2 at otherdomain.com.
>
> Bother, I forgot to add the fix to the pam responder as well, please try
> new packages from
> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
>
> bye,
> Sumit
>

Hi,
I've updated all the packages but still no login. Logs follow.

Thanks again

--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

-------------- next part --------------
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2 at otherdomain.com], fail!
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com].
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2 at otherdomain.com], fail!
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:49:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jun 25 18:53:07 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Thu Jun 25 18:53:07 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com].
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found.
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335ce40:1:account2 at otherdomain.com:U at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4097][1][name=account2 at otherdomain.com:U]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335ce40:1:account2 at otherdomain.com:U at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found.
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2 at otherdomain.com] to negative cache
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335ce40:1:account2 at otherdomain.com:U at mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [mydomain.local][4097][1][name=account2 at otherdomain.com:U]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335ce40:1:account2 at otherdomain.com:U at mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335ce40:1:account2 at otherdomain.com:U at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2 at otherdomain.com@mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335ce40:1:account2 at otherdomain.com:U at mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [nobody].
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nobody' matched without domain, user is nobody
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [nobody] from []
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nobody at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335ce40:3:nobody at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4099][1][name=nobody]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335ce40:3:nobody at ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jun 25 18:53:12 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335ce40:3:nobody at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com].
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2 at otherdomain.com], fail!
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com].
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2 at otherdomain.com], fail!
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com].
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2 at otherdomain.com], fail!
(Thu Jun 25 18:53:16 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335e6b0:domains at ipa.mydomain.local]
(Thu Jun 25 18:53:19 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

-------------- next part --------------
(Thu Jun 25 18:49:40 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found.
(Thu Jun 25 18:49:40 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Jun 25 18:49:44 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 18:49:44 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 18:49:44 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 18:49:44 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 18:49:44 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 18:49:44 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 18:49:54 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Thu Jun 25 18:50:10 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2 at otherdomain.com:U]
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2 at otherdomain.com)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2 at otherdomain.com:U] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2 at otherdomain.com))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. 
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local' (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600 (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400) (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local' (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600 (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87 (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Thu Jun 25 18:53:12 2015) 
[sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [1874] finished successfully. (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435337592] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/idc01.ipa.mydomain.local (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc02.mydomain.local' as 'working' (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'working' (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dc02.mydomain.local' as 'working' (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(userPrincipalName=account2 at otherdomain.com)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local]. (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. 
(Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local]. (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=nobody] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nobody)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=account2] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Thu Jun 25 18:53:12 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account2)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local]. (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. 
(Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local]. (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectClass=ipaexternalgroup][dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ext_groups_done] (0x0400): [0] external groups found. (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found. (Thu Jun 25 18:53:13 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Thu Jun 25 18:53:16 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] From t.sailer at alumni.ethz.ch Thu Jun 25 18:12:22 2015 From: t.sailer at alumni.ethz.ch (Thomas Sailer) Date: Thu, 25 Jun 2015 20:12:22 +0200 Subject: [Freeipa-users] hesitate to deploy freeipa In-Reply-To: <1435247245.22563.63.camel@willson.usersys.redhat.com> References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> Message-ID: 
<558C4486.70101@alumni.ethz.ch>

On 25.06.2015 at 17:47, Simo Sorce wrote:
> Yes, the whole project is complex, but not because we like complexity,
> it is complex because the problem space is complex and we are bound to
> use existing protocols, which sometimes add in complexity, and we want
> to offer useful features to admins, so they can think about managing
> stuff and not about the plumbing all the time.

Sure, the problem space is a lot more complex than say ls.

But I think there is room for improvement, by making the individual tools somewhat more resilient to unexpected behaviour in other components.

For example, if there's any nsuniqueid group present in a user's entry, login authentication via sssd breaks with a cryptic error message. It would be nice, IMO, if it didn't break or if it at least issued a better error message.

Furthermore, a good graphical generic LDAP editor would make the admin's life significantly easier, IMO. I so far haven't found one. There's gq, which works, mostly, but crashes relatively frequently. I'm mostly using ldapvi now, which works quite well but only after studying its manual.

Thomas

From rmeggins at redhat.com Thu Jun 25 18:30:24 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 25 Jun 2015 12:30:24 -0600
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558C4486.70101@alumni.ethz.ch>
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch>
Message-ID: <558C48C0.80503@redhat.com>

On 06/25/2015 12:12 PM, Thomas Sailer wrote:
> On 25.06.2015 at 17:47, Simo Sorce wrote:
>
>> Yes, the whole project is complex, but not because we like complexity,
>> it is complex because the problem space is complex and we are bound to
>> use existing protocols, which sometimes add in complexity, and we want
>> to offer useful features to admins, so they can think about managing
>> stuff and not about the plumbing all the time.
>
> Sure, the problem space is a lot more complex than say ls.
>
> But I think there is room for improvement, by making the individual
> tools somewhat more resilient to unexpected behaviour in other
> components.

+1 - just look at the bug lists for freeipa, 389, sssd, dogtag, etc.

>
> For example, if there's any nsuniqueid group present in a user's entry,
> login authentication via sssd breaks with a cryptic error message. It
> would be nice, IMO, if it didn't break or if it at least issued a
> better error message.

Sure. For starters, there's https://fedorahosted.org/389/ticket/48161

>
> Furthermore, a good graphical generic LDAP editor would make the
> admin's life significantly easier, IMO. I so far haven't found one.
> There's gq, which works, mostly, but crashes relatively frequently.
> I'm mostly using ldapvi now, which works quite well but only after
> studying its manual.

Have you tried Apache Directory Studio?

>
> Thomas
>

From jhrozek at redhat.com Thu Jun 25 18:46:58 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 25 Jun 2015 20:46:58 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558C48C0.80503@redhat.com>
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com>
Message-ID: <20150625184658.GE3792@hendrix>

On Thu, Jun 25, 2015 at 12:30:24PM -0600, Rich Megginson wrote:
> On 06/25/2015 12:12 PM, Thomas Sailer wrote:
> >On 25.06.2015 at 17:47, Simo Sorce wrote:
> >
> >>Yes, the whole project is complex, but not because we like complexity,
> >>it is complex because the problem space is complex and we are bound to
> >>use existing protocols, which sometimes add in complexity, and we want
> >>to offer useful features to admins, so they can think about managing
> >>stuff and not about the plumbing all the time.
> >
> >Sure, the problem space is a lot more complex than say ls.
> >
> >But I think there is room for improvement, by making the individual tools
> >somewhat more resilient to unexpected behaviour in other components.
>
> +1 - just look at the bug lists for freeipa, 389, sssd, dogtag, etc.
>
> >
> >For example, if there's any nsuniqueid group present in a user's entry,
> >login authentication via sssd breaks with a cryptic error message. It
> >would be nice, IMO, if it didn't break or if it at least issued a better
> >error message.
>
> Sure. For starters, there's https://fedorahosted.org/389/ticket/48161

On the SSSD side there's https://fedorahosted.org/sssd/ticket/2605 to deal with this problem.

I'm genuinely interested in hearing how we can improve SSSD! Please file tickets or start threads on sssd-users/sssd-devel!

From aebruno2 at buffalo.edu Thu Jun 25 21:40:23 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Thu, 25 Jun 2015 17:40:23 -0400
Subject: [Freeipa-users] ipa replica failure
In-Reply-To: <55883C7D.7070605@redhat.com>
References: <20150619182240.GA8365@dead.ccr.buffalo.edu> <55846622.2080401@redhat.com> <55846B1A.90605@redhat.com> <20150619195738.GB8858@dead.ccr.buffalo.edu> <55881593.7070601@redhat.com> <20150622164527.GD18728@dead.ccr.buffalo.edu> <55883C7D.7070605@redhat.com>
Message-ID: <20150625214023.GC2764@dead.ccr.buffalo.edu>

On Mon, Jun 22, 2015 at 12:49:01PM -0400, Rob Crittenden wrote:
> >>
> >>You aren't seeing a replication agreement. You're seeing the Replication
> >>Update Vector (RUV).
> >>
> >>See http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html
> >>
> >>You need to do something like:
> >>
> >># ldapmodify -D "cn=directory manager" -W -a
> >>dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
> >>objectclass: extensibleObject
> >>replica-base-dn: o=ipaca
> >>replica-id: 97
> >>cn: clean 97
> >>
> >
> >Great, thanks for the clarification.
> >
> >Curious what's the difference between running the ldapmodify above and
> >ipa-replica-manage clean-ruv?
> >
>
> Nothing, for the IPA data. This is a remnant from a CA replication
> agreement and it was an oversight not to add similar RUV management options
> to the ipa-careplica-manage tool.
>

I'm still seeing some inconsistencies. Forgive me if I'm misinterpreting any of this output (still learning the ropes with FreeIPA here). Just trying to wrap my head around the RUVs.

Trying to follow the docs here: http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html

And after running the ldapsearch command to check for "obsolete masters" I'm not seeing the replica ID for the old replica we deleted (rep2):

$ ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replica
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFALO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
nsDS5ReplicaBindDN: krbprincipalname=ldap/rep3 at CCR.BUFFALO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
nsState:: BAAAAAAAAABIa4xVAAAAAAAAAAAAAAAAJAAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: a0957886-df9c11e4-a351aa45-2e06257b
nsds5ReplicaChangeCount: 1687559
nsds5replicareapactive: 0

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
objectClass: extensibleobject
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-rep2 falo.edu-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-rep3 falo.edu-pki-tomcat,ou=csusers,cn=config
cn: replica
nsDS5ReplicaId: 96
nsDS5Flags: 1
nsState:: YAAAAAAAAAAPa4xVAAAAAAkAAAAAAAAACgAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: c458be8e-df9c11e4-a351aa45-2e06257b
nsds5ReplicaChangeCount: 9480
nsds5replicareapactive: 0

I see:

dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
nsds5replicaid: 4

and

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsDS5ReplicaId: 96

In the above output I only see the old replica showing up under:

nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFA...

According to the docs I need the nsds5replicaid for use in the CLEANALLRUV task?

I also checked the RUV tombstone entry as per the docs:

# ldapsearch -xLLL -D "cn=directory manager" -W -b dc=ccr,dc=buffalo,dc=edu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFALO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
nsDS5ReplicaBindDN: krbprincipalname=ldap/rep3 at CCR.BUFFALO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
nsState:: BAAAAAAAAADycYxVAAAAAAAAAAAAAAAAJAAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: a0957886-df9c11e4-a351aa45-2e06257b
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 4 ldap://rep1:389} 5527f771000000040000 558c7228000200040000
nsds50ruv: {replica 5 ldap://rep3:389} 5537c773000000050000 5582c7f6000600050000
nsds5agmtmaxcsn: dc=ccr,dc=buffalo,dc=edu;meTorep3;rep3;389;5;558c572b000a00040000
nsruvReplicaLastModified: {replica 4 ldap://rep1:389} 558c7204
nsruvReplicaLastModified: {replica 5 ldap://rep3:389} 00000000
nsds5ReplicaChangeCount: 1689129
nsds5replicareapactive: 0

And only see nsds50ruv attributes for rep1, and rep3.
However, I'm still seeing rep2 in the nsDS5ReplicaBindDN. If I'm parsing this output correctly, it appears the RUVs for rep2 are already cleaned? If so, how come the nsDS5ReplicaBindDN still exists?

Also, why is there an nsds50ruv attribute for rep2 listed when I run this query (but not in the others above):

$ ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement
dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds50ruv: {replica 97 ldap://rep2:389} 5527f760000000610000 556f462b000400610000

I'm likely missing something here... any help is greatly appreciated.

Thanks,

--Andrew

From christopher.lamb at ch.ibm.com Fri Jun 26 07:21:19 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Fri, 26 Jun 2015 09:21:19 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558C48C0.80503@redhat.com>
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com>
Message-ID:

Hi Harold

Perhaps you should not think of FreeIPA as a product. Perhaps a better analogy is a Product Stack. Another example would be LAMP. And as far as I can make out, the point of the FreeIPA project is to better integrate the various products that build the stack.

A very important factor - at least to me - is this community: It is vibrant and active, you get advice, "they" listen and change things. For example I can think of at least 3 changes made to the documentation in the last few months due to mistakes I had made!

I second the use of Apache Directory Studio - very useful for peeking under the hood and studying the guts of your LDAP directory.
Cheers

Chris

From: Rich Megginson
To: freeipa-users at redhat.com
Date: 25.06.2015 20:32
Subject: Re: [Freeipa-users] hesitate to deploy freeipa
Sent by: freeipa-users-bounces at redhat.com

On 06/25/2015 12:12 PM, Thomas Sailer wrote:
> On 25.06.2015 at 17:47, Simo Sorce wrote:
>
>> Yes, the whole project is complex, but not because we like complexity,
>> it is complex because the problem space is complex and we are bound to
>> use existing protocols, which sometimes add in complexity, and we want
>> to offer useful features to admins, so they can think about managing
>> stuff and not about the plumbing all the time.
>
> Sure, the problem space is a lot more complex than say ls.
>
> But I think there is room for improvement, by making the individual
> tools somewhat more resilient to unexpected behaviour in other
> components.

+1 - just look at the bug lists for freeipa, 389, sssd, dogtag, etc.

>
> For example, if there's any nsuniqueid group present in a user's entry,
> login authentication via sssd breaks with a cryptic error message. It
> would be nice, IMO, if it didn't break or if it at least issued a
> better error message.

Sure. For starters, there's https://fedorahosted.org/389/ticket/48161

>
> Furthermore, a good graphical generic LDAP editor would make the
> admin's life significantly easier, IMO. I so far haven't found one.
> There's gq, which works, mostly, but crashes relatively frequently.
> I'm mostly using ldapvi now, which works quite well but only after
> studying its manual.

Have you tried Apache Directory Studio?
>
> Thomas
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From pspacek at redhat.com Fri Jun 26 07:47:55 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 26 Jun 2015 09:47:55 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To:
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com>
Message-ID: <558D03AB.3020807@redhat.com>

On 26.6.2015 09:21, Christopher Lamb wrote:
> A very important factor - at least to me is this community: It is vibrant
> and active, you get advice, "they" listen and change things. For example I
> can think of at least 3 changes made to the documentation in the last few
> months due to mistakes I had made!

BTW if you feel that something is incorrect (not only) in the docs please file a bug. If you want to contribute even more then feel free to send a patch!

Git repository with documentation source code is available to you.

See http://www.freeipa.org/page/Contribute/Documentation for further details or ask this list.

Have a nice day!

--
Petr^2 Spacek

From prasun.gera at gmail.com Fri Jun 26 08:29:36 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 26 Jun 2015 01:29:36 -0700
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558D03AB.3020807@redhat.com>
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com> <558D03AB.3020807@redhat.com>
Message-ID:

I've found that if you are setting up a new environment from scratch which is mostly going to involve RHEL/Fedora systems, and that you have full control over your network including DNS, DHCP etc., it should mostly be smooth sailing.
However, if you already have a network of old and new machines running different versions and flavours of unix, there is significantly more work involved. That is, there is significant complexity on the client side code as well which should not be discounted. Do a survey of the state of client side support on different distributions. From my experience, Ubuntu 12.04 is iffy. There's also an open ticket pushed to 'future' on FreeNAS, which is BSD based. IMO this is one of the major hurdles for wider adoption.

On Fri, Jun 26, 2015 at 12:47 AM, Petr Spacek wrote:
> On 26.6.2015 09:21, Christopher Lamb wrote:
> > A very important factor - at least to me is this community: It is vibrant
> > and active, you get advice, "they" listen and change things. For example I
> > can think of at least 3 changes made to the documentation in the last few
> > months due to mistakes I had made!
>
> BTW if you feel that something is incorrect (not only) in the docs please file
> a bug. If you want to contribute even more then feel free to send a patch!
>
> Git repository with documentation source code is available to you.
>
> See http://www.freeipa.org/page/Contribute/Documentation for further details
> or ask this list.
>
> Have a nice day!
>
> --
> Petr^2 Spacek
>
From chamambom at afri-com.net Fri Jun 26 09:18:17 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Fri, 26 Jun 2015 09:18:17 +0000
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
Message-ID:

I installed ipa-client on centos 6.6 32 bit and it installed correctly but there was no /etc/sssd/sssd.conf file... I read through forums that you can copy another sssd.conf file from another machine but this is what I'm getting when I try to start sssd

(Fri Jun 26 10:55:12:934690 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
(Fri Jun 26 10:55:12:934810 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(Fri Jun 26 10:55:14:352106 2015) [sssd] [confdb_init_db] (0x0010): Config file is an old version. Please run configuration upgrade script.
(Fri Jun 26 10:55:14:352276 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
(Fri Jun 26 10:55:14:352342 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(Fri Jun 26 10:56:39 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
(Fri Jun 26 10:58:11 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
(Fri Jun 26 11:01:03 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
(Fri Jun 26 11:03:56 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
(Fri Jun 26 11:10:28 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
From jhrozek at redhat.com Fri Jun 26 09:28:28 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 26 Jun 2015 11:28:28 +0200
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To:
References:
Message-ID: <20150626092828.GK3792@hendrix>

On Fri, Jun 26, 2015 at 09:18:17AM +0000, Martin Chamambo wrote:
> I installed ipa-client on centos 6.6 32 bit and it installed correctly but there was no /etc/sssd/sssd.conf file... I read through forums that you can copy another sssd.conf file from another machine but this is what I'm getting when I try to start sssd
>
> (Fri Jun 26 10:55:12:934690 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> (Fri Jun 26 10:55:12:934810 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> (Fri Jun 26 10:55:14:352106 2015) [sssd] [confdb_init_db] (0x0010): Config file is an old version. Please run configuration upgrade script.

Add:
    config_file_version = 2
to the [sssd] section.

> (Fri Jun 26 10:55:14:352276 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> (Fri Jun 26 10:55:14:352342 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> (Fri Jun 26 10:56:39 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 10:58:11 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:01:03 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:03:56 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:10:28 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
From chamambom at afri-com.net Fri Jun 26 09:32:43 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Fri, 26 Jun 2015 09:32:43 +0000
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To: <20150626092828.GK3792@hendrix>
References: <20150626092828.GK3792@hendrix>
Message-ID:

This is my sssd.conf file and I have that config_file_version = 2

[root at server sssd]# vim sssd.conf

[domain/ai.co.zw]

debug_level = 10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = nimbus.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, ipaserver.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = default, ai.co.zw
[nss]
homedir_substring = /home

[pam]

[sudo]

"sssd.conf" 46L, 809C

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Friday, June 26, 2015 11:28 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT

On Fri, Jun 26, 2015 at 09:18:17AM +0000, Martin Chamambo wrote:
> I installed ipa-client on CentOS 6.6 32 bit and it installed correctly
> but there was no /etc/sssd/sssd.conf file... I read through forums
> that you can copy another sssd.conf file from another machine but this
> is what I'm getting when I try to start sssd
>
> (Fri Jun 26 10:55:12:934690 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> (Fri Jun 26 10:55:12:934810 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> (Fri Jun 26 10:55:14:352106 2015) [sssd] [confdb_init_db] (0x0010): Config file is an old version. Please run configuration upgrade script.

Add:
config_file_version = 2

to the [sssd] section.
> (Fri Jun 26 10:55:14:352276 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> (Fri Jun 26 10:55:14:352342 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> (Fri Jun 26 10:56:39 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 10:58:11 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:01:03 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:03:56 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:10:28 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Fri Jun 26 09:42:05 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 26 Jun 2015 11:42:05 +0200
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To:
References: <20150626092828.GK3792@hendrix>
Message-ID: <20150626094205.GL3792@hendrix>

On Fri, Jun 26, 2015 at 09:32:43AM +0000, Martin Chamambo wrote:
> This is my sssd.conf file and I have that config_file_version = 2

Is the config file owned by root.root and does it have 0600 permissions? Are there any AVC denials?
>
> [root at server sssd]# vim sssd.conf
>
> [domain/ai.co.zw]
>
> debug_level = 10
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = nimbus.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, ipaserver.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = default, ai.co.zw
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> "sssd.conf" 46L, 809C
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 26, 2015 11:28 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
>
> On Fri, Jun 26, 2015 at 09:18:17AM +0000, Martin Chamambo wrote:
> > I installed ipa-client on CentOS 6.6 32 bit and it installed correctly
> > but there was no /etc/sssd/sssd.conf file... I read through forums
> > that you can copy another sssd.conf file from another machine but this
> > is what I'm getting when I try to start sssd
> >
> > (Fri Jun 26 10:55:12:934690 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> > (Fri Jun 26 10:55:12:934810 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> > (Fri Jun 26 10:55:14:352106 2015) [sssd] [confdb_init_db] (0x0010): Config file is an old version. Please run configuration upgrade script.
>
> Add:
> config_file_version = 2
>
> to the [sssd] section.
>
> > (Fri Jun 26 10:55:14:352276 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> > (Fri Jun 26 10:55:14:352342 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> > (Fri Jun 26 10:56:39 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 10:58:11 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:01:03 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:03:56 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:10:28 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> >
>

From chamambom at afri-com.net Fri Jun 26 10:00:38 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Fri, 26 Jun 2015 10:00:38 +0000
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To: <20150626094205.GL3792@hendrix>
References: <20150626092828.GK3792@hendrix> <20150626094205.GL3792@hendrix>
Message-ID:

[root at nimbus sssd]# ls -l sssd.conf
-rw------- 1 root root 809 Jun 26 11:20 sssd.conf
[root at nimbus sssd]#

And the permissions are 0600 and SELINUX IS DISABLED

-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com]
Sent: Friday, June 26, 2015 11:42 AM
To: Martin Chamambo
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT

On Fri, Jun 26, 2015 at 09:32:43AM +0000, Martin Chamambo wrote:
> This is my sssd.conf file and I have that config_file_version = 2

Is the config file owned by root.root and does it have 0600 permissions? Are there any AVC denials?
>
> [root at server sssd]# vim sssd.conf
>
> [domain/ai.co.zw]
>
> debug_level = 10
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = nimbus.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, ipaserver.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = default, ai.co.zw
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> "sssd.conf" 46L, 809C
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 26, 2015 11:28 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
>
> On Fri, Jun 26, 2015 at 09:18:17AM +0000, Martin Chamambo wrote:
> > I installed ipa-client on CentOS 6.6 32 bit and it installed
> > correctly but there was no /etc/sssd/sssd.conf file... I read
> > through forums that you can copy another sssd.conf file from another
> > machine but this is what I'm getting when I try to start sssd
> >
> > (Fri Jun 26 10:55:12:934690 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> > (Fri Jun 26 10:55:12:934810 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> > (Fri Jun 26 10:55:14:352106 2015) [sssd] [confdb_init_db] (0x0010): Config file is an old version. Please run configuration upgrade script.
>
> Add:
> config_file_version = 2
>
> to the [sssd] section.
>
> > (Fri Jun 26 10:55:14:352276 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> > (Fri Jun 26 10:55:14:352342 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> > (Fri Jun 26 10:56:39 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 10:58:11 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:01:03 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:03:56 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:10:28 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> >
>

From natxo.asenjo at gmail.com Fri Jun 26 10:08:08 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 26 Jun 2015 12:08:08 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558A5709.1000603@aixigo.de>
References: <558A5709.1000603@aixigo.de>
Message-ID:

hi,

On Wed, Jun 24, 2015 at 9:06 AM, Harald Dunkel wrote:

> Hi folks,
>
> I have a general problem with freeipa: It is *highly* complex
> and depends upon too many systems working together correctly
> (IMHO).
>
> My concern is, if there is a problem, then the usual tools
> following the Unix paradigm (do one thing and do it well)
> don't help anymore. I can speak only for my own stomach, but
> it turns upside down when I think about this.
>

my 2 cents: any organization growing its linux/unix computer park beneath a certain threshold will come across the problem of synchronizing its user and group information across the whole computer fleet. On top of that, organizations are increasingly feeling the need to prove (compliance, in management terms) that the communication protocols used to exchange information between the internal systems are secure (this is especially true in the US because of e-commerce laws, but also in post-Snowden Europe). So you need to use tls and kerberos in your internal communications.
You can try and run all that using the stock software by MIT/Heimdal, coupled to openldap and openssl, but I pretty much doubt you will get a nicer and easier to use product than what you already can get using freely available software thanks to the Red Hat folks. I've done it, it worked but it was complicated for new staff and difficult to delegate because everything was cli based (not help-desk friendly).

Is it new and daunting at first? Sure, if you have never been exposed to ldap/kerberos/tls before this is a lot to wrap your head into the first time. But let me assure you, the protocol knowledge you will gain by learning this will be a big win for you as an IT professional because you will come across those systems everywhere (and certainly not only in linux networks but anywhere where computers are used in enterprise networks).

Besides these points, freeipa offers so much more. Thanks to sssd you can actually have laptops leave the network and authenticate while on the road, for instance, putting it on par with Windows on that point. You can use OTP and two factor authentication for vpn networks. You can have a central automounter. You can have true role based access control (these users may login using those protocols on those hosts, but not on the others). You have centralized sudo rules. We will soon have subordinate certificate authorities and user certificates. People are using the native ldap database for plenty of applications (basically, most things you can use ldap for), tying it to their configuration management solutions using 'legacy' netgroups databases. And obviously, people are integrating it into their Windows AD infrastructure using kerberos trusts or plain ldap replication.

There is room for improvement. I am looking forward to using smartcard certificates with kerberos (PKINIT) for dumping user passwords (at least admin passwords). SAML integrations (getting there with ipsilon), kerberos trusts between ipa realms, ..., etc.
So the question is not really why you hesitate to deploy ipa, but why you have not deployed it yet ;-)

--
Groeten,
natxo

From jhrozek at redhat.com Fri Jun 26 10:16:46 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 26 Jun 2015 12:16:46 +0200
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To:
References: <20150626092828.GK3792@hendrix> <20150626094205.GL3792@hendrix>
Message-ID: <20150626101646.GM3792@hendrix>

On Fri, Jun 26, 2015 at 10:00:38AM +0000, Martin Chamambo wrote:
> [root at nimbus sssd]# ls -l sssd.conf
> -rw------- 1 root root 809 Jun 26 11:20 sssd.conf
> [root at nimbus sssd]#
>
> And the permissions are 0600 and SELINUX IS DISABLED

Can you send me the file in attachment, ideally in a tarball so we can rule out any strange issues like trailing space etc?

From lslebodn at redhat.com Fri Jun 26 10:18:03 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 26 Jun 2015 12:18:03 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To:
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com> <558D03AB.3020807@redhat.com>
Message-ID: <20150626101802.GG30758@mail.corp.redhat.com>

On (26/06/15 01:29), Prasun Gera wrote:
>I've found that if you are setting up a new environment from scratch which
>is mostly going to involve RHEL/Fedora systems, and that you have full
>control over your network including DNS, DHCP etc., it should mostly be
>smooth sailing. However, if you already have a network of old and new
>machines running different versions and flavours of unix, there is
>significantly more work involved. That is, there is significant complexity
>on client side code as well which should not be discounted. Do a survey of
>the state of client side support on different distributions.
>From my
>experience, Ubuntu 12.04 is iffy. There's also an open ticket pushed to
ipa-client-install is not properly ported to ubuntu 12.04 and
moreover there is quite old version of sssd 1.11.5-1
which contains many bugs. Lots of them are fixed in upstream 1.11.7
and some of them in 1.11.8 which we would like to release in few weeks.
So if you hit bugs on ubuntu 12.04 please try latest upstream version (1.11)
or file bugs to ubuntu.

>'future' on FreeNAS, which is BSD based. IMO this is one of the major
>hurdles for wider adoption.
>
FreeNAS is based on FreeBSD and ipa-client-install is not available there.
The only benefit is newer version of sssd (1.11.7) than in ubuntu 12.04.
There was also thread here(freeipa-users) with document describing steps
for configuration on FreeBSD.

LS

From chamambom at afri-com.net Fri Jun 26 10:20:19 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Fri, 26 Jun 2015 10:20:19 +0000
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To: <20150626101646.GM3792@hendrix>
References: <20150626092828.GK3792@hendrix> <20150626094205.GL3792@hendrix> <20150626101646.GM3792@hendrix>
Message-ID:

Find file attached

-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com]
Sent: Friday, June 26, 2015 12:17 PM
To: Martin Chamambo
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT

On Fri, Jun 26, 2015 at 10:00:38AM +0000, Martin Chamambo wrote:
> [root at nimbus sssd]# ls -l sssd.conf
> -rw------- 1 root root 809 Jun 26 11:20 sssd.conf
> [root at nimbus sssd]#
>
> And the permissions are 0600 and SELINUX IS DISABLED

Can you send me the file in attachment, ideally in a tarball so we can rule out any strange issues like trailing space etc?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd.zip
Type: application/x-zip-compressed
Size: 425 bytes
Desc: sssd.zip

From jhrozek at redhat.com Fri Jun 26 10:26:21 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 26 Jun 2015 12:26:21 +0200
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To:
References: <20150626092828.GK3792@hendrix> <20150626094205.GL3792@hendrix> <20150626101646.GM3792@hendrix>
Message-ID: <20150626102621.GN3792@hendrix>

On Fri, Jun 26, 2015 at 10:20:19AM +0000, Martin Chamambo wrote:
> Find file attached

OK, this looks good. Are you sure the file is at the correct location? (/etc/sssd/sssd.conf)

Can you run "strace sssd -i" to see which file is sssd opening?

From lslebodn at redhat.com Fri Jun 26 10:28:52 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 26 Jun 2015 12:28:52 +0200
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To:
References: <20150626092828.GK3792@hendrix>
Message-ID: <20150626102852.GH30758@mail.corp.redhat.com>

On (26/06/15 09:32), Martin Chamambo wrote:
>This is my sssd.conf file and I have that config_file_version = 2
>
>[root at server sssd]# vim sssd.conf
>
> [domain/ai.co.zw]
>
>debug_level = 10
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ai.co.zw
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = nimbus.ai.co.zw
>chpass_provider = ipa
>ipa_server = _srv_, ipaserver.ai.co.zw
>ldap_tls_cacert = /etc/ipa/ca.crt
>[sssd]
>services = nss, sudo, pam, autofs, ssh
>config_file_version = 2
>
>domains = default, ai.co.zw
           ^^^^^^^^
You have a non-existing domain listed here. Try to remove it.
But I do not see a reason why it should cause troubles for domain "ai.co.zw"

LS

From jhrozek at redhat.com Fri Jun 26 10:28:59 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 26 Jun 2015 12:28:59 +0200
Subject: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
In-Reply-To:
References: <20150626092828.GK3792@hendrix> <20150626094205.GL3792@hendrix> <20150626101646.GM3792@hendrix>
Message-ID: <20150626102859.GO3792@hendrix>

On Fri, Jun 26, 2015 at 10:20:19AM +0000, Martin Chamambo wrote:
> Find file attached

Also please try to remove the databases to make sure no old db is around:
rm -f /var/lib/sss/db/*

From pspacek at redhat.com Fri Jun 26 10:48:58 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 26 Jun 2015 12:48:58 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <20150626101802.GG30758@mail.corp.redhat.com>
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com> <558D03AB.3020807@redhat.com> <20150626101802.GG30758@mail.corp.redhat.com>
Message-ID: <558D2E1A.5090109@redhat.com>

On 26.6.2015 12:18, Lukas Slebodnik wrote:
> On (26/06/15 01:29), Prasun Gera wrote:
>> I've found that if you are setting up a new environment from scratch which
>> is mostly going to involve RHEL/Fedora systems, and that you have full
>> control over your network including DNS, DHCP etc., it should mostly be
>> smooth sailing. However, if you already have a network of old and new
>> machines running different versions and flavours of unix, there is
>> significantly more work involved. That is, there is significant complexity
>> on client side code as well which should not be discounted. Do a survey of
>> the state of client side support on different distributions. From my
>> experience, Ubuntu 12.04 is iffy.
>> There's also an open ticket pushed to
> ipa-client-install is not properly ported to ubuntu 12.04 and
> moreover there is quite old version of sssd 1.11.5-1
> which contains many bugs. Lots of them are fixed in upstream 1.11.7
> and some of them in 1.11.8 which we would like to release in few weeks.
> So if you hit bugs on ubuntu 12.04 please try latest upstream version (1.11)
> or file bugs to ubuntu.
>
>> 'future' on FreeNAS, which is BSD based. IMO this is one of the major
>> hurdles for wider adoption.
>>
> FreeNAS is based on FreeBSD and ipa-client-install is not available there.
> The only benefit is newer version of sssd (1.11.7) than in ubuntu 12.04.
> There was also thread here(freeipa-users) with document describing steps
> for configuration on FreeBSD.

More importantly, ipa-client-install is just a thin configuration tool. If ipa-client-install is not available on your platform you can configure everything manually and it will work (as long as the client is standard-compliant).

I.e. the client side is *in the worst case* (without ipa-client-install) equally hard to set up as for any home-made solution.
--
Petr^2 Spacek

From lslebodn at redhat.com Fri Jun 26 10:55:23 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 26 Jun 2015 12:55:23 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To: <558D2E1A.5090109@redhat.com>
References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com> <558D03AB.3020807@redhat.com> <20150626101802.GG30758@mail.corp.redhat.com> <558D2E1A.5090109@redhat.com>
Message-ID: <20150626105522.GI30758@mail.corp.redhat.com>

On (26/06/15 12:48), Petr Spacek wrote:
>On 26.6.2015 12:18, Lukas Slebodnik wrote:
>> On (26/06/15 01:29), Prasun Gera wrote:
>>> I've found that if you are setting up a new environment from scratch which
>>> is mostly going to involve RHEL/Fedora systems, and that you have full
>>> control over your network including DNS, DHCP etc., it should mostly be
>>> smooth sailing. However, if you already have a network of old and new
>>> machines running different versions and flavours of unix, there is
>>> significantly more work involved. That is, there is significant complexity
>>> on client side code as well which should not be discounted. Do a survey of
>>> the state of client side support on different distributions. From my
>>> experience, Ubuntu 12.04 is iffy. There's also an open ticket pushed to
>> ipa-client-install is not properly ported to ubuntu 12.04 and
>> moreover there is quite old version of sssd 1.11.5-1
>> which contains many bugs. Lots of them are fixed in upstream 1.11.7
>> and some of them in 1.11.8 which we would like to release in few weeks.
>> So if you hit bugs on ubuntu 12.04 please try latest upstream version (1.11)
>> or file bugs to ubuntu.
>>
>>> 'future' on FreeNAS, which is BSD based. IMO this is one of the major
>>> hurdles for wider adoption.
>>>
>> FreeNAS is based on FreeBSD and ipa-client-install is not available there.
>> The only benefit is newer version of sssd (1.11.7) than in ubuntu 12.04.
>> There was also thread here(freeipa-users) with document describing steps
>> for configuration on FreeBSD.
>
>More importantly, ipa-client-install is just a thin configuration tool. If
>ipa-client-install is not available on your platform you can configure
>everything manually and it will work (as long as the client is
>standard-compliant).
>
>I.e. the client side is *in the worst case* (without ipa-client-install)
>equally hard to set up as for any home-made solution.
>
There is a ticket[1] for description of steps done by ipa-client-install.
One use-case is "containers world" and another is to help others
to manually configure machine against FreeIPA.

It is planned for FreeIPA 4.2 release, so I hope it will be finished on time.

LS

[1] https://fedorahosted.org/freeipa/ticket/4993

From sbose at redhat.com Fri Jun 26 12:38:55 2015
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 26 Jun 2015 14:38:55 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <558C33B2.5020508@di.unimi.it>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it> <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it>
Message-ID: <20150626123855.GS12661@p.redhat.com>

On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 05:44 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> >> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> >>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> >>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> >>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >>>>>>>> Hi everybody,
> >>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
> >>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> >>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux
> >>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local).
> >>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
> >>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
> >>>>>>>> UPN (example: john.doe at otherdomain.com).
> >>>>>>>>
> >>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> >>>>>>>> Manual configuration of krb5 and/or sssd?
> >>>>>>>
> >>>>>>> Have you tried to login to an IPA client or the server? Please try with
> >>>>>>> an IPA server first. If this does not work it would be nice if you can
> >>>>>>> send the SSSD log files from the IPA server which are generated during
> >>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
> >>>>>>> cached entries so that the logs will contain all needed calls to AD.
> >>>>>>>
> >>>>>>> Using UPN suffixes was added to the AD provider some time ago and the
> >>>>>>> code is available in the IPA provider as well, but I guess no one has
> >>>>>>> actually tried this before.
> >>>>>>>
> >>>>>>> bye,
> >>>>>>> Sumit
> >>>>>>
> >>>>>> First of all let me say that I feel like I'm missing some config somewhere..
> >>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >>>>>> I can only access the server via ssh so I've attached the logs for a successful
> >>>>>> login for account1 at mydomain.local and an unsuccessful login for
> >>>>>> account2 at otherdomain.com done via ssh.
> >>>>>>
> >>>>>> Bye and thanks for your help
> >>>>>>
> >>>>>
> >>>>> It looks like the request is not properly propagated to sub-domains (the
> >>>>> trusted AD domain) but only sent to the IPA domain.
> >>>>>
> >>>>> Would it be possible for you to run a test build of SSSD which might fix
> >>>>> this? If yes, which version of SSSD are you currently using? Then I can
> >>>>> prepare a test build with the patch on top of this version.
> >>>>>
> >>>>> bye,
> >>>>> Sumit
> >>>>>
> >>>>
> >>>> Hi,
> >>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
> >>>> any test.
> >>>>
> >>>> Here's the packages version for sssd:
> >>>>
> >>>> sssd-common-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> >>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> >>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-client-1.12.2-58.el7_1.6.x86_64
> >>>
> >>> Please try the packages at
> >>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
> >>>
> >>> bye,
> >>> Sumit
> >>
> >> Hi,
> >> I've installed the new RPMs, now if I run on the server:
> >>
> >> id account1 at mydomain.local
> >> id account2 at otherdomain.com
> >> id account2 at sub.otherdomain.com
> >>
> >> all the users are found but I'm still unable to log in via ssh with the accounts
> >> @otherdomain.com and @sub.otherdomain.com.
> >>
> >> In attachment the logs for unsuccessful login for user account2 at otherdomain.com.
> >
> > Bother, I forgot to add the fix to the pam responder as well, please try
> > new packages from
> > http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
> >
> > bye,
> > Sumit
> >
>
> Hi,
> I've updated all the packages but still no login.
>
> Logs follow.

I found another issue in the logs which should be fixed by the build from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .

Please send the sssd_pam log file as well; it might contain more details about what goes wrong during authentication.

bye,
Sumit

>
> Thanks again
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

From giorgio at di.unimi.it Fri Jun 26 14:34:05 2015
From: giorgio at di.unimi.it (Giorgio Biacchi)
Date: Fri, 26 Jun 2015 16:34:05 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <20150626123855.GS12661@p.redhat.com>
References: <558AC88B.7010104@di.unimi.it> <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it> <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com>
Message-ID: <558D62DD.8020702@di.unimi.it>

On 06/26/2015 02:38 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>> Hi everybody,
>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux
>>>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local).
>>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
>>>>>>>>>> UPN (example: john.doe at otherdomain.com).
>>>>>>>>>>
>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>>>>>>>> Manual configuration of krb5 and/or sssd?
>>>>>>>>>
>>>>>>>>> Have you tried to login to an IPA client or the server? Please try with
>>>>>>>>> an IPA server first. If this does not work it would be nice if you can
>>>>>>>>> send the SSSD log files from the IPA server which are generated during
>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
>>>>>>>>> cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>
>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the
>>>>>>>>> code is available in the IPA provider as well, but I guess no one has
>>>>>>>>> actually tried this before.
>>>>>>>>>
>>>>>>>>> bye,
>>>>>>>>> Sumit
>>>>>>>>
>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere..
>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>>>>>>>> I can only access the server via ssh so I've attached the logs for a successful
>>>>>>>> login for account1 at mydomain.local and an unsuccessful login for
>>>>>>>> account2 at otherdomain.com done via ssh.
>>>>>>>>
>>>>>>>> Bye and thanks for your help
>>>>>>>>
>>>>>>>
>>>>>>> It looks like the request is not properly propagated to sub-domains (the
>>>>>>> trusted AD domain) but only sent to the IPA domain.
>>>>>>>
>>>>>>> Would it be possible for you to run a test build of SSSD which might fix
>>>>>>> this? If yes, which version of SSSD are you currently using?
Then I can >>>>>>> prepare a test build with the patch on top of this version. >>>>>>> >>>>>>> bye, >>>>>>> Sumit >>>>>>> >>>>>> >>>>>> Hi, >>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for >>>>>> any test. >>>>>> >>>>>> Here's the packages version for sssd: >>>>>> >>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64 >>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch >>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64 >>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64 >>>>> >>>>> Please try the packages at >>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 . >>>>> >>>>> bye, >>>>> Sumit >>>> >>>> Hi, >>>> I've installed the new RPMs, now if I run on the server: >>>> >>>> id account1 at mydomain.local >>>> id account2 at otherdomain.com >>>> id account2 at sub.otherdomain.com >>>> >>>> all the users are found but I'm still unable to log in via ssh with the accounts >>>> @otherdomain.com and @sub.otherdomain.com. >>>> >>>> In attachment the logs for unsuccessful login for user account2 at otherdomain.com. >>> >>> Bother, I forgot to add the fix to the pam responder as well, please try >>> new packages from >>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 . >>> >>> bye, >>> Sumit >>> >> >> Hi, >> I've updated all the packages but still no login. >> >> Logs follows. > > I found another issue in the logs which should be fixed by the build > from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . > > Please send the sssd_pam log file as well it might contain more details > about what goes wrong during authentication. 
>
> bye,
> Sumit
>

Hi,
packages updated, sssd and kerberos services restarted, cache flushed but still no login on the IPA server.

As before, logs attached. I've also included the logs generated by the restart of the sssd service because there were no logs in sssd_pam.log when trying to authenticate.

Debug level is set to 6 in the sections:

[domain/ipa.mydomain.local]
[sssd]
[nss]
[pam]

of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to increase it.

Thanks

--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

-------------- next part --------------
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fc4f7633760:domains@ipa.mydomain.local]
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][]
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fc4f7633760:domains@ipa.mydomain.local]
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]!
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fc4f7633760:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]!
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x7f91d9153c50
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1)
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))].
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x7f91d9151040
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM)
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_process_init] (0x0400): Responder Initialization complete
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [get_trusted_uids] (0x0400): All UIDs are allowed.
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/root] to negative cache permanently
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f91d752e760:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][]
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f91d752e760:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]!
(Fri Jun 26 16:23:55 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f91d752e760:domains@ipa.mydomain.local]
-------------- next part --------------
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fc4104ee6b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fc4104ee6b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fc4104ee6b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
(Fri Jun 26 16:22:50 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fc4104ee6b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:36 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]!
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7fe6daaea160
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))].
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7fe6daaea2f0
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/root] to negative cache permanently
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/sbin/nologin in /etc/shells
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P[^@]+)@?(?P[^@]*$)].
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][]
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]!
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Fri Jun 26 16:23:55 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Fri Jun 26 16:23:58 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Jun 26 16:23:58 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Jun 26 16:23:58 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Jun 26 16:23:58 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Fri Jun 26 16:23:58 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:58 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Fri Jun 26 16:23:58 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2@otherdomain.com] found.
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fe6d9244e40:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4097][1][name=account2@otherdomain.com:U]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fe6d9244e40:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 0, Account info lookup failed
Will try to return what we have in cache
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2@otherdomain.com] found.
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2@otherdomain.com] to negative cache
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fe6d9244e40:1:account2@otherdomain.com:U@mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [mydomain.local][4097][1][name=account2@otherdomain.com:U]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fe6d9244e40:1:account2@otherdomain.com:U@mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fe6d9244e40:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2@otherdomain.com@mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fe6d9244e40:1:account2@otherdomain.com:U@mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [nobody].
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nobody' matched without domain, user is nobody
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [nobody] from []
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nobody@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fe6d9244e40:3:nobody@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4099][1][name=nobody]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fe6d9244e40:3:nobody@ipa.mydomain.local]
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 0, Account info lookup failed
Will try to return what we have in cache
(Fri Jun 26 16:23:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fe6d9244e40:3:nobody@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account2@otherdomain.com], fail!
(Fri Jun 26 16:24:02 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fe6d92466b0:domains@ipa.mydomain.local]
(Fri Jun 26 16:24:06 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
-------------- next part --------------
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Fri Jun 26 16:22:50 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Fri Jun 26 16:23:16 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.IPA.MYDOMAIN.LOCAL], [2][No such file or directory]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of ipa.mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed PAC client
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed autofs client
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed PAM client
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed SUDO client
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed NSS client
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed SSH client
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option lookup_family_order has value ipv4_first
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_resolver_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_resolver_op_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_discovery_domain has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_context_init] (0x0400): Created new fail over context, retry timeout is 30
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]!
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7fae43d769c0
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_ipa.mydomain.local,1)
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))].
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_new_server] (0x0400): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_ipa.mydomain.local.6439,guid=7c98a73ae1986e4cf9300f72558d607b
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_domain has value ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_backup_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_host_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_selinux_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_subdomains_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_master_domain_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_refresh has value 5
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_selinux_refresh has value 5
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_automount_location has value default
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_ranges_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_enable_dns_sites is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_server_mode is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_views_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'IPA'
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'idc01.ipa.mydomain.local:0' to service 'IPA'
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [_ipa_servers_init] (0x0400): Added Server idc01.ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_uri has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_backup_uri has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_search_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_network_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_filter has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_extra_attrs has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_filter has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_service_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_autofs_map_master_name has value auto.master
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_schema has value ipa_v1
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 3600
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cert has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_key has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value 56
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_kdcinfo is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option
account_cache_expiration has value 0 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_deref has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has value ipa (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_access_order has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_page_size has value 1000 (Fri Jun 26 16:23:55 
2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_use_tokengroups is TRUE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_rfc2307_fallback_to_local_users is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_disable_range_retrieval is FALSE (Fri Jun 26 16:23:55 2015) 
[sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_min_id has value 0 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_max_id has value 0 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_pwdlockout_dn has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option krb5_realm set to IPA.MYDOMAIN.LOCAL (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Will look for idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in default keytab (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL found in keytab. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching IDC01$@IPA.MYDOMAIN.LOCAL found in keytab. 
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected primary: host/idc01.ipa.mydomain.local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected realm: IPA.MYDOMAIN.LOCAL (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/idc01.ipa.mydomain.local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to IPA.MYDOMAIN.LOCAL (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_user_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [USER][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_sudo_search_base set to ou=SUDOers,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][cn=ng,cn=alt,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] 
[ipa_get_id_options] (0x0100): Option ipa_host_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HOST][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ipa_hbac_search_base set to cn=hbac,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HBAC][cn=hbac,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_selinux_search_base set to cn=selinux,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SELINUX][cn=selinux,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_subdomains_search_base set to cn=trusts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SUBDOMAINS][cn=trusts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_master_domain_search_base set to cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: 
[IPA_MASTER_DOMAIN][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_ranges_search_base set to cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_RANGES][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_views_search_base set to cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_VIEWS][cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_entry_usn has value entryUSN (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has value lastUSN (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_object_class has value posixAccount (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory (Fri Jun 26 16:23:55 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_principal has value krbPrincipalName (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has value memberOf (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uuid has value ipaUniqueID (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_objectsid has value ipaNTSecurityIdentifier (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value modifyTimestamp (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value shadowLastChange (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_min has value shadowMin (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value shadowWarning (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value shadowInactive (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value shadowExpire (Fri Jun 26 16:23:55 
2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value krbPasswordExpiration (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_disabled has value loginDisabled (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_auth_type has value ipaUserAuthType (Fri Jun 26 
16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value ipaUserGroup (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_object_class_alt has value posixGroup (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_member has value member (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has value ipaUniqueID (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has value ipaNTSecurityIdentifier (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_type has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_object_class has value ipaNisNetgroup (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_name has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member has value member (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_of has value memberOf (Fri Jun 26 16:23:55 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_user has value memberUser (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_host has value memberHost (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_ext_host has value externalHost (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_domain has value nisDomainName (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_uuid has value ipaUniqueID (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_object_class has value ipaHost (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_name has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_fqdn has value fqdn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_serverhostname has value serverHostname (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_member_of has value memberOf (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_ssh_public_key has value ipaSshPubKey (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_uuid has value ipaUniqueID (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_objectclass has value ipaHostgroup (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_name has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_memberof has value memberOf (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] 
[sdap_get_map] (0x0400): Option ipa_hostgroup_uuid has value ipaUniqueID (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_object_class has value ipaselinuxusermap (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_name has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_user has value memberUser (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_host has value memberHost (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_see_also has value seeAlso (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_selinux_user has value ipaSELinuxUser (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_enabled has value ipaEnabledFlag (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_user_category has value userCategory (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_host_category has value 
hostCategory (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_uuid has value ipaUniqueID (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_view_class has value nsContainer (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_view_name has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_overide_object_class has value ipaOverrideAnchor (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_anchor_uuid has value ipaAnchorUUID (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_user_override_object_class has value ipaUserOverride (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_group_override_object_class has value ipaGroupOverride (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber (Fri Jun 26 
16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_update is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_refresh_interval has value 0 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_iface has no value (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_ttl has value 1200 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_update_ptr is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_force_tcp is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_auth has value gss-tsig (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for ipa.mydomain.local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_create] (0x0400): Periodic task [Cleanup of ipa.mydomain.local] was created (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of ipa.mydomain.local]: scheduling task 10 seconds from now [1435328645] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sssm_ipa_id_init] (0x0100): The value of dns_discovery_domain will be ignored in ipa_server_mode (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_domain has value ipa.mydomain.local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_backup_server has no value (Fri Jun 26 
16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has value IPA.MYDOMAIN.LOCAL (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_refresh has value 5 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_refresh has value 5 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_support_srchost is FALSE (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_automount_location has value default (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local (Fri Jun 26 16:23:55 2015) 
[sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_enable_dns_sites is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server_mode is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_ccachedir has value /tmp
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_ccname_template has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_auth_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_keytab has value /etc/krb5.keytab
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_validate is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_kpasswd has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_kpasswd has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_store_password_if_offline is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_renewable_lifetime has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_lifetime has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_renew_interval has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_fast has value try
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_fast_principal has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_enterprise_principal is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_kdcinfo is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0400): Option krb5_realm set to IPA.MYDOMAIN.LOCAL
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0100): Option krb5_fast_principal set to host/idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_domain has value ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_backup_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=ipa,dc=mydomain,dc=local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=ipa,dc=mydomain,dc=local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=ipa,dc=mydomain,dc=local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=ipa,dc=mydomain,dc=local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has value IPA.MYDOMAIN.LOCAL
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_refresh has value 5
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_refresh has value 5
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_automount_location has value default
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_enable_dns_sites is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server_mode is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_object_class has value sudoRole
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_name has value cn
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_command has value sudoCommand
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_host has value sudoHost
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_user has value sudoUser
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_option has value sudoOption
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runas has value sudoRunAs
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasuser has value sudoRunAsUser
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasgroup has value sudoRunAsGroup
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notbefore has value sudoNotBefore
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notafter has value sudoNotAfter
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_order has value sudoOrder
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_entry_usn has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [check_ipv4_addr] (0x0200): Loopback IPv4 address 127.0.0.1
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_object_class has value automountMap
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_name has value automountMapName
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_object_class has value automount
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_key has value automountKey
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_value has value automountInformation
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sss_write_krb5_localauth_snippet] (0x0200): File for localauth plugin configuration is [/var/lib/sss/pubconf/krb5.include.d/localauth_plugin]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]!
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [ipa.mydomain.local] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa.mydomain.local]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_domain has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_backup_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_hostname has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_keytab has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_enable_dns_sites is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_access_filter has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_enable_gc is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_access_control has value permissive
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_cache_timeout has value 5
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_interactive has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_remote_interactive has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_network has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_batch has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_service has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_permit has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_deny has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_default_right has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_uri has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_backup_uri has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_bind_dn has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_authtok_type has value password
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_authtok has no binary value.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_search_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_network_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_opt_timeout has value 6
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_reqcert has value hard
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_scope has value sub
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_filter has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_extra_attrs has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_scope has value sub
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_filter has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_service_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_use_host_filter is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_hostnames has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_ip has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_include_netgroups is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_include_regexp is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_autofs_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_autofs_map_master_name has value auto.master
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_schema has value ad
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_offline_timeout has value 60
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_force_upper_case_realm is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_enumeration_refresh_timeout has value 300
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_purge_cache_timeout has value 10800
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cacert has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cacertdir has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cert has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_key has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cipher_suite has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_id_use_start_tls is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_id_mapping is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_mech has value gssapi
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_authid has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_realm has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_minssf has value -1
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_keytab has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_init_creds is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_backup_server has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_canonicalize is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_use_kdcinfo is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_pwd_policy has value none
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_referrals is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option account_cache_expiration has value 0
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_dns_service_name has value ldap
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_access_filter has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_netgroup_search_base has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_nesting_level has value 2
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_deref has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_account_expire_policy has value ad
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_access_order has value filter
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_uri has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_backup_uri has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_dns_service_name has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_update_last_change is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_enumeration_search_timeout has value 60
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_page_size has value 1000
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_deref_threshold has value 10
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_canonicalize is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_connection_expire_timeout has value 900
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_disable_paging is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_min has value 200000
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_max has value 2000200000
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_size has value 200000
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_autorid_compat is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_default_domain has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_default_domain_sid has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_use_tokengroups is TRUE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_rfc2307_fallback_to_local_users is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_disable_range_retrieval is FALSE
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_min_id has value 0
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_max_id has value 0
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_pwdlockout_dn has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_entry_usn has value uSNChanged
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_rootdse_last_usn has value highestCommittedUSN
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_object_class has value user
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_name has value sAMAccountName
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_pwd has value unixUserPassword
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_uid_number has value uidNumber
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_gid_number has value gidNumber
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_gecos has value gecos
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_home_directory has value unixHomeDirectory
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shell has value loginShell
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_principal has value userPrincipalName
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_fullname has value name
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_member_of has value memberOf
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_uuid has value objectGUID
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_objectsid has value objectSID
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_primary_group has value primaryGroupID
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_modify_timestamp has value whenChanged
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_entry_usn has value uSNChanged
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_last_change has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_min has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_max has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_warning has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_inactive has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_expire has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_flag has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_krb_last_pwd_change has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_krb_password_expiration has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_pwd_attribute has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_authorized_service has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_ns_account_lock has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_authorized_host has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_disabled has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_expiration_time has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ssh_public_key has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_auth_type has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_object_class has value group
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_object_class_alt has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_name has value name
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_pwd has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_gid_number has value gidNumber
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_member has value member
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_uuid has value objectGUID
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_objectsid has value objectSID
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_modify_timestamp has value whenChanged
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_entry_usn has value uSNChanged
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_type has value groupType
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_object_class has value nisNetgroup
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_name has value cn
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_member has value memberNisNetgroup
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_triple has value nisNetgroupTriple
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_modify_timestamp has value modifyTimestamp
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_object_class has value ipService
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_name has value cn
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_port has value ipServicePort
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_entry_usn has no value
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ad_set_ad_id_options] (0x0100): Option krb5_realm set to IPA.MYDOMAIN.LOCAL
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Will look for idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in default keytab
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL found in keytab.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching IDC01$@IPA.MYDOMAIN.LOCAL found in keytab.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected primary: host/idc01.ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected realm: IPA.MYDOMAIN.LOCAL
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/idc01.ipa.mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to IPA.MYDOMAIN.LOCAL
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'mydomain.local'
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'gc_mydomain.local'
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_srv_server] (0x0400): Adding new SRV server to service 'gc_mydomain.local' using 'tcp'.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_srv_server] (0x0400): Adding new SRV server to service 'mydomain.local' using 'tcp'.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_fo_set_srv_lookup_plugin] (0x0400): Trying to set SRV lookup plugin to AD
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_fo_set_srv_lookup_plugin] (0x0400): SRV lookup plugin is now AD
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_domain_subdom_add] (0x0400): subdomain mydomain.local is a new one, will create a new sdap domain object
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for mydomain.local
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_create] (0x0400): Periodic task [Cleanup of mydomain.local] was created
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of mydomain.local]: scheduling task 10 seconds from now [1435328645]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [become_user] (0x0200): Trying to become user [0][0].
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [become_user] (0x0200): Already user [0].
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [main] (0x0400): Backend provider (ipa.mydomain.local) started!
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1435328645
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7fae43da19b0.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7fae43da19b0
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7fae43da1e40]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7fae43da3d00.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7fae43da3d00
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7fae43da4560]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7fae43da5800.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7fae43da5800
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7fae43da6230]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7fae43da74a0.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7fae43da74a0
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7fae43da7ed0]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7fae43da9140.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7fae43da9140
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7fae43daa190]
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7fae43dab400.
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7fae43dab400 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7fae43dabe30] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7fae43da4560] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [SSH] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'idc01.ipa.mydomain.local' in files (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'idc01.ipa.mydomain.local' as 'resolving name' (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'idc01.ipa.mydomain.local' as 'name resolved' (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server idc01.ipa.mydomain.local: [172.21.251.9] TTL 7200 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://idc01.ipa.mydomain.local' (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. 
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400) (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server idc01.ipa.mydomain.local: [172.21.251.9] TTL 7200 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent! (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7fae43da7ed0] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [SUDO] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7fae43da1e40] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [autofs] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7fae43dabe30] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [PAM] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] 
[be_get_subdomains] (0x0400): Got get subdomains [] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7fae43daa190] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [PAC] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7fae43da6230] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [NSS] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [6447] finished successfully. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435415035] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/idc01.ipa.mydomain.local (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'idc01.ipa.mydomain.local' as 'working' (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'idc01.ipa.mydomain.local' as 'working' (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'idc01.ipa.mydomain.local' as 'working' (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] 
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [be_run_online_cb] (0x0080): Going online. Running callbacks. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ad_online_cb] (0x0400): The AD provider is online (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. 
(Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:55 2015) [sssd[be[ipa.mydomain.local]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication. (Fri Jun 26 16:23:58 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. (Fri Jun 26 16:23:58 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Fri Jun 26 16:23:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2 at otherdomain.com:U] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2 at otherdomain.com)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found. 
(Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2 at otherdomain.com:U] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2 at otherdomain.com))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_send] (0x0400): About to find domain controllers (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. 
Will use DNS discovery domain 'mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_dc_servers_done] (0x0400): Found 3 domain controllers in domain mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_send] (0x0400): Resolving host dc03.mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc03.mydomain.local' in files (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc03.mydomain.local' in files (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc03.mydomain.local' in DNS (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc03.mydomain.local:389 (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Fri Jun 26 16:23:59 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc03.mydomain.local:389 (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=mydomain.local)(NtVer=\14\00\00\00))][]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_servers_send] (0x0400): Looking up primary servers (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'Default-First-Site-Name._sites.mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_servers_primary_done] (0x0400): Looking up backup servers (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. 
Will use DNS discovery domain 'mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_servers_done] (0x0400): Got 3 primary and 3 backup servers (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc02.mydomain.local:389' to service 'mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc03.mydomain.local:389' to service 'mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc01.mydomain.local:389' to service 'mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc01.mydomain.local:389' for service 'mydomain.local' is already present (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc02.mydomain.local:389' for service 'mydomain.local' is already present (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc03.mydomain.local:389' for service 'mydomain.local' is already present (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'mydomain.local' as 'resolved' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 
'dc02.mydomain.local' in files (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'resolving name' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc02.mydomain.local' in files (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc02.mydomain.local' in DNS (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'name resolved' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600 (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc02.mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc02.mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. 
(Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400) (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600 (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87 (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent! (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [6451] finished successfully. 
(Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435415039] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/idc01.ipa.mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc02.mydomain.local' as 'working' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'working' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dc02.mydomain.local' as 'working' (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(userPrincipalName=account2 at otherdomain.com)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. 
(Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectClass=ipaexternalgroup][dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ext_groups_done] (0x0400): [0] external groups found. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0080): User [account2 at otherdomain.com] not found in cache. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=nobody] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nobody)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=account2] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account2)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. 
(Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found. (Fri Jun 26 16:23:59 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. 
(Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Fri Jun 26 16:24:02 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_execute] (0x0400): Task [Cleanup of ipa.mydomain.local]: executing task, timeout 3600 seconds (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_done] (0x0400): Task [Cleanup of ipa.mydomain.local]: finished successfully (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of ipa.mydomain.local]: scheduling task 3600 seconds from last execution time [1435332245] (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_execute] (0x0400): Task [Cleanup of mydomain.local]: executing task, timeout 10800 seconds (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [cleanup_groups] 
(0x0200): Found 2 expired group entries! (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_done] (0x0400): Task [Cleanup of mydomain.local]: finished successfully (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of mydomain.local]: scheduling task 10800 seconds from last execution time [1435339445] (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=SUDOers,dc=ipa,dc=mydomain,dc=local] (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=idc01.ipa.mydomain.local)(sudoHost=idc01)(sudoHost=172.21.251.9)(sudoHost=172.21.251.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=SUDOers,dc=ipa,dc=mydomain,dc=local]. 
(Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=SUDOers,dc=ipa,dc=mydomain,dc=local] (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_load_done] (0x0400): Received 0 rules (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1435350245 (Fri Jun 26 16:24:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Smart refresh scheduled at: 1435329545 From prasun.gera at gmail.com Fri Jun 26 17:10:21 2015 From: prasun.gera at gmail.com (Prasun Gera) Date: Fri, 26 Jun 2015 10:10:21 -0700 Subject: [Freeipa-users] hesitate to deploy freeipa In-Reply-To: <558D2E1A.5090109@redhat.com> References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com> <558D03AB.3020807@redhat.com> <20150626101802.GG30758@mail.corp.redhat.com> <558D2E1A.5090109@redhat.com> Message-ID: > > More importantly, ipa-client-install is just a thin configuration tool. If > ipa-client-install is not available on your platform you can configure > everything manually and it will work (as long as the client is > standard-compliant). > > I.e. the client side is *in the worst case* (without ipa-client-install) > equally hard to setup as for any home-made solution. 
> > > Yes, on Ubuntu 12.04, the issue is probably more related to the script than the underlying packages, which I upgraded from their respective ppas. The most complete documentation for getting ipa running, ironically, comes from this bug report https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1280215 which is marked as won't fix. (This affects 12.04 btw which is lts). On FreeNAS, it has to do with Hiemdal v/s MIT kerberos. https://bugs.pcbsd.org/issues/2147 -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbose at redhat.com Fri Jun 26 18:06:22 2015 From: sbose at redhat.com (Sumit Bose) Date: Fri, 26 Jun 2015 20:06:22 +0200 Subject: [Freeipa-users] UPN suffixes in AD trust In-Reply-To: <558D62DD.8020702@di.unimi.it> References: <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it> <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com> <558D62DD.8020702@di.unimi.it> Message-ID: <20150626180622.GU12661@p.redhat.com> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote: > > > On 06/26/2015 02:38 PM, Sumit Bose wrote: > > On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote: > >> On 06/25/2015 05:44 PM, Sumit Bose wrote: > >>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote: > >>>> On 06/25/2015 02:10 PM, Sumit Bose wrote: > >>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote: > >>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote: > >>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote: > >>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote: > >>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote: > >>>>>>>>>> Hi everybody, > >>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on > >>>>>>>>>> CentOS 7.1), 
ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. > >>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux > >>>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local). > >>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com > >>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative > >>>>>>>>>> UPN (example: john.doe at otherdomain.com). > >>>>>>>>>> > >>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? > >>>>>>>>>> Manual configuration of krb5 and/or sssd? > >>>>>>>>> > >>>>>>>>> Have you tried to login to an IPA client or the server? Please try with > >>>>>>>>> an IPA server first. If this does not work it would be nice if you can > >>>>>>>>> send the SSSD log files from the IPA server which are generated during > >>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all > >>>>>>>>> cached entries so that the logs will contain all needed calls to AD. > >>>>>>>>> > >>>>>>>>> Using UPN suffixes were added to the AD provider some time ago and the > >>>>>>>>> code is available in the IPA provider as well, but I guess no one has > >>>>>>>>> actually tried this before. > >>>>>>>>> > >>>>>>>>> bye, > >>>>>>>>> Sumit > >>>>>>>> > >>>>>>>> First of all let me say that i feel like I'm missing some config somewhere.. > >>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't helped. > >>>>>>>> I can only access the server vi ssh so I've attached the logs for a successful > >>>>>>>> login for account1 at mydomain.local and an unsuccessful login for > >>>>>>>> account2 at otherdomain.com done via ssh. > >>>>>>>> > >>>>>>>> Bye and thanks for your help > >>>>>>>> > >>>>>>> > >>>>>>> It looks like the request is not properly propagated to sub-domains (the > >>>>>>> trusted AD domain) but only send to the IPA domain. 
> >>>>>>> > >>>>>>> Would it be possible for you to run a test build of SSSD which might fix > >>>>>>> this? If yes, which version of SSSD are you currently using? Then I can > >>>>>>> prepare a test build with the patch on top of this version. > >>>>>>> > >>>>>>> bye, > >>>>>>> Sumit > >>>>>>> > >>>>>> > >>>>>> Hi, > >>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for > >>>>>> any test. > >>>>>> > >>>>>> Here's the packages version for sssd: > >>>>>> > >>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64 > >>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch > >>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64 > >>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64 > >>>>> > >>>>> Please try the packages at > >>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 . > >>>>> > >>>>> bye, > >>>>> Sumit > >>>> > >>>> Hi, > >>>> I've installed the new RPMs, now if I run on the server: > >>>> > >>>> id account1 at mydomain.local > >>>> id account2 at otherdomain.com > >>>> id account2 at sub.otherdomain.com > >>>> > >>>> all the users are found but I'm still unable to log in via ssh with the accounts > >>>> @otherdomain.com and @sub.otherdomain.com. > >>>> > >>>> In attachment the logs for unsuccessful login for user account2 at otherdomain.com. > >>> > >>> Bother, I forgot to add the fix to the pam responder as well, please try > >>> new packages from > >>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 . > >>> > >>> bye, > >>> Sumit > >>> > >> > >> Hi, > >> I've updated all the packages but still no login. > >> > >> Logs follows. 
> > > > I found another issue in the logs which should be fixed by the build > > from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . > > > > Please send the sssd_pam log file as well it might contain more details > > about what goes wrong during authentication. > > > > bye, > > Sumit > > > > Hi, > packages update, sssd and kerberos services restarted, cache flushed but still > no login on the IPA server. > > As before, logs attached. I've also included the logs generated by the restart > of sssd service because there were no logs in sssd_pam.log when trying to > authenticate. > > Debug level is set to 6 in the sections: > > [domain/ipa.mydomain.local] > [sssd] > [nss] > [pam] > > of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to > increase it. > so far it is sufficient. I have another build for you to try at http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343 Thank you for your patience. bye, Sumit From dpal at redhat.com Sat Jun 27 01:08:59 2015 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 26 Jun 2015 21:08:59 -0400 Subject: [Freeipa-users] Question for AD trust and Webservices In-Reply-To: <20150623190246.GB3774@redhat.com> References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <55810EBE.3050906@redhat.com> <74263835052DD843AEBD010BD87EE8DE1497E6@win10004.member.osthus.de> <20150617083557.GO3616@p.redhat.com> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de> <20150617122000.GC24163@redhat.com> <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de> <20150617135623.GF24163@redhat.com> <5589AACD.8080907@redhat.com> <20150623190246.GB3774@redhat.com> Message-ID: <558DF7AB.8090801@redhat.com> On 06/23/2015 03:02 PM, Alexander Bokovoy wrote: > On Tue, 23 Jun 2015, Dmitri Pal wrote: >> On 06/17/2015 09:56 AM, Alexander Bokovoy wrote: >>> On Wed, 17 Jun 2015, Henry Hofmann wrote: >>>> Ok, how can I configure the map of source attributes (mail or any >>>> other) to 
compat tree?
>>> Go back in archives in this list and read discussions about "Single
>>> mail
>>> deployment in an FreeIPA-WindowsAD scenario". TLDR; not possible in the
>>> compat tree as of right now.
>>>
>> Do we have a ticket for this?
> No and I don't think it will be possible. slapi-nis is read-only view,
> it needs to get these attributes from somewhere. Storing values for
> specialized schema in ID overrides is probably going to be too much --
> how these source attributes to be managed? In the case of 'single mail'
> it would need to be Kolab applications which would need to update such
> attributes, how Kolab would do that?
>
> Enabling slapi-nis to be writeable is going to break a lot and in
> general would not be possible.

I am missing something. Where are the Kolab and writability coming from?
The thread was about allowing email as an extra attribute in the compat tree.
There is nothing about writability.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
From dpal at redhat.com Sat Jun 27 01:12:53 2015 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 26 Jun 2015 21:12:53 -0400 Subject: [Freeipa-users] username case sensitivity In-Reply-To: <277c549fbecf47fcac21b35bc146506f@TCCCORPEXCH02.TCC.local> References: <9cfa2752940f4897b3cad87232ab8952@TCCCORPEXCH02.TCC.local> <20150515194431.GA1242@mail.corp.redhat.com> <20150517212321.GA15861@hendrix.redhat.com> <002b3de875284413aef030b385c9c0c0@TCCCORPEXCH02.TCC.local> <20150518080708.GE15861@hendrix.redhat.com> <277c549fbecf47fcac21b35bc146506f@TCCCORPEXCH02.TCC.local> Message-ID: <558DF895.5010807@redhat.com> On 05/18/2015 06:16 AM, Andy Thompson wrote: >> -----Original Message----- >> From: Jakub Hrozek [mailto:jhrozek at redhat.com] >> Sent: Monday, May 18, 2015 4:07 AM >> To: Andy Thompson >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] username case sensitivity >> >> On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote: >>>> -----Original Message----- >>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- >>>> bounces at redhat.com] On Behalf Of Jakub Hrozek >>>> Sent: Sunday, May 17, 2015 5:23 PM >>>> To: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] username case sensitivity >>>> >>>> On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: >>>>> On (15/05/15 17:27), Andy Thompson wrote: >>>>>> Is there a way to enforce case sensitivity for trusted AD users? >>>>>> I am >>>>> trying to use username for ssh chroots and I can authenticated >>>>> with any case combination of but if ssh is set to match >>>>> on then the chroot is not enforced and the user is >>>>> dropped to their usual home directory. I found a case_sensitive >>>>> option for sssd but it >>>> does not >>>>> seem to have any affect. Running RHEL6.6 clients. >>>>> IPA domain is by default case sensitive. >>>>> So You will not change anything if you put "case_sensitive = true" >>>>> into domain section of sssd.conf. 
>>>>>
>>>>> But SSSD will create subdomains for each AD domain. It is
>>>>> different id_provider therefore different default values are used
>>>>> for subdomains and for AD provider it is case *insensitive* by default.
>>>>>
>>>>> Currently there's no way how to change it for subdomains (AD
>>>>> trusted
>>>>> domains)
>>>>>
>>>> What are you using for the SSH matching? The way the case
>>>> insensitiveness is implemented in SSSD is that all usernames are
>>>> forcibly lowercased on output, so as long as SSH uses the standard
>>>> NSS calls, you should be good with using the lowercase usernames..
>>>>
>>> They were initially all in lower case and working when I tested and finalized
>> the setup. I passed the credentials off and they used mixed case and the
>> match stopped working.
>>
>> What is "they" ? I guess not SSSD but grabbing the data directly from LDAP?
> The match clauses in the sshd config were set to use lower case names. It is using sssd, just a regular ipa client installation. If I logged in using USERName instead of username, the match clause did not work.
>
> -andy
>

Do we have any follow up on this thread? Have we closed the loop and filed a ticket?
I had a couple of complaints of a similar matter during Red Hat Summit. It seems that this is one of the emerging issues for the trust environments.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.


From dpal at redhat.com Sat Jun 27 01:19:51 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 26 Jun 2015 21:19:51 -0400
Subject: [Freeipa-users] Apache htaccess replacement
In-Reply-To:
References: <20150519080315.GK6587@redhat.com>
Message-ID: <558DFA37.1020708@redhat.com>

On 05/19/2015 05:29 AM, thewebbie wrote:
>
> My requirement is to replace dozens of htaccess folders on one
> server. Each folder requiring a user group.
So Host based will not
> work in this case
>
> Matthew Feinberg
>
> On May 19, 2015 4:03 AM, "Jan Pazdziora"
> wrote:
>
> On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
> >
> > I have been attempting to use my 4.1.4 FreeIPA server to
> authenticate
> > folders on a web server as a replacement for the normal htaccess
> feature. I
> > do require group authentication. I have tried just about every online
> example and
> > have only been able to get basic ldap and basic kerberos
> authentication. How
> > do I go about getting group based authentication working.
>
> If you do not insist on group based authentication but can use
> the more generic host-based access control (which you should be able
> to do because you have IPA), you can use mod_authnz_pam:
>
> http://www.adelton.com/apache/mod_authnz_pam/
>
> http://www.freeipa.org/page/Web_App_Authentication
>
> The module is packaged in Fedoras, RHEL, and CentOS.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management
> Engineering, Red Hat
>
>

Was this resolved in some way?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.


From dpal at redhat.com Sat Jun 27 01:47:58 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 26 Jun 2015 21:47:58 -0400
Subject: [Freeipa-users] compat settings
In-Reply-To: <511ED412-6929-41C9-AB33-9344CC09AA76@usm.lmu.de>
References: <511ED412-6929-41C9-AB33-9344CC09AA76@usm.lmu.de>
Message-ID: <558E00CE.30200@redhat.com>

On 05/21/2015 02:59 AM, Rudolf Gabler wrote:
> Hi to whom it may concern,
>
>
> we used for many years a 2 location policy to separate email users
> from unix users in order to not use the same passwords. So we had 2
> trees in our LDAP with the same user but different passwords.

Sorry for reviving this thread a month later. I am a bit puzzled.
On one hand I hear a lot of desire of the consolidation on the single account and making sure the password the user has is compliant with the central policies.
On the other side I continue to come across the cases when a single account needs more than one password. And I am really confused why?
Would using OTP for example be a good enough alternative?
What is the practical reason to force a user to have more than one password in the enterprise environment?

I wonder does OTP auth with IPA native tokens work against the compat tree? It should...
So with OTP it is always a different password for two accounts. Should be good enough. No?

What am I missing?

Dmitri

>
> In freeipa (where we want to migrate now) I can use the accounts and
> compat (for email) trees for this purpose and so I added a
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: userPassword=*
> to the compat settings to have a separate place for the password (!not userPassword=%{userPassword}, because then the accounts password are mirrored). This works, but I'm not allowed to change the password i.e. with:
> ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
> I get a result of:
>
> No such object (32)
> Additional info: Failed to update password
>
> whereas for the accounts tree the ldappasswd is working fine.
> What additional setting may be required?
>
> Regards,
> Rudi Gabler
>
>
>

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
From abokovoy at redhat.com Sat Jun 27 03:26:49 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 26 Jun 2015 23:26:49 -0400 (EDT)
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <558DF7AB.8090801@redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de> <20150617122000.GC24163@redhat.com> <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de> <20150617135623.GF24163@redhat.com> <5589AACD.8080907@redhat.com> <20150623190246.GB3774@redhat.com> <558DF7AB.8090801@redhat.com>
Message-ID: <2039126197.9582354.1435375609154.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On 06/23/2015 03:02 PM, Alexander Bokovoy wrote:
> > On Tue, 23 Jun 2015, Dmitri Pal wrote:
> >> On 06/17/2015 09:56 AM, Alexander Bokovoy wrote:
> >>> On Wed, 17 Jun 2015, Henry Hofmann wrote:
> >>>> Ok, how can I configure the map of source attributes (mail or any
> >>>> other) to compat tree?
> >>> Go back in archives in this list and read discussions about "Single
> >>> mail
> >>> deployment in an FreeIPA-WindowsAD scenario". TLDR; not possible in the
> >>> compat tree as of right now.
> >>>
> >> Do we have a ticket for this?
> > No and I don't think it will be possible. slapi-nis is read-only view,
> > it needs to get these attributes from somewhere. Storing values for
> > specialized schema in ID overrides is probably going to be too much --
> > how these source attributes to be managed? In the case of 'single mail'
> > it would need to be Kolab applications which would need to update such
> > attributes, how Kolab would do that?
> >
> > Enabling slapi-nis to be writeable is going to break a lot and in
> > general would not be possible.
> I am missing something. Where are the Kolab and writability coming from?
> The thread was about allowing email as an extra attribute in the compat
> tree.
> There is nothing about writability.
See https://docs.kolab.org/architecture-and-design/ldap.html, kolabd handles all modifications to LDAP triggered by other interfaces, including but not limited to the web UI.
A whole list of attributes that may appear in LDAP for Kolab entries is here:
https://git.kolab.org/diffusion/KS/browse/master/kolab3.schema
--
/ Alexander Bokovoy


From prashant at apigee.com Sat Jun 27 03:36:39 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Sat, 27 Jun 2015 09:06:39 +0530
Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module
Message-ID:

Hi,

I'm exploring implementing a 2FA solution to my servers exposed to public. Mainly to secure SSH with 2FA. The SSH keys and users are already in FreeIPA.

Is there a way to utilize the OTP inside FreeIPA during a user login to these servers? A user will have to enter the TOTP code based on what's configured in FreeIPA. Something along the lines of https://github.com/google/google-authenticator/tree/master/libpam

Thanks.
--Prashant


From abokovoy at redhat.com Sat Jun 27 04:47:00 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 27 Jun 2015 00:47:00 -0400 (EDT)
Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module
In-Reply-To:
References:
Message-ID: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com>

----- Original Message -----
> Hi ,
>
> I'm exploring implementing a 2FA solution to my servers exposed to public.
> Mainly to secure SSH with 2FA. The SSH keys and users are already in
> FreeIPA.
>
> Is there a way to utilize the OTP inside FreeIPA during a user login to these
> servers ? A user will have to enter the TOTP code based on what's configured
> in FreeIPA. Something along the lines of
> https://github.com/google/google-authenticator/tree/master/libpam
If you are using SSSD (pam_sss), it will automatically accept 2FA.
You need to force OpenSSH to combine authentication methods, something like:

AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam

Look into the sshd_config manual page for details. This is a feature of OpenSSH 6.2 or later.
--
/ Alexander Bokovoy


From prashant at apigee.com Sat Jun 27 07:36:46 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Sat, 27 Jun 2015 13:06:46 +0530
Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module
In-Reply-To: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com>
References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com>
Message-ID:

Aah ok! Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended up using nss-pam-ldap, nscd and nslcd.

However this looks promising. Only for the servers exposed to the Internet I could use CentOS/Fedora and this method of authentication. Let me try this and come back to you.

Thanks.
--Prashant

On 27 June 2015 at 10:17, Alexander Bokovoy wrote:
>
>
> ----- Original Message -----
> > Hi ,
> >
> > I'm exploring implementing a 2FA solution to my servers exposed to
> public.
> > Mainly to secure SSH with 2FA. The SSH keys and users are already in
> > FreeIPA.
> >
> > Is there a way to utilize the OTP inside FreeIPA during a user login to
> these
> > servers ? A user will have to enter the TOTP code based on what's
> configured
> > in FreeIPA. Something along the lines of
> > https://github.com/google/google-authenticator/tree/master/libpam
> If you are using SSSD (pam_sss), it will automatically accept 2FA.
>
> You need to force OpenSSH to combine authentication methods, something
> like:
>
> AuthenticationMethods publickey,password:pam
> publickey,keyboard-interactive:pam
>
> Look into the sshd_config manual page for details. This is a feature of OpenSSH
> 6.2 or later.
>
> --
> / Alexander Bokovoy
>
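As an added example (not code from this thread, nor from the FreeIPA, SSSD or OpenSSH projects): a POSIX shell checker that reads an sshd_config and confirms that the AuthenticationMethods line Alexander quotes really forces a public key plus a PAM-backed method in every alternative, and that UsePAM is on (pam_sss never runs otherwise) and the challenge-response path is not switched off when keyboard-interactive is relied on. The function names are my own and the sshd_config it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA/SSSD projects.
# Checks that an sshd_config enforces "public key AND a PAM-backed second
# factor" via AuthenticationMethods. Function names and the sample config
# are hypothetical, constructed for this demo.

# First global value of a keyword. sshd uses the first occurrence of a
# keyword, and Match blocks only apply to matching connections, so they are
# ignored here. $1 = config file, $2 = keyword (case-insensitive).
# Prints "" when the keyword is not set.
get_directive() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && !found && tolower($1) == kw {
            $1 = ""; sub(/^ +/, ""); val = $0; found = 1
        }
        END { print val }' "$1"
}

# 0 if every space-separated alternative in an AuthenticationMethods value
# lists publickey AND password or keyboard-interactive (the methods that go
# through PAM, where pam_sss prompts for the OTP); 1 otherwise.
auth_methods_require_2fa() {
    value=$1
    [ -n "$value" ] || return 1          # unset: any single method suffices
    for alt in $value; do
        has_key=0; has_pam=0
        old_ifs=$IFS; IFS=','
        for m in $alt; do
            m=${m%%:*}                   # drop a ":pam" style suffix
            case $m in
                publickey) has_key=1 ;;
                password|keyboard-interactive) has_pam=1 ;;
            esac
        done
        IFS=$old_ifs
        [ "$has_key" -eq 1 ] && [ "$has_pam" -eq 1 ] || return 1
    done
    return 0
}

# Whole-file check: AuthenticationMethods as above, UsePAM yes, and the
# challenge-response path not disabled when keyboard-interactive is used
# (sshd defaults it to yes; some distro stock configs set
# ChallengeResponseAuthentication no, which silently removes the OTP prompt).
config_requires_2fa() {
    cfg=$1
    methods=$(get_directive "$cfg" AuthenticationMethods)
    auth_methods_require_2fa "$methods" || return 1
    [ "$(get_directive "$cfg" UsePAM | tr 'A-Z' 'a-z')" = "yes" ] || return 1
    case $methods in
        *keyboard-interactive*)
            kbd=$(get_directive "$cfg" KbdInteractiveAuthentication)  # OpenSSH 8.7+ name
            [ -n "$kbd" ] || kbd=$(get_directive "$cfg" ChallengeResponseAuthentication)
            [ -n "$kbd" ] || kbd=yes                                 # sshd default
            [ "$(printf '%s' "$kbd" | tr 'A-Z' 'a-z')" = "yes" ] || return 1 ;;
    esac
    return 0
}

# Writes a constructed sample sshd_config and prints its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
Match User backup
    AuthenticationMethods publickey
EOF
    printf '%s\n' "$f"
}

# Demo run on the constructed sample.
sample=$(make_sample_config)
if config_requires_2fa "$sample"; then
    echo "OK: $sample requires a public key plus a PAM-backed second factor"
else
    echo "WARNING: $sample lets a single factor log in" >&2
fi
rm -f "$sample"
```

The checker reads the file statically; on a live host `sshd -T` prints the effective configuration, which is the safer input when includes or Match blocks are involved. It says nothing about the PAM stack itself: on the nss-pam-ldapd/nslcd setup Prashant describes there is no pam_sss, so sshd can require keyboard-interactive and still only get a password prompt.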
From dpal at redhat.com Sat Jun 27 13:01:37 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 09:01:37 -0400
Subject: [Freeipa-users] Question for AD trust and Webservices
In-Reply-To: <2039126197.9582354.1435375609154.JavaMail.zimbra@redhat.com>
References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de> <20150617122000.GC24163@redhat.com> <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de> <20150617135623.GF24163@redhat.com> <5589AACD.8080907@redhat.com> <20150623190246.GB3774@redhat.com> <558DF7AB.8090801@redhat.com> <2039126197.9582354.1435375609154.JavaMail.zimbra@redhat.com>
Message-ID: <558E9EB1.6030600@redhat.com>

On 06/26/2015 11:26 PM, Alexander Bokovoy wrote:
>
> ----- Original Message -----
>> On 06/23/2015 03:02 PM, Alexander Bokovoy wrote:
>>> On Tue, 23 Jun 2015, Dmitri Pal wrote:
>>>> On 06/17/2015 09:56 AM, Alexander Bokovoy wrote:
>>>>> On Wed, 17 Jun 2015, Henry Hofmann wrote:
>>>>>> Ok, how can I configure the map of source attributes (mail or any
>>>>>> other) to compat tree?
>>>>> Go back in archives in this list and read discussions about "Single
>>>>> mail
>>>>> deployment in an FreeIPA-WindowsAD scenario". TLDR; not possible in the
>>>>> compat tree as of right now.
>>>>>
>>>> Do we have a ticket for this?
>>> No and I don't think it will be possible. slapi-nis is read-only view,
>>> it needs to get these attributes from somewhere. Storing values for
>>> specialized schema in ID overrides is probably going to be too much --
>>> how these source attributes to be managed? In the case of 'single mail'
>>> it would need to be Kolab applications which would need to update such
>>> attributes, how Kolab would do that?
>>>
>>> Enabling slapi-nis to be writeable is going to break a lot and in
>>> general would not be possible.
>> I am missing something. Where are the Kolab and writability coming from?
>> The thread was about allowing email as an extra attribute in the compat
>> tree.
>> There is nothing about writability.
> See https://docs.kolab.org/architecture-and-design/ldap.html, kolabd handles all modifications to LDAP triggered by other interfaces, including but not limited to the web UI.
> A whole list of attributes that may appear in LDAP for Kolab entries is here:
> https://git.kolab.org/diffusion/KS/browse/master/kolab3.schema

Sure but was the request in this thread driven by Kolab? I have not seen that in any of the emails. Why do we assume that it is because of Kolab?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.


From dpal at redhat.com Sat Jun 27 13:26:16 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 09:26:16 -0400
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To: <20150624083122.GG11174@hendrix.redhat.com>
References: <20150624074920.GF11174@hendrix.redhat.com> <20150624083122.GG11174@hendrix.redhat.com>
Message-ID: <558EA478.9040008@redhat.com>

On 06/24/2015 04:31 AM, Jakub Hrozek wrote:
> On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote:
>> Thanks. It's good to know that it is fixed upstream. For discussion though,
>> are any enhancements planned for dealing with installation/removal of ipa ?
> Not sure, but please file bugs as you see them.
>

Yes, please be more specific. The bugs that were mentioned by Jakub are making their way into downstream. If there are any other issues you are concerned about please let us know.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.


From dpal at redhat.com Sat Jun 27 13:27:43 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 09:27:43 -0400
Subject: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To:
References: <098f97b60aeccf4d115bf6f0aea625e3@scunc.net>
Message-ID: <558EA4CF.9060804@redhat.com>

On 06/23/2015 06:15 PM, Matt .
wrote: > Anyone some suggestions about this ? > > I'm thinking about adding from my second 3.x master where I first need > to split that cluster to make that happen. Was that resolved? > > > > 2015-06-22 22:57 GMT+02:00 Matt . : >> OK, >> >> I'm on the go here but I have some issue. >> >> When I install the replica server I get this error on the new replica: >> >> ipa : CRITICAL CA DS schema check failed. Make sure the PKI >> service on the remote master is operational. >> >> >> When I restart IPA on the old master I get this: >> >> PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: >> the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with >> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc] >> [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR >> matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with >> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc] >> [ OK ] >> >> So the error on the replica is not that strange, but how to fix this >> on the master ? >> >> Matt >> >> 2015-06-22 15:59 GMT+02:00 Hendrik Frenzel : >>> Am 22.06.2015 12:10, schrieb Matt .: >>>> Hi Guys, >>> >>> Hi Matt, >>> >>>> I found some good information about migrating from 3.3 to 4.x using >>>> replica's. >>>> >>>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as >>>> CentOS doesn't provide 3.3. >>> >>> Could you please share an URL or something? 
>>>
>>> Currently I'm here:
>>>
>>> * ipa-6 - CentOS 6.6:
>>> ipa-admintools-3.0.0-42.el6.centos.x86_64
>>> ipa-client-3.0.0-42.el6.centos.x86_64
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-python-3.0.0-42.el6.centos.x86_64
>>> ipa-server-3.0.0-42.el6.centos.x86_64
>>> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>>> sssd-ipa-1.11.6-30.el6_6.4.x86_64
>>> pki-ca-9.0.3-38.el6_6.noarch
>>>
>>> * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind,
>>> bind-dyndb-ldap):
>>> ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>>> ipa-client-4.1.0-18.el7.centos.3.x86_64
>>> ipa-python-4.1.0-18.el7.centos.3.x86_64
>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>> pki-ca-10.1.2-7.el7.noarch
>>>
>>> -1. Update schema
>>> ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root at ipa-6:
>>> ipa-6# python copy-schema-to-ca.py
>>>
>>> 0. clean up old/stale replication agreements
>>> ipa-replica-manage del --force ipa-6.example.com
>>> ipa-csreplica-manage del --force ipa-6.example.com
>>>
>>> 1. prepare replication on ipa-6 for ipa-7
>>> ipa-replica-prepare ipa-7.example.com
>>>
>>> 2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
>>> /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (s.
>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>>> - >> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>>> + >> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>>>
>>> 3. slow down the network a bit
>>> (don't know how effective it is, as we already got 1GBit, but without
>>> it, a timing bug in 389-ds-base is triggered - s.
>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>>> tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540
>>>
>>> 4. install replication (without CA for the moment)
>>> ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders
>>>
>>> Up to now, everything works, but we need the CA too:
>>>
>>> 5. install ca
>>> ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg
>>>
>>> But this won't work and I don't have a clue how to fix/proceed from here.
>>>
>>> # ipa-7: /var/log/ipareplica-ca-install.log
>>> ipa : DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
>>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>>>
>>> ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
>>> ipa : DEBUG Traceback (most recent call last):
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>> run_step(full_msg, method)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>> method()
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
>>> raise RuntimeError('Configuration of CA failed')
>>> RuntimeError: Configuration of CA failed
>>>
>>> # ipa-7: /var/log/pki/pki-tomcat/ca/system
>>> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain.
>>> Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>>
>>> # ipa-7: /var/log/pki/pki-tomcat/ca/debug
>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master
>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>>> [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>>>
>>> # ipa-6: /var/log/httpd/access_log
>>> 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309
>>> 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
>>>
>>> # ipa-6: /var/log/pki-ca/debug
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='name' value='CA ipa-7.example.com 8443'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='eeclientauthsport' value='443'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='httpport' value='80'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
>>> name='sport' value='443'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='dm' value='true'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='adminsport' value='443'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='list' value='CAList'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='clone' value='true'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='type' value='CA'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='agentsport' value='443'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sessionID' value='-4812857165985662682'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='host' value='ipa-7.example.com'
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML start to service.
>>> [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing...
>>> [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process: authentication starts
>>> [22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2
>>> [22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL certificate
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.COM
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving client certificate
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client certificate
>>> [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
>>> [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
>>> [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
>>> [22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client certificate found
>>> [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
>>> [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
>>> [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
>>> [22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.COM] authentication failure
>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22 15:12:59 CEST 2015 id=caUpdateDomainXML time=11
>>>
>>> # ipa-6: /var/log/pki-ca/system
>>> 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent with certificate
>>> Serial 0x272 Subject DN CN=CA Subsystem,O=EXAMPLE.COM. Error: User not found
>>> 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet caUpdateDomainXML: Failed to authorize: Invalid Credential..
>>>
>>> It would be great if someone could give a hint where to look and what user
>>> can't authenticate and why.
>>>
>>> @Matt: For renaming the IdM server, see
>>> https://access.redhat.com/solutions/174733 it could possibly help.
>>>
>>> b/r
>>> H.
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Sat Jun 27 13:32:07 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 09:32:07 -0400
Subject: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
In-Reply-To: <5589104E.2000306@redhat.com>
References: <34ed5f582af9a2959036e9a995c32ff6.squirrel@webmail.nathanpeters.com> <55846FA8.8090508@redhat.com> <9552bac16a4bbc8c87e6157736a56a36.squirrel@webmail.nathanpeters.com> <558499E1.6080408@redhat.com> <5585CA58.7020409@redhat.com> <869AA3DC8CC741AEB83897FD6BDBEC46@Azul> <55886B89.1090508@redhat.com> <5589104E.2000306@redhat.com>
Message-ID: <558EA5D7.4070905@redhat.com>

On 06/23/2015 03:52 AM, Petr Vobornik wrote:
> On 06/22/2015 10:09 PM, Rob Crittenden wrote:
>> Nathan Peters wrote:
>>>
>>>
>>> -----Original Message----- From: Rob Crittenden
>>> Sent: Saturday, June 20, 2015 1:17 PM
>>> To: Nathan Peters
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission
>>> "System: Read HBAC Rules" with bindtype "all" to a privilege
>>>
>>> Nathan Peters wrote:
>>>>
>>>>
>>>> -----Original Message----- From: Rob Crittenden
>>>> Sent: Friday, June 19, 2015 3:38 PM
>>>> To: nathan at nathanpeters.com
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission
>>>> "System: Read HBAC Rules" with bindtype "all" to a privilege
>>>>
>>>> nathan at nathanpeters.com wrote:
>>>>>> nathan at nathanpeters.com wrote:
>>>>>>> FreeIPA server 4.1.3 on CentOS 7
>>>>>>>
>>>>>>> I am trying to create a set of privileges or roles that will allow me to
>>>>>>> create a user who has read-only access to as much of the FreeIPA web UI as
>>>>>>> possible. Basically my manager wants the type of view into FreeIPA that
>>>>>>> they have in AD using the 'AD Users and Computers' program.
>>>>>>>
>>>>>>> I note that there are quite a few read permissions in the permissions list.
>>>>>>> I tried creating a new privilege called Read Only Administrator and
>>>>>>> giving them all the permissions that have read only in the name.
>>>>>>>
>>>>>>> For some reason I can add all other system and full access permissions but
>>>>>>> when I try to add a read only permission I get the following error:
>>>>>>> invalid 'permission': cannot add permission "System: Read HBAC Rules" with
>>>>>>> bindtype "all" to a privilege
>>>>>>>
>>>>>>> This applies not just to the HBAC rule, but anything that has Read in the
>>>>>>> name.
>>>>>>>
>>>>>>> How do I create a read only user without getting this error message?
>>>>>>
>>>>>> You can't add a rule with bindtype all because this bindtype already
>>>>>> allows all authenticated users the rights granted by the rule, in this
>>>>>> case read access.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>
>>>>>
>>>>> That doesn't sound right. When I login to FreeIPA web ui with a user who
>>>>> is not part of any group, the only thing he can do is browse other users
>>>>> and update his own password and SSH key.
>>>>> He does not get the HBAC menu
>>>>> and definitely cannot browse HBAC rules.
>>>>
>>>> The UI handles those permissions differently.
>>>>
>>>> $ kinit someuser
>>>> $ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com
>>>>
>>>>>
>>>>> Also, if I do this step backward and go directly to the RBAC ->
>>>>> Permissions menu and choose a permission and edit it, I can add it to a
>>>>> privilege, but if I go to the privilege and try to add the permission it
>>>>> fails. This makes zero sense.
>>>>>
>>>>> I can post screenshots if that helps.
>>>>>
>>>>
>>>> This is a bug. There is a function not available on the command line,
>>>> permission_add_member, which incorrectly allows this. I opened
>>>> https://fedorahosted.org/freeipa/ticket/5075
>>>>
>>>> Regardless of whether it is added or not, it is a no-op because the
>>>> whole idea of permissions is to grant access via groups and there is no
>>>> group in this permission. It allows all authenticated users.
>>>>
>>>> rob
>>>>
>>>> What do you mean by it is a no-op?
>>>>
>>>> Here is what I did that worked:
>>>>
>>>> 1) Create privilege called "Read only privilege"
>>>>
>>>> 2) Go to each permission individually that has the word "Read" in it and
>>>> add them to the "read only privilege" privilege one at a time. There
>>>> were about 65 of them. This is fine because we are not applying this to
>>>> users, only applying the permissions to the privilege.
>>>>
>>>> 3) Next, go back to the read-only privilege and add some group that
>>>> contains users.
>>>>
>>>> 4) Login to the webui as a user that is in the group that was added to
>>>> the privilege and now you can see all menu options just like an admin,
>>>> but everything is read only and any attempt to make changes results in a
>>>> message that you don't have permission to make that change. This is
>>>> currently working exactly as I expect it to once I set it up the long
>>>> way.
>>>>
>>>> Result: Member can now browse the entire web ui and see everything,
>>>> hosts, users, rbac rules, hbac rules, groups etc but in read only mode
>>>> as expected.
>>>>
>>>> I'm talking only about the issue where a permission with a bindrule of
>>>> all cannot be added to a privilege. The fact that it can be added in
>>>> the UI is a bug.
>>>>
>>>> It is the data in LDAP we really care about and a permission with a
>>>> bindrule of all grants all authenticated users read access to that
>>>> data, regardless of what you might or might not see in the UI.
>>>>
>>>> I'm not entirely sure how Petr does that though. I always thought it
>>>> was through LDAP effective rights which in effect should grant all
>>>> users HBAC read access, so perhaps he determines it based on other
>>>> things as well.
>>>>
>>>> rob
>>>
>>> So what is the correct way to grant full read-only permissions in the
>>> web UI? The audience for this viewing is managers and they are non
>>> technical and have no desire to login to an SSH shell and try to view
>>> the data they need using the cli.
>>>
>>> They have seen me working in the web UI and really like how easy it is
>>> to browse the interface.
>>>
>>> Is there any proper way to do this? Is it possible at all without
>>> invoking that bug that I invoked to make it happen?
>>
>> That's a question for Petr. I don't know how the UI determines which
>> tabs to make visible. I thought it was based on the effective rights but
>> perhaps it is more complex than that.
>>
>> rob
>
> It's as described in #4. Web UI displays all tabs if a user is
> assigned to at least one RBAC role either directly or indirectly
> through a user group. Effective rights are used only for attributes
> (attributeslevelrights). Object level rights are not provided to Web
> UI yet.
>
> In other words:
> 1. create empty RBAC role
> 2. assign there all users who should read stuff.
>
> Exception is DNS (and maybe some other entries).
> DNS is not readable by everybody by default.

Is there any RFE that we need to file based on this conversation?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Sat Jun 27 13:34:58 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 09:34:58 -0400
Subject: [Freeipa-users] blank user screen? (web UI)
In-Reply-To: <558841B5.3020605@redhat.com>
References: <5585D506.5080109@gmail.com> <55865B25.5090607@gmail.com> <5587FC75.5080907@redhat.com> <5588189D.5040300@gmail.com> <5588370B.2030209@redhat.com> <55883A48.2070104@gmail.com> <558841B5.3020605@redhat.com>
Message-ID: <558EA682.5020708@redhat.com>

On 06/22/2015 01:11 PM, Petr Vobornik wrote:
> On 06/22/2015 06:39 PM, Janelle wrote:
>> On 6/22/15 9:25 AM, Petr Vobornik wrote:
>>> On 06/22/2015 04:15 PM, Janelle wrote:
>>>> On 6/22/15 5:15 AM, Petr Vobornik wrote:
>>>>> On 06/21/2015 08:35 AM, Janelle wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Sure. Just login as a normal user to the WEB UI. Screen is blank:
>>>>>>
>>>>>> Of course, if you click on Actions - you will see those and you can click on
>>>>>> them, but you can't do anything else. This is a vanilla server install, nothing
>>>>>> fancy. Oh and there is no error message at all. Any browser = same results.
>>>>>>
>>>>>> Tried clearing cache, history, web data.. Everything. Many of my users report
>>>>>> the same thing. This is 7.1 with IPA 4.1.7
>>>>>>
>>>>>> Now the funny part - login as "admin" and everything works fine. But I certainly
>>>>>> can't have everyone logging in as admin. :-)
>>>>>>
>>>>>> ~Janelle
>>>>>
>>>>> Do you see any error in browser console?
>>>>>
>>>>> Does this happen also to a user which doesn't have any RBAC role
>>>>> assigned (either directly or indirectly)?
>>>> AHA -- perhaps a clue:
>>>>
>>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>>>
>>>> ~J
>>>
>>> These errors are expected. The first two happen when the user is not yet
>>> authenticated. The third line is just about a file for jquery debugging
>>> which is not shipped with ipa.
>>>
>>> Could you inspect other json requests? Mainly the 3 which are executed
>>> on navigating to the user details page (or after clicking on the "refresh"
>>> button on the page). Does the result of the first request (of the
>>> three) contain user data as in
>>>
>>>
>>> I'm unable to reproduce the issue with
>>> ipa-server-4.1.0-18.el7_1.3.x86_64.
>>>
>>> Do these users have some special permissions/roles/rights?
>> The user I did the same from is a User Administrator, however, all the
>> other users are NOT. And if you watch closely, all the details do flash
>> on the screen, but then disappear. Refresh does nothing. The one thing -
>> it works flawlessly for the "admin" account.
>>
>> versions (I believe in the newest -- perhaps a bad idea)
>>
>> freeipa-client-4.1.4-1.el7.centos.x86_64
>> freeipa-server-4.1.4-1.el7.centos.x86_64
>> freeipa-python-4.1.4-1.el7.centos.x86_64
>>
>>
>> on a user screen after login - :
>>
>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>
>> ~Janelle
>
> If I understand it correctly, you get a bunch of 401 Unauthorized errors
> after successful auth? This should not happen. I have seen something
> similar when clients were a couple of minutes in the future compared to the ipa
> server (assuming forms based auth is used, otherwise it would fail on
> obtaining the TGT) because the session expires immediately if clients are more
> than 20 mins ahead. Or when the krb ticket TTL was less than 5 minutes.
>
> Are there any "200 Success" requests to "ipa/session/json" or
> ipa/session/login_password in the network tab as shown on the image:
> https://pvoborni.fedorapeople.org/images/user_response_data.png after
> successful login?

Was this resolved or do we need to file a ticket to track some bug?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
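The diagnostic Petr describes above (pre-login 401s are normal, the jQuery .map 404 is harmless, 401s on ipa/session/json after a successful login point at an immediately expiring session) written out as an offline triage helper. This is an added example, not code from the thread or from FreeIPA; the request records and the two thresholds applied as plain rules are my simplification of the reply, not the server's actual session logic.

```python
# Added example (not from the list thread or FreeIPA): triage the browser's
# network tab for the "blank user screen" symptom discussed above.
# Assumptions (mine): a request is (seconds since page load, path, status);
# the 20-minute clock skew and 5-minute ticket lifetime limits Petr mentions
# are applied as simple rules.
from dataclasses import dataclass
from typing import Iterable, List, Optional

SKEW_LIMIT_S = 20 * 60       # client clock ahead of the server by more than this
MIN_TICKET_TTL_S = 5 * 60    # Kerberos ticket lifetime below this
LOGIN_ENDPOINTS = ("/ipa/session/login_password", "/ipa/session/login_kerberos")
SESSION_ENDPOINT = "/ipa/session/json"


@dataclass(frozen=True)
class Req:
    """One entry from the browser's network tab (constructed sample data)."""
    t: float        # seconds since page load
    path: str
    status: int


def successful_login_time(reqs: Iterable[Req]) -> Optional[float]:
    """Time of the first 200 from a session login endpoint, or None."""
    for r in sorted(reqs, key=lambda x: x.t):
        if r.status == 200 and r.path.endswith(LOGIN_ENDPOINTS):
            return r.t
    return None


def unexpected_401s(reqs: Iterable[Req]) -> List[Req]:
    """401s on ipa/session/json that arrive after a successful login.

    401s before the login are the normal negotiation: the UI probes json,
    tries Kerberos, and only then shows the password form."""
    reqs = list(reqs)
    login_t = successful_login_time(reqs)
    if login_t is None:
        return []
    return [r for r in reqs
            if r.t > login_t and r.status == 401 and r.path.endswith(SESSION_ENDPOINT)]


def is_noise(r: Req) -> bool:
    """A missing source map (jquery-*.min.map) is a debug aid, not an auth error."""
    return r.status == 404 and r.path.endswith(".map")


def triage(reqs: Iterable[Req], client_ahead_s: int = 0,
           ticket_ttl_s: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means the trace looks healthy."""
    reqs = [r for r in reqs if not is_noise(r)]
    findings: List[str] = []
    if successful_login_time(reqs) is None:
        return ["no 200 from ipa/session/login_*: login never succeeded"]
    bad = unexpected_401s(reqs)
    if not bad:
        return findings
    findings.append(f"{len(bad)} x 401 on {SESSION_ENDPOINT} after a successful login")
    if client_ahead_s > SKEW_LIMIT_S:
        findings.append(f"client clock is {client_ahead_s // 60} min ahead: "
                        "session expires immediately")
    if ticket_ttl_s is not None and ticket_ttl_s < MIN_TICKET_TTL_S:
        findings.append(f"ticket lifetime {ticket_ttl_s}s is under 5 min: "
                        "session cannot be kept")
    if len(findings) == 1:
        findings.append("clock and ticket lifetime look fine: capture the json "
                        "responses and file a ticket")
    return findings


# Constructed sample modelled on the console errors quoted in the thread.
SAMPLE = [
    Req(0.1, "/ipa/session/json", 401),                     # expected: not authenticated yet
    Req(0.2, "/ipa/session/login_kerberos", 401),           # expected: no ticket in the browser
    Req(0.3, "/ipa/ui/js/libs/jquery-2.0.3.min.map", 404),  # harmless
    Req(2.0, "/ipa/session/login_password", 200),           # form login succeeded
    Req(2.5, "/ipa/session/json", 401),                     # this one is the problem
]

if __name__ == "__main__":
    for line in triage(SAMPLE, client_ahead_s=25 * 60):
        print(line)
```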
From dpal at redhat.com Sat Jun 27 13:42:14 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 09:42:14 -0400
Subject: [Freeipa-users] Kerberos principal add / create
In-Reply-To: <3683162.hBkUp0eKiM@techz>
References: <3683162.hBkUp0eKiM@techz>
Message-ID: <558EA836.80402@redhat.com>

On 06/21/2015 08:47 AM, Günther J. Niederwimmer wrote:
> Hello,
>
> I have had a long way to find out how to read the EMail addresses from IPA
> :-(
>
> Now the way is to read directly from the 386 server. sssd doesn't find more than one
> address.
>
> OK.
>
> I found a readme that tells me to create a "special User"
>
> # dovecota, sysaccounts, etc, 4gjn.prv
> dn: uid=dovecota,cn=sysaccounts,cn=etc,dc=xxxx,dc=xxxx
> objectClass: account
> objectClass: simplesecurityobject
> objectClass: top
> uid: dovecota
> userPassword:: e1NTSEF9TWlKY0FWZkxTd3ZkS2dUZ0xyamV3bUJJbm9TLzRORTlwdU14c1E9PQ=
>
>
> with this user now I can read passwd, uid, mail ,,,,
>
> but the question is, is it possible to add a kerberos principal to this user
> with IPA ?
>
> thanks for an answer,

I am sorry, we are a bit confused by your message. What are you trying to accomplish? SSSD can read extra attributes per account and expose them over D-BUS for the applications. But I am not sure this is what you are looking for. Can you please describe the problem you are trying to solve?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

From janellenicole80 at gmail.com Sat Jun 27 14:54:49 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sat, 27 Jun 2015 07:54:49 -0700
Subject: [Freeipa-users] blank user screen? (web UI)
In-Reply-To: <558EA682.5020708@redhat.com>
References: <5585D506.5080109@gmail.com> <55865B25.5090607@gmail.com> <5587FC75.5080907@redhat.com> <5588189D.5040300@gmail.com> <5588370B.2030209@redhat.com> <55883A48.2070104@gmail.com> <558841B5.3020605@redhat.com> <558EA682.5020708@redhat.com>
Message-ID: <558EB939.9070602@gmail.com>

On 6/27/15 6:34 AM, Dmitri Pal wrote:
> On 06/22/2015 01:11 PM, Petr Vobornik wrote:
>> On 06/22/2015 06:39 PM, Janelle wrote:
>>> On 6/22/15 9:25 AM, Petr Vobornik wrote:
>>>> On 06/22/2015 04:15 PM, Janelle wrote:
>>>>> On 6/22/15 5:15 AM, Petr Vobornik wrote:
>>>>>> On 06/21/2015 08:35 AM, Janelle wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Sure. Just login as a normal user to the WEB UI. Screen is blank:
>>>>>>>
>>>>>>> Of course, if you click on Actions - you will see those and you can click on
>>>>>>> them, but you can't do anything else. This is a vanilla server install, nothing
>>>>>>> fancy. Oh and there is no error message at all. Any browser = same results.
>>>>>>>
>>>>>>> Tried clearing cache, history, web data.. Everything. Many of my users report
>>>>>>> the same thing. This is 7.1 with IPA 4.1.7
>>>>>>>
>>>>>>> Now the funny part - login as "admin" and everything works fine. But I certainly
>>>>>>> can't have everyone logging in as admin. :-)
>>>>>>>
>>>>>>> ~Janelle
>>>>>>
>>>>>> Do you see any error in browser console?
>>>>>>
>>>>>> Does this happen also to a user which doesn't have any RBAC role
>>>>>> assigned (either directly or indirectly)?
>>>>> AHA -- perhaps a clue:
>>>>>
>>>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>>>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>>>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>>>>
>>>>> ~J
>>>>
>>>> These errors are expected. The first two happen when the user is not yet
>>>> authenticated. The third line is just about a file for jquery debugging
>>>> which is not shipped with ipa.
>>>>
>>>> Could you inspect other json requests? Mainly the 3 which are executed
>>>> on navigating to the user details page (or after clicking on the "refresh"
>>>> button on the page). Does the result of the first request (of the
>>>> three) contain user data as in
>>>>
>>>>
>>>> I'm unable to reproduce the issue with
>>>> ipa-server-4.1.0-18.el7_1.3.x86_64.
>>>>
>>>> Do these users have some special permissions/roles/rights?
>>> The user I did the same from is a User Administrator, however, all the
>>> other users are NOT. And if you watch closely, all the details do flash
>>> on the screen, but then disappear. Refresh does nothing. The one thing -
>>> it works flawlessly for the "admin" account.
>>>
>>> versions (I believe in the newest -- perhaps a bad idea)
>>>
>>> freeipa-client-4.1.4-1.el7.centos.x86_64
>>> freeipa-server-4.1.4-1.el7.centos.x86_64
>>> freeipa-python-4.1.4-1.el7.centos.x86_64
>>>
>>>
>>> on a user screen after login - :
>>>
>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (json, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 401 (Unauthorized) (login_kerberos, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>> [Error] Failed to load resource: the server responded with a status of 404 (Not Found) (jquery-2.0.3.min.map, line 0)
>>>
>>> ~Janelle
>>
>> If I understand it correctly, you get a bunch of 401 Unauthorized
>> errors after successful auth? This should not happen. I have seen
>> something similar when clients were a couple of minutes in the future compared to
>> the ipa server (assuming forms based auth is used, otherwise it would
>> fail on obtaining the TGT) because the session expires immediately if clients
>> are more than 20 mins ahead. Or when the krb ticket TTL was less than 5
>> minutes.
>>
>> Are there any "200 Success" requests to "ipa/session/json" or
>> ipa/session/login_password in the network tab as shown on the image:
>> https://pvoborni.fedorapeople.org/images/user_response_data.png after
>> successful login?
>
>
> Was this resolved or do we need to file a ticket to track some bug?
>
Still not resolved. Sorry I got sidetracked on other issues this week - namely Marriage Equality -- Yay! :-)

~Janelle

From yamakasi.014 at gmail.com Sat Jun 27 15:11:24 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 27 Jun 2015 17:11:24 +0200
Subject: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
In-Reply-To: <558EA4CF.9060804@redhat.com>
References: <098f97b60aeccf4d115bf6f0aea625e3@scunc.net> <558EA4CF.9060804@redhat.com>
Message-ID:

Hi,

Not yet, I'm busy with it right now.

I created a bugreport where I'm checking the reference bugs now, but I didn't see a solution that fast.

https://bugzilla.redhat.com/show_bug.cgi?id=1235766

I did do point 3 & 4.

Matt

2015-06-27 15:27 GMT+02:00 Dmitri Pal :
> On 06/23/2015 06:15 PM, Matt . wrote:
>>
>> Anyone some suggestions about this ?
>>
>> I'm thinking about adding from my second 3.x master where I first need
>> to split that cluster to make that happen.
>
>
>
> Was that resolved?
>
>
>
>>
>>
>>
>> 2015-06-22 22:57 GMT+02:00 Matt . :
>>>
>>> OK,
>>>
>>> I'm on the go here but I have some issue.
>>>
>>> When I install the replica server I get this error on the new replica:
>>>
>>> ipa : CRITICAL CA DS schema check failed. Make sure the PKI
>>> service on the remote master is operational.
>>>
>>>
>>> When I restart IPA on the old master I get this:
>>>
>>> PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
>>> the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
>>> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>>> [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
>>> matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
>>> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>>> [ OK ]
>>>
>>> So the error on the replica is not that strange, but how to fix this
>>> on the master ?
>>>
>>> Matt
>>>
>>> 2015-06-22 15:59 GMT+02:00 Hendrik Frenzel :
>>>>
>>>> On 22.06.2015 12:10, Matt . wrote:
>>>>>
>>>>> Hi Guys,
>>>>
>>>>
>>>> Hi Matt,
>>>>
>>>>> I found some good information about migrating from 3.3 to 4.x using
>>>>> replicas.
>>>>>
>>>>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
>>>>> CentOS doesn't provide 3.3.
>>>>
>>>>
>>>> Could you please share a URL or something?
>>>>
>>>> Currently I'm here:
>>>>
>>>> * ipa-6 - CentOS 6.6:
>>>> ipa-admintools-3.0.0-42.el6.centos.x86_64
>>>> ipa-client-3.0.0-42.el6.centos.x86_64
>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>> ipa-python-3.0.0-42.el6.centos.x86_64
>>>> ipa-server-3.0.0-42.el6.centos.x86_64
>>>> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>>>> sssd-ipa-1.11.6-30.el6_6.4.x86_64
>>>> pki-ca-9.0.3-38.el6_6.noarch
>>>>
>>>> * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind,
>>>> bind-dyndb-ldap):
>>>> ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>>>> ipa-client-4.1.0-18.el7.centos.3.x86_64
>>>> ipa-python-4.1.0-18.el7.centos.3.x86_64
>>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>> pki-ca-10.1.2-7.el7.noarch
>>>>
>>>> -1. Update schema
>>>> ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root at ipa-6:
>>>> ipa-6# python copy-schema-to-ca.py
>>>>
>>>> 0. clean up old/stale replication agreements
>>>> ipa-replica-manage del --force ipa-6.example.com
>>>> ipa-csreplica-manage del --force ipa-6.example.com
>>>>
>>>> 1. prepare replication on ipa-6 for ipa-7
>>>> ipa-replica-prepare ipa-7.example.com
>>>>
>>>> 2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
>>>> /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (s.
>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html) >>>> - >>> >>>> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL"> >>>> + >>> >>>> "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit"> >>>> >>>> 3. slow down the network a bit >>>> (don't know how effective it is, as we already got 1GBit, but >>>> without >>>> it, a timing bug in 389-ds-base is triggered - s. >>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html) >>>> tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency >>>> 1ms >>>> burst 1540 >>>> >>>> 4. install replication (without CA for the moment) >>>> ipa-replica-install >>>> /var/lib/ipa/replica-info-ipa-7.example.com.gpg >>>> --setup-dns --mkhomedir --no-forwarders >>>> >>>> Up to now, everything works, but we need the CA too: >>>> >>>> 5. install ca >>>> ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg >>>> >>>> But this won't work and I don't have a clue how to fix/proceed from >>>> here. >>>> >>>> # ipa-7: /var/log/ipareplica-ca-install.log >>>> ipa : DEBUG stderr=pkispawn : WARNING ....... unable >>>> to >>>> validate security domain user/password through REST interface. Interface >>>> not >>>> available >>>> pkispawn : ERROR ....... 
Exception from Java Configuration >>>> Servlet: >>>> Error while updating security domain: java.io.IOException: 2 >>>> >>>> ipa : CRITICAL failed to configure ca instance Command >>>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero >>>> exit status 1 >>>> ipa : DEBUG Traceback (most recent call last): >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 382, in start_creation >>>> run_step(full_msg, method) >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 372, in run_step >>>> method() >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 673, in __spawn_instance >>>> raise RuntimeError('Configuration of CA failed') >>>> RuntimeError: Configuration of CA failed >>>> >>>> # ipa-7: /var/log/pki/pki-tomcat/ca/system >>>> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot >>>> build >>>> CA chain. Error java.security.cert.CertificateException: Certificate is >>>> not >>>> a PKCS #11 certificate >>>> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz >>>> instance DirAclAuthz initialization failed and skipped, error=Property >>>> internaldb.ldapconn.port missing value >>>> >>>> # ipa-7: /var/log/pki/pki-tomcat/ca/debug >>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master >>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase >>>> updateDomainXML start hostname=ipa-6.example.com port=443 >>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: >>>> failed >>>> to update security domain using admin port 443: >>>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White >>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: >>>> now >>>> trying agent port with client auth >>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase >>>> updateDomainXML start hostname=ipa-6.example.com port=443 >>>> 
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() >>>> nickname=subsystemCert cert-pki-ca >>>> [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase >>>> updateDomainXML: status=1 >>>> >>>> # ipa-6: /var/log/httpd/access_log >>>> 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST >>>> /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309 >>>> 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST >>>> /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115 >>>> >>>> # ipa-6: /var/log/pki-ca/debug >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = >>>> /ca/agent/ca/updateDomainXML >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='name' value='CA ipa-7.example.com 8443' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='eeclientauthsport' value='443' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='httpport' value='80' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='sport' value='443' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='dm' value='true' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='adminsport' value='443' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='list' value='CAList' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='clone' value='true' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='type' value='CA' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='agentsport' value='443' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='sessionID' value='-4812857165985662682' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param >>>> name='host' value='ipa-7.example.com' >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML >>>> start >>>> to 
service. >>>> [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing... >>>> [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process: >>>> authentication starts >>>> [22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2 >>>> [22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL >>>> certificate >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA >>>> Subsystem,O=EXAMPLE.COM >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving >>>> client >>>> certificate >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client >>>> certificate >>>> [22/Jun/2015:15:12:59][TP-Processor5]: In >>>> LdapBoundConnFactory::getConn() >>>> [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true >>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected >>>> true >>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2 >>>> [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3 >>>> [22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client >>>> certificate >>>> found >>>> [22/Jun/2015:15:12:59][TP-Processor5]: In >>>> LdapBoundConnFactory::getConn() >>>> [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true >>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected >>>> true >>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2 >>>> [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3 >>>> [22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: >>>> create() >>>> >>>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA >>>> Subsystem,O=EXAMPLE.COM] authentication failure >>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22 >>>> 15:12:59 CEST 2015 id=caUpdateDomainXML 
time=11
>>>>
>>>> # ipa-6: /var/log/pki-ca/system
>>>> 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot
>>>> authenticate agent with certificate Serial 0x272 Subject DN CN=CA
>>>> Subsystem,O=EXAMPLE.COM. Error: User not found
>>>> 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet
>>>> caUpdateDomainXML: Failed to authorize: Invalid Credential..
>>>>
>>>> It would be great if someone could give a hint where to look and what
>>>> user can't authenticate and why.
>>>>
>>>> @Matt: For renaming the IdM server, see
>>>> https://access.redhat.com/solutions/174733 it could possibly help.
>>>>
>>>> b/r
>>>> H.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>
> --
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.

From yamakasi.014 at gmail.com Sat Jun 27 17:06:30 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 27 Jun 2015 19:06:30 +0200
Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local
Message-ID:

Hi All,

When I add a forwarder with policy to forward first, there is only the forwarder and no fallback to local when the record doesn't exist on the forward server.

When I remove the forward server, the local lookup works great again.

Is this known to 3.0 servers or has it been a bug or am I doing something wrong ?
Thanks,
Matt

From dpal at redhat.com Sat Jun 27 17:46:46 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 13:46:46 -0400
Subject: [Freeipa-users] svnserve authentication against IPA
In-Reply-To:
References:
Message-ID: <558EE186.2070106@redhat.com>

On 06/18/2015 05:09 AM, dbischof at hrz.uni-kassel.de wrote:
> Hi,
>
> I have a svnserve (Subversion 1.6.11) running on my IPA server.
> Currently, there's a separate user database with SASL auth:
>
> /etc/sasl2/svn.conf
> ---
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> sasldb_path: /etc/sasldb2
> mech_list: DIGEST-MD5
> ---
>
> XXX/testrepo/conf/svnserve.conf
> ---
> [general]
> anon-access = none
> authz-db = authz
> realm = MYSUBDOMAIN.MYUNIVERSITY.DE
> [sasl]
> use-sasl = true
> min-encryption = 128
> max-encryption = 256
> ---
>
> On a test system, I changed svnserve auth to saslauthd and IPA:
>
> /etc/sasl2/svn.conf
> ---
> pwcheck_method: saslauthd
> auxprop_plugin: ldap
> mech_list: PLAIN
> ldapdb_mech: PLAIN
> ---
>
> XXX/testrepo/conf/svnserve.conf
> ---
> [general]
> anon-access = none
> authz-db = authz
> realm = MYSUBDOMAIN.MYUNIVERSITY.DE
> [sasl]
> use-sasl = true
> min-encryption = 0
> max-encryption = 256
> ---
>
> /etc/saslauthd.conf
> ---
> ldap_servers: ldaps://localhost/
> ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
> ---
>
> Though this setup basically works and svnserve and IPA are running on
> the same machine I'm unhappy with PLAIN and "min-encryption = 0".
>
> What would you suggest to improve security/enable encryption in this
> setup? I considered switching from svnserve to Apache, but that would
> imply that my users will have to get used to something new.
>
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.
>
It seems that no one on the list knows details about svn configuration so if you figure it out please share the results with the list.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
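Daniel's two configurations differ in exactly the settings that decide whether the SASL exchange protects the password and the repository traffic. The script below is an added example, not code from the thread, from Subversion, Cyrus SASL or FreeIPA: it parses the two file formats quoted above (the `key: value` Cyrus SASL application config and the INI-style svnserve.conf) and flags a mechanism that cannot negotiate a security layer, a `min-encryption` of 0, and a saslauthd `ldap_servers` URL that is not `ldaps://`. The embedded configs are copied from the post; the function names, the severity labels and the `NO_LAYER_MECHS` set are this example's own assumptions.

```python
"""Audit svnserve + Cyrus SASL settings for cleartext-credential exposure.

Added example for the svnserve thread; not code from Subversion, Cyrus SASL
or FreeIPA. All function names and the severity scheme are this example's
own; the embedded configs are copied from the post.
"""
import configparser

# Cyrus SASL mechanisms whose plugins cannot negotiate a security layer
# (maximum SSF 0): the password leaves the client exactly as typed unless
# something outside SASL protects the connection (svn+ssh://, a VPN).
# ANONYMOUS is included here as an assumption for completeness; the post
# itself only uses PLAIN and DIGEST-MD5.
NO_LAYER_MECHS = {"PLAIN", "LOGIN", "ANONYMOUS"}


def parse_sasl_conf(text):
    """Parse a Cyrus SASL 'key: value' file (svn.conf, saslauthd.conf)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_svnserve_conf(text):
    """Parse the INI-style svnserve.conf into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def audit_svn_sasl(sasl_conf, svnserve_conf, saslauthd_conf=None):
    """Return [(severity, message)] for the combination of the files."""
    findings = []
    sasl = svnserve_conf.get("sasl", {})
    general = svnserve_conf.get("general", {})
    # svnserve's default for anon-access is "read".
    if general.get("anon-access", "read") != "none":
        findings.append(("medium", "anon-access permits unauthenticated clients"))
    if sasl.get("use-sasl", "false").lower() != "true":
        findings.append(("info", "use-sasl is off; the SASL settings are not in effect"))
        return findings
    mechs = {m.upper() for m in sasl_conf.get("mech_list", "").split()}
    min_enc = int(sasl.get("min-encryption", "0"))
    no_layer = sorted(mechs & NO_LAYER_MECHS)
    if no_layer:
        findings.append(("high", f"mech_list offers {no_layer}: no SASL security layer "
                                 "is possible, so the password crosses svn:// in the clear"))
    if min_enc == 0:
        findings.append(("high", "min-encryption = 0: clients may authenticate and then "
                                 "transfer repository data with no encryption at all"))
    if "DIGEST-MD5" in mechs:
        findings.append(("medium", "DIGEST-MD5 is historic (RFC 6331); with auxprop/sasldb "
                                   "it also needs a cleartext copy of every password in sasldb2"))
    if saslauthd_conf and sasl_conf.get("pwcheck_method") == "saslauthd":
        servers = saslauthd_conf.get("ldap_servers", "")
        if servers and not all(u.startswith("ldaps://") for u in servers.split()):
            findings.append(("high", "saslauthd verifies the password with an LDAP bind "
                                     "over a non-TLS ldap:// URL"))
    return findings


def audit_files(svn_conf_text, svnserve_text, saslauthd_text=None):
    """Parse the raw file contents and audit them."""
    return audit_svn_sasl(parse_sasl_conf(svn_conf_text),
                          parse_svnserve_conf(svnserve_text),
                          parse_sasl_conf(saslauthd_text) if saslauthd_text else None)


# --- Sample input copied from the post (the two setups Daniel quoted) ------
SASLDB_SVN_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5
"""
SASLDB_SVNSERVE_CONF = """\
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""
IPA_SVN_CONF = """\
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
ldapdb_mech: PLAIN
"""
IPA_SVNSERVE_CONF = SASLDB_SVNSERVE_CONF.replace("min-encryption = 128", "min-encryption = 0")
SASLAUTHD_CONF = """\
ldap_servers: ldaps://localhost/
ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
"""

if __name__ == "__main__":
    for label, args in (("sasldb setup", (SASLDB_SVN_CONF, SASLDB_SVNSERVE_CONF)),
                        ("saslauthd/IPA setup", (IPA_SVN_CONF, IPA_SVNSERVE_CONF, SASLAUTHD_CONF))):
        print(f"== {label}")
        for severity, message in audit_files(*args):
            print(f"  [{severity}] {message}")
```

Run against the post's configs, the original sasldb setup gets only the DIGEST-MD5 note, while the saslauthd/IPA setup gets the two high findings that are exactly the two settings Daniel is unhappy with. The leg that matters is the one from the svn client to svnserve over svn://, not the local saslauthd-to-LDAP leg, so svnserve and IPA sharing a host does not change the picture. The earlier config could demand `min-encryption = 128` because DIGEST-MD5 can negotiate a SASL security layer; PLAIN cannot, so the only ways to keep svn:// and still require a layer are a mechanism whose plugin provides one (Cyrus SASL's GSSAPI plugin with an IPA-issued Kerberos ticket is the obvious candidate) or a tunnel such as svn+ssh://. Neither was settled in the thread and neither is demonstrated here.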
From dpal at redhat.com Sat Jun 27 17:49:18 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 13:49:18 -0400
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References:
Message-ID: <558EE21E.8080007@redhat.com>

On 06/18/2015 04:41 AM, Markus.Moj at mc.ingenico.com wrote:
>
> Hi @all,
>
> I am new to freeIPA operating and am facing an issue with the mail object
> in freeIPA. We are running Jira from Atlassian and are trying to
> authenticate against freeIPA. The authentication process is running
> but the mail object is not provided by freeIPA to Jira to inform users
> about new events / trackers or whatsoever. If a test object is
> displayed with ldapsearch the mail attribute is available and set but is
> not usable by Jira.
>
> How is it possible to inherit mail accounts in Jira to be able to
> authenticate and use FreeIPA as IDM for Jira as well as for Linux
> systems.
>
Is there any documentation that explains what Jira expects in this case?
I suspect Jira is looking for some specific object class that might not be set by IPA by default. You can add some object classes to IPA objects, that might potentially help to solve the problem, but some pointers would be helpful to understand the issue first.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Sat Jun 27 17:53:09 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 27 Jun 2015 13:53:09 -0400
Subject: [Freeipa-users] ssh key issues with IPA enabled servers
In-Reply-To:
References: <55805D43.7040005@redhat.com> <5580687D.4010806@redhat.com> , <994252180.3418252.1434489902745.JavaMail.zimbra@redhat.com>
Message-ID: <558EE305.8070903@redhat.com>

On 06/16/2015 06:51 PM, Steven Jones wrote:
> Hi,
>
> I am trying to setup ssh keys into an IPA enabled server. This refuses to work asking for a password each time.
If I drop the server out of IPA the ssh keys then work. > > I can ssh from a non-IPA RHEL7 server to an IPA enabled server but non-IPA user fine, but when I try to go to a IPA user it asks for the password. > > Am I missing a setting in IPA? or do I have a bug or ssh setting I am missing? > > regards > > Steven > Seems like an SSH configuration issue rather than SSSD/IPA issue. Please provide configuration files and logs to be able to troubleshoot from SSH and SSSD. -- Thank you, Dmitri Pal Director of Engineering for IdM portfolio Red Hat, Inc. From abokovoy at redhat.com Sun Jun 28 13:19:19 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Sun, 28 Jun 2015 16:19:19 +0300 Subject: [Freeipa-users] Question for AD trust and Webservices In-Reply-To: <558E9EB1.6030600@redhat.com> References: <74263835052DD843AEBD010BD87EE8DE149307@win10004.member.osthus.de> <74263835052DD843AEBD010BD87EE8DE14988F@win10004.member.osthus.de> <20150617122000.GC24163@redhat.com> <74263835052DD843AEBD010BD87EE8DE1498CC@win10004.member.osthus.de> <20150617135623.GF24163@redhat.com> <5589AACD.8080907@redhat.com> <20150623190246.GB3774@redhat.com> <558DF7AB.8090801@redhat.com> <2039126197.9582354.1435375609154.JavaMail.zimbra@redhat.com> <558E9EB1.6030600@redhat.com> Message-ID: <20150628131919.GA19902@redhat.com> On Sat, 27 Jun 2015, Dmitri Pal wrote: >On 06/26/2015 11:26 PM, Alexander Bokovoy wrote: >> >>----- Original Message ----- >>>On 06/23/2015 03:02 PM, Alexander Bokovoy wrote: >>>>On Tue, 23 Jun 2015, Dmitri Pal wrote: >>>>>On 06/17/2015 09:56 AM, Alexander Bokovoy wrote: >>>>>>On Wed, 17 Jun 2015, Henry Hofmann wrote: >>>>>>>Ok, how can I configure the map of source attributes (mail or any >>>>>>>other) to compat tree? >>>>>>Go back in archives in this list and read discussions about "Single >>>>>>mail >>>>>>deployment in an FreeIPA-WindowsAD scenario". TLDR; not possible in the >>>>>>compat tree as of right now. >>>>>> >>>>>Do we have a ticket for this? 
>>>>No and I don't think it will be possible. slapi-nis is a read-only view,
>>>>it needs to get these attributes from somewhere. Storing values for
>>>>specialized schema in ID overrides is probably going to be too much --
>>>>how are these source attributes to be managed? In the case of 'single mail'
>>>>it would need to be Kolab applications which would need to update such
>>>>attributes, how would Kolab do that?
>>>>
>>>>Enabling slapi-nis to be writeable is going to break a lot and in
>>>>general would not be possible.
>>>I am missing something. Where are the Kolab and writability coming from?
>>>The thread was about allowing email as an extra attribute in the compat
>>>tree.
>>>There is nothing about writability.
>>See https://docs.kolab.org/architecture-and-design/ldap.html, kolabd handles all modifications to LDAP triggered by other interfaces, including but not limited to the web UI.
>>A whole list of attributes that may appear in LDAP for Kolab entries is here:
>>https://git.kolab.org/diffusion/KS/browse/master/kolab3.schema
>Sure but was the request in this thread driven by Kolab? I have not
>seen that in any of the emails.
>Why do we assume that it is because of Kolab?
Because we talked about the other thread and that one was about Kolab and Kolab expects to be able to write to the kolabInetOrgPerson class.

This thread is about email as an extra attribute in the compat tree and we cannot currently add anything like that because we don't have any source to take it from via already configured code paths. SSSD could generate the email attribute off an ID override but the NSS interface doesn't provide any possibility to query it. Using InfoPipe to query such information requires additional configuration and code for both slapi-nis and SSSD -- SSSD has to export these attributes (not done by default on an IPA master), slapi-nis needs to be configured to pull them in for AD users, but this functionality is completely missing.
Technically, I could add such a feature but it would also require another round of thread-aware locking around another channel of communication with SSSD, quite a fragile one, unfortunately. So it is not possible now.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Sun Jun 28 13:25:01 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 28 Jun 2015 16:25:01 +0300
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References:
Message-ID: <20150628132501.GB19902@redhat.com>

On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote:
>Hi @all,
>
>I am new to freeIPA operating and am facing an issue with the mail object
>in freeIPA. We are running Jira from Atlassian and are trying to
>authenticate against freeIPA. The authentication process is running but
>the mail object is not provided by freeIPA to Jira to inform users about
>new events / trackers or whatsoever. If a test object is displayed with
>ldapsearch the mail attribute is available and set but is not usable by
>Jira.
>
>How is it possible to inherit mail accounts in Jira to be able to
>authenticate and use FreeIPA as IDM for Jira as well as for Linux
>systems.

This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your basedn when configuring Jira. If that's the case, then Jira gets results from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if the compat tree is enabled. In the compat tree you have RFC2307 schema which doesn't include the mail attribute, and slapi-nis always answers first to LDAP queries that apply to cn=compat,$SUFFIX, so you end up with two LDAP entries returned for each individual IPA user: one from the compat tree without the mail attribute, the other the original entry from cn=users,cn=accounts,$SUFFIX. Jira most likely expects a single entry response and if it gets more, only evaluates the first entry -- the one that is returned by the compat tree and which doesn't have the mail attribute.
You can solve this issue by bounding your query to cn=accounts,$SUFFIX to only return primary IPA user/group entries.

--
/ Alexander Bokovoy

From rob.verduijn at gmail.com Sun Jun 28 14:57:23 2015
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Sun, 28 Jun 2015 16:57:23 +0200
Subject: [Freeipa-users] certificate alert
Message-ID:

Hello,

Is there an easy way to get alerts for soon-to-expire certificates in freeipa ?

Because the day you forget to do the checks via the gui or cli is the day you will be regretting it.

Cheers
Rob

From abokovoy at redhat.com Sun Jun 28 15:06:16 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 28 Jun 2015 18:06:16 +0300
Subject: [Freeipa-users] certificate alert
In-Reply-To:
References:
Message-ID: <20150628150616.GC19902@redhat.com>

On Sun, 28 Jun 2015, Rob Verduijn wrote:
>Hello,
>
>Is there an easy way to get alerts for soon-to-expire certificates in freeipa ?
>
>Because the day you forget to do the checks via the gui or cli is the
>day you will be regretting it.
This is what certmonger is supposed to provide you. You can run 'ipa-getcert list' to get an output of tracked certificates on the host, including their expiration dates. It is trivial to run this command as part of a cron-based job and then receive reports via cron.
-- / Alexander Bokovoy From giorgio at di.unimi.it Mon Jun 29 08:04:04 2015 From: giorgio at di.unimi.it (Giorgio Biacchi) Date: Mon, 29 Jun 2015 10:04:04 +0200 Subject: [Freeipa-users] UPN suffixes in AD trust In-Reply-To: <20150626180622.GU12661@p.redhat.com> References: <20150624164526.GJ12661@p.redhat.com> <558BD658.40301@di.unimi.it> <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it> <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com> <558D62DD.8020702@di.unimi.it> <20150626180622.GU12661@p.redhat.com> Message-ID: <5590FBF4.7000104@di.unimi.it> On 06/26/2015 08:06 PM, Sumit Bose wrote: > On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote: >> >> >> On 06/26/2015 02:38 PM, Sumit Bose wrote: >>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote: >>>> On 06/25/2015 05:44 PM, Sumit Bose wrote: >>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote: >>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote: >>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote: >>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote: >>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote: >>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote: >>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote: >>>>>>>>>>>> Hi everybody, >>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on >>>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. >>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux >>>>>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local). 
>>>>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
>>>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
>>>>>>>>>>>> UPN (example: john.doe at otherdomain.com).
>>>>>>>>>>>>
>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>>>>>>>>>> Manual configuration of krb5 and/or sssd?
>>>>>>>>>>>
>>>>>>>>>>> Have you tried to login to an IPA client or the server? Please try with
>>>>>>>>>>> an IPA server first. If this does not work it would be nice if you can
>>>>>>>>>>> send the SSSD log files from the IPA server which are generated during
>>>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
>>>>>>>>>>> cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>>
>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the
>>>>>>>>>>> code is available in the IPA provider as well, but I guess no one has
>>>>>>>>>>> actually tried this before.
>>>>>>>>>>>
>>>>>>>>>>> bye,
>>>>>>>>>>> Sumit
>>>>>>>>>>
>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere..
>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>>>>>>>>>> I can only access the server via ssh so I've attached the logs for a successful
>>>>>>>>>> login for account1 at mydomain.local and an unsuccessful login for
>>>>>>>>>> account2 at otherdomain.com done via ssh.
>>>>>>>>>>
>>>>>>>>>> Bye and thanks for your help
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the
>>>>>>>>> trusted AD domain) but only sent to the IPA domain.
>>>>>>>>>
>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix
>>>>>>>>> this? If yes, which version of SSSD are you currently using? Then I can
>>>>>>>>> prepare a test build with the patch on top of this version.
>>>>>>>>> >>>>>>>>> bye, >>>>>>>>> Sumit >>>>>>>>> >>>>>>>> >>>>>>>> Hi, >>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for >>>>>>>> any test. >>>>>>>> >>>>>>>> Here's the packages version for sssd: >>>>>>>> >>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64 >>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch >>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64 >>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64 >>>>>>> >>>>>>> Please try the packages at >>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 . >>>>>>> >>>>>>> bye, >>>>>>> Sumit >>>>>> >>>>>> Hi, >>>>>> I've installed the new RPMs, now if I run on the server: >>>>>> >>>>>> id account1 at mydomain.local >>>>>> id account2 at otherdomain.com >>>>>> id account2 at sub.otherdomain.com >>>>>> >>>>>> all the users are found but I'm still unable to log in via ssh with the accounts >>>>>> @otherdomain.com and @sub.otherdomain.com. >>>>>> >>>>>> In attachment the logs for unsuccessful login for user account2 at otherdomain.com. >>>>> >>>>> Bother, I forgot to add the fix to the pam responder as well, please try >>>>> new packages from >>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 . >>>>> >>>>> bye, >>>>> Sumit >>>>> >>>> >>>> Hi, >>>> I've updated all the packages but still no login. >>>> >>>> Logs follows. >>> >>> I found another issue in the logs which should be fixed by the build >>> from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . >>> >>> Please send the sssd_pam log file as well it might contain more details >>> about what goes wrong during authentication. 
>>>
>>> bye,
>>> Sumit
>>>
>>
>> Hi,
>> packages updated, sssd and kerberos services restarted, cache flushed but still
>> no login on the IPA server.
>>
>> As before, logs attached. I've also included the logs generated by the restart
>> of the sssd service because there were no logs in sssd_pam.log when trying to
>> authenticate.
>>
>> Debug level is set to 6 in the sections:
>>
>> [domain/ipa.mydomain.local]
>> [sssd]
>> [nss]
>> [pam]
>>
>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to
>> increase it.
>>
>
> so far it is sufficient. I have another build for you to try at
> http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343
>
> Thank you for your patience.

Thanks for your help!! Still no successful login.. Logs attached

Bye
--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

(Mon Jun 29 09:59:24 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root (Mon Jun 29 09:59:24 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently (Mon Jun 29 09:59:24 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192] (Mon Jun 29 09:59:24 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f774af44760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:24 2015) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][] (Mon Jun 29 09:59:24 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f774af44760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:24 2015) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Mon Jun 29 09:59:24 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Mon Jun 29 09:59:24 2015) [sssd[pam]] [new_subdomain] (0x0400): Creating
[mydomain.local] as subdomain of [ipa.mydomain.local]! (Mon Jun 29 09:59:24 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f774af44760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:47 2015) [sssd[pam]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down (Mon Jun 29 09:59:48 2015) [sssd[pam]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb (Mon Jun 29 09:59:48 2015) [sssd[pam]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]! (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x7f5f935c1c50 (Mon Jun 29 09:59:48 2015) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1) (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x7f5f935bf040 (Mon Jun 29 09:59:48 2015) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM) (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb (Mon Jun 29 09:59:48 2015) [sssd[pam]] [ldb] (0x0400): asq: Unable to register control with rootdse! (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_process_init] (0x0400): Responder Initialization complete (Mon Jun 29 09:59:48 2015) [sssd[pam]] [get_trusted_uids] (0x0400): All UIDs are allowed. 
(Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/root] to negative cache permanently (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently (Mon Jun 29 09:59:48 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192] (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f5f9266a760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][] (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f5f9266a760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:48 2015) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Mon Jun 29 09:59:48 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Mon Jun 29 09:59:48 2015) [sssd[pam]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]! (Mon Jun 29 09:59:48 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f5f9266a760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe! (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. 
(Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: otherdomain.com (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): user: not set (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: fido.sm.di.otherdomain.com (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 14169 (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: account2 at otherdomain.com (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f5f9266a760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f5f9266a760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: otherdomain.com (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): user: not set (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Mon Jun 29 09:59:56 2015) 
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: fido.sm.di.otherdomain.com (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 14169 (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: account2 at otherdomain.com (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f5f92668ef0:3:account2 at otherdomain.com:U at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][3][1][name=account2 at otherdomain.com:U] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f5f92668ef0:3:account2 at otherdomain.com:U at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f5f9266a760:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed (Mon Jun 29 09:59:56 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [account2 at otherdomain.com@ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found. 
(Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2 at otherdomain.com] to negative cache (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f5f92668ef0:3:account2 at otherdomain.com:U at mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [mydomain.local][3][1][name=account2 at otherdomain.com:U] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f5f92668ef0:3:account2 at otherdomain.com:U at mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f5f92668ef0:3:account2 at otherdomain.com:U at ipa.mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is account2 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): user: account2 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: fido.sm.di.otherdomain.com (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon 
Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 14169 (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: account2 at otherdomain.com (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Mon Jun 29 09:59:57 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f5f92668ef0:3:account2 at otherdomain.com:U at mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]. (Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 39 (Mon Jun 29 10:00:00 2015) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

(Mon Jun 29 09:59:24 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete (Mon Jun 29 09:59:24 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f0dd57c06f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:24 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][] (Mon Jun 29 09:59:24 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f0dd57c06f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:24 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Mon Jun 29 09:59:24 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Mon Jun 29 09:59:24 2015) [sssd[nss]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]!
(Mon Jun 29 09:59:24 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f0dd57c06f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:24 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches. (Mon Jun 29 09:59:24 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache. (Mon Jun 29 09:59:47 2015) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down (Mon Jun 29 09:59:48 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb (Mon Jun 29 09:59:48 2015) [sssd[nss]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]! (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7f61846b7160 (Mon Jun 29 09:59:48 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1) (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7f61846b72f0 (Mon Jun 29 09:59:48 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS) (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb (Mon Jun 29 09:59:48 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse! 
(Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/root] to negative cache permanently (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently (Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells (Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells (Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells (Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells (Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells (Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/sbin/nologin in /etc/shells (Mon Jun 29 09:59:48 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192] (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P[^@]+)@?(?P[^@]*$)]. (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][] (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:48 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Mon Jun 29 09:59:48 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Mon Jun 29 09:59:48 2015) [sssd[nss]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]! (Mon Jun 29 09:59:48 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches. (Mon Jun 29 09:59:48 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache. (Mon Jun 29 09:59:52 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com]. 
(Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found. (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f618381fe80:1:account2 at otherdomain.com:U at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4097][1][name=account2 at otherdomain.com:U] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f618381fe80:1:account2 at otherdomain.com:U at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found. 
(Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2 at otherdomain.com] to negative cache (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found. (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f618381fe80:1:account2 at otherdomain.com:U at mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [mydomain.local][4097][1][name=account2 at otherdomain.com:U] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f618381fe80:1:account2 at otherdomain.com:U at mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f618381fe80:1:account2 at otherdomain.com:U at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f618381fe80:1:account2 at otherdomain.com:U at mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [nobody]. 
(Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nobody' matched without domain, user is nobody (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [nobody] from [] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nobody at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f618381fe80:3:nobody at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4099][1][name=nobody] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f618381fe80:3:nobody at ipa.mydomain.local] (Mon Jun 29 09:59:52 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Mon Jun 29 09:59:52 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f618381fe80:3:nobody at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com]. (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! 
(negative cache) (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com]. (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache) (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2 at otherdomain.com]. 
(Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2 at otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache) (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Mon Jun 29 09:59:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2 at otherdomain.com@mydomain.local] (Mon Jun 29 09:59:56 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f61838216f0:domains at ipa.mydomain.local] (Mon Jun 29 10:00:00 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

(Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=SUDOers,dc=ipa,dc=mydomain,dc=local] (Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=idc01.ipa.mydomain.local)(sudoHost=idc01)(sudoHost=172.21.251.9)(sudoHost=172.21.251.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=SUDOers,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=SUDOers,dc=ipa,dc=mydomain,dc=local] (Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_load_done] (0x0400): Received 0 rules (Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched (Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache (Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules (Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1435586373 (Mon Jun 29 09:59:33 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Smart refresh scheduled at: 1435565673 (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.IPA.MYDOMAIN.LOCAL], [2][No such file or directory] (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of ipa.mydomain.local] (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of mydomain.local] (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed NSS client (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed PAC client (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed PAM client (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): 
Removed SUDO client (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed autofs client (Mon Jun 29 09:59:47 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed SSH client (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option lookup_family_order has value ipv4_first (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_resolver_timeout has value 6 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_resolver_op_timeout has value 6 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_discovery_domain has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_context_init] (0x0400): Created new fail over context, retry timeout is 30 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]! (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x0400): asq: Unable to register control with rootdse! 
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f1c069359c0 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_ipa.mydomain.local,1) (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_new_server] (0x0400): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_ipa.mydomain.local.14159,guid=d72187e35191da3835348efb5590faf4 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_domain has value ipa.mydomain.local (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_backup_server has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_host_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_selinux_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_subdomains_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_master_domain_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] 
[dp_get_options] (0x0400): Option krb5_realm has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_refresh has value 5 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_selinux_refresh has value 5 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_support_srchost is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_automount_location has value default (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_ranges_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_enable_dns_sites is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_server_mode is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_views_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'IPA' (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'idc01.ipa.mydomain.local:0' to service 'IPA' (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [_ipa_servers_init] (0x0400): Added Server idc01.ipa.mydomain.local (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_uri has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_backup_uri has no value (Mon Jun 29 09:59:48 
2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value. (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_search_timeout has value 6 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_network_timeout has value 6 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_filter has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_extra_attrs has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_filter has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option 
ldap_service_search_base has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_autofs_map_master_name has value auto.master
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_schema has value ipa_v1
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 3600
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cert has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_key has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value 56
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_server has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_kdcinfo is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option account_cache_expiration has value 0
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_deref has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has value ipa
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_access_order has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_page_size has value 1000
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_use_tokengroups is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_rfc2307_fallback_to_local_users is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_disable_range_retrieval is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_min_id has value 0
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_max_id has value 0
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_pwdlockout_dn has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option krb5_realm set to IPA.MYDOMAIN.LOCAL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Will look for idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL in default keytab
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL found in keytab.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching IDC01$@IPA.MYDOMAIN.LOCAL found in keytab.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected primary: host/idc01.ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected realm: IPA.MYDOMAIN.LOCAL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/idc01.ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to IPA.MYDOMAIN.LOCAL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_user_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [USER][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_sudo_search_base set to ou=SUDOers,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][cn=ng,cn=alt,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_host_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HOST][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ipa_hbac_search_base set to cn=hbac,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HBAC][cn=hbac,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_selinux_search_base set to cn=selinux,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SELINUX][cn=selinux,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_subdomains_search_base set to cn=trusts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SUBDOMAINS][cn=trusts,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_master_domain_search_base set to cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_MASTER_DOMAIN][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_ranges_search_base set to cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_RANGES][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_views_search_base set to cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_VIEWS][cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_entry_usn has value entryUSN
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has value lastUSN
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_object_class has value posixAccount
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_principal has value krbPrincipalName
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has value memberOf
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uuid has value ipaUniqueID
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_objectsid has value ipaNTSecurityIdentifier
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value modifyTimestamp
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value shadowLastChange
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_min has value shadowMin
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value shadowWarning
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value shadowInactive
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value shadowExpire
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value krbPasswordExpiration
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_disabled has value loginDisabled
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_auth_type has value ipaUserAuthType
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value ipaUserGroup
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_object_class_alt has value posixGroup
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_member has value member
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has value ipaUniqueID
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has value ipaNTSecurityIdentifier
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_type has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_object_class has value ipaNisNetgroup
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member has value member
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_of has value memberOf
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_user has value memberUser
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_host has value memberHost
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_ext_host has value externalHost
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_domain has value nisDomainName
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_uuid has value ipaUniqueID
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_object_class has value ipaHost
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_fqdn has value fqdn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_serverhostname has value serverHostname
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_member_of has value memberOf
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_ssh_public_key has value ipaSshPubKey
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_uuid has value ipaUniqueID
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_objectclass has value ipaHostgroup
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_memberof has value memberOf
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_uuid has value ipaUniqueID
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_object_class has value ipaselinuxusermap
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_user has value memberUser
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_host has value memberHost
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_see_also has value seeAlso
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_selinux_user has value ipaSELinuxUser
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_enabled has value ipaEnabledFlag
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_user_category has value userCategory
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_host_category has value hostCategory
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_uuid has value ipaUniqueID
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_view_class has value nsContainer
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_view_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_overide_object_class has value ipaOverrideAnchor
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_anchor_uuid has value ipaAnchorUUID
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_user_override_object_class has value ipaUserOverride
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_group_override_object_class has value ipaGroupOverride
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_update is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_refresh_interval has value 0
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_iface has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_ttl has value 1200
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_update_ptr is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_force_tcp is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_auth has value gss-tsig
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_create] (0x0400): Periodic task [Cleanup of ipa.mydomain.local] was created
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of ipa.mydomain.local]: scheduling task 10 seconds from now [1435564798]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sssm_ipa_id_init] (0x0100): The value of dns_discovery_domain will be ignored in ipa_server_mode
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_domain has value ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_backup_server has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has value IPA.MYDOMAIN.LOCAL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_refresh has value 5
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_refresh has value 5
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_automount_location has value default
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_enable_dns_sites is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server_mode is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_server has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_ccachedir has value /tmp
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_ccname_template has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_auth_timeout has value 6
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_keytab has value /etc/krb5.keytab
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_validate is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_kpasswd has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_kpasswd has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_store_password_if_offline is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_renewable_lifetime has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_lifetime has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_renew_interval has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_fast has value try
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_fast_principal has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_enterprise_principal is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_kdcinfo is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0400): Option krb5_realm set to IPA.MYDOMAIN.LOCAL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0100): Option krb5_fast_principal set to host/idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_domain has value ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_backup_server has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has value IPA.MYDOMAIN.LOCAL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_refresh has value 5
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_refresh has value 5
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_automount_location has value default
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_enable_dns_sites is FALSE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server_mode is TRUE
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_object_class has value sudoRole
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_name has value cn
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_command has value sudoCommand
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_host has value sudoHost
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_user has value sudoUser
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_option has value sudoOption
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runas has value sudoRunAs
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasuser has value sudoRunAsUser
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasgroup has value sudoRunAsGroup
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notbefore has value sudoNotBefore
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notafter has value sudoNotAfter
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_order has value sudoOrder
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_entry_usn has no value
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [check_ipv4_addr] (0x0200): Loopback IPv4 address 
127.0.0.1 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_object_class has value automountMap (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_name has value automountMapName (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_object_class has value automount (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_key has value automountKey (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_value has value automountInformation (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa]. (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa]. (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa]. (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sss_write_krb5_localauth_snippet] (0x0200): File for localauth plugin configuration is [/var/lib/sss/pubconf/krb5.include.d/localauth_plugin] (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]! 
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [ipa.mydomain.local] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa.mydomain.local] (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_domain has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_server has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_backup_server has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_hostname has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_keytab has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_enable_dns_sites is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_access_filter has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_enable_gc is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_access_control has value permissive (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_cache_timeout has value 5 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_interactive has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_remote_interactive has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_network has no value (Mon Jun 29 09:59:48 
2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_batch has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_service has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_permit has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_deny has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_default_right has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_uri has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_backup_uri has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_bind_dn has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_authtok_type has value password (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_authtok has no binary value. 
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_search_timeout has value 6 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_network_timeout has value 6 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_opt_timeout has value 6 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_reqcert has value hard (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_scope has value sub (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_filter has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_extra_attrs has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_scope has value sub (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_filter has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_service_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900 (Mon Jun 
29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_use_host_filter is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_hostnames has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_ip has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_include_netgroups is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_include_regexp is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_autofs_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_autofs_map_master_name has value auto.master (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_schema has value ad (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_offline_timeout has value 60 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_force_upper_case_realm is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_enumeration_refresh_timeout has value 300 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_purge_cache_timeout has value 10800 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cacert has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cacertdir has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cert has no value (Mon Jun 29 09:59:48 2015) 
[sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_key has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cipher_suite has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_id_use_start_tls is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_id_mapping is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_mech has value gssapi (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_authid has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_realm has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_minssf has value -1 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_keytab has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_init_creds is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_server has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_backup_server has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_canonicalize is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_use_kdcinfo is TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_pwd_policy has value none (Mon Jun 29 09:59:48 2015) 
[sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_referrals is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option account_cache_expiration has value 0 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_dns_service_name has value ldap (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_access_filter has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_netgroup_search_base has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_nesting_level has value 2 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_deref has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_account_expire_policy has value ad (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_access_order has value filter (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_uri has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_backup_uri has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_dns_service_name has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_update_last_change is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_enumeration_search_timeout has value 60 (Mon Jun 29 09:59:48 2015) 
[sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_page_size has value 1000 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_deref_threshold has value 10 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_canonicalize is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_connection_expire_timeout has value 900 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_disable_paging is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_min has value 200000 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_max has value 2000200000 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_size has value 200000 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_autorid_compat is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_default_domain has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_default_domain_sid has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_use_tokengroups is 
TRUE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_rfc2307_fallback_to_local_users is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_disable_range_retrieval is FALSE (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_min_id has value 0 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_max_id has value 0 (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_pwdlockout_dn has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_entry_usn has value uSNChanged (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_rootdse_last_usn has value highestCommittedUSN (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_object_class has value user (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_name has value sAMAccountName (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_pwd has value unixUserPassword (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_uid_number has value uidNumber (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_gid_number has value gidNumber (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_gecos has value gecos (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_home_directory has value unixHomeDirectory (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shell has value loginShell (Mon Jun 29 09:59:48 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_principal has value userPrincipalName (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_fullname has value name (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_member_of has value memberOf (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_uuid has value objectGUID (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_objectsid has value objectSID (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_primary_group has value primaryGroupID (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_modify_timestamp has value whenChanged (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_entry_usn has value uSNChanged (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_last_change has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_min has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_max has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_warning has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_inactive has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_expire has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_flag has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] 
[sdap_copy_map] (0x0400): Option ldap_user_krb_last_pwd_change has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_krb_password_expiration has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_pwd_attribute has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_authorized_service has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_ns_account_lock has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_authorized_host has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_disabled has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_expiration_time has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ssh_public_key has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_auth_type has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_object_class has value group (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_object_class_alt has no value (Mon Jun 29 09:59:48 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_name has value name (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_pwd has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_gid_number has value gidNumber (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_member has value member (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_uuid has value objectGUID (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_objectsid has value objectSID (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_modify_timestamp has value whenChanged (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_entry_usn has value uSNChanged (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_type has value groupType (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_object_class has value nisNetgroup (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_name has value cn (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_member has value memberNisNetgroup (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_triple has value nisNetgroupTriple (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_modify_timestamp has value modifyTimestamp (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_object_class has value ipService (Mon Jun 29 09:59:48 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_name has value cn (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_port has value ipServicePort (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_entry_usn has no value (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ad_set_ad_id_options] (0x0100): Option krb5_realm set to IPA.MYDOMAIN.LOCAL (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Will look for idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in default keytab (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL found in keytab. (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching IDC01$@IPA.MYDOMAIN.LOCAL found in keytab. 
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected primary: host/idc01.ipa.mydomain.local (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected realm: IPA.MYDOMAIN.LOCAL (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/idc01.ipa.mydomain.local (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to IPA.MYDOMAIN.LOCAL (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'mydomain.local' (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'gc_mydomain.local' (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_srv_server] (0x0400): Adding new SRV server to service 'gc_mydomain.local' using 'tcp'. (Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_srv_server] (0x0400): Adding new SRV server to service 'mydomain.local' using 'tcp'. 
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_fo_set_srv_lookup_plugin] (0x0400): Trying to set SRV lookup plugin to AD
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_fo_set_srv_lookup_plugin] (0x0400): SRV lookup plugin is now AD
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_domain_subdom_add] (0x0400): subdomain mydomain.local is a new one, will create a new sdap domain object
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_create] (0x0400): Periodic task [Cleanup of mydomain.local] was created
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of mydomain.local]: scheduling task 10 seconds from now [1435564798]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [become_user] (0x0200): Trying to become user [0][0].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [become_user] (0x0200): Already user [0].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [main] (0x0400): Backend provider (ipa.mydomain.local) started!
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1435564798
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f1c069609b0.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f1c069609b0
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f1c06960e40]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f1c06962d00.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f1c06962d00
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f1c06963560]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f1c06964800.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f1c06964800
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f1c06965230]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f1c069664a0.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f1c069664a0
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f1c06966ed0]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f1c06968140.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f1c06968140
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f1c06969190]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7f1c06965230]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [SUDO]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains []
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'idc01.ipa.mydomain.local' in files
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'idc01.ipa.mydomain.local' as 'resolving name'
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'idc01.ipa.mydomain.local' as 'name resolved'
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server idc01.ipa.mydomain.local: [172.21.251.9] TTL 7200
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://idc01.ipa.mydomain.local'
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400)
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server idc01.ipa.mydomain.local: [172.21.251.9] TTL 7200
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7f1c06960e40]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [SSH]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains []
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7f1c06969190]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [autofs]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains []
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7f1c06966ed0]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains []
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f1c06984eb0.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f1c06984eb0
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f1c06985670]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7f1c06985670]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [PAC]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains []
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7f1c06963560]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [NSS]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains []
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [14167] finished successfully.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435651188]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/idc01.ipa.mydomain.local
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'idc01.ipa.mydomain.local' as 'working'
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'idc01.ipa.mydomain.local' as 'working'
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'idc01.ipa.mydomain.local' as 'working'
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ad_online_cb] (0x0400): The AD provider is online
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:48 2015) [sssd[be[ipa.mydomain.local]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2 at otherdomain.com:U]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2 at otherdomain.com)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=account2 at otherdomain.com:U]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2 at otherdomain.com))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_send] (0x0400): About to find domain controllers
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_dc_servers_done] (0x0400): Found 3 domain controllers in domain mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_send] (0x0400): Resolving host dc02.mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc02.mydomain.local' in files
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc02.mydomain.local' in files
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc02.mydomain.local' in DNS
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc02.mydomain.local:389
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc02.mydomain.local:389
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=mydomain.local)(NtVer=\14\00\00\00))][].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_servers_send] (0x0400): Looking up primary servers
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'Default-First-Site-Name._sites.mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_servers_primary_done] (0x0400): Looking up backup servers
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_servers_done] (0x0400): Got 3 primary and 3 backup servers
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc02.mydomain.local:389' to service 'mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc01.mydomain.local:389' to service 'mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc03.mydomain.local:389' to service 'mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc03.mydomain.local:389' for service 'mydomain.local' is already present
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc01.mydomain.local:389' for service 'mydomain.local' is already present
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc02.mydomain.local:389' for service 'mydomain.local' is already present
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'mydomain.local' as 'resolved'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc02.mydomain.local' in files
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'resolving name'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc02.mydomain.local' in files
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc02.mydomain.local' in DNS
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'name resolved'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc02.mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc02.mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400)
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [14171] finished successfully.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435651192]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/idc01.ipa.mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc02.mydomain.local' as 'working'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'working'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dc02.mydomain.local' as 'working'
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(userPrincipalName=account2 at otherdomain.com)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectClass=ipaexternalgroup][dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ext_groups_done] (0x0400): [0] external groups found.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0080): User [account2 at otherdomain.com] not found in cache.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=nobody]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nobody)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=account2]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local]
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=account2)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0400): No external groupmemberships found.
(Mon Jun 29 09:59:52 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account2 at otherdomain.com:U]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2 at otherdomain.com)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found.
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account2 at otherdomain.com:U]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2 at otherdomain.com))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'gc_mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_send] (0x0400): About to find domain controllers (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain mydomain.local (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... 
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_dc_servers_done] (0x0400): Found 3 domain controllers in domain mydomain.local (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_send] (0x0400): Resolving host dc02.mydomain.local (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc02.mydomain.local' in files (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc02.mydomain.local' in files (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc02.mydomain.local' in DNS (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc02.mydomain.local:389 (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc02.mydomain.local:389 (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=mydomain.local)(NtVer=\14\00\00\00))][]. 
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_servers_send] (0x0400): Looking up primary servers (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'gc'. Will use DNS discovery domain 'Default-First-Site-Name._sites.mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.Default-First-Site-Name._sites.mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_servers_primary_done] (0x0400): Looking up backup servers (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'gc'. Will use DNS discovery domain 'mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... 
(Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_servers_done] (0x0400): Got 3 primary and 3 backup servers (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc02.mydomain.local:3268' to service 'gc_mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc03.mydomain.local:3268' to service 'gc_mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc01.mydomain.local:3268' to service 'gc_mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc01.mydomain.local:3268' for service 'gc_mydomain.local' is already present (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc03.mydomain.local:3268' for service 'gc_mydomain.local' is already present (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc02.mydomain.local:3268' for service 'gc_mydomain.local' is already present (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'gc_mydomain.local' as 'resolved' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600 (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc02.mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc02.mydomain.local:3268' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds 
timeout for connecting (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6] (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400) (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local' (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc02.mydomain.local: [172.21.251.12] TTL 3600 (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87 (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Mon Jun 29 09:59:56 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent! (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [14173] finished successfully. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435651197] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/idc01.ipa.mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'dc02.mydomain.local' as 'working' (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc02.mydomain.local' as 'working' (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 3268 of duplicate server 'dc02.mydomain.local' as 'working' (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(userPrincipalName=account2 at otherdomain.com)(objectclass=user)(objectSID=*))][dc=mydomain,dc=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=account2 at otherdomain.com,OU=Personale,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545 (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1107 will be downloaded (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1608 will be downloaded (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-513 will be downloaded (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1107)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Domain Users,CN=Users,DC=mydomain,DC=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=group)(name=*))][CN=Domain Users,CN=Users,DC=mydomain,DC=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group 
Domain Users at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa at mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4 at mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3 at mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2 at mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test at mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUser at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUser at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUser at mydomain.local]. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUser at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x0400): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0080): A group with the same GID [0] was removed from the cache (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x0400): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0080): sysdb_add_group failed (while renaming group) for: SophosUser at mydomain.local [0]. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUser at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUser at mydomain.local]: [File exists] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 1. Ignoring. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users at mydomain.local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1608)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group. (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local]. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x0400): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0080): A group with the same GID [0] was removed from the cache (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x0400): Error: 17 (File exists) (Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0080): sysdb_add_group failed (while renaming group) for: SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local [0]. 
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264@mydomain.local]: [File exists]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0080): User [account2@otherdomain.com] not found in cache.
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): domain: mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): user: account2@mydomain.local
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): service: sshd
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): tty: ssh
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): ruser:
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): rhost: fido.sm.di.otherdomain.com
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): priv: 1
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): cli_pid: 14169
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [pam_print_data] (0x0100): logon name: not set
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server idc01.ipa.mydomain.local: [172.21.251.9] TTL 7200
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [14174] finished successfully.
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][mydomain.local]
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_execute] (0x0400): Task [Cleanup of ipa.mydomain.local]: executing task, timeout 3600 seconds
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_done] (0x0400): Task [Cleanup of ipa.mydomain.local]: finished successfully
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of ipa.mydomain.local]: scheduling task 3600 seconds from last execution time [1435568398]
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_execute] (0x0400): Task [Cleanup of mydomain.local]: executing task, timeout 10800 seconds
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [cleanup_groups] (0x0200): Found 2 expired group entries!
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_done] (0x0400): Task [Cleanup of mydomain.local]: finished successfully
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of mydomain.local]: scheduling task 10800 seconds from last execution time [1435575598]
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=SUDOers,dc=ipa,dc=mydomain,dc=local]
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=idc01.ipa.mydomain.local)(sudoHost=idc01)(sudoHost=172.21.251.9)(sudoHost=172.21.251.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=SUDOers,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=SUDOers,dc=ipa,dc=mydomain,dc=local]
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_load_done] (0x0400): Received 0 rules
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1435586398
(Mon Jun 29 09:59:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Smart refresh scheduled at: 1435565698

From jhrozek at redhat.com Mon Jun 29 08:17:33 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 29 Jun 2015 10:17:33 +0200
Subject: [Freeipa-users] username case sensitivity
In-Reply-To: <558DF895.5010807@redhat.com>
References: <9cfa2752940f4897b3cad87232ab8952@TCCCORPEXCH02.TCC.local> <20150515194431.GA1242@mail.corp.redhat.com> <20150517212321.GA15861@hendrix.redhat.com> <002b3de875284413aef030b385c9c0c0@TCCCORPEXCH02.TCC.local> <20150518080708.GE15861@hendrix.redhat.com> <277c549fbecf47fcac21b35bc146506f@TCCCORPEXCH02.TCC.local> <558DF895.5010807@redhat.com>
Message-ID: <20150629081733.GA6442@hendrix.redhat.com>

On Fri, Jun 26, 2015 at 09:12:53PM -0400, Dmitri Pal wrote:
> On 05/18/2015 06:16 AM, Andy Thompson wrote:
> >>-----Original Message-----
> >>From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> >>Sent: Monday, May 18, 2015 4:07 AM
> >>To: Andy Thompson
> >>Cc: freeipa-users at redhat.com
> >>Subject: Re: [Freeipa-users] username case sensitivity
> >>
> >>On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
> >>>>-----Original Message-----
> >>>>From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> >>>>Sent: Sunday, May 17, 2015 5:23 PM
> >>>>To: freeipa-users at redhat.com
> >>>>Subject: Re: [Freeipa-users] username case sensitivity
> >>>>
> >>>>On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> >>>>>On (15/05/15 17:27), Andy Thompson wrote:
> >>>>>>Is there a way to enforce case sensitivity for trusted AD users? I am
> >>>>>>trying to use username for ssh chroots and I can authenticate
> >>>>>>with any case combination of but if ssh is set to match
> >>>>>>on then the chroot is not enforced and the user is
> >>>>>>dropped to their usual home directory. I found a case_sensitive
> >>>>>>option for sssd but it does not
> >>>>>>seem to have any effect. Running RHEL6.6 clients.
> >>>>>IPA domain is by default case sensitive.
> >>>>>So you will not change anything if you put "case_sensitive = true"
> >>>>>into the domain section of sssd.conf.
> >>>>>
> >>>>>But SSSD will create subdomains for each AD domain. It is a
> >>>>>different id_provider, therefore different default values are used
> >>>>>for subdomains, and for the AD provider it is case *insensitive* by default.
> >>>>>
> >>>>>Currently there's no way to change it for subdomains (AD
> >>>>>trusted domains)
> >>>>>
> >>>>What are you using for the SSH matching? The way the case
> >>>>insensitiveness is implemented in SSSD is that all usernames are
> >>>>forcibly lowercased on output, so as long as SSH uses the standard
> >>>>NSS calls, you should be good with using the lowercase usernames..
> >>>>
> >>>They were initially all in lower case and working when I tested and finalized
> >>>the setup. I passed the credentials off and they used mixed case and the
> >>>match stopped working.
> >>
> >>What is "they"? I guess not SSSD but grabbing the data directly from LDAP?
> >The match clauses in the sshd config were set to use lower case names. It is using sssd, just a regular ipa client installation. If I logged in using USERName instead of username, the match clause did not work.
> >
> >-andy
>
> Do we have any follow up on this thread? Have we closed the loop and filed a
> ticket?
> I had a couple of complaints of a similar matter during Red Hat Summit.
> It seems that this is one of the emerging issues for the trust environments.

I wonder if it's still an issue with 1.12.x and the Kerberos plugin Sumit wrote. Do we have a way to track these requests?

Andy, if you have some test machines, could you give 6.7 a try?

From lslebodn at redhat.com Mon Jun 29 08:53:02 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 29 Jun 2015 10:53:02 +0200
Subject: [Freeipa-users] hesitate to deploy freeipa
In-Reply-To:
References: <1435247245.22563.63.camel@willson.usersys.redhat.com> <558C4486.70101@alumni.ethz.ch> <558C48C0.80503@redhat.com> <558D03AB.3020807@redhat.com> <20150626101802.GG30758@mail.corp.redhat.com> <558D2E1A.5090109@redhat.com>
Message-ID: <20150629085301.GB21782@mail.corp.redhat.com>

On (26/06/15 10:10), Prasun Gera wrote:
>>
>> More importantly, ipa-client-install is just a thin configuration tool. If
>> ipa-client-install is not available on your platform you can configure
>> everything manually and it will work (as long as the client is
>> standard-compliant).
>>
>> I.e. the client side is *in the worst case* (without ipa-client-install)
>> equally hard to set up as for any home-made solution.
>>
>
>Yes, on Ubuntu 12.04, the issue is probably more related to the script than
>the underlying packages, which I upgraded from their respective ppas. The
>most complete documentation for getting ipa running, ironically, comes from
>this bug report
>https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1280215 which is
>marked as won't fix. (This affects 12.04 btw which is lts).
>
>On FreeNAS, it has to do with Heimdal v/s MIT kerberos.
>https://bugs.pcbsd.org/issues/2147

SSSD on FreeBSD is compiled with MIT kerberos (/usr/local/*) and not with
the default Heimdal which is in the standard paths.

LS

From pspacek at redhat.com Mon Jun 29 09:20:02 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 29 Jun 2015 11:20:02 +0200
Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local
In-Reply-To:
References:
Message-ID: <55910DC2.30807@redhat.com>

On 27.6.2015 19:06, Matt . wrote:
> Hi All,
>
> When I add a forwarder with policy to forward first, there is only
> forwarder and not a fallback to local when the record doesn't exist on
> the forward server.
>
> When I remove the forwardserver, the local lookup works great again.
>
> Is this known to 3.0 servers or has it been a bug or am I doing something wrong ?

Forwarders in FreeIPA behave in the same way as in BIND 9.9 and the behavior you describe seems to be okay.

The behavior is summarized in a nice table here:
http://www.freeipa.org/page/V4/Forward_zones#Use_Cases

In other words, there is no such thing as 'look into this zone and look into that zone if the first zone does not contain an answer'. Such behavior would break the very basic principle of DNS - division into independent, self-contained zones.

What are you trying to achieve? What is the use-case?

Please note that in FreeIPA < 4.1 zones with a non-empty 'forwarders' attribute were automatically configured as forward zones. The split into pure forward and master zones happened in FreeIPA 4.1.
-- 
Petr^2 Spacek

From giorgio at di.unimi.it Mon Jun 29 09:24:00 2015
From: giorgio at di.unimi.it (Giorgio Biacchi)
Date: Mon, 29 Jun 2015 11:24:00 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <20150629083008.GA4748@p.redhat.com>
References: <20150625105633.GN12661@p.redhat.com> <558BE0AE.3020603@di.unimi.it> <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com> <558D62DD.8020702@di.unimi.it> <20150626180622.GU12661@p.redhat.com> <5590FBF4.7000104@di.unimi.it> <20150629083008.GA4748@p.redhat.com>
Message-ID: <55910EB0.90406@di.unimi.it>

On 06/29/2015 10:30 AM, Sumit Bose wrote:
> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
>> On 06/26/2015 08:06 PM, Sumit Bose wrote:
>>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
>>>>
>>>>
>>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>>>>>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux
>>>>>>>>>>>>>> host joined to IPA server using AD credentials (username@mydomain.local).
>>>>>>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
>>>>>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using an alternative
>>>>>>>>>>>>>> UPN (example: john.doe@otherdomain.com).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>>>>>>>>>>>> Manual configuration of krb5 and/or sssd?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Have you tried to login to an IPA client or the server? Please try with
>>>>>>>>>>>>> an IPA server first. If this does not work it would be nice if you can
>>>>>>>>>>>>> send the SSSD log files from the IPA server which are generated during
>>>>>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
>>>>>>>>>>>>> cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the
>>>>>>>>>>>>> code is available in the IPA provider as well, but I guess no one has
>>>>>>>>>>>>> actually tried this before.
>>>>>>>>>>>>>
>>>>>>>>>>>>> bye,
>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>
>>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere..
>>>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>>>>>>>>>>>> I can only access the server via ssh so I've attached the logs for a successful
>>>>>>>>>>>> login for account1@mydomain.local and an unsuccessful login for
>>>>>>>>>>>> account2@otherdomain.com done via ssh.
>>>>>>>>>>>>
>>>>>>>>>>>> Bye and thanks for your help
>>>>>>>>>>>>
>>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the
>>>>>>>>>>> trusted AD domain) but only sent to the IPA domain.
>>>>>>>>>>>
>>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix
>>>>>>>>>>> this? If yes, which version of SSSD are you currently using? Then I can
>>>>>>>>>>> prepare a test build with the patch on top of this version.
>>>>>>>>>>>
>>>>>>>>>>> bye,
>>>>>>>>>>> Sumit
>>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
>>>>>>>>>> any test.
>>>>>>>>>>
>>>>>>>>>> Here's the packages version for sssd:
>>>>>>>>>>
>>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>
>>>>>>>>> Please try the packages at
>>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>>>>>>>
>>>>>>>>> bye,
>>>>>>>>> Sumit
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I've installed the new RPMs, now if I run on the server:
>>>>>>>>
>>>>>>>> id account1@mydomain.local
>>>>>>>> id account2@otherdomain.com
>>>>>>>> id account2@sub.otherdomain.com
>>>>>>>>
>>>>>>>> all the users are found but I'm still unable to log in via ssh with the accounts
>>>>>>>> @otherdomain.com and @sub.otherdomain.com.
>>>>>>>>
>>>>>>>> In attachment the logs for unsuccessful login for user account2@otherdomain.com.
>>>>>>>
>>>>>>> Bother, I forgot to add the fix to the pam responder as well, please try
>>>>>>> new packages from
>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>>
>>>>>> Hi,
>>>>>> I've updated all the packages but still no login.
>>>>>>
>>>>>> Logs follow.
>>>>>
>>>>> I found another issue in the logs which should be fixed by the build
>>>>> from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .
>>>>>
>>>>> Please send the sssd_pam log file as well, it might contain more details
>>>>> about what goes wrong during authentication.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>> Hi,
>>>> packages updated, sssd and kerberos services restarted, cache flushed but still
>>>> no login on the IPA server.
>>>>
>>>> As before, logs attached. I've also included the logs generated by the restart
>>>> of the sssd service because there were no logs in sssd_pam.log when trying to
>>>> authenticate.
>>>>
>>>> Debug level is set to 6 in the sections:
>>>>
>>>> [domain/ipa.mydomain.local]
>>>> [sssd]
>>>> [nss]
>>>> [pam]
>>>>
>>>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to
>>>> increase it.
>>>>
>>>
>>> so far it is sufficient. I have another build for you to try at
>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343
>>>
>>> Thank you for your patience.
>>
>> Thanks for your help!!
>>
>> Still no successful login.. Logs attached
>
> Please increase the debug level at least for the domain log to 9 and
> attach the krb5_child log as well.
>

Debug level increased and logs attached.. I'm sending this email again because I forgot to reply to the list...

Bye

-- 
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
-------------- next part --------------
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [become_user] (0x0200): Trying to become user [1539411202][1539411202].
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [main] (0x0400): Will perform online auth
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [OTHERDOMAIN.COM]
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "OTHERDOMAIN.COM"]
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [map_krb5_error] (0x0020): 1065: [-1765328230][Cannot find KDC for realm "OTHERDOMAIN.COM"]
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon Jun 29 09:59:57 2015) [[sssd[krb5_child[14174]]]] [main] (0x0400): krb5_child completed successfully
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [main] (0x0400): krb5_child started.
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [unpack_buffer] (0x1000): total buffer size: [131]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [unpack_buffer] (0x0100): cmd [241] uid [1539411202] gid [1539411202] validate [true] enterprise principal [false] offline [false] UPN [account2@OTHERDOMAIN.COM]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [unpack_buffer] (0x2000): No old ccache
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1539411202] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL in keytab.
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [match_principal] (0x1000): Principal matched to the sample (host/idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL).
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [become_user] (0x0200): Trying to become user [1539411202][1539411202].
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [main] (0x2000): Running as [1539411202][1539411202].
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [k5c_setup] (0x2000): Running as [1539411202][1539411202].
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [main] (0x0400): Will perform online auth
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [OTHERDOMAIN.COM]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.793081: Getting initial credentials for account2@OTHERDOMAIN.COM
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.795981: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.MYDOMAIN.LOCAL
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.796074: Retrieving host/idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/OTHERDOMAIN.COM\@OTHERDOMAIN.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.MYDOMAIN.LOCAL with result: -1765328243/Matching credential not found
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.796147: Sending request (169 bytes) to OTHERDOMAIN.COM
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.799178: Retrying AS request with master KDC
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.799216: Getting initial credentials for account2@OTHERDOMAIN.COM
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.799247: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.MYDOMAIN.LOCAL
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.799282: Retrieving host/idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/OTHERDOMAIN.COM\@OTHERDOMAIN.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.MYDOMAIN.LOCAL with result: -1765328243/Matching credential not found
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [sss_child_krb5_trace_cb] (0x4000): [14326] 1435567150.799319: Sending request (169 bytes) to OTHERDOMAIN.COM (master)
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "OTHERDOMAIN.COM"]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [map_krb5_error] (0x0020): 1065: [-1765328230][Cannot find KDC for realm "OTHERDOMAIN.COM"]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [k5c_send_data] (0x4000): Response sent.
(Mon Jun 29 10:39:10 2015) [[sssd[krb5_child[14326]]]] [main] (0x0400): krb5_child completed successfully
-------------- next part --------------
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 14169
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: account2@otherdomain.com
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f5f92668ef0:3:account2@otherdomain.com:U@mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][mydomain.local]
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
(Mon Jun 29 09:59:57 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 39
(Mon Jun 29 10:00:00 2015) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]!
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x7f4317200c50
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1)
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x7f43171fe040
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM)
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_process_init] (0x0400): Responder Initialization complete
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [get_trusted_uids] (0x0400): All UIDs are allowed.
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/root] to negative cache permanently
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f4316b8e760:domains@ipa.mydomain.local]
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][]
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f4316b8e760:domains@ipa.mydomain.local]
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Mon Jun 29 10:38:57 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Mon Jun 29 10:38:58 2015) [sssd[pam]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]!
(Mon Jun 29 10:38:58 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f4316b8e760:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe!
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: otherdomain.com
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): user: not set
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: host01.srv.otherdomain.com
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 14321
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: account2@otherdomain.com
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f4316b8e760:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f4316b8e760:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: otherdomain.com
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): user: not set
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: host01.srv.otherdomain.com
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 14321
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: account2@otherdomain.com
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f4316b8cef0:3:account2@otherdomain.com:U@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][3][1][name=account2@otherdomain.com:U]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f4316b8cef0:3:account2@otherdomain.com:U@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f4316b8e760:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [account2@otherdomain.com@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2@otherdomain.com] found.
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2@otherdomain.com] to negative cache
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f4316b8cef0:3:account2@otherdomain.com:U@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [mydomain.local][3][1][name=account2@otherdomain.com:U]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f4316b8cef0:3:account2@otherdomain.com:U@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f4316b8cef0:3:account2@otherdomain.com:U@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is account2@mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): user: account2@mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: host01.srv.otherdomain.com
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 14321
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: account2@otherdomain.com
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f4316b8cef0:3:account2@otherdomain.com:U@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
(Mon Jun 29 10:39:10 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 39
(Mon Jun 29 10:39:14 2015) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
-------------- next part --------------
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [root], fail!
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [root].
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [ipa.mydomain.local]! (negative cache)
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Mon Jun 29 10:37:56 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]!
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7f41f55e4160
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))].
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7f41f55e42f0
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/root] to negative cache permanently
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/sbin/nologin in /etc/shells
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P[^@]+)@?(?P[^@]*$)].
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][]
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Mon Jun 29 10:38:57 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Mon Jun 29 10:38:58 2015) [sssd[nss]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]!
(Mon Jun 29 10:38:58 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:38:58 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Mon Jun 29 10:38:58 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@ipa.mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2@otherdomain.com] found.
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f41f4142e80:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4097][1][name=account2@otherdomain.com:U]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f41f4142e80:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@ipa.mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2@otherdomain.com] found.
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ipa.mydomain.local/account2@otherdomain.com] to negative cache
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f41f4142e80:1:account2@otherdomain.com:U@mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [mydomain.local][4097][1][name=account2@otherdomain.com:U]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f41f4142e80:1:account2@otherdomain.com:U@mydomain.local]
(Mon Jun 29 10:39:04 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f41f4142e80:1:account2@otherdomain.com:U@ipa.mydomain.local]
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f41f4142e80:1:account2@otherdomain.com:U@mydomain.local]
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [nobody].
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nobody' matched without domain, user is nobody
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [nobody] from []
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nobody@ipa.mydomain.local]
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f41f4142e80:3:nobody@ipa.mydomain.local]
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.mydomain.local][4099][1][name=nobody]
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f41f4142e80:3:nobody@ipa.mydomain.local]
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Mon Jun 29 10:39:06 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f41f4142e80:3:nobody@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account2@otherdomain.com].
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [account2@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [account2@otherdomain.com@mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f41f41446f0:domains@ipa.mydomain.local]
(Mon Jun 29 10:39:14 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
-------------- next part --------------
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nobody)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Mon Jun 29 10:37:56 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Mon Jun 29 10:38:26 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.IPA.MYDOMAIN.LOCAL], [2][No such file or directory]
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of ipa.mydomain.local]
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of mydomain.local]
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed PAC client
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed autofs client
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed PAM client
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed SUDO client
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed NSS client
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_destructor] (0x0400): Removed SSH client
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option lookup_family_order has value ipv4_first
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_resolver_timeout has value 6
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_resolver_op_timeout has value 6
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dns_discovery_domain has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_context_init] (0x0400): Created new fail over context, retry timeout is 30
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [confdb_get_domain_internal] (0x0400): No enumeration for [ipa.mydomain.local]!
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_domain_init_internal] (0x0200): DB File for ipa.mydomain.local: /var/lib/sss/db/cache_ipa.mydomain.local.ldb
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49976dbc30
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49976dc540
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49976dbc30 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49976dc540 "ltdb_timeout"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49976dbc30 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49976dd6b0
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49976f16e0
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49976dd6b0 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49976f16e0 "ltdb_timeout"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49976dd6b0 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49976dca20
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49976dcb50
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49976dca20 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49976dcb50 "ltdb_timeout"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49976dca20 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f49976f19c0
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_add_watch] (0x2000): 0x7f49976f2970/0x7f49976f1840 (15), -/W (enabled)
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976dcaf0 (15), R/- (disabled)
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/service without fallback
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_ipa.mydomain.local,1)
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_add_timeout] (0x2000): 0x7f49976f2f50
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976dcaf0 (15), R/- (enabled)
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976f1840 (15), -/W (disabled)
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_ipa.mydomain.local.14312 to a link /var/lib/sss/pipes/private/sbus-dp_ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_new_server] (0x0400): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_ipa.mydomain.local.14312,guid=ea1840bb53f6fb45cbde4ed755910421
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_add_watch] (0x2000): 0x7f49976dd020/0x7f49976f24f0 (16), R/- (enabled)
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Loading backend [ipa] with path [/usr/lib64/sssd/libsss_ipa.so].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_domain has value ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_backup_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_host_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_selinux_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_subdomains_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_master_domain_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_refresh has value 5
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_selinux_refresh has value 5
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_automount_location has value default
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]]
[dp_get_options] (0x0400): Option ipa_ranges_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_enable_dns_sites is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_server_mode is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ipa_views_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'IPA' (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'idc01.ipa.mydomain.local:0' to service 'IPA' (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [_ipa_servers_init] (0x0400): Added Server idc01.ipa.mydomain.local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_uri has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_backup_uri has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value. 
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_search_timeout has value 6 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_network_timeout has value 6 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_search_filter has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_user_extra_attrs has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_search_filter has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_service_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] 
[dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_autofs_map_master_name has value auto.master (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_schema has value ipa_v1 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 3600 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cert has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_key has no value (Mon Jun 29 10:38:57 
2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value 56 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_server has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_realm has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_kdcinfo is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option 
account_cache_expiration has value 0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_deref has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has value ipa (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_access_order has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_page_size has value 1000 (Mon Jun 29 10:38:57 
2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_use_tokengroups is TRUE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_rfc2307_fallback_to_local_users is FALSE (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_disable_range_retrieval is FALSE (Mon Jun 29 10:38:57 2015) 
[sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_min_id has value 0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_max_id has value 0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option ldap_pwdlockout_dn has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option krb5_realm set to IPA.MYDOMAIN.LOCAL (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Will look for idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in default keytab (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x4000): Trying to find principal idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL found in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x4000): Trying to find principal IDC01$@IPA.MYDOMAIN.LOCAL in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching IDC01$@IPA.MYDOMAIN.LOCAL found in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in keytab. 
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [match_principal] (0x1000): Principal matched to the sample (host/idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL). (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected primary: host/idc01.ipa.mydomain.local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected realm: IPA.MYDOMAIN.LOCAL (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/idc01.ipa.mydomain.local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to IPA.MYDOMAIN.LOCAL (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_user_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [USER][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_sudo_search_base set to ou=SUDOers,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] 
[common_parse_search_base] (0x0100): Search base added: [NETGROUP][cn=ng,cn=alt,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_host_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HOST][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ipa_hbac_search_base set to cn=hbac,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HBAC][cn=hbac,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_selinux_search_base set to cn=selinux,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SELINUX][cn=selinux,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_subdomains_search_base set to cn=trusts,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SUBDOMAINS][cn=trusts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_master_domain_search_base set to 
cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_MASTER_DOMAIN][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_ranges_search_base set to cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_RANGES][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_id_options] (0x0100): Option ipa_views_search_base set to cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [IPA_VIEWS][cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local][SUBTREE][] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_entry_usn has value entryUSN (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has value lastUSN (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_object_class has value posixAccount (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos (Mon Jun 29 10:38:57 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_principal has value krbPrincipalName (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has value memberOf (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uuid has value ipaUniqueID (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_objectsid has value ipaNTSecurityIdentifier (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value modifyTimestamp (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value shadowLastChange (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_min has value shadowMin (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value shadowWarning (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value shadowInactive (Mon Jun 29 10:38:57 
2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value shadowExpire (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value krbPasswordExpiration (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_disabled has value loginDisabled (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey (Mon Jun 29 
10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_auth_type has value ipaUserAuthType (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value ipaUserGroup (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_object_class_alt has value posixGroup (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_member has value member (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has value ipaUniqueID (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has value ipaNTSecurityIdentifier (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_type has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_object_class has value ipaNisNetgroup (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_name has value cn (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member has value member (Mon Jun 29 10:38:57 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_of has value memberOf
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_user has value memberUser
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_host has value memberHost
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_ext_host has value externalHost
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_domain has value nisDomainName
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_netgroup_uuid has value ipaUniqueID
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_object_class has value ipaHost
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_name has value cn
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_fqdn has value fqdn
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_serverhostname has value serverHostname
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_member_of has value memberOf
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_ssh_public_key has value ipaSshPubKey
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_host_uuid has value ipaUniqueID
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_objectclass has value ipaHostgroup
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_name has value cn
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_memberof has value memberOf
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_uuid has value ipaUniqueID
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_object_class has value ipaselinuxusermap
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_name has value cn
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_user has value memberUser
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_host has value memberHost
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_see_also has value seeAlso
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_selinux_user has value ipaSELinuxUser
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_enabled has value ipaEnabledFlag
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_user_category has value userCategory
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_host_category has value hostCategory
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_uuid has value ipaUniqueID
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_view_class has value nsContainer
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_view_name has value cn
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_overide_object_class has value ipaOverrideAnchor
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_anchor_uuid has value ipaAnchorUUID
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_user_override_object_class has value ipaUserOverride
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ipa_group_override_object_class has value ipaGroupOverride
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_update is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_refresh_interval has value 0
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_iface has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_ttl has value 1200
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_update_ptr is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_force_tcp is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option dyndns_auth has value gss-tsig
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997705b90
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997709b20
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997705b90 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997709b20 "ltdb_timeout"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997705b90 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_create] (0x0400): Periodic task [Cleanup of ipa.mydomain.local] was created
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of ipa.mydomain.local]: scheduling task 10 seconds from now [1435567147]
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997704e90
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997705f80
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997704e90 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997705f80 "ltdb_timeout"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997704e90 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_update_view_name] (0x4000): View name already in place.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sssm_ipa_id_init] (0x0100): The value of dns_discovery_domain will be ignored in ipa_server_mode
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x2000): ID backend target successfully loaded from provider [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_domain has value ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_backup_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has value IPA.MYDOMAIN.LOCAL
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_refresh has value 5
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_refresh has value 5
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_automount_location has value default
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_enable_dns_sites is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server_mode is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_ccachedir has value /tmp
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_ccname_template has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_auth_timeout has value 6
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_keytab has value /etc/krb5.keytab
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_validate is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_kpasswd has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_backup_kpasswd has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_store_password_if_offline is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_renewable_lifetime has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_lifetime has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_renew_interval has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_fast has value try
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_fast_principal has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_enterprise_principal is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_get_options] (0x0400): Option krb5_use_kdcinfo is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0400): Option krb5_realm set to IPA.MYDOMAIN.LOCAL
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0100): Option krb5_fast_principal set to host/idc01.ipa.mydomain.local@IPA.MYDOMAIN.LOCAL
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x2000): AUTH backend target successfully loaded from provider [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_domain has value ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server has value idc01.ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_backup_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hostname has value idc01.ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has value IPA.MYDOMAIN.LOCAL
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_refresh has value 5
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_refresh has value 5
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_automount_location has value default
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_enable_dns_sites is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_server_mode is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x2000): CHPASS backend target successfully loaded from provider [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sssm_ipa_sudo_init] (0x2000): Initializing IPA sudo handler
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_sudo_init] (0x2000): Initializing sudo IPA back end
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_init] (0x2000): Initializing sudo LDAP back end
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_object_class has value sudoRole
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_name has value cn
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_command has value sudoCommand
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_host has value sudoHost
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_user has value sudoUser
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_option has value sudoOption
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runas has value sudoRunAs
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasuser has value sudoRunAsUser
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasgroup has value sudoRunAsGroup
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notbefore has value sudoNotBefore
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notafter has value sudoNotAfter
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_order has value sudoOrder
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_sudorule_entry_usn has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [check_ipv4_addr] (0x0200): Loopback IPv4 address 127.0.0.1
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_get_ip_addresses] (0x2000): Found IP address: 172.21.251.9 in network 172.21.251.0/24
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_get_hostnames_send] (0x2000): Found fqdn: idc01.ipa.mydomain.local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_get_hostnames_send] (0x2000): Found hostname: idc01
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x2000): SUDO backend target successfully loaded from provider [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sssm_ipa_autofs_init] (0x2000): Initializing IPA autofs handler
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_autofs_init] (0x2000): Initializing autofs LDAP back end
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_autofs_options] (0x1000): Option ldap_autofs_search_base set to cn=default,cn=automount,dc=ipa,dc=mydomain,dc=local
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=ipa,dc=mydomain,dc=local][SUBTREE][]
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_object_class has value automountMap
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_name has value automountMapName
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_object_class has value automount
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_key has value automountKey
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_value has value automountInformation
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x2000): autofs backend target successfully loaded from provider [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x4000): selinux backend target successfully loaded from provider [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x4000): HOST backend target successfully loaded from provider [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [get_config_status] (0x4000): IPA subdomain provider is configured implicit.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sss_write_krb5_localauth_snippet] (0x0200): File for localauth plugin configuration is [/var/lib/sss/pubconf/krb5.include.d/localauth_plugin]
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499770eb10
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499770ebd0
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499770eb10 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499770ebd0 "ltdb_timeout"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499770eb10 "ltdb_callback"
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [new_subdomain] (0x0400): Creating [mydomain.local] as subdomain of [ipa.mydomain.local]!
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [ipa.mydomain.local] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa.mydomain.local]
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_domain has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_backup_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_hostname has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_keytab has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_enable_dns_sites is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_access_filter has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_enable_gc is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_access_control has value permissive
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_cache_timeout has value 5
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_interactive has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_remote_interactive has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_network has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_batch has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_service has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_permit has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_map_deny has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ad_gpo_default_right has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_uri has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_backup_uri has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_bind_dn has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_authtok_type has value password
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_default_authtok has no binary value.
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_search_timeout has value 6
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_network_timeout has value 6
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_opt_timeout has value 6
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_reqcert has value hard
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_scope has value sub
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_search_filter has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_user_extra_attrs has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_scope has value sub
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_search_filter has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_service_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_use_host_filter is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_hostnames has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_ip has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_include_netgroups is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sudo_include_regexp is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_autofs_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_autofs_map_master_name has value auto.master
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_schema has value ad
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_offline_timeout has value 60
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_force_upper_case_realm is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_enumeration_refresh_timeout has value 300
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_purge_cache_timeout has value 10800
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cacert has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cacertdir has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cert has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_key has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_tls_cipher_suite has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_id_use_start_tls is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_id_mapping is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_mech has value gssapi
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_authid has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_realm has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_minssf has value -1
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_keytab has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_init_creds is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_backup_server has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_realm has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_canonicalize is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option krb5_use_kdcinfo is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_pwd_policy has value none
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_referrals is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option account_cache_expiration has value 0
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_dns_service_name has value ldap
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_access_filter has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_netgroup_search_base has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_group_nesting_level has value 2
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_deref has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_account_expire_policy has value ad
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_access_order has value filter
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_uri has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_backup_uri has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_dns_service_name has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_chpass_update_last_change is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_enumeration_search_timeout has value 60
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_page_size has value 1000
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_deref_threshold has value 10
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_canonicalize is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_connection_expire_timeout has value 900
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_disable_paging is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_min has value 200000
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_max has value 2000200000
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_size has value 200000
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_autorid_compat is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_default_domain has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_default_domain_sid has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_use_tokengroups is TRUE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_rfc2307_fallback_to_local_users is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_disable_range_retrieval is FALSE
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_min_id has value 0
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_max_id has value 0
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [dp_copy_options_ex] (0x0400): Option ldap_pwdlockout_dn has no value
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_entry_usn has value uSNChanged
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_rootdse_last_usn has value highestCommittedUSN
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_object_class has value user
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_name has value sAMAccountName
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_pwd has value unixUserPassword
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_uid_number has value uidNumber
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_gid_number has value gidNumber
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_gecos has value gecos
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_home_directory has value unixHomeDirectory
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shell has value loginShell
(Mon Jun 29 10:38:57 2015)
[sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_principal has value userPrincipalName (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_fullname has value name (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_member_of has value memberOf (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_uuid has value objectGUID (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_objectsid has value objectSID (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_primary_group has value primaryGroupID (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_modify_timestamp has value whenChanged (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_entry_usn has value uSNChanged (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_last_change has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_min has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_max has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_warning has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_inactive has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_expire has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_shadow_flag has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] 
[sdap_copy_map] (0x0400): Option ldap_user_krb_last_pwd_change has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_krb_password_expiration has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_pwd_attribute has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_authorized_service has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_ns_account_lock has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_authorized_host has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_disabled has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_expiration_time has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_ssh_public_key has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_user_auth_type has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_object_class has value group (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_object_class_alt has no value (Mon Jun 29 10:38:57 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_name has value name (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_pwd has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_gid_number has value gidNumber (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_member has value member (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_uuid has value objectGUID (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_objectsid has value objectSID (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_modify_timestamp has value whenChanged (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_entry_usn has value uSNChanged (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_group_type has value groupType (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_object_class has value nisNetgroup (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_name has value cn (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_member has value memberNisNetgroup (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_triple has value nisNetgroupTriple (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_netgroup_modify_timestamp has value modifyTimestamp (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_object_class has value ipService (Mon Jun 29 10:38:57 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_name has value cn (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_port has value ipServicePort (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_copy_map] (0x0400): Option ldap_service_entry_usn has no value (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ad_set_ad_id_options] (0x0100): Option krb5_realm set to IPA.MYDOMAIN.LOCAL (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Will look for idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in default keytab (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x4000): Trying to find principal idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL found in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x4000): Trying to find principal IDC01$@IPA.MYDOMAIN.LOCAL in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x0400): No principal matching IDC01$@IPA.MYDOMAIN.LOCAL found in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL in keytab. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [match_principal] (0x1000): Principal matched to the sample (host/idc01.ipa.mydomain.local at IPA.MYDOMAIN.LOCAL). 
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected primary: host/idc01.ipa.mydomain.local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [select_principal_from_keytab] (0x0200): Selected realm: IPA.MYDOMAIN.LOCAL (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/idc01.ipa.mydomain.local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to IPA.MYDOMAIN.LOCAL (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ipa_ad_ctx_new] (0x4000): No extra attrs set. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'mydomain.local' (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_new_service] (0x0400): Creating new service 'gc_mydomain.local' (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_srv_server] (0x0400): Adding new SRV server to service 'gc_mydomain.local' using 'tcp'. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_srv_server] (0x0400): Adding new SRV server to service 'mydomain.local' using 'tcp'. 
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_fo_set_srv_lookup_plugin] (0x0400): Trying to set SRV lookup plugin to AD (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_fo_set_srv_lookup_plugin] (0x0400): SRV lookup plugin is now AD (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_domain_subdom_add] (0x0400): subdomain mydomain.local is a new one, will create a new sdap domain object (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for mydomain.local (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_create] (0x0400): Periodic task [Cleanup of mydomain.local] was created (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of mydomain.local]: scheduling task 10 seconds from now [1435567147] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_process_init] (0x4000): Get-Subdomains backend target successfully loaded from provider [ipa]. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [become_user] (0x0200): Trying to become user [0][0]. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [become_user] (0x0200): Already user [0]. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [main] (0x0400): Backend provider (ipa.mydomain.local) started! 
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499771afb0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499771b0e0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499771afb0 "ltdb_callback" (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499771b0e0 "ltdb_timeout" (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499771afb0 "ltdb_callback" (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1435567147 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f49976f19c0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f49976f19c0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976dcaf0 (15), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976f1840 (15), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976dcaf0 (15), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976f1840 (15), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976dcaf0 (15), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976f1840 (15), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976dcaf0 (15), R/- (enabled) (Mon Jun 29 10:38:57 2015) 
[sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2970/0x7f49976f1840 (15), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_remove_timeout] (0x2000): 0x7f49976f2f50 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f49976f19c0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f499771c9b0. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f499771c9b0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_add_watch] (0x2000): 0x7f49976f2ad0/0x7f49976f2f00 (19), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2ad0/0x7f499770c6e0 (19), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f499771ce40] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f499771c9b0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2ad0/0x7f499770c6e0 (19), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2ad0/0x7f49976f2f00 (19), -/W (enabled) (Mon Jun 
29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2ad0/0x7f499770c6e0 (19), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f49976f2ad0/0x7f49976f2f00 (19), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f499771ed00. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f499771ed00 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_add_watch] (0x2000): 0x7f499771f2b0/0x7f499771db30 (20), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db80 (20), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f499771f560] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f499771ed00 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db80 (20), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db30 (20), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db80 (20), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db30 (20), -/W (disabled) (Mon Jun 
29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f4997720800. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f4997720800 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_add_watch] (0x2000): 0x7f4997720f80/0x7f4997720360 (21), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997720f80/0x7f49977203b0 (21), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f4997721230] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997720800 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997720f80/0x7f49977203b0 (21), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997720f80/0x7f4997720360 (21), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997720f80/0x7f49977203b0 (21), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997720f80/0x7f4997720360 (21), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f49977224a0. 
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f49977224a0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_add_watch] (0x2000): 0x7f4997722c20/0x7f4997722000 (22), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722050 (22), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f4997722ed0] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f49977224a0 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722050 (22), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722000 (22), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722050 (22), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722000 (22), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Entering. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x7f4997724140. 
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_init_connection] (0x0400): Adding connection 0x7f4997724140 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_add_watch] (0x2000): 0x7f4997724ee0/0x7f4997723ca0 (23), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997724ee0/0x7f4997723cf0 (23), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x7f4997725190] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997724140 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997724ee0/0x7f4997723cf0 (23), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997724ee0/0x7f4997723ca0 (23), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997724ee0/0x7f4997723cf0 (23), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997724ee0/0x7f4997723ca0 (23), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997724ee0/0x7f4997723cf0 (23), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997724ee0/0x7f4997723ca0 (23), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997724ee0/0x7f4997723cf0 (23), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 
0x7f4997724ee0/0x7f4997723ca0 (23), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db80 (20), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db30 (20), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db80 (20), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f499771f2b0/0x7f499771db30 (20), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722050 (22), R/- (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722000 (22), -/W (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722050 (22), R/- (enabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_toggle_watch] (0x4000): 0x7f4997722c20/0x7f4997722000 (22), -/W (disabled) (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997724140 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching. 
(Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [RegisterService] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [RegisterService] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0x7f4997725190] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [client_registration] (0x0100): Added Frontend client [SUDO] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997724140 (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getDomains] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [] (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Queue is empty, running request immediately. (Mon Jun 29 10:38:57 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Adding request to queue. 
(Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [rotateLogs] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [rotateLogs] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f49976db400], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=IPA.MYDOMAIN.LOCAL_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f49976db400], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: 
[LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=MYDOMAIN.LOCAL_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f49976db400], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997733cd0 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997735780 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997733cd0 "ltdb_callback" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997735780 
"ltdb_timeout" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997733cd0 "ltdb_callback" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997734b30], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997734b30], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=mydomain.local,cn=ad,cn=trusts,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997734b30], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x4000): Checking if we need the forest name for [cn=mydomain.local,cn=ad,cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. 
(Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997733fd0 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997734d60 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997733fd0 "ltdb_callback" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997734d60 "ltdb_timeout" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997733fd0 "ltdb_callback" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997731aa0 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997743080 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997731aa0 "ltdb_callback" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997743080 "ltdb_timeout" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997731aa0 "ltdb_callback" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997746090 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997743080 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997746090 "ltdb_callback" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997743080 "ltdb_timeout" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997746090 "ltdb_callback" (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 
10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10 (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997734b30], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997734b30], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipa.mydomain.local,cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997734b30], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[(nil)], ldap[0x7f4997722670] (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:38:58 2015) [sssd[be[ipa.mydomain.local]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication. (Mon Jun 29 10:39:03 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f49976f19c0 (Mon Jun 29 10:39:03 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching. 
(Mon Jun 29 10:39:03 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [resetOffline] (Mon Jun 29 10:39:03 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jun 29 10:39:03 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [resetOffline] (Mon Jun 29 10:39:03 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. (Mon Jun 29 10:39:03 2015) [sssd[be[ipa.mydomain.local]]] [check_if_online] (0x2000): Backend is already online, nothing to do. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_reset_timeouts_cb] (0x4000): Resetting last_refreshed and disabled_until. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997720800 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getDomains] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Queue is empty, running request immediately. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Adding request to queue. 
(Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997733160], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: 
[cn=IPA.MYDOMAIN.LOCAL_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997733160], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=MYDOMAIN.LOCAL_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997733160], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997748f50 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997749080 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997748f50 "ltdb_callback" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997749080 "ltdb_timeout" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997748f50 "ltdb_callback" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] 
(0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997743250], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997743250], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=mydomain.local,cn=ad,cn=trusts,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997743250], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x4000): Checking if we need the forest name for [cn=mydomain.local,cn=ad,cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. 
(Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997726450 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997726510 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997726450 "ltdb_callback" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997726510 "ltdb_timeout" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997726450 "ltdb_callback" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997736200 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977362c0 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997736200 "ltdb_callback" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977362c0 "ltdb_timeout" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997736200 "ltdb_callback" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977264f0 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997736150 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977264f0 "ltdb_callback" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997736150 "ltdb_timeout" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977264f0 "ltdb_callback" (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 
10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997737800], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997737800], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipa.mydomain.local,cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997737800], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_next_request] (0x4000): Request queue is empty. (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[(nil)], ldap[0x7f4997722670] (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997720800 (Mon Jun 29 10:39:04 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching. 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f49977343f0], ldap[0x7f49977209d0] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=account2 at otherdomain.com,OU=Personale,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [name] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [unixHomeDirectory] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], 
ops[0x7f49977343f0], ldap[0x7f49977209d0] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f49977343f0], ldap[0x7f49977209d0] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f49977343f0], ldap[0x7f49977209d0] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f49977343f0], ldap[0x7f49977209d0] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. 
(Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x1000): Mapping user [account2 at mydomain.local] objectSID [S-1-5-21-1710311407-3537505305-1030735119-11202] to unix ID (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x2000): Adding originalDN [CN=account2 at otherdomain.com,OU=Personale,OU=Utenti Mydomain,DC=mydomain,DC=local] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20150625135244.0Z] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [account2 at mydomain.local]. 
(Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [544] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [account2 at mydomain.local]. 
(Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997768600 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977686c0 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997768600 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977686c0 "ltdb_timeout" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997768600 "ltdb_callback" (Mon 
Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499776ad10 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499776add0 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499776ad10 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499776add0 "ltdb_timeout" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499776ad10 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [account2 at mydomain.local] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499776b690 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997768e00 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499776b690 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997768e00 "ltdb_timeout" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499776b690 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Mon Jun 29 10:39:05 2015) 
[sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_users] (0x4000): User 0 processed! (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_users_done] (0x4000): Saving 1 Users - Done (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_done] (0x4000): releasing operation connection (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997757ca0 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977368c0 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997757ca0 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977368c0 "ltdb_timeout" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997757ca0 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997737480 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977586f0 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997737480 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977586f0 "ltdb_timeout" (Mon Jun 29 10:39:05 
2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997737480 "ltdb_callback" (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[(nil)], ldap[0x7f49977209d0] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f49977343f0], ldap[0x7f4997722670] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1710311407-3537505305-1030735119-11202))]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectClass=ipaexternalgroup][dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17 (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f499774b710], ldap[0x7f4997722670] (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:05 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_reset_timeouts_cb] (0x4000): Resetting last_refreshed and disabled_until. 
(Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f499774b710], ldap[0x7f4997722670] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ext_groups_done] (0x0400): [0] external groups found. (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997759190 (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997732c90 (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997759190 "ltdb_callback" (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997732c90 "ltdb_timeout" (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997759190 "ltdb_callback" (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [find_ipa_ext_memberships] (0x0080): User [account2 at otherdomain.com] not found in cache. (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ipa_add_ext_groups_step] (0x4000): No external groups memberships found. (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[(nil)], ldap[0x7f4997722670] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997720800 (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=nobody] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997759c90 (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499774b590 (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997759c90 "ltdb_callback" (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499774b590 "ltdb_timeout" (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997759c90 "ltdb_callback" (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] 
[sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nobody)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Mon Jun 29 10:39:06 
2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18 (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997740ac0], ldap[0x7f4997722670] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_done] (0x4000): releasing operation connection (Mon Jun 29 10:39:06 2015) [sssd[be[ipa.mydomain.local]]] [ldb] 
0x7f4997756030 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977426e0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977426e0 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977735d0 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977426e0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977735d0 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977426e0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [cleanup_groups] (0x2000): About to delete group Domain Users at mydomain.local (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997705b90 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499775a390 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997705b90 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499775a390 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997705b90 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977794e0 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997705b90 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 
0x7f49977794e0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997768d70 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997735990 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997705b90 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977794e0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997768d70 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997735990 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997768d70 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499775a390 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977426e0 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499775a390 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977426e0 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499775a390 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [cleanup_groups] (0x2000): About to delete group SophosUser at mydomain.local (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997705b90 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x7f49977426e0 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997705b90 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977426e0 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997705b90 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499775a390 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997757c70 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499775a390 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977772d0 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997737650 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997757c70 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499775a390 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977772d0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997737650 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977772d0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 
10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_done] (0x0400): Task [Cleanup of mydomain.local]: finished successfully (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [be_ptask_schedule] (0x0400): Task [Cleanup of mydomain.local]: scheduling task 10800 seconds from last execution time [1435577947] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=SUDOers,dc=ipa,dc=mydomain,dc=local] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=idc01.ipa.mydomain.local)(sudoHost=idc01)(sudoHost=172.21.251.9)(sudoHost=172.21.251.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=SUDOers,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997740ac0], ldap[0x7f4997722670] (Mon Jun 29 10:39:07 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=SUDOers,dc=ipa,dc=mydomain,dc=local] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_load_done] (0x0400): Received 0 rules (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997759050 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499775dc50 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997759050 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499775dc50 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997759050 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499775dc50 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997759050 (Mon Jun 
29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499775dc50 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997759050 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499775dc50 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997757bf0 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977589e0 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997757bf0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977589e0 "ltdb_timeout" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997757bf0 "ltdb_callback" (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1435588747 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_sudo_schedule_refresh] (0x0400): Smart refresh scheduled at: 1435568047 (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[(nil)], ldap[0x7f4997722670] (Mon Jun 29 10:39:07 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997720800 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getDomains] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Queue is empty, running request immediately. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Adding request to queue. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=IPA.MYDOMAIN.LOCAL_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=MYDOMAIN.LOCAL_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997757ac0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997755e60 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997757ac0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997755e60 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997757ac0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] 
(0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=mydomain.local,cn=ad,cn=trusts,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x4000): Checking if we need the forest name for [cn=mydomain.local,cn=ad,cn=trusts,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997753bb0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977318b0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997753bb0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977318b0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997753bb0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977426e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977427a0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977426e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977427a0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977426e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977426e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977427a0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977426e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977427a0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977426e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9 (Mon Jun 29 
10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipa.mydomain.local,cn=ad,cn=etc,dc=ipa,dc=mydomain,dc=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997755930], ldap[0x7f4997722670]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_next_request] (0x4000): Request queue is empty.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[(nil)], ldap[0x7f4997722670]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997720800
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getDomains]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Queue is empty, running request immediately.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Adding request to queue.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_next_request] (0x4000): Request queue is empty.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f4997720800
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getDomains]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Queue is empty, running request immediately.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Adding request to queue.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_next_request] (0x4000): Request queue is empty.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f499771c9b0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getDomains]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_get_subdomains] (0x0400): Got get subdomains [otherdomain.com]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Queue is empty, running request immediately.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_request] (0x4000): Adding request to queue.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_queue_next_request] (0x4000): Request queue is empty.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f499771c9b0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account2 at otherdomain.com:U]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [ipa.mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997732c90
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977597c0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997732c90 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977597c0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997732c90 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipa,dc=mydomain,dc=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(krbPrincipalName=account2 at otherdomain.com)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f4997759650], ldap[0x7f4997722670]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977597c0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997757bf0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977597c0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997757bf0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977597c0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=account2 at otherdomain.com))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997758550
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997736ab0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997758550 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997736ab0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997758550 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997757bf0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997757a10
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997757bf0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997757a10 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997757bf0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [account2 at otherdomain.com] found.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[(nil)], ldap[0x7f4997722670]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f499771c9b0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=account2 at otherdomain.com:U]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.mydomain.local] to [mydomain.local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997756ba0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997748dc0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997756ba0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997748dc0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997756ba0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=account2 at otherdomain.com))].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.9
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=account2 at otherdomain.com))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=mydomain,dc=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[0x7f49977343f0], ldap[0x7f4997722670]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=account2 at otherdomain.com))].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'gc_mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_send] (0x0400): About to find domain controllers
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997727830], connected[1], ops[(nil)], ldap[0x7f4997722670]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_dc_servers_done] (0x0400): Found 3 domain controllers in domain mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_send] (0x0400): Resolving host dc03.mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_is_address] (0x4000): [dc03.mydomain.local] does not look like an IP address
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc03.mydomain.local' in files
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc03.mydomain.local' in files
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc03.mydomain.local' in DNS
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc03.mydomain.local:389
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x4000): Using file descriptor [29] for LDAP connection.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dc03.mydomain.local:389/??base] with fd [29].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc03.mydomain.local:389
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.13
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=mydomain.local)(NtVer=\14\00\00\00))][].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [netlogon]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f499775dc50], connected[1], ops[0x7f4997736e30], ldap[0x7f499775dcc0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [netlogon]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f499775dc50], connected[1], ops[0x7f4997736e30], ldap[0x7f499775dcc0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_handle_release] (0x2000): Trace: sh[0x7f499775dc50], connected[1], ops[(nil)], ldap[0x7f499775dcc0], destructor_lock[0], release_memory[0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_servers_send] (0x0400): Looking up primary servers
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'gc'. Will use DNS discovery domain 'Default-First-Site-Name._sites.mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.Default-First-Site-Name._sites.mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_servers_primary_done] (0x0400): Looking up backup servers
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'gc'. Will use DNS discovery domain 'mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_discover_srv_done] (0x0400): Got 3 servers
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_srv_plugin_servers_done] (0x0400): Got 3 primary and 3 backup servers
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc01.mydomain.local:3268' to service 'gc_mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc03.mydomain.local:3268' to service 'gc_mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc02.mydomain.local:3268' to service 'gc_mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc02.mydomain.local:3268' for service 'gc_mydomain.local' is already present
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc03.mydomain.local:3268' for service 'gc_mydomain.local' is already present
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_add_server_to_list] (0x0400): Server 'dc01.mydomain.local:3268' for service 'gc_mydomain.local' is already present
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'gc_mydomain.local' as 'resolved'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_server_status] (0x1000): Status of server 'dc01.mydomain.local' is 'working'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc01.mydomain.local: [172.21.251.11] TTL 3600
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc01.mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc01.mydomain.local:3268'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x4000): Using file descriptor [29] for LDAP connection.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dc01.mydomain.local:3268/??base] with fd [29].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997740ac0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [currentTime]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [subschemaSubentry]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [dsServiceName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultNamingContext]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [schemaNamingContext]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [configurationNamingContext]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [rootDomainNamingContext]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPPolicies]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [highestCommittedUSN]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [dnsHostName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [ldapServiceName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedCapabilities]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [isSynchronized]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [isGlobalCatalogReady]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [domainFunctionality]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [forestFunctionality]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [domainControllerFunctionality]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997740ac0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_rootdse_done] (0x2000): Got rootdse
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_server_opts_from_rootdse] (0x4000): USN value: 5312476 (int: 5312476)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/idc01.ipa.mydomain.local, IPA.MYDOMAIN.LOCAL, 86400)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_server_status] (0x1000): Status of server 'dc01.mydomain.local' is 'working'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc01.mydomain.local' is 'working'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [get_server_status] (0x1000): Status of server 'dc01.mydomain.local' is 'working'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc01.mydomain.local: [172.21.251.11] TTL 3600
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc01.mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc01.mydomain.local'
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 87
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [14325]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [14325]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[(nil)], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x1000): Waiting for child [14325].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [child_sig_handler] (0x0100): child [14325] finished successfully.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_IPA.MYDOMAIN.LOCAL], expired on [1435653550] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1435568050 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/idc01.ipa.mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'dc01.mydomain.local' as 'working' (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [set_server_common_status] (0x0100): Marking server 'dc01.mydomain.local' as 'working' (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [fo_set_port_status] (0x0400): Marking port 3268 of duplicate server 'dc01.mydomain.local' as 'working' (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_done] (0x2000): Old USN: 5312476, New USN: 5312476 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base 
[dc=mydomain,dc=local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(userPrincipalName=account2 at otherdomain.com)(objectclass=user)(objectSID=*))][dc=mydomain,dc=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [objectSID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997759c90], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=account2 at otherdomain.com,OU=Personale,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [name] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997759c90], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_user] (0x4000): 
Storing the user (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Save user (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object account2 at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Processing user account2 at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x1000): Mapping user [account2 at mydomain.local] objectSID [S-1-5-21-1710311407-3537505305-1030735119-11202] to unix ID (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x2000): Adding originalDN [CN=account2 at otherdomain.com,OU=Personale,OU=Utenti Mydomain,DC=mydomain,DC=local] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20150625135244.0Z] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Adding user principal [account2 at OTHERDOMAIN.COM] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [account2 at mydomain.local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [544] to attributes of [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [account2 at mydomain.local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [account2 at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_user] (0x0400): Storing info for user account2 at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777ba30 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777baf0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777ba30 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777baf0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777ba30 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777b980 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x7f499777ba40 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777b980 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777ba40 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777b980 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [account2 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499776b770 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499776cda0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499776b770 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499776cda0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499776b770 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_remove_attrs] (0x2000): Removing attribute [homeDirectory] from [account2 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x7f4997784ef0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499776b770 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997784ef0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499776b770 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997784ef0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [account2 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777d900 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777b380 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777d900 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777b380 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777d900 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adAccountExpires] from [account2 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x7f499777d220 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e9f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777d220 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e9f0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777d220 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_user] (0x4000): Commit change (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499776b820 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499776b950 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499776b820 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499776b950 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499776b820 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777c150 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997768c70 (Mon Jun 29 10:39:10 2015) 
[sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777c150 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997768c70 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777c150 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_user] (0x4000): Process user's groups (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=account2 at otherdomain.com,OU=Personale,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 7 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[(nil)], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f4997732d10], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=account2 at otherdomain.com,OU=Personale,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [tokenGroups] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f4997732d10], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-1710311407-3537505305-1030735119-1107] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499776b820 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499776b950 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499776b820 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499776b950 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499776b820 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1107 will be downloaded (Mon Jun 29 10:39:10 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-1710311407-3537505305-1030735119-1608] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777c1f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499776b770 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777c1f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499776b770 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777c1f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-1608 will be downloaded (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-1710311407-3537505305-1030735119-513] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777fc90 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777fad0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777fc90 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777fad0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777fc90 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-1710311407-3537505305-1030735119-513 will be downloaded (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1107)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499777c1f0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499777c1f0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=SophosUser,CN=Users,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [groupType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499777c1f0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499777c1f0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499777c1f0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499777c1f0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): AD group has type flags 0x80000004.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): The group's gid was zero
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=SophosUser,CN=Users,DC=mydomain,DC=local] into hash table [groups]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=SophosUser,CN=Users,DC=mydomain,DC=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Domain\20Users,CN=Users,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777f300
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777f430
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777f300 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777f430 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777f300 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=Domain\20Users,CN=Users,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777ecf0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777edb0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777ecf0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777edb0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777ecf0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=Domain Users,CN=Users,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [CN=SophosUser,CN=Users,DC=mydomain,DC=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Members of group [CN=SophosUser,CN=Users,DC=mydomain,DC=local] will be processed individually
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Domain Users,CN=Users,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[(nil)], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d5b0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=group)(name=*))][CN=Domain Users,CN=Users,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 7
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d670], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d670], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Domain Users,CN=Users,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [groupType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d670], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): AD group has type flags 0x80000002.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): The group's gid was zero
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=Domain Users,CN=Users,DC=mydomain,DC=local] into hash table [groups]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=Domain Users,CN=Users,DC=mydomain,DC=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Test\20Palo\20Alto,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997773d30
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773e60
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997773d30 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773e60 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997773d30 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=Test\20Palo\20Alto,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e3b0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777cc10
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e3b0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777cc10 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e3b0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test4,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e2b0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e370
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e2b0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e370 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e2b0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test4,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997774810
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773d00
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997774810 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773d00 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997774810 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test3,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997773d00
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997774810
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997773d00 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997774810 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997773d00 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test3,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777c7f0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997774810
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777c7f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997774810 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777c7f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test2,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777c7f0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997776050
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777c7f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997776050 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777c7f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test2,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777ce20
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977762d0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777ce20 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977762d0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777ce20 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777ce20
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997776650
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777ce20 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997776650 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777ce20 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997775c40
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777ce20
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997775c40 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777ce20 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997775c40 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Looking up 5/5 members of group [CN=Domain Users,CN=Users,DC=mydomain,DC=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Members of group [CN=Domain Users,CN=Users,DC=mydomain,DC=local] will be processed individually
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f49977755c0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f49977755c0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f49977755c0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d690], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d690], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d690], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777e2f0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777e2f0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777e2f0], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777c950], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777c950], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777c950], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997776c80], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997776c80], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997776c80], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2 at mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test2,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777fde0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977721c0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]]
[ldb] (0x4000): Running timer event 0x7f499777fde0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977721c0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777fde0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4 at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test4,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997773b30 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773bf0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997773b30 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773bf0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997773b30 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e100 (Mon Jun 29 10:39:10 2015) 
[sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e1c0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e100 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e1c0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e100 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Test\20Palo\20Alto,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e100 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e1c0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e100 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e1c0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e100 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3 at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test3,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e000 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e0c0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e000 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e0c0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e000 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x4000): AD group [Domain Users at mydomain.local] has type flags 0x80000002. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x1000): Mapping group [Domain Users at mydomain.local] objectSID [S-1-5-21-1710311407-3537505305-1030735119-513] to unix ID (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=Domain Users,CN=Users,DC=mydomain,DC=local] to attributes of [Domain Users at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20150622151551.0Z] to attributes of [Domain Users at mydomain.local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997777ab0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997777be0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997777ab0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997777be0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997777ab0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] 
(0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x1000): Group Domain Users at mydomain.local does not exist. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997777030 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977770f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997777030 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977770f0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997777030 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997777540 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997777600 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997777540 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997777600 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997777540 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997779b80 (Mon Jun 29 10:39:10 2015) 
[sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997779cb0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997779b80 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997779cb0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997779b80 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997792050 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997792110 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997792050 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997792410 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977924d0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997792110 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997792050 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997792410 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977924d0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997792410 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] 
[ldb] (0x4000): commit ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x4000): Group 0 processed! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUser at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUser at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x4000): AD group [SophosUser at mydomain.local] has type flags 0x80000004. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUser at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=SophosUser,CN=Users,DC=mydomain,DC=local] to attributes of [SophosUser at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20140625115932.0Z] to attributes of [SophosUser at mydomain.local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUser at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977948e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997775df0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977948e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997775df0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977948e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x1000): Group SophosUser at mydomain.local does not exist. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977948e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997792690 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977948e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997792690 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977948e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997792740 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997776e50 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997792740 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997776e50 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997792740 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777a190 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed 
event "ltdb_timeout": 0x7f499777c1f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777a190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977772a0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777d1b0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777c1f0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777a190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977772a0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777d1b0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977772a0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x1000): sysdb_set_group_attr failed. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x0400): Error: 17 (File exists) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x1000): sysdb_add_group failed: [EEXIST]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997790ed0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977744a0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997790ed0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977744a0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997790ed0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777a190 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997792690 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777a190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997793d20 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997775df0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997792690 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777a190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997793d20 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997775df0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997793d20 "ltdb_callback" (Mon Jun 29 10:39:10 
2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0080): A group with the same GID [0] was removed from the cache (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997777730 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977744a0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997777730 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977744a0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997777730 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997790ed0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997778700 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997790ed0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997778700 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997790ed0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb 
transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997771f60 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997779dd0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997771f60 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977996b0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997799770 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997779dd0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997771f60 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977996b0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997799770 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977996b0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x1000): sysdb_set_group_attr failed. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x0400): Error: 17 (File exists) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0080): sysdb_add_group failed (while renaming group) for: SophosUser at mydomain.local [0]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUser at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUser at mydomain.local]: [File exists] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 1. Ignoring. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(gidNumber=1539400513)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997793d20 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997778c30 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997793d20 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997778c30 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997793d20 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777d3e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997777730 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777d3e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997777730 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777d3e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] 
(0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997777730 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997794730 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997777730 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997778a70 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997779000 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997794730 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997777730 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997778a70 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997779000 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997778a70 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x4000): Group 0 members processed! 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-1608)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[(nil)], ldap[0x7f4997733ef0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ipa_subdom_reset_timeouts_cb] (0x4000): Resetting last_refreshed and disabled_until.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776ad60], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=SophosUserTmpRn\0ACNF:10eb1e79-892c-43ab-9735-0bf3cc30f264,CN=Users,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [groupType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776ad60], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776ad60], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776ad60], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776ad60], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): AD group has type flags 0x80000004.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): The group's gid was zero
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=SophosUserTmpRn\0ACNF:10eb1e79-892c-43ab-9735-0bf3cc30f264,CN=Users,DC=mydomain,DC=local] into hash table [groups]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=SophosUserTmpRn\0ACNF:10eb1e79-892c-43ab-9735-0bf3cc30f264,CN=Users,DC=mydomain,DC=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Domain\20Users,CN=Users,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997774210
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997774340
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997774210 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997774340 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997774210 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=Domain\20Users,CN=Users,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e520
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777dcf0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e520 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777dcf0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e520 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=Domain Users,CN=Users,DC=mydomain,DC=local] found in cache, skipping
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Looking up 0/1 members of group [CN=SophosUserTmpRn\0ACNF:10eb1e79-892c-43ab-9735-0bf3cc30f264,CN=Users,DC=mydomain,DC=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x4000): AD group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local] has type flags 0x80000004.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Filtering AD group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=SophosUserTmpRn\0ACNF:10eb1e79-892c-43ab-9735-0bf3cc30f264,CN=Users,DC=mydomain,DC=local] to attributes of [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20140626093322.0Z] to attributes of [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772440
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772570
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772440 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997772570 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772440 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x1000): Group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local does not exist.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977736c0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773780
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977736c0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773780 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977736c0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777d660
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997774140
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777d660 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997774140 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777d660 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 3)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977759d0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997775a90
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977759d0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977740f0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e2a0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997775a90 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977759d0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977740f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e2a0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977740f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x1000): sysdb_set_group_attr failed.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x0400): Error: 17 (File exists)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x1000): sysdb_add_group failed: [EEXIST].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499778d120
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777dcf0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499778d120 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777dcf0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499778d120 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977730d0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977745d0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977730d0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997773480
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997775b40
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977745d0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977730d0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997773480 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997775b40 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997773480 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0080): A group with the same GID [0] was removed from the cache
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977747a0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773e70
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977747a0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773e70 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977747a0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997775730
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997775860
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997775730 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997775860 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997775730 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 3)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772510
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772670
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772510 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777cb30
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777cbf0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997772670 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772510 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777cb30 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777cbf0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777cb30 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x1000): sysdb_set_group_attr failed.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_add_group] (0x0400): Error: 17 (File exists)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0080): sysdb_add_group failed (while renaming group) for: SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local [0].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_store_group_with_gid] (0x0040): Could not store group SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0080): Failed to save group [SophosUserTmpRn CNF:10eb1e79-892c-43ab-9735-0bf3cc30f264 at mydomain.local]: [File exists]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776dbe0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776dbe0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Domain Users,CN=Users,DC=mydomain,DC=local].
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [groupType]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776dbe0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776dbe0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776dbe0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f499776dbe0], ldap[0x7f49977209d0]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): AD group has type flags 0x80000002.
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): The group's gid was zero
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=Domain Users,CN=Users,DC=mydomain,DC=local] into hash table [groups]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=Domain Users,CN=Users,DC=mydomain,DC=local]
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Test\20Palo\20Alto,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777cff0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777d120
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777cff0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777d120 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777cff0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=Test\20Palo\20Alto,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997773270
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777c970
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997773270 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777c970 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997773270 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test4,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772460
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772520
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772460 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997772520 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772460 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test4,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977726f0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977727b0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977726f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977727b0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977726f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test3,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772a30
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977726f0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772a30 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977726f0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772a30 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test3,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772a30
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773970
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772a30 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773970 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772a30 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test2,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997773af0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773e60
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997773af0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773e60 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997773af0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test2,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977741f0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772990
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977741f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997772990 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977741f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977741f0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977726f0
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977741f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977726f0 "ltdb_timeout"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977741f0 "ltdb_callback"
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local))
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997773e60
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x7f4997773d30 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997773e60 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773d30 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997773e60 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Looking up 5/5 members of group [CN=Domain Users,CN=Users,DC=mydomain,DC=local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Members of group [CN=Domain Users,CN=Users,DC=mydomain,DC=local] will be processed individually (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[(nil)], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777c880], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777c880], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d1d0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d1d0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d1d0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997775010], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997775010], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997775010], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f49977732d0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f49977732d0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f49977732d0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997775a50], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997775a50], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f4997775a50], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 5 users found in the hash table (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test2 at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test2,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777d620 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777c7f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] 
[ldb] (0x4000): Running timer event 0x7f499777d620 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777c7f0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777d620 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test4 at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test4,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997770c90 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997771f30 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997770c90 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997771f30 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997770c90 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997770c90 (Mon Jun 29 10:39:10 2015) 
[sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772f30 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997770c90 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997772f30 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997770c90 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test_pa at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Test\20Palo\20Alto,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977724c0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772580 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977724c0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997772580 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977724c0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object test3 at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test3,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977755f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772410 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977755f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997772410 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977755f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Processing group Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x4000): AD group [Domain Users at mydomain.local] has type flags 0x80000002. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x1000): Mapping group [Domain Users at mydomain.local] objectSID [S-1-5-21-1710311407-3537505305-1030735119-513] to unix ID (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=Domain Users,CN=Users,DC=mydomain,DC=local] to attributes of [Domain Users at mydomain.local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20150622151551.0Z] to attributes of [Domain Users at mydomain.local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Group has 5 members (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test_pa at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test4 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test3 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test2 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [test at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_group] (0x0400): Storing info for group Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977768a0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977769d0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977768a0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977769d0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977768a0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start 
ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977743e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977744a0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977743e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977777f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977774c0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977744a0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977743e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977777f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977774c0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977777f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x4000): Group 0 processed! 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_primary_name] (0x0400): Processing object Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Processing group Domain Users at mydomain.local (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(gidNumber=1539400513)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499778c6b0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977768a0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499778c6b0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977768a0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499778c6b0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Users at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997777ee0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977769d0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997777ee0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977769d0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997777ee0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] 
(0x4000): start ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777d6c0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997774500 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777d6c0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977763e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997778960 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997774500 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777d6c0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977763e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997778960 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977763e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_save_groups] (0x4000): Group 0 members processed! 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_done] (0x4000): releasing operation connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-1710311407-3537505305-1030735119-1107] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772890 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772950 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772890 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997772950 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772890 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-1710311407-3537505305-1030735119-1608] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997770a30 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777c1f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997770a30 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] 
(0x4000): Destroying timer event 0x7f499777c1f0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997770a30 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-1710311407-3537505305-1030735119-513] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499776dbe0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e230 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499776dbe0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e230 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499776dbe0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777c1f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e740 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777c1f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e740 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777c1f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [account2 at mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 0) 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777b9f0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777bb20 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777b9f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777d680 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997771ff0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777bb20 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777b9f0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777d680 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777b450 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777b510 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997771ff0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777d680 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777b450 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997774770 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997774830 (Mon Jun 29 10:39:10 
2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777b510 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777b450 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997774770 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e140 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499778a2e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997774830 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997774770 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e140 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499778a2e0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e140 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_done] (0x4000): Initgroups done (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_initgr_done] (0x1000): Mapping primary group to unix ID (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] 
[sdap_id_op_connect_step] (0x4000): reusing cached connection (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1710311407-3537505305-1030735119-513)(objectClass=group)(name=*))][dc=mydomain,dc=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[(nil)], ldap[0x7f4997733ef0] (Mon Jun 
29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f4997759190], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Domain Users,CN=Users,DC=mydomain,DC=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [name] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [groupType] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f4997759190], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Mon Jun 29 10:39:10 2015) 
[sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f4997759190], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f4997759190], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[0x7f4997759190], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): AD group has type flags 0x80000002. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x4000): The group's gid was zero (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0! 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=Domain Users,CN=Users,DC=mydomain,DC=local] into hash table [groups] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=Domain Users,CN=Users,DC=mydomain,DC=local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Test\20Palo\20Alto,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777d060 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777d190 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777d060 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777d190 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777d060 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=Test\20Palo\20Alto,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772170 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997772230 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772170 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 
0x7f4997772230 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772170 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test4,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e490 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777cc90 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e490 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777cc90 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e490 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test4,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777e190 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777e320 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777e190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) 
[sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e320 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777e190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test3,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777fbb0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777fc70 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f499777fbb0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777fc70 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777fbb0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test3,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f499777cc40 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f49977727d0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 
0x7f499777cc40 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f49977727d0 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f499777cc40 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test2,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772190 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f499777cb90 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777cb90 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test2,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f4997772190 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773180 (Mon Jun 29 10:39:10 2015) 
[sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f4997772190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773180 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f4997772190 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test2,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=test,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977720e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f4997773370 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977720e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f4997773370 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977720e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_users] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=test,OU=Test,OU=Utenti\20Mydomain,DC=mydomain,DC=local)) (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f49977720e0 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x7f499777e170 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Running timer event 0x7f49977720e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Destroying timer event 0x7f499777e170 "ltdb_timeout" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [ldb] (0x4000): Ending timer event 0x7f49977720e0 "ltdb_callback" (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sysdb_search_groups] (0x2000): No such entry (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_split_members] (0x4000): [CN=test,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] is unknown object (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Looking up 5/5 members of group [CN=Domain Users,CN=Users,DC=mydomain,DC=local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_process_send] (0x2000): Members of group [CN=Domain Users,CN=Users,DC=mydomain,DC=local] will be processed individually (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f49977458a0], connected[1], ops[(nil)], ldap[0x7f49977209d0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d6b0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d6b0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=Test Palo Alto,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 19 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d6b0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d6b0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f499777d6b0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=test4,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local] into hash table [users] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_print_server] (0x2000): Searching 172.21.251.11 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 20 (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f49977722e0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f4997760920], connected[1], ops[0x7f49977722e0], ldap[0x7f4997733ef0] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=test3,OU=Test,OU=Utenti Mydomain,DC=mydomain,DC=local]. 
(Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][mydomain.local] (Mon Jun 29 10:39:10 2015) [sssd[be[ipa.mydomain.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][mydomain.local] From christopher.lamb at ch.ibm.com Mon Jun 29 09:26:01 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Mon, 29 Jun 2015 11:26:01 +0200 Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool In-Reply-To: <20150628132501.GB19902@redhat.com> References: <20150628132501.GB19902@redhat.com> Message-ID: Hi all I am fighting this exact problem too. We had setup Jira, integrated to FreeIPA with the option "Internal Directory with LDAP Authentication", using anonymous bind. This integration path means that when a FreeIPA user attempts to logon to Jira with his FreeIPA Credentials, his user is replicated from FreeIPA to the Jira user directory. https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal +Directory+with+LDAP+Authentication While this allows FreeIPA users to successfully log in to Jira, the user was replicated without email, which renders Jira as useful as a chocolate teepot. Alexanders's reply prompted me to "go back to basics". So I fired up Apache Directory Studio, and the command line to do some ldapsearchs, to see what was returned. This should then guide me how to configure the JIRA / FreeIPA integration. 
Query 1: Anonymous bind, filter is uid = bilbo [root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)" # extended LDIF # # LDAPv3 # base with scope subtree # filter: (uid=bilbo) # requesting: ALL # # bilbo, users, compat, my.ch.example.com dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com cn: bilbo bagins objectClass: posixAccount objectClass: top gidNumber: 1175800010 gecos: bilbo bagins uidNumber: 1175800010 loginShell: /bin/sh homeDirectory: /home/bilbo uid: bilbo # bilbo, users, accounts, my.ch.example.com dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com displayName: bilbo bagins cn: bilbo bagins objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: sambaSAMAccount objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry loginShell: /bin/sh initials: bb gecos: bilbo bagins homeDirectory: /home/bilbo uid: bilbo givenName: bilbo sn: bagins uidNumber: 1175800010 gidNumber: 1175800010 # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 This returns 2 replies, inc one from the compat tree, as suggested by Alexander. Note however, neither reply has the mail attribute! 
////////////////////////////////////////////////////////////////////////////////////////////////////////////// Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid = bilbo (This is probably close to the Jira query, which includes inetorgperson) [root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))" # extended LDIF # # LDAPv3 # base with scope subtree # filter: (&(objectClass=inetorgperson)(uid=bilbo)) # requesting: ALL # # bilbo, users, accounts, my.ch.example.com dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com displayName: bilbo bagins cn: bilbo bagins objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: sambaSAMAccount objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry loginShell: /bin/sh initials: bb gecos: bilbo bagins homeDirectory: /home/bilbo uid: bilbo givenName: bilbo sn: bagins uidNumber: 1175800010 gidNumber: 1175800010 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 This now returns 1 record, from users, accounts, but still no mail attribute. ////////////////////////////////////////////////////////////////////////////////////////////////////////////// Ah! methinks - what about a search with user and password? Does this get us something different?
Query 3: same as query 2, but no longer anonymous: [root at xxx-ldap ~]# ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))" Enter LDAP Password: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (&(objectClass=inetorgperson)(uid=bilbo)) # requesting: ALL # # bilbo, users, accounts, my.ch.example.com dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com displayName: bilbo bagins cn: bilbo bagins objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: sambaSAMAccount objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry loginShell: /bin/sh initials: bb gecos: bilbo bagins homeDirectory: /home/bilbo uid: bilbo mail: lamb at ch.example.com krbPrincipalName: bilbo at my.silly.example.COM givenName: bilbo sn: bagins ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872 uidNumber: 1175800010 gidNumber: 1175800010 krbPasswordExpiration: 20150831183039Z krbLastPwdChange: 20150602183039Z memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 That is much more like it: Performing the query with an ldap user and password gives me many more attributes, including the desired mail attribute. Next I will configure JIRA to bind to FreeIPA with a FreeIPA user (non-anonymous bind), and report back ... (unless there is a way to configure which attributes are available to anonymous binds ...)
Cheers Chris From: Alexander Bokovoy To: Markus.Moj at mc.ingenico.com Cc: freeipa-users at redhat.com Date: 28.06.2015 15:26 Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool Sent by: freeipa-users-bounces at redhat.com On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote: >Hi @all, > > > >I am new to freeIPA operating and am facing an issue with mail object >in freeIPA. We are running Jira from Atlassian and are trying to >authenticate against freeIPA. The authentication process is running but >mail object is not provided by freeIPA to Jira to inform users about >new events / trackers or whatsoever. If a test object is displayed with >ldapsearch mail attribute is available and set but is not usable by >Jira. > >How is it possible to inherit mail accounts in Jira to be able to >authenticate and use FreeIPA as IDM for Jira as well as for Linux >systems. This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your basedn when configuring Jira. If that's the case, then Jira gets results from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if compat tree is enabled. In the compat tree you have RFC2307 schema which doesn't include mail attribute and slapi-nis always answers first over LDAP queries that apply to cn=compat,$SUFFIX so you are ending up with two LDAP entries returned for each individual IPA user, one from the compat tree without mail attribute, another one is the original entry from cn=users,cn=accounts,$SUFFIX. Jira most likely expects a single entry response and if it gets more, only evaluates the first entry -- the one that is returned by the compat tree and which doesn't have mail attribute. You can solve this issue by bounding your query to cn=accounts,$SUFFIX to only return primary IPA user/group entries.
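A check for the two effects this exchange turns on (the compat-tree duplicate that Alexander explains, and the mail attribute that only showed up for Chris's authenticated bind), written here by the editor as an added example. It is not code from either message or from FreeIPA; it parses the LDIF that ldapsearch prints and reports which tree each entry came from, whether it carries mail, and which entry a consumer that only reads the first result would end up with. The two LDIF samples inside are constructed to mirror the Query 1 and Query 3 output above, with the mail address and realm filled in as placeholders:

```python
"""Audit ldapsearch LDIF output from FreeIPA for two pitfalls from the thread:
duplicate per-uid entries when the base is $SUFFIX (the cn=compat tree answers
first and has no mail), and attributes an anonymous bind never gets to see.
Editor-added example; the LDIF samples are constructed, not captured."""

import base64

SUFFIX = "dc=my,dc=silly,dc=example,dc=com"

# Mirrors Query 1 (anonymous bind, base $SUFFIX): the compat entry comes first.
ANON_LDIF = """\
# filter: (uid=bilbo)

# bilbo, users, compat
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
objectClass: posixAccount
uid: bilbo

# bilbo, users, accounts
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: inetorgperson
uid: bilbo
sn: bagins

# search result
search: 2
result: 0 Success
"""

# Mirrors Query 3 (authenticated bind): mail is visible. Address and realm are placeholders.
AUTH_LDIF = """\
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: inetorgperson
uid: bilbo
mail: bilbo@ch.example.com
krbPrincipalName: bilbo@MY.SILLY.EXAMPLE.COM
"""


def parse_ldif(text):
    """Parse LDIF into [{"dn": str, "attrs": {lowercase_name: [values]}}],
    handling '#' comments, folded continuation lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current and current["dn"]:   # ldapsearch's result trailer has no dn
                entries.append(current)
            current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        else:
            current = current or {"dn": "", "attrs": {}}
            current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def dn_under(dn, base):
    """True if dn equals base or lies in its subtree (case and spacing ignored)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)


def classify(entry, suffix=SUFFIX):
    """Name the FreeIPA tree an entry came from and whether it carries mail."""
    tree = ("compat" if dn_under(entry["dn"], "cn=compat," + suffix) else
            "accounts" if dn_under(entry["dn"], "cn=accounts," + suffix) else "other")
    return {"dn": entry["dn"], "tree": tree, "has_mail": "mail" in entry["attrs"]}


def audit(text, base, suffix=SUFFIX):
    """Return (findings for every entry, the one a first-result consumer keeps).
    Consumer model per Alexander's explanation: only the first entry returned
    under the configured base DN is evaluated."""
    findings = [classify(e, suffix) for e in parse_ldif(text)]
    chosen = next((f for f in findings if dn_under(f["dn"], base)), None)
    return findings, chosen


if __name__ == "__main__":
    for label, text in (("anonymous", ANON_LDIF), ("authenticated", AUTH_LDIF)):
        for base in (SUFFIX, "cn=accounts," + SUFFIX):
            findings, chosen = audit(text, base)
            kept = chosen["tree"] if chosen else None
            mail = "yes" if chosen and chosen["has_mail"] else "no"
            print(f"{label} bind, base {base}: {len(findings)} entries, "
                  f"consumer keeps {kept}, mail={mail}")
```

With base $SUFFIX the anonymous dump yields two entries and the consumer keeps the compat one; with base cn=accounts,$SUFFIX it keeps the accounts entry, which on the anonymous dump still has no mail, matching what the thread found. Only the authenticated dump carries mail.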
-- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From yamakasi.014 at gmail.com Mon Jun 29 11:16:55 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Mon, 29 Jun 2015 13:16:55 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: <55910DC2.30807@redhat.com> References: <55910DC2.30807@redhat.com> Message-ID: Hi, The zones are on both servers, just not all records are, this has a reason. One server is maintained by a script, the other one only forwards to it if needed. The idea is that it does a local lookup, when it doesn't find the record locally, it forwards to its forwarder to see if it has an "answer". I thought this was working but isn't and following your table it should. What are my options ? Thanks, Matt 2015-06-29 11:20 GMT+02:00 Petr Spacek : > On 27.6.2015 19:06, Matt . wrote: >> Hi All, >> >> When I add a forwarder with policy to forward first, there is only >> forwarder and not a fallback to local when the record doesn't exist on >> the forward server. >> >> When I remove the forwardserver, the local lookup works great again. >> >> Is this known to 3.0 servers or has it been a bug or am I doing something wrong ? > > Forwarders in FreeIPA behave in the same way as in BIND 9.9 and the behavior > you describe seems to be okay. > > The behavior is summarized in a nice table here: > http://www.freeipa.org/page/V4/Forward_zones#Use_Cases > > In other words, there is no thing like 'look into this zone and look into that > zone if the first zone does not contain an answer'. Such behavior would break > the very basic principle of DNS - division to independent, self-contained > zones. What are you trying to achieve? What is the use-case? > > Please note that in FreeIPA < 4.1 zones with non-empty 'forwarders' attribute > were automatically configured as forward zones.
The split to pure forward and > master zones happened in FreeIPA 4.1. > > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From pspacek at redhat.com Mon Jun 29 11:44:46 2015 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 29 Jun 2015 13:44:46 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: References: <55910DC2.30807@redhat.com> Message-ID: <55912FAE.1080403@redhat.com> On 29.6.2015 13:16, Matt . wrote: > Hi, > > The zones are on both servers, just not all records are, this has a > reason. One server is maintained by a script, the other one only > forwards to it if needed. > > The idea is that it does a local lookup, when it doesn't find the > record locally, it forwards to its forwarder to see if it has an > "answer". > > I thought this was working but isn't and following your table it should. I'm sorry but I do not understand. Could you please give us specific examples? - what data you have in what zones and on what server - what is your forwarding configuration - what is the result you get - what is the expected result Also, please add output from command: $ rpm -q bind-dyndb-ldap bind ipa-server Thanks. > What are my options ? We will see once I understand your requirement :-) Petr^2 Spacek > 2015-06-29 11:20 GMT+02:00 Petr Spacek : >> On 27.6.2015 19:06, Matt . wrote: >>> Hi All, >>> >>> When I add a forwarder with policy to forward first, there is only >>> forwarder and not a fallback to local when the record doesn't exist on >>> the forward server. >>> >>> When I remove the forwardserver, the local lookup works great again. >>> >>> Is this known to 3.0 servers or has it been a bug or am I doing something wrong ? >> >> Forwarders in FreeIPA behave in the same way as in BIND 9.9 and the behavior >> you describe seems to be okay.
>> >> The behavior is summarized in a nice table here: >> http://www.freeipa.org/page/V4/Forward_zones#Use_Cases >> >> In other words, there is no thing like 'look into this zone and look into that >> zone if the first zone does not contain an answer'. Such behavior would break >> the very basic principle of DNS - division to independent, self-contained >> zones. What are you trying to achieve? What is the use-case? >> >> Please note that in FreeIPA < 4.1 zones with non-empty 'forwarders' attribute >> were automatically configured as forward zones. The split to pure forward and >> master zones happened in FreeIPA 4.1. >> >> -- >> Petr^2 Spacek -- Petr^2 Spacek From tde3000 at gmail.com Mon Jun 29 11:57:04 2015 From: tde3000 at gmail.com (John Stein) Date: Mon, 29 Jun 2015 11:57:04 +0000 Subject: [Freeipa-users] reverse lookup dns records in trust setup Message-ID: Hi, I have an AD and IdM server. AD domain - john.com IdM domain - linux.john.com each spans multiple network segments, with some segments having both linux and windows machines. the IdM is configured to forward DNS requests to AD (forward first), and the AD is configured to forward requests in the linux.john.com domain to the IdM. However, I'm having a problem regarding reverse lookup zones. Where should they be so they can be accessed from both linux and windows machines? If I put them in IdM, how will the AD know which requests to forward to the IdM? It seems to me that I need to somehow register them at the AD, so the A record is in the IdM server and the PTR is in the AD. Is it possible to do it automatically, or am I supposed to configure the IdM server to create the A record upon client registration and then manually create the PTR record in AD? Is there another solution that eludes me? Thank you very much, John From yamakasi.014 at gmail.com Mon Jun 29 12:07:22 2015 From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 29 Jun 2015 14:07:22 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: <55912FAE.1080403@redhat.com> References: <55910DC2.30807@redhat.com> <55912FAE.1080403@redhat.com> Message-ID: Hi Petr, Both servers have zone: domain.tld Server1 (192.168.1.1) has: domain.tld foo A 192.168.1.10 bar A 192.168.1.20 Server2 (192.168.2.1) has: domain.tld candy A 192.168.2.100 I have a forward first on Server1 to the IP of Server2 So when my DNS server on my client is 192.168.1.1 and I do a nslookup candy.domain.tld it should not lookup locally but on the forward (Server2). But when I lookup foo.domain.tld it should get a reply of Server1 rpm -q bind-dyndb-ldap bind ipa-server bind-dyndb-ldap-2.3-6.el6_6.x86_64 bind-9.8.2-0.30.rc1.el6_6.3.x86_64 ipa-server-3.0.0-42.el6.centos.x86_64 It would also be great if this is possible between IPA 3 and 4. Thanks for your help so far! Cheers, Matt 2015-06-29 13:44 GMT+02:00 Petr Spacek : > On 29.6.2015 13:16, Matt . wrote: >> Hi, >> >> The zones are on both servers, just not all records are, this has a >> reason. One server is maintained by a script, the other one only >> forwards to it if needed. >> >> The idea is that it does a local lookup, when it doesn't find the >> record locally, it forwards to its forwarder to see if it has an >> "answer". >> >> I thought this was working but isn't and following your table it should. > > I'm sorry but I do not understand. > > Could you please give us specific examples? > - what data you have in what zones and on what server > - what is your forwarding configuration > - what is the result you get > - what is the expected result > > Also, please add output from command: > $ rpm -q bind-dyndb-ldap bind ipa-server > > Thanks. > >> What are my options ? > We will see once I understand your requirement :-) > > Petr^2 Spacek > >> 2015-06-29 11:20 GMT+02:00 Petr Spacek : >>> On 27.6.2015 19:06, Matt .
wrote: >>>> Hi All, >>>> >>>> When I add a forwarder with policy to forward first, there is only >>>> forwarder and not a fallback to local when the record doesn't exist on >>>> the forward server. >>>> >>>> When I remove the forwardserver, the local lookup works great again. >>>> >>>> Is this known to 3.0 servers or has it been a bug or am I doing somethin wrong ? >>> >>> Forwarders in FreeIPA behave in the same way as in BIND 9.9 and the behavior >>> you describe seems to be okay. >>> >>> The behavior is summarized in a nice table here: >>> http://www.freeipa.org/page/V4/Forward_zones#Use_Cases >>> >>> In other words, there is no thing like 'look into this zone and look into that >>> zone if the first zone does not contain an answer'. Such behavior would break >>> the very basic principle of DNS - division to independent, self-contained >>> zones. What are you trying to achieve? What is the use-case? >>> >>> Please note that in FreeIPA < 4.1 zones with non-empty 'forwarders' attribute >>> were automatically configured as forward zones. The split to pure forward and >>> master zones happened in FreeIPA 4.1. 
>>> >>> -- >>> Petr^2 Spacek > > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From sbose at redhat.com Mon Jun 29 13:11:57 2015 From: sbose at redhat.com (Sumit Bose) Date: Mon, 29 Jun 2015 15:11:57 +0200 Subject: [Freeipa-users] UPN suffixes in AD trust In-Reply-To: <55910EB0.90406@di.unimi.it> References: <20150625121022.GO12661@p.redhat.com> <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com> <558D62DD.8020702@di.unimi.it> <20150626180622.GU12661@p.redhat.com> <5590FBF4.7000104@di.unimi.it> <20150629083008.GA4748@p.redhat.com> <55910EB0.90406@di.unimi.it> Message-ID: <20150629131157.GC4748@p.redhat.com> On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote: > On 06/29/2015 10:30 AM, Sumit Bose wrote: > > On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote: > >> On 06/26/2015 08:06 PM, Sumit Bose wrote: > >>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote: > >>>> > >>>> > >>>> On 06/26/2015 02:38 PM, Sumit Bose wrote: > >>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote: > >>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote: > >>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote: > >>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote: > >>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote: > >>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote: > >>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote: > >>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote: > >>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote: > >>>>>>>>>>>>>> Hi everybody, > >>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on > >>>>>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD 
(Windows 2012 r2), mydomain.local. > >>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux > >>>>>>>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local). > >>>>>>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com > >>>>>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative > >>>>>>>>>>>>>> UPN (example: john.doe at otherdomain.com). > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? > >>>>>>>>>>>>>> Manual configuration of krb5 and/or sssd? > >>>>>>>>>>>>> > >>>>>>>>>>>>> Have you tried to login to an IPA client or the server? Please try with > >>>>>>>>>>>>> an IPA server first. If this does not work it would be nice if you can > >>>>>>>>>>>>> send the SSSD log files from the IPA server which are generated during > >>>>>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all > >>>>>>>>>>>>> cached entries so that the logs will contain all needed calls to AD. > >>>>>>>>>>>>> > >>>>>>>>>>>>> Support for UPN suffixes was added to the AD provider some time ago and the > >>>>>>>>>>>>> code is available in the IPA provider as well, but I guess no one has > >>>>>>>>>>>>> actually tried this before. > >>>>>>>>>>>>> > >>>>>>>>>>>>> bye, > >>>>>>>>>>>>> Sumit > >>>>>>>>>>>> > >>>>>>>>>>>> First of all let me say that i feel like I'm missing some config somewhere.. > >>>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help. > >>>>>>>>>>>> I can only access the server via ssh so I've attached the logs for a successful > >>>>>>>>>>>> login for account1 at mydomain.local and an unsuccessful login for > >>>>>>>>>>>> account2 at otherdomain.com done via ssh.
> >>>>>>>>>>>> > >>>>>>>>>>>> Bye and thanks for your help > >>>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the > >>>>>>>>>>> trusted AD domain) but only sent to the IPA domain. > >>>>>>>>>>> > >>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix > >>>>>>>>>>> this? If yes, which version of SSSD are you currently using? Then I can > >>>>>>>>>>> prepare a test build with the patch on top of this version. > >>>>>>>>>>> > >>>>>>>>>>> bye, > >>>>>>>>>>> Sumit > >>>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> Hi, > >>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for > >>>>>>>>>> any test. > >>>>>>>>>> > >>>>>>>>>> Here's the packages version for sssd: > >>>>>>>>>> > >>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch > >>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64 > >>>>>>>>> > >>>>>>>>> Please try the packages at > >>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 . > >>>>>>>>> > >>>>>>>>> bye, > >>>>>>>>> Sumit > >>>>>>>> > >>>>>>>> Hi, > >>>>>>>> I've installed the new RPMs, now if I run on the server: > >>>>>>>> > >>>>>>>> id account1 at mydomain.local > >>>>>>>> id account2 at otherdomain.com > >>>>>>>> id account2 at sub.otherdomain.com > >>>>>>>> > >>>>>>>> all the users are found but I'm still unable to log in via ssh with the accounts > >>>>>>>> @otherdomain.com and @sub.otherdomain.com.
> >>>>>>>> > >>>>>>>> In attachment the logs for unsuccessful login for user account2 at otherdomain.com. > >>>>>>> > >>>>>>> Bother, I forgot to add the fix to the pam responder as well, please try > >>>>>>> new packages from > >>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 . > >>>>>>> > >>>>>>> bye, > >>>>>>> Sumit > >>>>>>> > >>>>>> > >>>>>> Hi, > >>>>>> I've updated all the packages but still no login. > >>>>>> > >>>>>> Logs follow. > >>>>> > >>>>> I found another issue in the logs which should be fixed by the build > >>>>> from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . > >>>>> > >>>>> Please send the sssd_pam log file as well it might contain more details > >>>>> about what goes wrong during authentication. > >>>>> > >>>>> bye, > >>>>> Sumit > >>>>> > >>>> > >>>> Hi, > >>>> packages updated, sssd and kerberos services restarted, cache flushed but still > >>>> no login on the IPA server. > >>>> > >>>> As before, logs attached. I've also included the logs generated by the restart > >>>> of sssd service because there were no logs in sssd_pam.log when trying to > >>>> authenticate. > >>>> > >>>> Debug level is set to 6 in the sections: > >>>> > >>>> [domain/ipa.mydomain.local] > >>>> [sssd] > >>>> [nss] > >>>> [pam] > >>>> > >>>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to > >>>> increase it. > >>>> > >>> > >>> so far it is sufficient. I have another build for you to try at > >>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343 > >>> > >>> Thank you for your patience. > >> > >> Thanks for your help!! > >> > >> Still no successful login.. Logs attached > > > > Please increase the debug level at least for the domain log to 9 and > > attach the krb5_child log as well. > > > > Debug level increased and logs attached.. > > I'm sending this email again because I forgot to reply to the list...
Unfortunately the IPA KDC cannot redirect the Kerberos request to the AD realm because of https://fedorahosted.org/freeipa/ticket/3559. I'll try to figure out if this can be bypassed by tuning sssd.conf and krb5.conf. Please allow 2 days for setting up a suitable environment and testing different configurations. bye, Sumit From pspacek at redhat.com Mon Jun 29 13:37:12 2015 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 29 Jun 2015 15:37:12 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: References: <55910DC2.30807@redhat.com> <55912FAE.1080403@redhat.com> Message-ID: <55914A08.1090300@redhat.com> On 29.6.2015 14:07, Matt . wrote: > Hi Petr, > > > Both servers have zone: > > domain.tld > > Server1 (192.168.1.1) has: > > domain.tld > foo A 192.168.1.10 > bar A 192.168.1.20 > > > Server2 (192.168.2.1) has: > > domain.tld > candy A 192.168.2.100 > > > I have a forward first on Server1 to the IP of Server2 > > So when my DNS server on my client is 192.168.1.1 and I do a nslookup > candy.domain.tld it should not lookup locally but on the forward > (Server2). But when I lookup foo.domain.tld it should get a reply of > Server1 Okay, now I understand it. It is not possible now and it will likely never be possible because it breaks the basic principles of DNS. You are expected to have one set of servers which are authoritative for a given zone and this set of servers should synchronize databases among each other. If you really want to split responsibility for different records to multiple servers then you should create sub-domains and do proper delegation for sub-domains. For example, server 1 might be authoritative for zone domain.tld. This domain can contain delegation to server2 for names candy.domain.tld and so on. I hope this helps.
Petr^2 Spacek > > rpm -q bind-dyndb-ldap bind ipa-server > bind-dyndb-ldap-2.3-6.el6_6.x86_64 > bind-9.8.2-0.30.rc1.el6_6.3.x86_64 > ipa-server-3.0.0-42.el6.centos.x86_64 > > It would also be great if this is possible between IPA 3 and 4. > > Thanks for your help so far! > > Cheers, > > Matt > > 2015-06-29 13:44 GMT+02:00 Petr Spacek : >> On 29.6.2015 13:16, Matt . wrote: >>> Hi, >>> >>> The zones are on both servers, just not all records are, this has a >>> reason. One server is maintained by a script, the other one only >>> forwards to it if needed. >>> >>> The idea is that it does a local lookup, when it doesn't find the >>> record locally, it forwards to it's forwarder to see if it has an >>> "answer". >>> >>> I thought this was working but isn't and following your table it should. >> >> I'm sorry but I do not understand. >> >> Could you please give us specific examples? >> - what data you have in what zones and on what server >> - what is your forwarding configuration >> - what is the result you get >> - what is the expected result >> >> Also, please add output from command: >> $ rpm -q bind-dyndb-ldap bind ipa-server >> >> Thanks. >> >>> What are my options ? >> We will see once I understand your requirement :-) >> >> Petr^2 Spacek >> >>> 2015-06-29 11:20 GMT+02:00 Petr Spacek : >>>> On 27.6.2015 19:06, Matt . wrote: >>>>> Hi All, >>>>> >>>>> When I add a forwarder with policy to forward first, there is only >>>>> forwarder and not a fallback to local when the record doesn't exist on >>>>> the forward server. >>>>> >>>>> When I remove the forwardserver, the local lookup works great again. >>>>> >>>>> Is this known to 3.0 servers or has it been a bug or am I doing somethin wrong ? >>>> >>>> Forwarders in FreeIPA behave in the same way as in BIND 9.9 and the behavior >>>> you describe seems to be okay. 
>>>> >>>> The behavior is summarized in a nice table here: >>>> http://www.freeipa.org/page/V4/Forward_zones#Use_Cases >>>> >>>> In other words, there is no thing like 'look into this zone and look into that >>>> zone if the first zone does not contain an answer'. Such behavior would break >>>> the very basic principle of DNS - division to independent, self-contained >>>> zones. What are you trying to achieve? What is the use-case? >>>> >>>> Please note that in FreeIPA < 4.1 zones with non-empty 'forwarders' attribute >>>> were automatically configured as forward zones. The split to pure forward and >>>> master zones happened in FreeIPA 4.1. From jhrozek at redhat.com Mon Jun 29 13:49:37 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 29 Jun 2015 15:49:37 +0200 Subject: [Freeipa-users] UPN suffixes in AD trust In-Reply-To: <20150629131157.GC4748@p.redhat.com> References: <558C1051.8010205@di.unimi.it> <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com> <558D62DD.8020702@di.unimi.it> <20150626180622.GU12661@p.redhat.com> <5590FBF4.7000104@di.unimi.it> <20150629083008.GA4748@p.redhat.com> <55910EB0.90406@di.unimi.it> <20150629131157.GC4748@p.redhat.com> Message-ID: <20150629134937.GC6442@hendrix.redhat.com> On Mon, Jun 29, 2015 at 03:11:57PM +0200, Sumit Bose wrote: > On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote: > > On 06/29/2015 10:30 AM, Sumit Bose wrote: > > > On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote: > > >> On 06/26/2015 08:06 PM, Sumit Bose wrote: > > >>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote: > > >>>> > > >>>> > > >>>> On 06/26/2015 02:38 PM, Sumit Bose wrote: > > >>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote: > > >>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote: > > >>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote: > > >>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote: > > >>>>>>>>> 
On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote: > > >>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote: > > >>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote: > > >>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote: > > >>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote: > > >>>>>>>>>>>>>> Hi everybody, > > >>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on > > >>>>>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. > > >>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux > > >>>>>>>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local). > > >>>>>>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com > > >>>>>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative > > >>>>>>>>>>>>>> UPN (example: john.doe at otherdomain.com). > > >>>>>>>>>>>>>> > > >>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? > > >>>>>>>>>>>>>> Manual configuration of krb5 and/or sssd? > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> Have you tried to login to an IPA client or the server? Please try with > > >>>>>>>>>>>>> an IPA server first. If this does not work it would be nice if you can > > >>>>>>>>>>>>> send the SSSD log files from the IPA server which are generated during > > >>>>>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all > > >>>>>>>>>>>>> cached entries so that the logs will contain all needed calls to AD. > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> Using UPN suffixes were added to the AD provider some time ago and the > > >>>>>>>>>>>>> code is available in the IPA provider as well, but I guess no one has > > >>>>>>>>>>>>> actually tried this before. 
> > >>>>>>>>>>>>> > > >>>>>>>>>>>>> bye, > > >>>>>>>>>>>>> Sumit > > >>>>>>>>>>>> > > >>>>>>>>>>>> First of all let me say that i feel like I'm missing some config somewhere.. > > >>>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't helped. > > >>>>>>>>>>>> I can only access the server vi ssh so I've attached the logs for a successful > > >>>>>>>>>>>> login for account1 at mydomain.local and an unsuccessful login for > > >>>>>>>>>>>> account2 at otherdomain.com done via ssh. > > >>>>>>>>>>>> > > >>>>>>>>>>>> Bye and thanks for your help > > >>>>>>>>>>>> > > >>>>>>>>>>> > > >>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the > > >>>>>>>>>>> trusted AD domain) but only send to the IPA domain. > > >>>>>>>>>>> > > >>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix > > >>>>>>>>>>> this? If yes, which version of SSSD are you currently using? Then I can > > >>>>>>>>>>> prepare a test build with the patch on top of this version. > > >>>>>>>>>>> > > >>>>>>>>>>> bye, > > >>>>>>>>>>> Sumit > > >>>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> Hi, > > >>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for > > >>>>>>>>>> any test. 
> > >>>>>>>>>> > > >>>>>>>>>> Here's the packages version for sssd: > > >>>>>>>>>> > > >>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch > > >>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64 > > >>>>>>>>> > > >>>>>>>>> Please try the packages at > > >>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 . > > >>>>>>>>> > > >>>>>>>>> bye, > > >>>>>>>>> Sumit > > >>>>>>>> > > >>>>>>>> Hi, > > >>>>>>>> I've installed the new RPMs, now if I run on the server: > > >>>>>>>> > > >>>>>>>> id account1 at mydomain.local > > >>>>>>>> id account2 at otherdomain.com > > >>>>>>>> id account2 at sub.otherdomain.com > > >>>>>>>> > > >>>>>>>> all the users are found but I'm still unable to log in via ssh with the accounts > > >>>>>>>> @otherdomain.com and @sub.otherdomain.com. > > >>>>>>>> > > >>>>>>>> In attachment the logs for unsuccessful login for user account2 at otherdomain.com. > > >>>>>>> > > >>>>>>> Bother, I forgot to add the fix to the pam responder as well, please try > > >>>>>>> new packages from > > >>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 . > > >>>>>>> > > >>>>>>> bye, > > >>>>>>> Sumit > > >>>>>>> > > >>>>>> > > >>>>>> Hi, > > >>>>>> I've updated all the packages but still no login. > > >>>>>> > > >>>>>> Logs follows. > > >>>>> > > >>>>> I found another issue in the logs which should be fixed by the build > > >>>>> from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . 
> > >>>>> > > >>>>> Please send the sssd_pam log file as well it might contain more details > > >>>>> about what goes wrong during authentication. > > >>>>> > > >>>>> bye, > > >>>>> Sumit > > >>>>> > > >>>> > > >>>> Hi, > > >>>> packages update, sssd and kerberos services restarted, cache flushed but still > > >>>> no login on the IPA server. > > >>>> > > >>>> As before, logs attached. I've also included the logs generated by the restart > > >>>> of sssd service because there were no logs in sssd_pam.log when trying to > > >>>> authenticate. > > >>>> > > >>>> Debug level is set to 6 in the sections: > > >>>> > > >>>> [domain/ipa.mydomain.local] > > >>>> [sssd] > > >>>> [nss] > > >>>> [pam] > > >>>> > > >>>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to > > >>>> increase it. > > >>>> > > >>> > > >>> so far it is sufficient. I have another build for you to try at > > >>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343 > > >>> > > >>> Thank you for your patience. > > >> > > >> Thanks for your help!! > > >> > > >> Still no successful login.. Logs attached > > > > > > Please increase the debug level at least for the domain log to 9 and > > > attach the krb5_child log as well. > > > > > > > Debug level increased and logs attached.. > > > > I'm sending this email again because I forgot to reply to the list... > > Unfortunately the IPA KDC cannot redirect the Kerberos request to the > AD realm because of https://fedorahosted.org/freeipa/ticket/3559. I'll > try to figure out if this can be bypassed by tuning sssd.conf and > krb5.conf. (Without seeing the logs, just throwing in an idea) Would it help to try out the subdomain_inherit option to point principal to something that doesn't exist for a subdomain and let sssd guess the principal based on the realm name? 
From pspacek at redhat.com Mon Jun 29 13:50:23 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 29 Jun 2015 15:50:23 +0200
Subject: [Freeipa-users] reverse lookup dns records in trust setup
In-Reply-To:
References:
Message-ID: <55914D1F.4050704@redhat.com>

On 29.6.2015 13:57, John Stein wrote:
> Hi,
>
> I have an AD and IdM server.
> AD domain - john.com
> IdM domain - linux.john.com
>
> each spans multiple network segments, with some segments having both linux
> and windows machines.
>
> the IdM is configured to forward DNS requests to AD (forward first), and
> the AD is configured to forward requests in the linux.john.com domain to
> the IdM.
>
> However, I'm having a problem regarding reverse lookup zones. Where should
> they be so they can be accessed from both linux and windows machines?

From DNS's point of view it does not matter, pick one side (AD or IPA) to
host the reverse zone and configure delegation or forwarding on the other
side. That is all you need if you are willing to update records manually.

> If I put them in IdM, how will the AD know which requests to forward to the
> IdM?

Either properly configure delegation (if you have control over the parent
zone) or add forwarder (only if you do not have control over parent zone -
usual caveats for forwarding apply).

> It seems to me that I need to somehow register them at the AD, so the A
> record is in the IdM server and the PTR is in the AD. Is it possible to do
> it automatically,

"host/" principals from IPA Kerberos realm are generally not allowed to get
tickets for AD realm so automatic update from IPA to AD is not possible.

It might work the other way around (I did not test this):
- Configure reverse zone in IPA
- Configure delegation/forwarding in AD so all clients can properly resolve
  the reverse zone
- Allow all clients to update their PTR records. Update policy like this
  might work:

$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

I would like to hear from you if this works in your environment or not.

Thank you!

-- 
Petr^2 Spacek

From christopher.lamb at ch.ibm.com Mon Jun 29 14:08:02 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 29 Jun 2015 16:08:02 +0200
Subject: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
In-Reply-To:
References: <20150628132501.GB19902@redhat.com>
Message-ID:

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA, including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the one that works for us.

Key points:

a) Integration Style: "Internal Directory with LDAP Authentication" --> only those users that attempt to login are replicated, useful if your JIRA users are a subset of your FreeIPA users.

b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA Support.

c) bind = via user / password --> we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all important mail attribute was not replicated.

d) as the password of the bind user is stored in plaintext in the jira db, make sure this is a limited user (member of the default ipa-users group is sufficient). e.g. don't use the Directory Manager user!

e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute.

Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function).
mysql> select attribute_name, attribute_value from cwd_directory_attribute where directory_id = 10001;
+--------------------------------------------+----------------------------------------------------------------+
| attribute_name                             | attribute_value                                                |
+--------------------------------------------+----------------------------------------------------------------+
| autoAddGroups                              | jira-users                                                     |
| crowd.delegated.directory.auto.create.user | true                                                           |
| crowd.delegated.directory.auto.update.user | true                                                           |
| crowd.delegated.directory.importGroups     | false                                                          |
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP                      |
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com                               |
| ldap.external.id                           | uid                                                            |
| ldap.group.description                     | description                                                    |
| ldap.group.dn                              |                                                                |
| ldap.group.filter                          | (objectclass=groupOfUniqueNames)                               |
| ldap.group.name                            | cn                                                             |
| ldap.group.objectclass                     | groupOfUniqueNames                                             |
| ldap.group.usernames                       | uniqueMember                                                   |
| ldap.nestedgroups.disabled                 | true                                                           |
| ldap.pagedresults                          | false                                                          |
| ldap.pagedresults.size                     | 1000                                                           |
| ldap.password                              | xxxxxxxxx                                                      |
| ldap.referral                              | false                                                          |
| ldap.url                                   | ldap://xxx-ldap.my.silly.example.com:389                       |
| ldap.user.displayname                      | displayName                                                    |
| ldap.user.dn                               | cn=accounts                                                    |
| ldap.user.email                            | mail                                                           |
| ldap.user.filter                           | (objectclass=inetorgperson)                                    |
| ldap.user.firstname                        | givenName                                                      |
| ldap.user.group                            | memberOf                                                       |
| ldap.user.lastname                         | sn                                                             |
| ldap.user.objectclass                      | inetorgperson                                                  |
| ldap.user.username                         | uid                                                            |
| ldap.user.username.rdn                     | cn                                                             |
| ldap.userdn                                | uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com |
| ldap.usermembership.use                    | false                                                          |
| ldap.usermembership.use.for.groups         | false                                                          |
+--------------------------------------------+----------------------------------------------------------------+

@Martin K

In an earlier thread on FreeIPA / JIRA integration you asked for contributions to a "How to Article". I think the solution above could be the basis of such an article.
Cheers

Chris

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: Alexander Bokovoy , Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 29.06.2015 11:27
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

Hi all

I am fighting this exact problem too.

We had set up Jira, integrated to FreeIPA with the option "Internal Directory with LDAP Authentication", using anonymous bind. This integration path means that when a FreeIPA user attempts to logon to Jira with his FreeIPA Credentials, his user is replicated from FreeIPA to the Jira user directory.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

While this allows FreeIPA users to successfully log in to Jira, the user was replicated without email, which renders Jira as useful as a chocolate teapot.

Alexander's reply prompted me to "go back to basics". So I fired up Apache Directory Studio, and the command line to do some ldapsearches, to see what was returned. This should then guide me how to configure the JIRA / FreeIPA integration.

Query 1: Anonymous bind, filter is uid = bilbo

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=bilbo)
# requesting: ALL
#

# bilbo, users, compat, my.ch.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
gidNumber: 1175800010
gecos: bilbo bagins
uidNumber: 1175800010
loginShell: /bin/sh
homeDirectory: /home/bilbo
uid: bilbo

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

This returns 2 replies, inc one from the compat tree, as suggested by Alexander. Note however, neither reply has the mail attribute!

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid = bilbo (This is probably close to the JIRA query, which includes inetorgperson)

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This now returns 1 record, from users, accounts, but still no mail attribute.

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Ah! me thinks - what about a search with user and password? Does this get us something different?

Query 3: same as query 2, but no longer anonymous:

[root at xxx-ldap ~]# ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
mail: lamb at ch.example.com
krbPrincipalName: bilbo at my.silly.example.COM
givenName: bilbo
sn: bagins
ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872
uidNumber: 1175800010
gidNumber: 1175800010
krbPasswordExpiration: 20150831183039Z
krbLastPwdChange: 20150602183039Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

That is much more like it: Performing the query with an ldap user and password gives me many more attributes, including the desired mail attribute.

Next I will configure JIRA to bind to FreeIPA with a FreeIPA user (non-anonymous bind), and report back ... (unless there is a way to configure which attributes are available to anonymous binds ...)
Cheers

Chris

From: Alexander Bokovoy
To: Markus.Moj at mc.ingenico.com
Cc: freeipa-users at redhat.com
Date: 28.06.2015 15:26
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-bounces at redhat.com

On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote:
>Hi @all,
>
>I am new to freeIPA operating and am facing an issue with mail object
>in freeIPA. We are running Jira from Atlassian and are trying to
>authenticate against freeIPA. The authentication process is running but
>mail object is not provided by freeIPA to Jira to inform users about
>new events / trackers or whatsoever. If a test object is displayed with
>ldapsearch mail attribute is available and set but is not usable by
>Jira.
>
>How is it possible to inherit mail accounts in Jira to be able to
>authenticate and use FreeIPA as IDM for Jira as well as for Linux
>systems.

This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your
basedn when configuring Jira. If that's the case, then Jira gets results
from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if compat tree is
enabled. In the compat tree you have RFC2307 schema which doesn't include
mail attribute and slapi-nis always answers first over LDAP queries that
apply to cn=compat,$SUFFIX so you are ending up with two LDAP entries
returned for each individual IPA user, one from the compat tree without
mail attribute, another one is the original entry from
cn=users,cn=accounts,$SUFFIX.

Jira most likely expects a single entry response and if it gets more, only
evaluates the first entry -- the one that is returned by the compat tree
and which doesn't have mail attribute.

You can solve this issue by bounding your query to cn=accounts,$SUFFIX to
only return primary IPA user/group entries.
-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From yamakasi.014 at gmail.com Mon Jun 29 14:10:06 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 29 Jun 2015 16:10:06 +0200
Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local
In-Reply-To: <55914A08.1090300@redhat.com>
References: <55910DC2.30807@redhat.com> <55912FAE.1080403@redhat.com> <55914A08.1090300@redhat.com>
Message-ID:

Hi Petr,

Yes I understand why this is "not possible". The idea was to have a
managed DNS server from scripting and one for "other usage" by clients
who only need to know about the "unknown" records on Server1, this as
it should forward most and only do specific local lookups.

Your subdomain solution might be something if I want to go this way.

Thanks!

Matt

2015-06-29 15:37 GMT+02:00 Petr Spacek :
> On 29.6.2015 14:07, Matt . wrote:
>> Hi Petr,
>>
>> Both servers have zone:
>>
>> domain.tld
>>
>> Server1 (192.168.1.1) has:
>>
>> domain.tld
>> foo A 192.168.1.10
>> bar A 192.168.1.20
>>
>> Server2 (192.168.2.1) has:
>>
>> domain.tld
>> candy A 192.168.2.100
>>
>> I have a forward first on Server1 to the IP of Server2
>>
>> So when my DNS server on my client is 192.168.1.1 and I do a nslookup
>> candy.domain.tld it should not lookup locally but on the forward
>> (Server2). But when I lookup foo.domain.tld it should get a reply of
>> Server1
>
> Okay, now I understand it. It is not possible now and it will likely never be
> possible because it breaks the basic principles of DNS.
>
> You are expected to have one set of servers which are authoritative for a
> given zone and this set of servers should synchronize databases among each other.
>
> If you really want to split responsibility for different records to multiple
> servers then you should create sub-domains and do proper delegation for
> sub-domains.
>
> For example, server 1 might be authoritative for zone domain.tld. This domain
> can contain delegation to server2 for names candy.domain.tld and so on.
>
> I hope this helps.
>
> Petr^2 Spacek
>
>
>> rpm -q bind-dyndb-ldap bind ipa-server
>> bind-dyndb-ldap-2.3-6.el6_6.x86_64
>> bind-9.8.2-0.30.rc1.el6_6.3.x86_64
>> ipa-server-3.0.0-42.el6.centos.x86_64
>>
>> It would also be great if this is possible between IPA 3 and 4.
>>
>> Thanks for your help so far!
>>
>> Cheers,
>>
>> Matt
>>
>> 2015-06-29 13:44 GMT+02:00 Petr Spacek :
>>> On 29.6.2015 13:16, Matt . wrote:
>>>> Hi,
>>>>
>>>> The zones are on both servers, just not all records are, this has a
>>>> reason. One server is maintained by a script, the other one only
>>>> forwards to it if needed.
>>>>
>>>> The idea is that it does a local lookup, when it doesn't find the
>>>> record locally, it forwards to its forwarder to see if it has an
>>>> "answer".
>>>>
>>>> I thought this was working but isn't and following your table it should.
>>>
>>> I'm sorry but I do not understand.
>>>
>>> Could you please give us specific examples?
>>> - what data you have in what zones and on what server
>>> - what is your forwarding configuration
>>> - what is the result you get
>>> - what is the expected result
>>>
>>> Also, please add output from command:
>>> $ rpm -q bind-dyndb-ldap bind ipa-server
>>>
>>> Thanks.
>>>
>>>> What are my options ?
>>> We will see once I understand your requirement :-)
>>>
>>> Petr^2 Spacek
>>>
>>>> 2015-06-29 11:20 GMT+02:00 Petr Spacek :
>>>>> On 27.6.2015 19:06, Matt . wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> When I add a forwarder with policy to forward first, there is only
>>>>>> forwarder and not a fallback to local when the record doesn't exist on
>>>>>> the forward server.
>>>>>>
>>>>>> When I remove the forwardserver, the local lookup works great again.
>>>>>>
>>>>>> Is this known to 3.0 servers or has it been a bug or am I doing something wrong ?
>>>>>
>>>>> Forwarders in FreeIPA behave in the same way as in BIND 9.9 and the behavior
>>>>> you describe seems to be okay.
>>>>>
>>>>> The behavior is summarized in a nice table here:
>>>>> http://www.freeipa.org/page/V4/Forward_zones#Use_Cases
>>>>>
>>>>> In other words, there is no thing like 'look into this zone and look into that
>>>>> zone if the first zone does not contain an answer'. Such behavior would break
>>>>> the very basic principle of DNS - division to independent, self-contained
>>>>> zones. What are you trying to achieve? What is the use-case?
>>>>>
>>>>> Please note that in FreeIPA < 4.1 zones with non-empty 'forwarders' attribute
>>>>> were automatically configured as forward zones. The split to pure forward and
>>>>> master zones happened in FreeIPA 4.1.

From sbose at redhat.com Mon Jun 29 14:31:53 2015
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 29 Jun 2015 16:31:53 +0200
Subject: [Freeipa-users] UPN suffixes in AD trust
In-Reply-To: <20150629134937.GC6442@hendrix.redhat.com>
References: <20150625154426.GQ12661@p.redhat.com> <558C33B2.5020508@di.unimi.it> <20150626123855.GS12661@p.redhat.com> <558D62DD.8020702@di.unimi.it> <20150626180622.GU12661@p.redhat.com> <5590FBF4.7000104@di.unimi.it> <20150629083008.GA4748@p.redhat.com> <55910EB0.90406@di.unimi.it> <20150629131157.GC4748@p.redhat.com> <20150629134937.GC6442@hendrix.redhat.com>
Message-ID: <20150629143152.GA31810@p.redhat.com>

On Mon, Jun 29, 2015 at 03:49:37PM +0200, Jakub Hrozek wrote:
> On Mon, Jun 29, 2015 at 03:11:57PM +0200, Sumit Bose wrote:
> > On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
> > > On
06/29/2015 10:30 AM, Sumit Bose wrote: > > > > On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote: > > > >> On 06/26/2015 08:06 PM, Sumit Bose wrote: > > > >>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote: > > > >>>> > > > >>>> > > > >>>> On 06/26/2015 02:38 PM, Sumit Bose wrote: > > > >>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote: > > > >>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote: > > > >>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote: > > > >>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote: > > > >>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote: > > > >>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote: > > > >>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote: > > > >>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote: > > > >>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote: > > > >>>>>>>>>>>>>> Hi everybody, > > > >>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on > > > >>>>>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. > > > >>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and logon on a linux > > > >>>>>>>>>>>>>> host joined to IPA server using AD credentials (username at mydomain.local). > > > >>>>>>>>>>>>>> But active directory is configured with two more UPN suffixes (otherdomain.com > > > >>>>>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative > > > >>>>>>>>>>>>>> UPN (example: john.doe at otherdomain.com). > > > >>>>>>>>>>>>>> > > > >>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? > > > >>>>>>>>>>>>>> Manual configuration of krb5 and/or sssd? > > > >>>>>>>>>>>>> > > > >>>>>>>>>>>>> Have you tried to login to an IPA client or the server? Please try with > > > >>>>>>>>>>>>> an IPA server first. 
If this does not work it would be nice if you can > > > >>>>>>>>>>>>> send the SSSD log files from the IPA server which are generated during > > > >>>>>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all > > > >>>>>>>>>>>>> cached entries so that the logs will contain all needed calls to AD. > > > >>>>>>>>>>>>> > > > >>>>>>>>>>>>> Using UPN suffixes were added to the AD provider some time ago and the > > > >>>>>>>>>>>>> code is available in the IPA provider as well, but I guess no one has > > > >>>>>>>>>>>>> actually tried this before. > > > >>>>>>>>>>>>> > > > >>>>>>>>>>>>> bye, > > > >>>>>>>>>>>>> Sumit > > > >>>>>>>>>>>> > > > >>>>>>>>>>>> First of all let me say that i feel like I'm missing some config somewhere.. > > > >>>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't helped. > > > >>>>>>>>>>>> I can only access the server vi ssh so I've attached the logs for a successful > > > >>>>>>>>>>>> login for account1 at mydomain.local and an unsuccessful login for > > > >>>>>>>>>>>> account2 at otherdomain.com done via ssh. > > > >>>>>>>>>>>> > > > >>>>>>>>>>>> Bye and thanks for your help > > > >>>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the > > > >>>>>>>>>>> trusted AD domain) but only send to the IPA domain. > > > >>>>>>>>>>> > > > >>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix > > > >>>>>>>>>>> this? If yes, which version of SSSD are you currently using? Then I can > > > >>>>>>>>>>> prepare a test build with the patch on top of this version. > > > >>>>>>>>>>> > > > >>>>>>>>>>> bye, > > > >>>>>>>>>>> Sumit > > > >>>>>>>>>>> > > > >>>>>>>>>> > > > >>>>>>>>>> Hi, > > > >>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for > > > >>>>>>>>>> any test. 
> > > >>>>>>>>>> > > > >>>>>>>>>> Here's the packages version for sssd: > > > >>>>>>>>>> > > > >>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch > > > >>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64 > > > >>>>>>>>> > > > >>>>>>>>> Please try the packages at > > > >>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 . > > > >>>>>>>>> > > > >>>>>>>>> bye, > > > >>>>>>>>> Sumit > > > >>>>>>>> > > > >>>>>>>> Hi, > > > >>>>>>>> I've installed the new RPMs, now if I run on the server: > > > >>>>>>>> > > > >>>>>>>> id account1 at mydomain.local > > > >>>>>>>> id account2 at otherdomain.com > > > >>>>>>>> id account2 at sub.otherdomain.com > > > >>>>>>>> > > > >>>>>>>> all the users are found but I'm still unable to log in via ssh with the accounts > > > >>>>>>>> @otherdomain.com and @sub.otherdomain.com. > > > >>>>>>>> > > > >>>>>>>> In attachment the logs for unsuccessful login for user account2 at otherdomain.com. > > > >>>>>>> > > > >>>>>>> Bother, I forgot to add the fix to the pam responder as well, please try > > > >>>>>>> new packages from > > > >>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 . > > > >>>>>>> > > > >>>>>>> bye, > > > >>>>>>> Sumit > > > >>>>>>> > > > >>>>>> > > > >>>>>> Hi, > > > >>>>>> I've updated all the packages but still no login. > > > >>>>>> > > > >>>>>> Logs follows. 
> > > >>>>> > > > >>>>> I found another issue in the logs which should be fixed by the build > > > >>>>> from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . > > > >>>>> > > > >>>>> Please send the sssd_pam log file as well it might contain more details > > > >>>>> about what goes wrong during authentication. > > > >>>>> > > > >>>>> bye, > > > >>>>> Sumit > > > >>>>> > > > >>>> > > > >>>> Hi, > > > >>>> packages update, sssd and kerberos services restarted, cache flushed but still > > > >>>> no login on the IPA server. > > > >>>> > > > >>>> As before, logs attached. I've also included the logs generated by the restart > > > >>>> of sssd service because there were no logs in sssd_pam.log when trying to > > > >>>> authenticate. > > > >>>> > > > >>>> Debug level is set to 6 in the sections: > > > >>>> > > > >>>> [domain/ipa.mydomain.local] > > > >>>> [sssd] > > > >>>> [nss] > > > >>>> [pam] > > > >>>> > > > >>>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to > > > >>>> increase it. > > > >>>> > > > >>> > > > >>> so far it is sufficient. I have another build for you to try at > > > >>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343 > > > >>> > > > >>> Thank you for your patience. > > > >> > > > >> Thanks for your help!! > > > >> > > > >> Still no successful login.. Logs attached > > > > > > > > Please increase the debug level at least for the domain log to 9 and > > > > attach the krb5_child log as well. > > > > > > > > > > Debug level increased and logs attached.. > > > > > > I'm sending this email again because I forgot to reply to the list... > > > > Unfortunately the IPA KDC cannot redirect the Kerberos request to the > > AD realm because of https://fedorahosted.org/freeipa/ticket/3559. I'll > > try to figure out if this can be bypassed by tuning sssd.conf and > > krb5.conf. 
> > (Without seeing the logs, just throwing in an idea) > > Would it help to try out the subdomain_inherit option to point principal > to something that doesn't exist for a subdomain and let sssd guess the > principal based on the realm name? Unfortunately not for this use case, because the principals should be used at the login prompt and to recognize them we have to read them first. bye, Sumit > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From pspacek at redhat.com Mon Jun 29 15:11:42 2015 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 29 Jun 2015 17:11:42 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: References: <55910DC2.30807@redhat.com> <55912FAE.1080403@redhat.com> <55914A08.1090300@redhat.com> Message-ID: <5591602E.8010006@redhat.com> On 29.6.2015 16:10, Matt . wrote: > Hi Petr, > > Yes I understand why this is "not possible". The idea was to have a > managed DNS server from scripting and one for "other usage" by clients > who only need to know about the "unknown" records on Server1, this as > it should forward most and only do specific local lookups. > > Your subdomain solution might be something if I want to go this way. I still do not understand the use case. Why not let scripts to modify records on one single server? -- Petr^2 Spacek From aebruno2 at buffalo.edu Mon Jun 29 16:13:55 2015 From: aebruno2 at buffalo.edu (Andrew E. 
Bruno) Date: Mon, 29 Jun 2015 12:13:55 -0400 Subject: [Freeipa-users] dirsrv access logs flooded from single connection id Message-ID: <20150629161355.GA28575@dead.ccr.buffalo.edu> Our dirsrv access logs on our freeipa master server are getting flooded with this: [29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0 filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid" [29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0 tag=101 nentries=0 etime=0 notes=P All from the same conn=215758. Logs get rotated every minute. logconv.pl is showing Searches: 265803 (3322.54/sec) (199352.25/min) How can I figure out which ip address this query is coming from? Is there a way to fetch the ip using the connection id? conn=215758? Thanks in advance. --Andrew From yamakasi.014 at gmail.com Mon Jun 29 16:22:55 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Mon, 29 Jun 2015 18:22:55 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: <5591602E.8010006@redhat.com> References: <55910DC2.30807@redhat.com> <55912FAE.1080403@redhat.com> <55914A08.1090300@redhat.com> <5591602E.8010006@redhat.com> Message-ID: Hi, Because it can happen that hostnames are used twice, but one for each network. This sounds a little bit odd, but it has something todo with hostnames that are needed, public names and internal names. But as both networks have their own DNS servers, some records are just not provisioned so need to be added manually to the non-managed server. 2015-06-29 17:11 GMT+02:00 Petr Spacek : > On 29.6.2015 16:10, Matt . wrote: >> Hi Petr, >> >> Yes I understand why this is "not possible". 
The idea was to have a >> managed DNS server from scripting and one for "other usage" by clients >> who only need to know about the "unknown" records on Server1, this as >> it should forward most and only do specific local lookups. >> >> Your subdomain solution might be something if I want to go this way. > > I still do not understand the use case. Why not let scripts to modify records > on one single server? > > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From pspacek at redhat.com Mon Jun 29 16:26:45 2015 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 29 Jun 2015 18:26:45 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: References: <55910DC2.30807@redhat.com> <55912FAE.1080403@redhat.com> <55914A08.1090300@redhat.com> <5591602E.8010006@redhat.com> Message-ID: <559171C5.10609@redhat.com> On 29.6.2015 18:22, Matt . wrote: > Hi, > > Because it can happen that hostnames are used twice, but one for each network. > > This sounds a little bit odd, but it has something to do with hostnames > that are needed, public names and internal names. But as both networks > have their own DNS servers, some records are just not provisioned so > need to be added manually to the non-managed server. Okay, so you basically want 'DNS views'. There is only one piece of advice about that: "Do not do that" :-) I would highly recommend you read and follow the following articles: http://www.freeipa.org/page/Deployment_Recommendations#DNS http://www.freeipa.org/page/DNS#Internal-only_domains Sure, in an already deployed network it is not easy, but be assured that getting rid of DNS views/split-brain DNS will save you a lot of headaches in the long term. I'm sorry for the uncomfortable answers... Petr Spacek @ Red Hat > 2015-06-29 17:11 GMT+02:00 Petr Spacek : >> On 29.6.2015 16:10, Matt .
wrote: >>> Hi Petr, >>> >>> Yes I understand why this is "not possible". The idea was to have a >>> managed DNS server from scripting and one for "other usage" by clients >>> who only need to know about the "unknown" records on Server1, this as >>> it should forward most and only do specific local lookups. >>> >>> Your subdomain solution might be something if I want to go this way. >> >> I still do not understand the use case. Why not let scripts to modify records >> on one single server? >> >> -- >> Petr^2 Spacek From rmeggins at redhat.com Mon Jun 29 16:29:24 2015 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 29 Jun 2015 10:29:24 -0600 Subject: [Freeipa-users] dirsrv access logs flooded from single connection id In-Reply-To: <20150629161355.GA28575@dead.ccr.buffalo.edu> References: <20150629161355.GA28575@dead.ccr.buffalo.edu> Message-ID: <55917264.8020902@redhat.com> On 06/29/2015 10:13 AM, Andrew E. Bruno wrote: > Our dirsrv access logs on our freeipa master server are getting flooded > with this: > > [29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH > base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0 > filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword > gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid" > > [29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0 > tag=101 nentries=0 etime=0 notes=P > > All from the same conn=215758. Logs get rotated every minute. > > logconv.pl is showing > > Searches: 265803 (3322.54/sec) (199352.25/min) > > > How can I figure out which ip address this query is coming from? Is > there a way to fetch the ip using the connection id? conn=215758? grep "conn=215758 fd=" /var/log/dirsrv/slapd-INST/access* Unfortunately, if it has been rotated away, you won't be able to get the information from the access log. > > Thanks in advance. 
> > --Andrew > From yamakasi.014 at gmail.com Mon Jun 29 16:33:30 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Mon, 29 Jun 2015 18:33:30 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: <559171C5.10609@redhat.com> References: <55910DC2.30807@redhat.com> <55912FAE.1080403@redhat.com> <55914A08.1090300@redhat.com> <5591602E.8010006@redhat.com> <559171C5.10609@redhat.com> Message-ID: Hi Petr, No problem at all! I can remove/move things easily... but this split-brain really makes these 2 networks stand on their own, which is what I need. Both are provisioned but not all the same. It gives me the flexibility we need, that's why it's not difficult to move, as it's flexible at the moment. Thanks again for the heads up! Matt 2015-06-29 18:26 GMT+02:00 Petr Spacek : > On 29.6.2015 18:22, Matt . wrote: >> Hi, >> >> Because it can happen that hostnames are used twice, but one for each network. >> >> This sounds a little bit odd, but it has something to do with hostnames >> that are needed, public names and internal names. But as both networks >> have their own DNS servers, some records are just not provisioned so >> need to be added manually to the non-managed server. > > Okay, so you basically want 'DNS views'. There is only one piece of advice about > that: "Do not do that" :-) > > I would highly recommend you read and follow the following articles: > > http://www.freeipa.org/page/Deployment_Recommendations#DNS > http://www.freeipa.org/page/DNS#Internal-only_domains > > Sure, in an already deployed network it is not easy, but be assured that getting > rid of DNS views/split-brain DNS will save you a lot of headaches in the > long term. > > I'm sorry for the uncomfortable answers... > > Petr Spacek @ Red Hat > >> 2015-06-29 17:11 GMT+02:00 Petr Spacek : >>> On 29.6.2015 16:10, Matt . wrote: >>>> Hi Petr, >>>> >>>> Yes I understand why this is "not possible".
The idea was to have a >>>> managed DNS server from scripting and one for "other usage" by clients >>>> who only need to know about the "unknown" records on Server1, this as >>>> it should forward most and only do specific local lookups. >>>> >>>> Your subdomain solution might be something if I want to go this way. >>> >>> I still do not understand the use case. Why not let scripts to modify records >>> on one single server? >>> >>> -- >>> Petr^2 Spacek > From aebruno2 at buffalo.edu Mon Jun 29 16:34:25 2015 From: aebruno2 at buffalo.edu (Andrew E. Bruno) Date: Mon, 29 Jun 2015 12:34:25 -0400 Subject: [Freeipa-users] dirsrv access logs flooded from single connection id In-Reply-To: <55917264.8020902@redhat.com> References: <20150629161355.GA28575@dead.ccr.buffalo.edu> <55917264.8020902@redhat.com> Message-ID: <20150629163425.GA827@dead.ccr.buffalo.edu> On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote: > On 06/29/2015 10:13 AM, Andrew E. Bruno wrote: > >Our dirsrv access logs on our freeipa master server are getting flooded > >with this: > > > >[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH > >base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0 > >filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword > >gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid" > > > >[29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0 > >tag=101 nentries=0 etime=0 notes=P > > > >All from the same conn=215758. Logs get rotated every minute. > > > >logconv.pl is showing > > > >Searches: 265803 (3322.54/sec) (199352.25/min) > > > > > >How can I figure out which ip address this query is coming from? Is > >there a way to fetch the ip using the connection id? conn=215758? > > grep "conn=215758 fd=" /var/log/dirsrv/slapd-INST/access* > > Unfortunately, if it has been rotated away, you won't be able to get the > information from the access log. > No luck .. looks like it has been rotated away. 
Any other thoughts? Is it correct to assume this is all coming from a single host? My thinking is that if I can kill the query coming from the host that it would solve the problem. From aebruno2 at buffalo.edu Mon Jun 29 17:02:09 2015 From: aebruno2 at buffalo.edu (Andrew E. Bruno) Date: Mon, 29 Jun 2015 13:02:09 -0400 Subject: [Freeipa-users] dirsrv access logs flooded from single connection id In-Reply-To: <20150629163425.GA827@dead.ccr.buffalo.edu> References: <20150629161355.GA28575@dead.ccr.buffalo.edu> <55917264.8020902@redhat.com> <20150629163425.GA827@dead.ccr.buffalo.edu> Message-ID: <20150629170209.GB827@dead.ccr.buffalo.edu> On Mon, Jun 29, 2015 at 12:34:25PM -0400, Andrew E. Bruno wrote: > On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote: > > On 06/29/2015 10:13 AM, Andrew E. Bruno wrote: > > >Our dirsrv access logs on our freeipa master server are getting flooded > > >with this: > > > > > >[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH > > >base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0 > > >filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword > > >gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid" > > > > > >[29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0 > > >tag=101 nentries=0 etime=0 notes=P > > > > > >All from the same conn=215758. Logs get rotated every minute. > > > > > >logconv.pl is showing > > > > > >Searches: 265803 (3322.54/sec) (199352.25/min) > > > > > > > > >How can I figure out which ip address this query is coming from? Is > > >there a way to fetch the ip using the connection id? conn=215758? > > > > grep "conn=215758 fd=" /var/log/dirsrv/slapd-INST/access* > > > > Unfortunately, if it has been rotated away, you won't be able to get the > > information from the access log. > > > > No luck .. looks like it has been rotated away. Any other thoughts? > > Is it correct to assume this is all coming from a single host? 
My > thinking is that if I can kill the query coming from the host that it > would solve the problem. Found the host using tcpdump. Thanks again for the help, --Andrew From aellert at numeezy.com Mon Jun 29 17:37:31 2015 From: aellert at numeezy.com (Alexandre Ellert) Date: Mon, 29 Jun 2015 19:37:31 +0200 Subject: [Freeipa-users] Failed to start pki-tomcatd Service Message-ID: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> Hello, I have a problem on a replica server running Centos 7.1 and ipa 4.1.0-18.el7.centos.3.x86_64 (last version) Ipa server doesn't restart correctly (using systemctl restart ipa or reboot the whole server) : # ipactl status Directory Service: STOPPED Directory Service must be running in order to obtain status of other services ipa: INFO: The ipactl command was successful and I have to force the start process : # ipactl start -f Existing service file detected! Assuming stale, cleaning and proceeding Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting pki-tomcatd Service Failed to start pki-tomcatd Service Forced start, ignoring pki-tomcatd Service, continuing normal operation Starting ipa-otpd Service ipa: INFO: The ipactl command was successful But, as you see the pki-tomcatd is unable to start. I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and found this error : Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve.
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) I don't know how to fix that error and also don't know if it is the root cause. Thanks for your help and please tell me if you need more information.
Alexandre From sbingram at gmail.com Mon Jun 29 22:22:18 2015 From: sbingram at gmail.com (Stephen Ingram) Date: Mon, 29 Jun 2015 15:22:18 -0700 Subject: [Freeipa-users] 3rd party certificate for WebUI only Message-ID: I set up IPA using the internal CA. I'd like to continue using this CA, however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for the WebUI using the instructions at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP? Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: From umarzuki at gmail.com Tue Jun 30 03:17:03 2015 From: umarzuki at gmail.com (Umarzuki Mochlis) Date: Tue, 30 Jun 2015 11:17:03 +0800 Subject: [Freeipa-users] freeipa sudden stop Message-ID: About once a week the IPA service suddenly fails, and I only realize it when Zimbra, which uses it for authentication, fails during user login. So I had to type in the commands below one by one each time this happened. systemctl start dirsrv@DOMAIN-COM.service systemctl start krb5kdc.service systemctl start kadmin.service systemctl start ipa_memcached.service systemctl start httpd.service # cat /etc/redhat-release Fedora release 18 (Spherical Cow) # rpm -qa | grep freeipa freeipa-admintools-3.1.0-2.fc18.x86_64 freeipa-server-3.1.0-2.fc18.x86_64 freeipa-client-3.1.0-2.fc18.x86_64 freeipa-server-selinux-3.1.0-2.fc18.x86_64 freeipa-python-3.1.0-2.fc18.x86_64 I was told this IPA server is a master IPA. I could not find a crash log in /var/log/messages other than when I failed to start certain services or "service ipa start". Any idea where exactly I should be looking? Log messages attached. -------------- next part -------------- A non-text attachment was scrubbed...
Name: messages-20150628 Type: application/octet-stream Size: 214798 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: messages Type: application/octet-stream Size: 13160 bytes Desc: not available URL: From Alexander.Frolushkin at megafon.ru Tue Jun 30 04:08:37 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Tue, 30 Jun 2015 04:08:37 +0000 Subject: [Freeipa-users] Unfamiliar message and crashes Message-ID: Hello. What does the message NSMMReplicationPlugin - agmt="cn=cloneAgreement1-host1.domain.com-pki-tomcat" (host2:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later. mean? A lot of these messages appeared in the dirsrv error log yesterday, and several crashes ns-slapd[31026]: segfault at 25 ip 00007f7aa499c800 sp 00007f7a4b7e14f0 error 4 in libslapd.so.0.0.0[7f7aa4948000+11c000] were also noticed... Any thoughts, what to do? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 ________________________________ The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkupka at redhat.com Tue Jun 30 05:34:58 2015 From: dkupka at redhat.com (David Kupka) Date: Tue, 30 Jun 2015 07:34:58 +0200 Subject: [Freeipa-users] freeipa sudden stop In-Reply-To: References: Message-ID: <55922A82.7040502@redhat.com> On 30/06/15 05:17, Umarzuki Mochlis wrote: > About once a week the IPA service suddenly fails, and I only > realize it when Zimbra, which uses it for authentication, fails during > user login. > > So I had to type in the commands below one by one each time this happened. > > systemctl start dirsrv@DOMAIN-COM.service > systemctl start krb5kdc.service > systemctl start kadmin.service > systemctl start ipa_memcached.service > systemctl start httpd.service > > # cat /etc/redhat-release > Fedora release 18 (Spherical Cow) > > # rpm -qa | grep freeipa > freeipa-admintools-3.1.0-2.fc18.x86_64 > freeipa-server-3.1.0-2.fc18.x86_64 > freeipa-client-3.1.0-2.fc18.x86_64 > freeipa-server-selinux-3.1.0-2.fc18.x86_64 > freeipa-python-3.1.0-2.fc18.x86_64 > > I was told this IPA server is a master IPA. > > I could not find a crash log in /var/log/messages other than when I > failed to start certain services or "service ipa start". > > Any idea where exactly I should be looking? > > Log messages attached. > > > Hello! The issue seems quite annoying. Could you please provide more info? Do you have one freeipa master or more replicas? If not do you experience this issue only on one of them? According to the logs it looks like starting of pki-tomcatd fails and therefore "ipactl start" fails.
Could you run "# ipactl start -d" and post its output? Also starting individual services is not a good idea as you can forget to start some (you actually did :-) -- David Kupka From umarzuki at gmail.com Tue Jun 30 05:53:50 2015 From: umarzuki at gmail.com (Umarzuki Mochlis) Date: Tue, 30 Jun 2015 13:53:50 +0800 Subject: [Freeipa-users] freeipa sudden stop In-Reply-To: <55922A82.7040502@redhat.com> References: <55922A82.7040502@redhat.com> Message-ID: 2015-06-30 13:34 GMT+08:00 David Kupka : .. > > Hello! > The issue seems quite annoying. Could you please provide more info? > Do you have one freeipa master or more replicas? > If not do you experience this issue only on one of them? > > According to the logs it looks like starting of pki-tomcatd fails and > therefore "ipactl start" fails. > > Could you run "# ipactl start -d" and post its output? > > Also starting individual services is not a good idea as you can forget to > start some (you actually did :-) > > -- > David Kupka It has one replica. Output of ipactl start -d: # ipactl start -d ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py' ipa: DEBUG: skipping plugin module ipalib.plugins.entitle: No module named rhsm.connection ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py' ipa: DEBUG: importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py' ipa: DEBUG: Starting external process ipa: DEBUG: args=klist -V ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=Kerberos 5 version 1.10.3 ipa: DEBUG: stderr= ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py' 
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/xmlclient.py' Existing service file detected! Assuming stale, cleaning and proceeding Starting Directory Service ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl start dirsrv.target ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl is-active dirsrv.target ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl is-active dirsrv.target ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= Starting krb5kdc Service ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl start krb5kdc.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl is-active krb5kdc.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= Starting kadmin Service ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl start kadmin.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl is-active kadmin.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= Starting ipa_memcached Service ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl start ipa_memcached.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl is-active ipa_memcached.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: 
stderr= Starting httpd Service ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl start httpd.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl is-active httpd.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= Starting pki-tomcatd Service ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl is-active pki-tomcatd.target ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 120 ipa: DEBUG: Waiting until the CA is running ipa: INFO: request 'https://ipa.domain.com:443/ca/admin/ca/getStatus' ipa: DEBUG: request body '' ipa: DEBUG: request status 500 ipa: DEBUG: request reason_phrase u'Internal Server Error' ipa: DEBUG: request headers {'date': 'Tue, 30 Jun 2015 05:45:08 GMT', 'content-length': '2094', 'content-type': 'text/html;charset=utf-8', 'connection': 'close', 'server': 'Apache/2.4.3 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.2 NSS/3.13.5.0 mod_wsgi/3.4 Python/2.7.3'} ipa: DEBUG: request body 'Apache Tomcat/7.0.34 - Error report
HTTP Status 500 - CS server is not ready to serve.
type Exception report
message CS server is not ready to serve.
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.io.IOException: CS server is not ready to serve.\n\tcom.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:439)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:728)\n\tsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:601)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:271)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:536)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:306)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:166)\n
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.34 logs.
Apache Tomcat/7.0.34
' Failed to start pki-tomcatd Service Shutting down ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl stop krb5kdc.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl stop kadmin.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl stop ipa_memcached.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl stop httpd.service ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl stop pki-tomcatd.target ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl stop dirsrv.target ipa: DEBUG: Process finished, return code=0 ipa: INFO: File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script return_value = main_function() File "/usr/sbin/ipactl", line 490, in main ipa_start(options) File "/usr/sbin/ipactl", line 261, in ipa_start raise IpactlError("Aborting ipactl") ipa: INFO: The ipactl command failed, exception: IpactlError: Aborting ipactl Aborting ipactl From prashant at apigee.com Tue Jun 30 06:04:55 2015 From: prashant at apigee.com (Prashant Bapat) Date: Tue, 30 Jun 2015 11:34:55 +0530 Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module In-Reply-To: References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com> Message-ID: Hi, I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password which is of course password+OTP. However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to login once and the credentials are cached for, say, 12/24 hours? I know this is possible just using the password.
Question is, is this possible using password+OTP? Thanks. --Prashant On 27 June 2015 at 13:06, Prashant Bapat wrote: > Aah ok ! > > Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended > up using nss-pam-ldap, nscd and nslcd. > > However this looks promising. Only for the servers exposed to Internet I > could use CentOS/Fedora and this method of authentication. Let me try this > and come back to you. > > Thanks. > --Prashant > > On 27 June 2015 at 10:17, Alexander Bokovoy wrote: > >> >> >> ----- Original Message ----- >> > Hi , >> > >> > I'm exploring implementing a 2FA solution to my servers exposed to >> public. >> > Mainly to secure SSH with 2FA. The SSH keys and users are already in >> > FreeIPA. >> > >> > Is there a way to utilize the OTP inside FreeIPA during a user login to >> these >> > servers ? A user will have to enter the TOTP code bases on whats >> configured >> > in FreeIPA. Something along the lines of >> > https://github.com/google/google-authenticator/tree/master/libpam >> If you are using SSSD (pam_sss), it will automatically accept 2FA. >> >> You need to force OpenSSH to combine authentication methods, something >> like: >> >> AuthenticationMethods publickey,password:pam >> publickey,keyboard-interactive:pam >> >> Look into sshd_config manual page for details. This is feature of OpenSSH >> 6.2 or later. >> >> -- >> / Alexander Bokovoy >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Tue Jun 30 07:09:19 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 30 Jun 2015 09:09:19 +0200 Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module In-Reply-To: References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com> Message-ID: <20150630070919.GN6442@hendrix.redhat.com> On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote: > Hi, > > I was able to set this up in a Fedora instance with SSSD and it works as > expected. 
SSHD first uses the public key and then prompts for password > which is ofcourse password+OTP. > > However, having a user enter the password+OTP every time he logs in during > the day is kind of inconvenient. Is it possible to make sure the user has > to login once and the credentials are cached for say 12/24 hours. I know > this is possible just using the password. Question is, is this possible > using password+OTP? We have an SSSD feature under review now that would help you: https://fedorahosted.org/sssd/ticket/1807 But to be honest, I'm not sure if we tested the patches with 2FA yet. We should! From sbose at redhat.com Tue Jun 30 07:22:13 2015 From: sbose at redhat.com (Sumit Bose) Date: Tue, 30 Jun 2015 09:22:13 +0200 Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module In-Reply-To: <20150630070919.GN6442@hendrix.redhat.com> References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com> <20150630070919.GN6442@hendrix.redhat.com> Message-ID: <20150630072213.GB31810@p.redhat.com> On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote: > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote: > > Hi, > > > > I was able to set this up in a Fedora instance with SSSD and it works as > > expected. SSHD first uses the public key and then prompts for password > > which is ofcourse password+OTP. > > > > However, having a user enter the password+OTP every time he logs in during > > the day is kind of inconvenient. Is it possible to make sure the user has > > to login once and the credentials are cached for say 12/24 hours. I know > > this is possible just using the password. Question is, is this possible > > using password+OTP? > > We have an SSSD feature under review now that would help you: > https://fedorahosted.org/sssd/ticket/1807 > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We > should! hm, I agree we should, but I guess we should test that cached authentication does _not_ work with 2FA/OTP. 
Because it is expected that the OTP token only works once, so that e.g. it can be used in an insecure environment to set up a secure tunnel. Maybe it would make sense to add a paragraph to https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication and discuss OTP/2FA usage here or on sssd-devel. bye, Sumit > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From jpazdziora at redhat.com Tue Jun 30 07:30:28 2015 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Tue, 30 Jun 2015 09:30:28 +0200 Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module In-Reply-To: References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com> Message-ID: <20150630073028.GG11744@redhat.com> On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote: > > I was able to set this up in a Fedora instance with SSSD and it works as > expected. SSHD first uses the public key and then prompts for password > which is ofcourse password+OTP. > > However, having a user enter the password+OTP every time he logs in during > the day is kind of inconvenient. Is it possible to make sure the user has > to login once and the credentials are cached for say 12/24 hours. I know The problem is, you don't really know it's the same user, upon that second access. Would Kerberos/GSSAPI perhaps help you, by giving you time-constrained service ticket? 
-- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat From jhrozek at redhat.com Tue Jun 30 07:31:55 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 30 Jun 2015 09:31:55 +0200 Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module In-Reply-To: <20150630072213.GB31810@p.redhat.com> References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com> <20150630070919.GN6442@hendrix.redhat.com> <20150630072213.GB31810@p.redhat.com> Message-ID: <20150630073155.GQ6442@hendrix.redhat.com> On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote: > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote: > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote: > > > Hi, > > > > > > I was able to set this up in a Fedora instance with SSSD and it works as > > > expected. SSHD first uses the public key and then prompts for password > > > which is ofcourse password+OTP. > > > > > > However, having a user enter the password+OTP every time he logs in during > > > the day is kind of inconvenient. Is it possible to make sure the user has > > > to login once and the credentials are cached for say 12/24 hours. I know > > > this is possible just using the password. Question is, is this possible > > > using password+OTP? > > > > We have an SSSD feature under review now that would help you: > > https://fedorahosted.org/sssd/ticket/1807 > > > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We > > should! > > hm, I agree we should, but I guess we should test that cached > authentication does _not_ work with 2FA/OTP. Because it is expected that > the OTP token only works once, so that e.g. it can be used in an > insecure environment to set up a secure tunnel. Sure, the second factor must not be reused :-) but couldn't we use the cached auth to support cases like this where the second factor is to be used only once per some time and use only the first factor in the meantime? 
> > Maybe it would make sense to add a paragraph to > https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication and > discuss OTP/2FA usage here or on sssd-devel. Yes, whatever the result it, it should be documented, also in the man pages, because currently it's not clear what happens. From ftweedal at redhat.com Tue Jun 30 07:55:24 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 30 Jun 2015 17:55:24 +1000 Subject: [Freeipa-users] Failed to start pki-tomcatd Service In-Reply-To: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com> Message-ID: <20150630075524.GN6584@dhcp-40-8.bne.redhat.com> On Mon, Jun 29, 2015 at 07:37:31PM +0200, Alexandre Ellert wrote: > Hello, > > I have a problem on a replica server running Centos 7.1 and ipa 4.1.0-18.el7.centos.3.x86_64 (last version) > Ipa server doesn?t restart correctly (using systemctl restart ipa or reboot the whole server) : > # ipactl status > Directory Service: STOPPED > Directory Service must be running in order to obtain status of other services > ipa: INFO: The ipactl command was successful > > and I have to force the start process : > # ipactl start -f > Existing service file detected! > Assuming stale, cleaning and proceeding > Starting Directory Service > Starting krb5kdc Service > Starting kadmin Service > Starting named Service > Starting ipa_memcached Service > Starting httpd Service > Starting pki-tomcatd Service > > > Failed to start pki-tomcatd Service > Forced start, ignoring pki-tomcatd Service, continuing normal operation > Starting ipa-otpd Service > ipa: INFO: The ipactl command was successful > > But, as you see the pki-tomcatd is unable to start. 
> I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and found this error :
> Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path [/ca] threw exception
> java.io.IOException: CS server is not ready to serve.
>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>         at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:745)
>
> I don't know how to fix that error and also don't know if it is the root cause.
> Thanks for your help and please tell me if you need more information.
>
> Alexandre
>
Could you please provide the content of logfile:
`/var/log/pki/pki-tomcat/ca/debug', around the time the error
occurs?

Thanks,
Fraser

From sbose at redhat.com  Tue Jun 30 08:06:39 2015
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 30 Jun 2015 10:06:39 +0200
Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module
In-Reply-To: <20150630073155.GQ6442@hendrix.redhat.com>
References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com>
	<20150630070919.GN6442@hendrix.redhat.com>
	<20150630072213.GB31810@p.redhat.com>
	<20150630073155.GQ6442@hendrix.redhat.com>
Message-ID: <20150630080639.GC31810@p.redhat.com>

On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
> On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > > Hi,
> > > >
> > > > I was able to set this up in a Fedora instance with SSSD and it works as
> > > > expected. SSHD first uses the public key and then prompts for password
> > > > which is of course password+OTP.
> > > >
> > > > However, having a user enter the password+OTP every time he logs in during
> > > > the day is kind of inconvenient. Is it possible to make sure the user has
> > > > to login once and the credentials are cached for say 12/24 hours. I know
> > > > this is possible just using the password. Question is, is this possible
> > > > using password+OTP?
> > >
> > > We have an SSSD feature under review now that would help you:
> > > https://fedorahosted.org/sssd/ticket/1807
> > >
> > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We
> > > should!
> >
> > hm, I agree we should, but I guess we should test that cached
> > authentication does _not_ work with 2FA/OTP. Because it is expected that
> > the OTP token only works once, so that e.g. it can be used in an
> > insecure environment to set up a secure tunnel.
>
> Sure, the second factor must not be reused :-) but couldn't we use the
> cached auth to support cases like this where the second factor is to be
> used only once per some time and use only the first factor in the
> meantime?

I'm a bit reluctant here. If the two factors are intercepted in an
insecure environment the attacker will still have a valid password which
can be used for some time. Additionally, iirc cached authentication is
not aware of the service used. If e.g. OTP was used to just get a
response from some unprotected and unprivileged service the intercepted
password can be used to log in with ssh as well. So I guess we need a
careful discussion here.

bye,
Sumit

>
> >
> > Maybe it would make sense to add a paragraph to
> > https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication and
> > discuss OTP/2FA usage here or on sssd-devel.
>
> Yes, whatever the result is, it should be documented, also in the man
> pages, because currently it's not clear what happens.

From aellert at numeezy.com  Tue Jun 30 08:16:12 2015
From: aellert at numeezy.com (Alexandre Ellert)
Date: Tue, 30 Jun 2015 10:16:12 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <20150630075524.GN6584@dhcp-40-8.bne.redhat.com>
References: <0DBCE9CE-8CEE-4EB2-B132-11D309A2392D@numeezy.com>
	<20150630075524.GN6584@dhcp-40-8.bne.redhat.com>
Message-ID:

> Could you please provide the content of logfile:
> `/var/log/pki/pki-tomcat/ca/debug', around the time the error
> occurs?
>
> Thanks,
> Fraser

When the pki-tomcatd service is trying to start, I see this message in /var/log/pki/pki-tomcat/ca/debug

[30/Jun/2015:10:02:13][localhost-startStop-1]: ============================================
[30/Jun/2015:10:02:13][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED  =======
[30/Jun/2015:10:02:13][localhost-startStop-1]: ============================================
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init()  mEnableSerialMgmt=true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
[30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine.shutdown()
[30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
[30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
[30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[30/Jun/2015:10:02:15][ajp-bio-127.0.0.1-8009-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
I checked that ns-slapd was running on port 636 # netstat -antp|grep 636 tcp6 0 0 :::636 :::* LISTEN 22855/ns-slapd After a quick search, I found this bug https://fedorahosted.org/freeipa/ticket/4666 is quite similar. Many workarounds are suggested there but I?m confused about which could be efficient for me. Thanks for your help -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Tue Jun 30 09:30:28 2015 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 30 Jun 2015 11:30:28 +0200 Subject: [Freeipa-users] DNS forwarder "first" does not fallback to local In-Reply-To: References: <55910DC2.30807@redhat.com> <55912FAE.1080403@redhat.com> <55914A08.1090300@redhat.com> <5591602E.8010006@redhat.com> <559171C5.10609@redhat.com> Message-ID: <559261B4.2050304@redhat.com> On 29.6.2015 18:33, Matt . wrote: > Hi Petr, > > No problem at all! I can remove/move things easily... but this > splitbrain really makes these 2 networks standing on their own, which > is what I need. > > Both are provisioned but not all the same. It gives me the flexibility > we need, that's why it's not difficult to move, as it's flexible at > the moment. Yeah, you can get most flexibility by using two separate domains for each network, possibly on two separate servers :-) Let us know if you need further assistance. Petr^2 Spacek > 2015-06-29 18:26 GMT+02:00 Petr Spacek : >> On 29.6.2015 18:22, Matt . wrote: >>> Hi, >>> >>> Because it can happen that hostnames are used twice, but one for each network. >>> >>> This sounds a little bit odd, but it has something todo with hostnames >>> that are needed, public names and internal names. But as both networks >>> have their own DNS servers, some records are just not provisioned so >>> need to be added manually to the non-managed server. >> >> Okay, so you basically wants 'DNS views'. 
There is only once advice about >> that: "Do not do that" :-) >> >> I would highly recommend you to read and follow following articles: >> >> http://www.freeipa.org/page/Deployment_Recommendations#DNS >> http://www.freeipa.org/page/DNS#Internal-only_domains >> >> Sure, in already deployed network it is not easy but be assured that getting >> rid of DNS views/split-brain DNS it will save you a lot of headaches in the >> long term. >> >> I'm sorry for uncomforting answers... >> >> Petr Spacek @ Red Hat >> >>> 2015-06-29 17:11 GMT+02:00 Petr Spacek : >>>> On 29.6.2015 16:10, Matt . wrote: >>>>> Hi Petr, >>>>> >>>>> Yes I understand why this is "not possible". The idea was to have a >>>>> managed DNS server from scripting and one for "other usage" by clients >>>>> who only need to know about the "unknown" records on Server1, this as >>>>> it should forward most and only do specific local lookups. >>>>> >>>>> Your subdomain solution might be something if I want to go this way. >>>> >>>> I still do not understand the use case. Why not let scripts to modify records >>>> on one single server? 
>>>> >>>> -- >>>> Petr^2 Spacek From simo at redhat.com Tue Jun 30 10:14:30 2015 From: simo at redhat.com (Simo Sorce) Date: Tue, 30 Jun 2015 06:14:30 -0400 Subject: [Freeipa-users] Using FreeIPA OTP in a PAM module In-Reply-To: <20150630080639.GC31810@p.redhat.com> References: <1646050176.9608709.1435380420168.JavaMail.zimbra@redhat.com> <20150630070919.GN6442@hendrix.redhat.com> <20150630072213.GB31810@p.redhat.com> <20150630073155.GQ6442@hendrix.redhat.com> <20150630080639.GC31810@p.redhat.com> Message-ID: <1435659270.7621.37.camel@willson.usersys.redhat.com> On Tue, 2015-06-30 at 10:06 +0200, Sumit Bose wrote: > On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote: > > On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote: > > > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote: > > > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote: > > > > > Hi, > > > > > > > > > > I was able to set this up in a Fedora instance with SSSD and it works as > > > > > expected. SSHD first uses the public key and then prompts for password > > > > > which is ofcourse password+OTP. > > > > > > > > > > However, having a user enter the password+OTP every time he logs in during > > > > > the day is kind of inconvenient. Is it possible to make sure the user has > > > > > to login once and the credentials are cached for say 12/24 hours. I know > > > > > this is possible just using the password. Question is, is this possible > > > > > using password+OTP? > > > > > > > > We have an SSSD feature under review now that would help you: > > > > https://fedorahosted.org/sssd/ticket/1807 > > > > > > > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We > > > > should! > > > > > > hm, I agree we should, but I guess we should test that cached > > > authentication does _not_ work with 2FA/OTP. Because it is expected that > > > the OTP token only works once, so that e.g. 
it can be used in an > > > insecure environment to set up a secure tunnel. > > > > Sure, the second factor must not be reused :-) but couldn't we use the > > cached auth to support cases like this where the second factor is to be > > used only once per some time and use only the first factor in the > > meantime? > > I'm a bit reluctant here. If the two factors are intercepted in an > insecure environment the attacker will still have a valid password which > can be used for some time. Additionally, iirc cached authentication is > not aware of the service used. If e.g. OTP was used to just get a > response from some unprotected and unprivileged service the intercepted > password can be used to log in with ssh as well. So I guess we need a > careful discussion here. The solution for this environments already exists and it is called GSSAPI. You can obtain a ticket with 2FA and then use your TGT for 10 or more hours. There is no need to invent broken ways to skip two factor auth when we already have a way to make this easy *and* secure. Simo. -- Simo Sorce * Red Hat, Inc * New York From lkrispen at redhat.com Tue Jun 30 13:54:14 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 30 Jun 2015 15:54:14 +0200 Subject: [Freeipa-users] changing the default for changelog trimmimg Message-ID: <55929F86.6010907@redhat.com> Hi, 389-ds allows to configure the max size of the replication changelog either by setting a maximum record number or a maximum age of changes. freeIPA does not use this setting. In the context of ticket https://fedorahosted.org/freeipa/ticket/5086 we are discussing to change the default to enable changelog trimming. Does anyone already use changlog trimming or is there a scenario where you rely on all changes being available ? 
Thanks for your feedback, Ludwig From devel at jasonwoods.me.uk Tue Jun 30 15:37:19 2015 From: devel at jasonwoods.me.uk (Jason Woods) Date: Tue, 30 Jun 2015 16:37:19 +0100 Subject: [Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour Message-ID: <5E9CD78A-B08F-45E3-A67B-57734B70C147@jasonwoods.me.uk> Hi, I?ve started playing around with Samba shared on an IPA server running 4.1.0 (CentOS 7 latest as of 30-06-2015). I?m having an issue with performance - it seems to connect to ldap almost 10 times for every file operation to try lookup a group - and the lookup fails. On another system running IPA 3.0.0 on CentOS 6.6 this runs perfectly, and the lookup succeeds. Everything is setup: yum install ipa-server-trust-ad ipa-adtrust-install Logging level set to 9999: net conf setparm global ?log level? 10 Samba share setup to share a /data directory: [Test] path = /data guest ok = no read only = no valid users = @projects Connecting to the share is great - all works fine - but then copying files is somewhat slower than expected. Examining log.workstation I can see that the group lookup for the @projects group is not functioning: [2015/06/30 16:23:18.050664, 5, pid=14801, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1249(smbldap_search_ext) smbldap_search_ext: base => [dc=XXX], filter => [(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)(objectClass=ipaNTUserAttrs)))], scope => [2] [2015/06/30 16:23:18.051555, 3, pid=14801, effective(0, 0), real(0, 0)] ipa_sam.c:942(ldapsam_gid_to_sid) ERROR: Got 0 entries for gid 543800010, expected at least one This happens almost 10 times per file I copy into the share. Checking dirsrv logs, the query is returning 0 entries - so that confirms what ipasam is reporting. 
However, running the query manually as root (which connect as Directory Manager as opposed to the cifs service principle) it returns results: [root at ipa02 data]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' '(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))' SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base (default) with scope subtree # filter: (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount))) # requesting: ALL # # projects, groups, accounts, XXX dn: cn=projects,cn=groups,cn=accounts,dc=XXX gidNumber: 543800010 ipaUniqueID: XXX cn: projects description: Projects access objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject objectClass: posixgroup objectClass: ipantgroupattrs ipaNTSecurityIdentifier: XXX member: cn=projects_rw,cn=groups,cn=accounts,dc=XXX # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 If I load the keytab for Samba: kinit -t /etc/samba/samba.keytab cifs/ipa02.XXX at XXX Then run the query using GSSAPI - I get no results! [root at ipa02 data]# ldapsearch -Y GSSAPI -H 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' '(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))' SASL/GSSAPI authentication started SASL username: cifs/ipa02.XXX at XXX SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base (default) with scope subtree # filter: (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount))) # requesting: ALL # # search result search: 4 result: 0 Success # numResponses: 1 Even stranger, if I split the OR filter and only run the group part, but still running through GSSAPI - it is successful! 
[root at ipa02 data]# ldapsearch -Y GSSAPI -H 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' '(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))' SASL/GSSAPI authentication started SASL username: cifs/XXX at XXX SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base (default) with scope subtree # filter: (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs)) # requesting: ALL # # projects, groups, accounts, XXX dn: cn=projects,cn=groups,cn=accounts,dc=XXX gidNumber: 543800010 ipaUniqueID: XXX cn: projects description: Projects access objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject objectClass: posixgroup objectClass: ipantgroupattrs ipaNTSecurityIdentifier: XXX member: cn=projects_rw,cn=groups,cn=accounts,dc=XXX # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1 Any ideas what might be happening here? I've read something about non-existent attributes can mess with OR queries. But I can't understand why it would only affect the GSSAPI authenticated user. Regards, Jason Woods -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rmeggins at redhat.com Tue Jun 30 16:23:13 2015 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 30 Jun 2015 10:23:13 -0600 Subject: [Freeipa-users] Unfamiliar message and crashes In-Reply-To: References: Message-ID: <5592C271.7000304@redhat.com> On 06/29/2015 10:08 PM, Alexander Frolushkin wrote: > > Hello. > > What does message > > NSMMReplicationPlugin - > agmt="cn=cloneAgreement1-host1.domain.com-pki-tomcat" (host2:389): > Unable to acquire replica: the replica instructed us to go into > backoff mode. Will retry later. > > mean?
> > A lot of these messages appeared in error dirsrv log yesterday, and > several crashes > > ns-slapd[31026]: segfault at 25 ip 00007f7aa499c800 sp > 00007f7a4b7e14f0 error 4 in libslapd.so.0.0.0[7f7aa4948000+11c000] > > also noticed? > > Any thoughts, what to do? > Please provide the versions you are using: # rpm -q 389-ds-base ipa-server slapi-nis Debugging crashes: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes in addition: # debuginfo-install ipa-server slapi-nis We need to see some stack traces > WBR, > > Alexander Frolushkin > > Cell +79232508764 > > Work +79232507764 > > > ------------------------------------------------------------------------ > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. It may contain confidential or legally > privileged information. The contents may not be disclosed or used by > anyone other than the addressee. If you are not the intended > recipient(s), any use, disclosure, copying, distribution or any action > taken or omitted to be taken in reliance on it is prohibited and may > be unlawful. If you have received this communication in error please > notify us immediately by responding to this email and then delete the > e-mail and all attachments and any copies thereof.
> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Tue Jun 30 16:29:16 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 30 Jun 2015 12:29:16 -0400 (EDT) Subject: [Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour In-Reply-To: <5E9CD78A-B08F-45E3-A67B-57734B70C147@jasonwoods.me.uk> References: <5E9CD78A-B08F-45E3-A67B-57734B70C147@jasonwoods.me.uk> Message-ID: <1942624034.11313323.1435681756871.JavaMail.zimbra@redhat.com> ----- Original Message ----- > Hi, > > I've started playing around with Samba shared on an IPA server running 4.1.0 > (CentOS 7 latest as of 30-06-2015). > I'm having an issue with performance - it seems to connect to ldap almost 10 > times for every file operation to try lookup a group - and the lookup fails. > On another system running IPA 3.0.0 on CentOS 6.6 this runs perfectly, and > the lookup succeeds. > > Everything is setup: > yum install ipa-server-trust-ad > ipa-adtrust-install > > Logging level set to 9999: net conf setparm global 'log level' 10 > Samba share setup to share a /data directory: > > [Test] > path = /data > guest ok = no > read only = no > valid users = @projects > > Connecting to the share is great - all works fine - but then copying files is > somewhat slower than expected.
> Examining log.workstation I can see that the group lookup for the @projects > group is not functioning: > > [2015/06/30 16:23:18.050664, 5, pid=14801, effective(0, 0), real(0, 0)] > ../source3/lib/smbldap.c:1249(smbldap_search_ext) > smbldap_search_ext: base => [dc=XXX], filter => > [(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)(objectClass=ipaNTUserAttrs)))], > scope => [2] > [2015/06/30 16:23:18.051555, 3, pid=14801, effective(0, 0), real(0, 0)] > ipa_sam.c:942(ldapsam_gid_to_sid) > ERROR: Got 0 entries for gid 543800010, expected at least one > > This happens almost 10 times per file I copy into the share. > Checking dirsrv logs, the query is returning 0 entries - so that confirms > what ipasam is reporting. > However, running the query manually as root (which connects as Directory > Manager as opposed to the cifs service principal) it returns results: > > [root at ipa02 data]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' > '(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))' > SASL/EXTERNAL authentication started > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > SASL SSF: 0 > # extended LDIF > # > # LDAPv3 > # base (default) with scope subtree > # filter: > (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount))) > # requesting: ALL > # > # projects, groups, accounts, XXX > dn: cn=projects,cn=groups,cn=accounts,dc=XXX > gidNumber: 543800010 > ipaUniqueID: XXX > cn: projects > description: Projects access > objectClass: top > objectClass: groupofnames > objectClass: nestedgroup > objectClass: ipausergroup > objectClass: ipaobject > objectClass: posixgroup > objectClass: ipantgroupattrs > ipaNTSecurityIdentifier: XXX > member: cn=projects_rw,cn=groups,cn=accounts,dc=XXX > # search result > search: 3 > result: 0 Success > # numResponses: 2 > # numEntries: 1 > > If I
load the keytab for Samba: kinit -t /etc/samba/samba.keytab > cifs/ipa02.XXX at XXX > Then run the query using GSSAPI - I get no results! > > [root at ipa02 data]# ldapsearch -Y GSSAPI -H > 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' > '(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))' > SASL/GSSAPI authentication started > SASL username: cifs/ipa02.XXX at XXX > SASL SSF: 56 > SASL data security layer installed. > # extended LDIF > # > # LDAPv3 > # base (default) with scope subtree > # filter: > (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount))) > # requesting: ALL > # > # search result > search: 4 > result: 0 Success > # numResponses: 1 > > Even stranger, if I split the OR filter and only run the group part, but > still running through GSSAPI - it is successful! > > [root at ipa02 data]# ldapsearch -Y GSSAPI -H > 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' > '(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))' > SASL/GSSAPI authentication started > SASL username: cifs/XXX at XXX > SASL SSF: 56 > SASL data security layer installed. > # extended LDIF > # > # LDAPv3 > # base (default) with scope subtree > # filter: (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs)) > # requesting: ALL > # > # projects, groups, accounts, XXX > dn: cn=projects,cn=groups,cn=accounts,dc=XXX > gidNumber: 543800010 > ipaUniqueID: XXX > cn: projects > description: Projects access > objectClass: top > objectClass: groupofnames > objectClass: nestedgroup > objectClass: ipausergroup > objectClass: ipaobject > objectClass: posixgroup > objectClass: ipantgroupattrs > ipaNTSecurityIdentifier: XXX > member: cn=projects_rw,cn=groups,cn=accounts,dc=XXX > # search result > search: 4 > result: 0 Success > # numResponses: 2 > # numEntries: 1 > > Any ideas what might be happening here? > I've read something about non-existent attributes can mess with OR queries.
> But I can't understand why it would only affect the GSSAPI authenticated > user. This is definitely an issue with ACLs or NACLPlugin. Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory Manager, the second one maps to a specific DN. When you are cn=Directory Manager, no ACLs apply to you, so the result is expected. -- / Alexander Bokovoy From devel at jasonwoods.me.uk Tue Jun 30 16:50:25 2015 From: devel at jasonwoods.me.uk (Jason Woods) Date: Tue, 30 Jun 2015 17:50:25 +0100 Subject: [Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour In-Reply-To: <1942624034.11313323.1435681756871.JavaMail.zimbra@redhat.com> References: <5E9CD78A-B08F-45E3-A67B-57734B70C147@jasonwoods.me.uk> <1942624034.11313323.1435681756871.JavaMail.zimbra@redhat.com> Message-ID: > On 30 Jun 2015, at 17:29, Alexander Bokovoy wrote: > > ----- Original Message ----- >> If I load the keytab for Samba: kinit -t /etc/samba/samba.keytab >> cifs/ipa02.XXX at XXX >> Then run the query using GSSAPI - I get no results! >> >> [...] >> >> Even stranger, if I split the OR filter and only run the group part, but >> still running through GSSAPI - it is successful! >> >> [...] >> >> Any ideas what might be happening here? >> I've read something about non-existent attributes can mess with OR queries. >> But I can't understand why it would only affect the GSSAPI authenticated >> user. > This is definitely an issue with ACLs or NACLPlugin. > > Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory Manager, the second one maps to a specific DN. > When you are cn=Directory Manager, no ACLs apply to you, so the result is expected. > -- > / Alexander Bokovoy I thought it might be. However, the fact that the query works fine without the OR - does that not indicate otherwise? Surely permissions would impact both?
To summarise, when using GSSAPI with specific DN, the following returns nothing: > (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount))) The following returns one result: > (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs)) My understanding would be if it were permissions, both would return nothing. I've even tried the uidNumber part with a valid uid and it does actually return something. Thanks, Jason Woods -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: Message signed with OpenPGP using GPGMail URL: From abokovoy at redhat.com Tue Jun 30 17:01:18 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 30 Jun 2015 13:01:18 -0400 (EDT) Subject: [Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour In-Reply-To: References: <5E9CD78A-B08F-45E3-A67B-57734B70C147@jasonwoods.me.uk> <1942624034.11313323.1435681756871.JavaMail.zimbra@redhat.com> Message-ID: <238953557.11323112.1435683678975.JavaMail.zimbra@redhat.com> ----- Original Message ----- > > > On 30 Jun 2015, at 17:29, Alexander Bokovoy wrote: > > > > ----- Original Message ----- > >> If I load the keytab for Samba: kinit -t /etc/samba/samba.keytab > >> cifs/ipa02.XXX at XXX > >> Then run the query using GSSAPI - I get no results! > >> > >> [...] > >> > >> Even stranger, if I split the OR filter and only run the group part, but > >> still running through GSSAPI - it is successful! > >> > >> [...] > >> > >> Any ideas what might be happening here? > >> I've read something about non-existent attributes can mess with OR > >> queries. > >> But I can't understand why it would only affect the GSSAPI authenticated > >> user. > > This is definitely an issue with ACLs or NACLPlugin. > > > > Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory > > Manager, the second one maps to a specific DN.
> > When you are cn=Directory Manager, no ACLs apply to you, so the result is > > expected. > > I thought it might be. > > However, the fact that the query works fine without the OR - does that not > indicate otherwise? Surely permissions would impact both? > > To summarise, when using GSSAPI with specific DN, the following returns > nothing: > > (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount))) > > The following returns one result: > > (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs)) > > My understanding would be if it were permissions, both would return nothing. > I've even tried the uidNumber part with a valid uid and it does actually > return something. That's why I'm saying it might be an issue in NACLPlugin. Can you please file a bug about it? -- / Alexander Bokovoy From sipazzo at yahoo.com Tue Jun 30 18:44:21 2015 From: sipazzo at yahoo.com (sipazzo) Date: Tue, 30 Jun 2015 18:44:21 +0000 (UTC) Subject: [Freeipa-users] keytab issue with service principal Message-ID: <904039285.2647862.1435689861047.JavaMail.yahoo@mail.yahoo.com> I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr): oracle at oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com kinit: Keytab contains no suitable keys for host/oracledbsrvr.example.com at EXAMPLE.COM while getting initial credentials When I use a client program like sqlplus on the database server connecting as a freeipa user with valid kerberos ticket it appears to work fine though. I cannot get it working from a remote client however. Is this error a red herring or should I be concerned about this? kvno and klist show same number. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From simo at redhat.com Tue Jun 30 18:52:17 2015 From: simo at redhat.com (Simo Sorce) Date: Tue, 30 Jun 2015 14:52:17 -0400 Subject: [Freeipa-users] keytab issue with service principal In-Reply-To: <904039285.2647862.1435689861047.JavaMail.yahoo@mail.yahoo.com> References: <904039285.2647862.1435689861047.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1435690337.7621.63.camel@willson.usersys.redhat.com> On Tue, 2015-06-30 at 18:44 +0000, sipazzo wrote: > I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr): > oracle at oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com > kinit: Keytab contains no suitable keys for host/oracledbsrvr.example.com at EXAMPLE.COM while getting initial credentials > > > When I use a client program like sqlplus on the database server connecting as a freeipa user with valid kerberos ticket it appears to work fine though. I cannot get it working from a remote client however. Is this error a red herring or should I be concerned about this? kvno and klist show same number. What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ? Simo. 
-- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Tue Jun 30 19:16:44 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 30 Jun 2015 15:16:44 -0400 (EDT) Subject: [Freeipa-users] keytab issue with service principal In-Reply-To: <904039285.2647862.1435689861047.JavaMail.yahoo@mail.yahoo.com> References: <904039285.2647862.1435689861047.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1560735427.11464664.1435691804837.JavaMail.zimbra@redhat.com> ----- Original Message ----- > I am trying to troubleshoot kerberos authentication for an oracle service > (oracledb) and getting the following error when testing the service keytab > on the database server (oracledbsrvr): > > oracle at oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S > oracledb/oracledbsrvr.example.com > kinit: Keytab contains no suitable keys for > host/oracledbsrvr.example.com at EXAMPLE.COM while getting initial credentials Remove -S option, just specify your oracledb/`hostname` principal. With -S option your oracledb/`hostname` principal is consumed by the -S option and then default principal is what you are authenticating with. Which means "I want to obtain credentials to oracledb/`hostname` service, not krbtgt/EXAMPLE.COM at EXAMPLE.COM, but I'll be authenticating as host/`hostname` for that." But when you are using host/`hostname`, your keytab is supposed to contain keys for this principal. kinit doesn't see them there and fails. Why did you choose to use -S option? -- / Alexander Bokovoy From sipazzo at yahoo.com Tue Jun 30 19:34:45 2015 From: sipazzo at yahoo.com (sipazzo) Date: Tue, 30 Jun 2015 19:34:45 +0000 (UTC) Subject: [Freeipa-users] keytab issue with service principal In-Reply-To: <1435690337.7621.63.camel@willson.usersys.redhat.com> References: <1435690337.7621.63.camel@willson.usersys.redhat.com> Message-ID: <1714233103.2677495.1435692885381.JavaMail.yahoo@mail.yahoo.com> Output of klist -kt is
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM
From: Simo Sorce To: sipazzo Cc: Freeipa-users Sent: Tuesday, June 30, 2015 11:52 AM Subject: Re: [Freeipa-users] keytab issue with service principal On Tue, 2015-06-30 at 18:44 +0000, sipazzo wrote: > I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr): > oracle at oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com > kinit: Keytab contains no suitable keys for host/oracledbsrvr.example.com at EXAMPLE.COM while getting initial credentials > > > When I use a client program like sqlplus on the database server connecting as a freeipa user with valid kerberos ticket it appears to work fine though. I cannot get it working from a remote client however. Is this error a red herring or should I be concerned about this? kvno and klist show same number. What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ? Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- An HTML attachment was scrubbed...
URL: From simo at redhat.com Tue Jun 30 19:39:41 2015 From: simo at redhat.com (Simo Sorce) Date: Tue, 30 Jun 2015 15:39:41 -0400 Subject: [Freeipa-users] keytab issue with service principal In-Reply-To: <1714233103.2677495.1435692885381.JavaMail.yahoo@mail.yahoo.com> References: <1435690337.7621.63.camel@willson.usersys.redhat.com> <1714233103.2677495.1435692885381.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1435693181.7621.64.camel@willson.usersys.redhat.com> On Tue, 2015-06-30 at 19:34 +0000, sipazzo wrote: > Output of klist -kt is > KVNO Timestamp Principal > ---- ----------------- -------------------------------------------------------- > 2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM > 2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM > 2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM > 2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM From: Simo Sorce > To: sipazzo > Cc: Freeipa-users > Sent: Tuesday, June 30, 2015 11:52 AM > Subject: Re: [Freeipa-users] keytab issue with service principal Then the command you want to run is: kinit -kt /opt/oracle/admin/oracledb.keytab oracledb/oracledbsrvr.example.com Note, no -S Simo. > On Tue, 2015-06-30 at 18:44 +0000, sipazzo wrote: > > > > I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr): > > oracle at oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com > > kinit: Keytab contains no suitable keys for host/oracledbsrvr.example.com at EXAMPLE.COM while getting initial credentials > > > > > > When I use a client program like sqlplus on the database server connecting as a freeipa user with valid kerberos ticket it appears to work fine though. I cannot get it working from a remote client however. Is this error a red herring or should I be concerned about this? 
kvno and klist show same number. > > What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ? > > Simo. > -- Simo Sorce * Red Hat, Inc * New York From sipazzo at yahoo.com Tue Jun 30 19:50:30 2015 From: sipazzo at yahoo.com (sipazzo) Date: Tue, 30 Jun 2015 19:50:30 +0000 (UTC) Subject: [Freeipa-users] keytab issue with service principal In-Reply-To: <1560735427.11464664.1435691804837.JavaMail.zimbra@redhat.com> References: <1560735427.11464664.1435691804837.JavaMail.zimbra@redhat.com> Message-ID: <625845855.2679778.1435693830792.JavaMail.yahoo@mail.yahoo.com> Thank you, I had tried it both ways with same results. Just misunderstood documentation I guess so tried the -S to try to force it to use the service keytab for authentication. kinit -k -t /opt/oracle/admin/oracledb.keytab kinit: Keytab contains no suitable keys for host/oracledbsrvr.example.com at EXAMPLE.COM while getting initial credentials Simo just responded that I had the command wrong. I re-ran it as he indicated and received a service ticket. Thank you both so much. From: Alexander Bokovoy To: sipazzo Cc: Freeipa-users Sent: Tuesday, June 30, 2015 12:16 PM Subject: Re: [Freeipa-users] keytab issue with service principal ----- Original Message ----- > I am trying to troubleshoot kerberos authentication for an oracle service > (oracledb) and getting the following error when testing the service keytab > on the database server (oracledbsrvr): > > oracle at oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S > oracledb/oracledbsrvr.example.com > kinit: Keytab contains no suitable keys for > host/oracledbsrvr.example.com at EXAMPLE.COM while getting initial credentials Remove -S option, just specify your oracledb/`hostname` principal. With -S option your oracledb/`hostname` principal is consumed by the -S option and then default principal is what you are authenticating with. 
Which means "I want to obtain credentials to oracledb/`hostname` service, not krbtgt/EXAMPLE.COM at EXAMPLE.COM, but I'll be authenticating as host/`hostname` for that." But when you are using host/`hostname`, your keytab is supposed to contain keys for this principal. kinit doesn't see them there and fails. Why did you choose to use -S option? -- / Alexander Bokovoy -------------- next part -------------- An HTML attachment was scrubbed... URL: From sipazzo at yahoo.com Tue Jun 30 19:51:08 2015 From: sipazzo at yahoo.com (sipazzo) Date: Tue, 30 Jun 2015 19:51:08 +0000 (UTC) Subject: [Freeipa-users] keytab issue with service principal In-Reply-To: <1435693181.7621.64.camel@willson.usersys.redhat.com> References: <1435693181.7621.64.camel@willson.usersys.redhat.com> Message-ID: <871812890.2675911.1435693868418.JavaMail.yahoo@mail.yahoo.com> Thank you so much, that was it - just a wrong command. Appreciate the help and quick response. From: Simo Sorce To: sipazzo Cc: Freeipa-users Sent: Tuesday, June 30, 2015 12:39 PM Subject: Re: [Freeipa-users] keytab issue with service principal On Tue, 2015-06-30 at 19:34 +0000, sipazzo wrote: > Output of klist -kt is > KVNO Timestamp Principal > ---- ----------------- -------------------------------------------------------- > 2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM > 2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM > 2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM > 2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com at EXAMPLE.COM From: Simo Sorce > To: sipazzo > Cc: Freeipa-users > Sent: Tuesday, June 30, 2015 11:52 AM > Subject: Re: [Freeipa-users] keytab issue with service principal Then the command you want to run is: kinit -kt /opt/oracle/admin/oracledb.keytab oracledb/oracledbsrvr.example.com Note, no -S Simo.
> On Tue, 2015-06-30 at 18:44 +0000, sipazzo wrote: > > > > I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr): > > oracle at oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com > > kinit: Keytab contains no suitable keys for host/oracledbsrvr.example.com at EXAMPLE.COM while getting initial credentials > > > > > > When I use a client program like sqlplus on the database server connecting as a freeipa user with valid kerberos ticket it appears to work fine though. I cannot get it working from a remote client however. Is this error a red herring or should I be concerned about this? kvno and klist show same number. > > What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ? > > Simo. > -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Tue Jun 30 19:51:42 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Tue, 30 Jun 2015 21:51:42 +0200 Subject: [Freeipa-users] freeipa sudden stop In-Reply-To: References: Message-ID: <20150630195141.GA23220@mail.corp.redhat.com> On (30/06/15 11:17), Umarzuki Mochlis wrote: >Every once in a week suddenly IPA service would failed and only >realized when zimbra that using authentication with it failed during >user log in. > >So I had to type in below commands one by one each time this happened. > >systemctl start dirsrv at DOMAIN-COM.service >systemctl start krb5kdc.service >systemctl start kadmin.service >systemctl start ipa_memcached.service >systemctl start httpd.service > ># cat /etc/redhat-release >Fedora release 18 (Spherical Cow) > End of life for Fedora 18 was 2014-01-14. See https://fedoraproject.org/wiki/End_of_life Could you try to upgrade to recent release (fedora 21)?
If you did not want to upgrade very often then it would be better to use distribution with longer support time. RHEL/CentOS LS From umarzuki at gmail.com Tue Jun 30 23:18:08 2015 From: umarzuki at gmail.com (Umarzuki Mochlis) Date: Wed, 1 Jul 2015 07:18:08 +0800 Subject: [Freeipa-users] freeipa sudden stop In-Reply-To: <20150630195141.GA23220@mail.corp.redhat.com> References: <20150630195141.GA23220@mail.corp.redhat.com> Message-ID: 2015-07-01 3:51 GMT+08:00 Lukas Slebodnik : > End of life for Fedora 18 was 2014-01-14. > See https://fedoraproject.org/wiki/End_of_life > > Could you try to upgrade to recent release (fedora 21)? > If you did not want to upgrade very often then it would > be better to use distribution with longer support time. > RHEL/CentOS > > LS Is it possible to
1- install freeipa on a centos 7 server
2- migrate copy freeipa data over from fedora 18 to centos 7
3- power off freeipa on fedora 18 & change IP on centos 7 freeipa to that was used by fedora 18
for as little downtime as possible? I would imagine that this would not be seamless as I need to check that Zimbra accounts properly authenticated with new freeipa. From harald.dunkel at aixigo.de Mon Jun 29 10:05:02 2015 From: harald.dunkel at aixigo.de (Harald Dunkel) Date: Mon, 29 Jun 2015 12:05:02 +0200 Subject: [Freeipa-users] hesitate to deploy freeipa In-Reply-To: <1435247245.22563.63.camel@willson.usersys.redhat.com> References: <558A5709.1000603@aixigo.de> <1435247245.22563.63.camel@willson.usersys.redhat.com> Message-ID: <5591184E.3000908@aixigo.de> Hi Simo, On 06/25/15 17:47, Simo Sorce wrote: > > Harald, > the reason I (and others) started this project many years ago is that > trying to set up all components myself was boring and highly error > prone, and you would always end up with a bag of parts that had a lot of > mismatches, and some functionality was always missing or poor or > incomplete, due to the imperfect integration.
> > Yes, the whole project is complex, but not because we like complexity, > it is complex because the problem space is complex and we are bound to > use existing protocols, which sometimes add in complexity, and we want > to offer useful features to admins, so they can think about managing > stuff and not about the plumbing all the time. > Sorry to say, but this part is not in yet. ipa-client-install is included in RedHat/Fedora/Centos. On Debian it is improving (meaning I have to backport it from Testing to Jessie and Wheezy and hope), but for my other Unixes (Solaris, AIX, Suse, all designed more than 5 years ago) I have to do the plumbing on my own. It's a lot of work, but I can live with that. Missing client support is not the problem. The problem is that I do have a working environment (using NIS). NIS is deeply integrated everywhere for +20 years. I understand that NIS is not safe to use, but it is rock solid and *extremely* easy to manage and repair. If something goes wrong, then I can edit a file, run make -C /var/yp and it's done. If something goes wrong with freeipa, then in the best case I have to find the bad component and fix it, as for NIS. Worst case is that 2 or more components "disagree somehow". There would be several options to solve this: a) use low level component tools to manipulate their data, hoping to not make incompatible changes breaking things in other components of freeipa b) ask for help on the mailing list, which might imply a downtime of several hours and then option a) Both options don't appear very attractive to me. > The best option is to study the individual components and how they are > integrated, That's the point: It is not sufficient to study the individual components. You have to know how they work together. For example, you have to know the constructs you should avoid in component A to make sure that you don't break other components of Freeipa.
> just like you (presumably) studied how a Unix/Linux OS is > put together and operates. An OS is not simpler in anyway, but you > probably do not see the complexity as menacing anymore because you are > familiar with how it works. > I am telling this to myself again and again, but it's not sufficient to get rid of the bad feeling about it. Anyway, please don't get me wrong on this: I highly appreciate the work you and all the others do on creating and improving Freeipa. I completely agree that a modern way of identity management replacing historic tools like NIS and LDAP is overdue. Regards Harri From sajustice at gmail.com Tue Jun 30 13:07:30 2015 From: sajustice at gmail.com (Steve Justice) Date: Tue, 30 Jun 2015 09:07:30 -0400 Subject: [Freeipa-users] CentOS 7 with IPA 4.1 Message-ID: All, I am testing an IDM/IPA setup for our RHEL environment. My current setup. Windows sjlab.local - domain one mylab.local - domain two sjlab and mylab are two separate AD Domains sjlab is the primary domain IDM will be integrated with. sjlab has a one way (outgoing) Forest type transitive trust with mylab. Linux idm.sjlab.local - IDM domain I have the trust between IDM and sjlab working. when I perform an ipa trust-show on sjlab.local I see that it is connected with a trust direction of Two-way trust and type of Active Directory domain. I can authenticate with users from sjlab.local to a server on the idm domain. That all appears to be working ok. What I cannot do however is authenticate with users from the mylab.local domain. When I perform an ipa trust-fetch-domains for sjlab.local it states that no new domains can be found. I know the documentation refers to this trust as a transitive trust within the forest. I have a forest level trust between sjlab and mylab, however I realize they are not in the same forest. Does that mean that this type of setup will not work, or is there something I am missing?
Thank you Steven -------------- next part -------------- An HTML attachment was scrubbed... URL:
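Returning to the ipasam thread earlier in this digest (Jason Woods' OR filter that returns nothing under GSSAPI while its group branch alone returns the entry): the following is an added diagnostic example, not code from Samba, FreeIPA or anyone in the thread. It parses constructed log.workstation lines modelled on the ones quoted, splits the logged filter into its top-level branches so each can be re-run with ldapsearch under the same SASL bind Samba uses, and encodes the thread's reasoning that an OR filter returning fewer entries than one of its own branches cannot be explained by ACIs hiding the entry. The ldapi socket URI is a placeholder, and the per-branch result counts are supplied by whoever runs the commands.

```python
"""Bisect a failing ipasam group lookup into the branches of its LDAP OR
filter (constructed example; not Samba or FreeIPA code)."""
import re
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the log.workstation lines quoted in the thread.
SAMPLE_LOG = """\
[2015/06/30 16:23:18.050664, 5, pid=14801, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [dc=XXX], filter => [(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)(objectClass=ipaNTUserAttrs)))], scope => [2]
[2015/06/30 16:23:18.051555, 3, pid=14801, effective(0, 0), real(0, 0)] ipa_sam.c:942(ldapsam_gid_to_sid)
  ERROR: Got 0 entries for gid 543800010, expected at least one
"""

SEARCH_RE = re.compile(
    r"smbldap_search_ext: base => \[(?P<base>[^\]]*)\], "
    r"filter => \[(?P<filter>.*)\], scope => \[(?P<scope>\d+)\]")
GID_ERR_RE = re.compile(r"ERROR: Got 0 entries for gid (?P<gid>\d+)")


@dataclass
class SmbLdapSearch:
    base: str
    filter: str
    scope: int


def parse_searches(log_text: str) -> List[SmbLdapSearch]:
    """Pull every smbldap_search_ext base/filter/scope out of a Samba debug log."""
    return [SmbLdapSearch(m["base"], m["filter"], int(m["scope"]))
            for m in SEARCH_RE.finditer(log_text)]


def failed_gid_lookups(log_text: str) -> Counter:
    """Count ldapsam_gid_to_sid 'Got 0 entries' failures per gid, so the
    'almost 10 times per file' symptom becomes a number you can track."""
    return Counter(m["gid"] for m in GID_ERR_RE.finditer(log_text))


def split_filter(flt: str) -> Tuple[Optional[str], List[str]]:
    """Split an RFC 4515 filter at its top level.

    Returns (operator, branches): operator is '|', '&' or '!' for a compound
    filter, or None for a leaf such as (gidNumber=543800010), in which case
    the single branch is the filter itself. Parentheses inside values are
    RFC 4515-escaped (\\28, \\29), so counting raw parentheses is safe."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"not a parenthesised filter: {flt!r}")
    inner = flt[1:-1]
    if not inner or inner[0] not in "|&!":
        return None, [flt]
    op, rest = inner[0], inner[1:]
    branches: List[str] = []
    depth, start = 0, 0
    for i, ch in enumerate(rest):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                branches.append(rest[start:i + 1])
            elif depth < 0:
                raise ValueError(f"unbalanced filter: {flt!r}")
    if depth != 0 or not branches:
        raise ValueError(f"unbalanced filter: {flt!r}")
    return op, branches


def bisect_commands(search: SmbLdapSearch, uri: str,
                    sasl_mech: str = "GSSAPI") -> List[str]:
    """One ldapsearch per top-level branch, bound the same way Samba binds
    (SASL, not the LDAPI root autobind that maps to Directory Manager), so
    branch results are comparable with the whole filter. uri is a placeholder."""
    _, branches = split_filter(search.filter)
    return ["ldapsearch -Y {} -H {} -b {} -LLL {}".format(
                sasl_mech, shlex.quote(uri), shlex.quote(search.base),
                shlex.quote(branch))
            for branch in branches]


def or_branch_anomaly(whole_count: int, branch_counts: List[int]) -> bool:
    """Under one bind identity (and below any size limit) an OR filter can
    never return fewer entries than its largest branch. If it does, the entry
    is neither absent nor hidden from this DN by an ACI: the server is
    evaluating the compound filter differently, which is what the thread saw."""
    return whole_count < max(branch_counts)


if __name__ == "__main__":
    print("failed gid lookups:", dict(failed_gid_lookups(SAMPLE_LOG)))
    for search in parse_searches(SAMPLE_LOG):
        for cmd in bisect_commands(search, "ldapi://%2fvar%2frun%2fslapd-XXX.socket"):
            print(cmd)
    # Whole OR filter returned 0 entries, group branch alone returned 1.
    print("anomaly:", or_branch_anomaly(0, [1, 0]))
```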